Azure Active Directory with Claims for fine grained authorization in Azure Functions

Klaus Villaca 26 Reputation points
2020-06-24T23:14:08.387+00:00

I am trying to implement Azure AD with Claims in a Java Spring Boot project. I can find examples for REST, but I couldn't understand or find how to do it with functions.
Because in Spring the context only gets initialised after the function is called (Trigger), my security is failing to initialise. Also I want to know how to get the claims: whether they come with the token, using OAuth, or whether I will need to make a request to retrieve them, meaning via code, e.g. get the user credentials (groups and roles) and query AD to get the claims, or whether AD could provide the user claims within the authentication.
Because I need authentication to be separated from authorisation. The user can be authenticated, but the authorisation will change from app to app or, even better, from place to place. E.g. a user is authenticated, but if accessing from the office this user will have access to more features than if accessing the app from outside the office, and even less if from a mobile or outside the country.

Microsoft Entra ID

Accepted answer
  1. Krish G 2,331 Reputation points
    2020-07-10T13:09:16.507+00:00

    Hello @KlausVillaca-4090, the guide to configure an Azure Function app to integrate with Azure AD is described here. Please note that since an Azure Function with HTTP trigger acts as an API, like any API app it can implement authorization by extracting the authorization header and decoding the JWT token to extract claims. I have done that as below using java-jwt (of course you can do it using a library of your choice). The full sample can be found here. Also, the first step of configuring the function app with Azure AD will not be needed if you validate the token yourself (e.g. valid authority, scope etc.) at function level.

     import com.auth0.jwt.JWT;
     import com.auth0.jwt.interfaces.Claim;
     import com.auth0.jwt.interfaces.DecodedJWT;
     import java.util.Map;
     Map<String, String> headers = request.getHeaders(); // Azure Functions lower-cases header names
     String authHeader = headers.get("authorization");
     if (authHeader == null || !authHeader.startsWith("Bearer ")) { /* reject: no bearer token present */ }
     DecodedJWT jwt = JWT.decode(authHeader.replaceFirst("Bearer ", "")); // parses only; validate signature/issuer/audience before trusting claims
     Map<String, Claim> claims = jwt.getClaims();
     // check claims for authorization


    The way to authenticate depends on your scenario. For a service-to-service call, your consumer app might use the Client Credential flow (no user) to get the auth token and pass it as the authorization header when calling the function HTTP endpoint. For user login, there needs to be a front-end web/mobile app which authenticates with AAD and then passes on the auth token to the protected function API call.

    1 person found this answer helpful.
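The answer above decodes the token and leaves claim checking to the reader, while the question asks for authentication kept separate from context-dependent authorisation. The following is an added example (not the answerer's sample and not from any Microsoft library) that does both with java-jwt: a verifier that checks signature, issuer, audience and expiry, and a separate policy that derives the permitted features from the `roles` claim plus where the request came from. The HMAC key, tenant id, audience and role names are constructed placeholders; a real Azure AD token is RS256-signed and must be verified against the tenant's published signing keys instead.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.util.*;

public class ClaimsAuthorization {
    // Constructed for this example only. Real Azure AD tokens are RS256-signed: use
    // Algorithm.RSA256 with a key provider fed from the tenant's JWKS endpoint instead.
    static final Algorithm ALG = Algorithm.HMAC256("example-only-shared-secret");
    static final String ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"; // placeholder
    static final String AUDIENCE = "api://<function-app-client-id>";                   // placeholder

    // Authentication: reject anything whose signature, issuer, audience or expiry is wrong.
    static DecodedJWT authenticate(String authHeader) {
        if (authHeader == null || !authHeader.startsWith("Bearer ")) return null;
        JWTVerifier verifier = JWT.require(ALG).withIssuer(ISSUER).withAudience(AUDIENCE).build();
        try {
            return verifier.verify(authHeader.substring("Bearer ".length()));
        } catch (JWTVerificationException e) {
            return null; // bad signature, wrong issuer/audience, or expired token
        }
    }

    // Authorization: the roles claim is what the directory assigned; the request context
    // (here: whether the call came from the office network) narrows what is allowed.
    static Set<String> permittedFeatures(DecodedJWT jwt, boolean fromOfficeNetwork) {
        Set<String> features = new HashSet<>();
        List<String> roles = jwt.getClaim("roles").asList(String.class);
        if (roles == null) return features; // no roles claim: authenticated but nothing permitted
        if (roles.contains("Reader")) features.add("view-reports");
        if (roles.contains("Admin")) {
            features.add("manage-users");
            if (fromOfficeNetwork) features.add("export-data"); // office-only feature
        }
        return features;
    }

    public static void main(String[] args) {
        Date inOneMinute = new Date(System.currentTimeMillis() + 60_000);
        String token = JWT.create().withIssuer(ISSUER).withAudience(AUDIENCE).withSubject("user@example.com")
                .withArrayClaim("roles", new String[]{"Reader", "Admin"}).withExpiresAt(inOneMinute).sign(ALG);
        DecodedJWT jwt = authenticate("Bearer " + token);
        System.out.println("from office:  " + permittedFeatures(jwt, true));
        System.out.println("from outside: " + permittedFeatures(jwt, false));
        // A token signed with a different key carries the same claims but must not authenticate.
        String forged = JWT.create().withIssuer(ISSUER).withAudience(AUDIENCE).withExpiresAt(inOneMinute)
                .withArrayClaim("roles", new String[]{"Admin"}).sign(Algorithm.HMAC256("other-key"));
        System.out.println("forged token accepted: " + (authenticate("Bearer " + forged) != null));
    }
}
```

Whether a request is "from the office" would come from the function's request context (for example a trusted client IP header set by your gateway), which is deliberately kept out of the token so the same authenticated user gets different permissions per place, as the question asks.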

1 additional answer

  1. Arturo 46 Reputation points
    2025-01-06T15:26:37.12+00:00

    Use DarkLoop.Azure.Functions.Authorization.Isolated or DarkLoop.Azure.Functions.Authorization.InProcess to have the same fine-grained policy-based authorization as in ASP.NET Core in Azure Functions. For Isolated mode you actually use the same ASP.NET Core AuthorizeAttribute.

    This is the github repo: https://github.com/dark-loop/functions-authorize

    You can read more here
