Function App ClaimsPrincipal empty name

Urs Meier 6 Reputation points
2021-05-19T08:05:43.343+00:00

Short summary:
Login via MSAL and login via browser (without MSAL) do not create the same ClaimsPrincipal object on the server. The ClaimsPrincipal object is populated from HttpRequest.HttpContext.User, and this should always be identical.

Details:
We have Azure function app (.Net Core 3.1) protected with AD authentication.
The function app uses the ClaimsPrincipal (Identity.Name). The object is populated from HttpRequest.HttpContext.User:

using System.Security.Claims;

// Identity.Name returns the value of the first claim whose type matches the
// identity's NameClaimType; if no such claim exists it is null.
public static string GetPrincipalName(ClaimsPrincipal principal)
{
    string name = principal.Identity.Name;
    return string.IsNullOrEmpty(name) ? "anonymous" : name;
}

This works fine when calling a function in the browser, e.g. https://ourapp-admin-api-v3.azurewebsites.net/api/myfunction

However, calling the same function over MSAL2 from an Angular client app, the name attribute is empty, even though the user is authenticated:

[screenshot not included]

According to the MSAL2 authors this is not related to MSAL, but to the Azure App manifest.
See also https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/3562

Do I have to configure something special in the App Registration or what could be the problem?

Tags: Azure Functions, Microsoft Entra ID

2 answers

  1. Pramod Valavala 20,641 Reputation points Microsoft Employee
    2021-05-20T05:47:21+00:00

    @Urs Meier The client identity is available when using App Service Authentication / Authorization, which is driven by special headers injected by App Service. You can leverage the same by implementing the authentication flow described in the docs.

    For direct OAuth/OpenID Connect, usually all claims are present in the JWT, which you would verify and extract from. If this is what you are looking for, instead of App Service Authentication you could use Azure APIM in front of your function apps and set up pre-validation of tokens. With this, you could simply use MSAL.js to fetch the token and pass it in the Authorization header.
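The header-driven path the answer above describes, as an added example (my code, not the question's or the answer's): App Service Authentication and Static Web Apps put the authenticated user into an `x-ms-client-principal` request header (base64 JSON), and the function rebuilds a ClaimsPrincipal from it. The two header shapes parsed here are the documented App Service and Static Web Apps formats; the sample header values in `Main` are constructed, not captured from a real request, and the `Admin` role is an assumed name.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Text;
using System.Text.Json;

// Added example: decode x-ms-client-principal into a ClaimsPrincipal whose Identity.Name
// and IsInRole() actually work. Assumption: the header is standard base64 of JSON in
// either the App Service Authentication shape or the Static Web Apps shape.
public static class ClientPrincipalParser
{
    public const string HeaderName = "x-ms-client-principal";

    // Returns null when the header is missing or malformed. The header is only
    // trustworthy when the request really came through the platform's auth layer;
    // a function host that clients can reach directly must not accept it from them.
    public static ClaimsPrincipal Parse(string headerValue)
    {
        if (string.IsNullOrWhiteSpace(headerValue)) return null;

        byte[] raw;
        try { raw = Convert.FromBase64String(headerValue); }
        catch (FormatException) { return null; }

        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(raw));
        var root = doc.RootElement;

        // App Service Authentication shape: auth_typ / name_typ / role_typ / claims[{typ,val}]
        if (root.TryGetProperty("auth_typ", out var authTyp))
        {
            var nameTyp = root.GetProperty("name_typ").GetString() ?? ClaimTypes.Name;
            var roleTyp = root.GetProperty("role_typ").GetString() ?? ClaimTypes.Role;
            // Passing name_typ/role_typ to ClaimsIdentity is what makes Identity.Name and
            // IsInRole() resolve: Identity.Name looks up NameClaimType, not a claim called "name".
            var identity = new ClaimsIdentity(ReadClaims(root), authTyp.GetString(), nameTyp, roleTyp);
            return new ClaimsPrincipal(identity);
        }

        // Static Web Apps shape: identityProvider / userId / userDetails / userRoles[] (+ optional claims[])
        if (root.TryGetProperty("userRoles", out var roles))
        {
            var claims = new List<Claim>
            {
                new Claim(ClaimTypes.NameIdentifier, root.GetProperty("userId").GetString() ?? ""),
                new Claim(ClaimTypes.Name, root.GetProperty("userDetails").GetString() ?? ""),
            };
            foreach (var r in roles.EnumerateArray())
                claims.Add(new Claim(ClaimTypes.Role, r.GetString() ?? ""));
            claims.AddRange(ReadClaims(root));
            var provider = root.GetProperty("identityProvider").GetString();
            return new ClaimsPrincipal(new ClaimsIdentity(claims, provider, ClaimTypes.Name, ClaimTypes.Role));
        }

        return null; // unknown shape: treat as anonymous rather than guessing
    }

    private static List<Claim> ReadClaims(JsonElement root)
    {
        var list = new List<Claim>();
        if (!root.TryGetProperty("claims", out var arr) || arr.ValueKind != JsonValueKind.Array) return list;
        foreach (var c in arr.EnumerateArray())
            list.Add(new Claim(c.GetProperty("typ").GetString() ?? "", c.GetProperty("val").GetString() ?? ""));
        return list;
    }

    // Same helper as in the question, made null-safe for the "no header" case.
    public static string GetPrincipalName(ClaimsPrincipal principal)
    {
        var name = principal?.Identity?.Name;
        return string.IsNullOrEmpty(name) ? "anonymous" : name;
    }

    public static void Main()
    {
        // Constructed sample, App Service Authentication shape.
        string easyAuthJson = @"{""auth_typ"":""aad"",
            ""name_typ"":""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"",
            ""role_typ"":""http://schemas.microsoft.com/ws/2008/06/identity/claims/role"",
            ""claims"":[{""typ"":""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"",""val"":""urs@example.com""},
                        {""typ"":""http://schemas.microsoft.com/ws/2008/06/identity/claims/role"",""val"":""Admin""}]}";
        // Constructed sample, Static Web Apps shape.
        string swaJson = @"{""identityProvider"":""aad"",""userId"":""d75b260a"",""userDetails"":""urs@example.com"",""userRoles"":[""authenticated"",""Admin""]}";

        foreach (var json in new[] { easyAuthJson, swaJson })
        {
            var header = Convert.ToBase64String(Encoding.UTF8.GetBytes(json));
            var principal = Parse(header);
            Console.WriteLine($"{GetPrincipalName(principal)} admin={principal?.IsInRole("Admin")}");
        }
        Console.WriteLine(GetPrincipalName(Parse(null))); // header absent: anonymous
    }
}
```

In the in-process model the same decoding can run at the top of the function on `req.Headers`; in the isolated worker it belongs in middleware that reads `HttpRequestData.Headers` and stores the principal in `FunctionContext.Items` for the function to pick up. The point the answer makes still holds: this header exists only for requests that went through the platform's authentication, so a client that calls the function host directly with a bearer token gets no header and has to be handled by validating the token instead.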


  2. DiBok 11 Reputation points
    2024-05-20T11:38:07.8433333+00:00

    Exact same situation here:

    I'm moving my solution from .NET 6 to .NET 8, consisting of 2 projects: API (Azure Functions) and Client (Blazor WASM).

    After moving, I lost access to the ClaimsPrincipal on the Function side (it's always null). I've implemented the middleware solution described here: https://adamstorr.co.uk/blog/using-azure-functions-middleware-to-access-claimsprincipal-in-azure-static-web-apps/

    On the client side, I'm using the Refit library: https://github.com/reactiveui/refit. Haven't changed anything in how I'm calling Azure functions from the client side.

    Previously, I was checking roles found inside the Azure portal under Static Web App - Role management.

    After moving to .NET 8, I'm now using Microsoft Entra - App registrations - the app itself - App roles.

    And users: Enterprise Applications - the app itself - Users and groups.

    But nothing works. Even though on the client side I successfully log in and can check roles, when I call the Azure function there is no "x-ms-client-principal" header in the request.

    Do I need to somehow pass something from the client side request?

    What else should I tweak?

    Nothing was found in the official documentation.
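The case both posts run into, a client (MSAL.js, Refit, a Blazor HttpClient) calling the function URL directly with a bearer token, is the "direct OAuth/OpenID Connect" branch of the first answer: no platform header is injected, so the function has to validate the JWT itself and build the principal from its claims. The following is an added example of that, my code and not from the thread; it signs a token with a locally generated RSA key so it runs offline (in a deployment the signing keys come from the issuer's OpenID Connect metadata, e.g. via `ConfigurationManager<OpenIdConnectConfiguration>`), and the issuer, audience, user and role values are constructed placeholders. Assumed packages: System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens (6.x). It also shows why `Identity.Name` can be empty on a perfectly valid, authenticated token: `ClaimsIdentity.Name` reads the claim whose type equals the identity's `NameClaimType` (default `ClaimTypes.Name`, a WS-* URI), while an Entra ID v2.0 token carries the user's name in the `name` claim, so the mapping has to be set explicitly.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

// Added example: validate a bearer JWT in the function and extract the user from it.
// Assumptions: issuer/audience below are placeholders; the token is signed with a local
// RSA key instead of Entra ID's published keys so the sample runs offline.
public static class BearerTokenDemo
{
    const string Issuer   = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"; // placeholder
    const string Audience = "api://ourapp-admin-api-v3"; // placeholder

    // Validation parameters the function would use. NameClaimType/RoleClaimType are the
    // part this thread is about: without them the token validates, IsAuthenticated is
    // true, and Identity.Name is still empty.
    public static TokenValidationParameters Parameters(SecurityKey key, bool mapV2Claims) =>
        new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = key,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
            NameClaimType = mapV2Claims ? "name" : ClaimTypes.Name,
            RoleClaimType = mapV2Claims ? "roles" : ClaimTypes.Role,
        };

    // Throws SecurityTokenException (bad signature, wrong audience/issuer, expired) before
    // any claim is read; the caller maps that to 401.
    public static ClaimsPrincipal Validate(string bearer, TokenValidationParameters p)
    {
        var handler = new JwtSecurityTokenHandler { MapInboundClaims = false }; // keep claim types as issued
        return handler.ValidateToken(bearer, p, out _);
    }

    public static string GetPrincipalName(ClaimsPrincipal principal)
    {
        var name = principal.Identity?.Name;
        return string.IsNullOrEmpty(name) ? "anonymous" : name;
    }

    // Builds a token shaped like an Entra ID v2.0 access token (name, preferred_username, roles).
    public static string IssueConstructedToken(SigningCredentials creds, string audience = Audience)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = audience,
            Expires = DateTime.UtcNow.AddMinutes(30),
            SigningCredentials = creds,
            Subject = new ClaimsIdentity(new[]
            {
                new Claim("name", "Urs Meier"),                 // constructed
                new Claim("preferred_username", "urs@example.com"),
                new Claim("roles", "Admin"),                    // assumed app role name
            }),
        };
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    public static void Main()
    {
        using var rsa = RSA.Create(2048);
        var key = new RsaSecurityKey(rsa);
        var creds = new SigningCredentials(key, SecurityAlgorithms.RsaSha256);
        var token = IssueConstructedToken(creds);

        // Default claim types: valid token, authenticated identity, empty Name.
        var p1 = Validate(token, Parameters(key, mapV2Claims: false));
        Console.WriteLine($"default: auth={p1.Identity?.IsAuthenticated} name={GetPrincipalName(p1)}");

        // NameClaimType="name", RoleClaimType="roles": same token, Name and roles resolve.
        var p2 = Validate(token, Parameters(key, mapV2Claims: true));
        Console.WriteLine($"mapped:  auth={p2.Identity?.IsAuthenticated} name={GetPrincipalName(p2)} admin={p2.IsInRole("Admin")}");

        // A token minted for another API is rejected by the audience check.
        try { Validate(IssueConstructedToken(creds, "api://some-other-app"), Parameters(key, true)); }
        catch (SecurityTokenException e) { Console.WriteLine($"rejected: {e.GetType().Name}"); }
    }
}
```

Two practical checks follow from this: confirm which token version the client is actually requesting (the v2.0 endpoint issues `name`/`preferred_username`, a v1.0 token carries `unique_name`, which the default inbound claim map does turn into `ClaimTypes.Name`), and confirm that the `aud` in the token is your API's identifier, since a token whose audience is Microsoft Graph or another app must be rejected even though it is validly signed.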

