Why does my HttpTrigger AuthorizationLevel.User keep return 401?

Question

Why does my HttpTrigger AuthorizationLevel.User keep return 401?

Sean Sparkman 10

Why does my token work for /.auth/me but my custom HttpTrigger AuthorizationLevel.User not work. If I set the AuthorizationLevel.Anonymous, the endpoint works just fine, so it's the easy auth. I am using the idToken generated from logging in with google. JWT.IO also says that the JWT has an invalid signature. I have configured EasyAuth with Google Provider. I get past the google screens no problem.

https://<function>.azurewebsites.net/.auth/login/google =>
I pulled the authentication token from the token fragment in resulting callback.

I put the token in the X-ZUMO-AUTH header for /.auth/me => gets what looks valid

I call the custom HttpTrigger AuthorizationLevel.User with the same token => 401

Ultimately, I am planning on using this in a .NET Maui app using WebAuthenticator. I have that part all worked.

I have tried creating a whole new azure function, configuring and deploying it. No dice. I am at wits in, and I have been trying to fix this for multiple days. i am convinced that this is a configuration problem.

P.S. Allowed external redirect URLs cannot be set to anything besides https or http, so I can't make it open an app.

Pashikanti Kumar 1,560 Reputation points Microsoft External Staff Moderator

2025-09-16T21:53:55.6066667+00:00
Hi Sean Sparkman,

Thank you for posting your question in the Microsoft Q&A forum

You're encountering persistent 401 Unauthorized errors when calling your Azure Function with AuthorizationLevel.User, despite successfully authenticating via Google and receiving what appears to be a valid token. Based on your detailed reproduction steps and extensive internal and external documentation, here's a breakdown of what's going wrong and how to fix it.

Two Authentication Mechanisms

Your Azure Function is configured with AuthorizationLevel.User, which expects a valid JWT token in the Authorization header using the Bearer scheme. However, you're using the X-ZUMO-AUTH header, which is intended for mobile SDKs and Easy Auth cookie-based flows.

/.auth/me works because it reads the encrypted cookie set by Easy Auth.

Your custom HttpTrigger fails because it tries to validate the JWT token directly, and the token you're using has an invalid signature.

Use the Correct Token

Ensure you're using the ID token, not the access token.

The token must be signed by Google and verifiable by Azure Functions.

Use https://jwt.io to inspect the token. If the signature is invalid, Azure will reject it.

Configure Easy Auth Properly

Go to Authentication / Authorization in the Azure portal.

Set up Google as an identity provider.

Ensure the client ID and secret are correct.

Set Allowed Token Audiences to match your function app’s URL.

Use Authorization Header Correctly

Authorization: Bearer <your_valid_id_token>

Do not use X-ZUMO-AUTH for HttpTrigger endpoints with AuthorizationLevel.User.

Debugging Tips

Use Postman or curl to test with the correct header.

Enable Application Insights to capture detailed logs.

Implement JwtBearerEvents in your function to log token validation failures

(Troubleshooting 401 Unauthorized Errors in ASP.NET Core Web API with Microsoft Entra ID Authentication | Microsoft Learn)

Common Pitfalls

Invalid Signature: If JWT.IO says the signature is invalid, Azure will return 401.

Wrong Token Type: Access tokens won’t work; use ID tokens.

Local Testing: Easy Auth does not work locally. You must deploy to Azure to test properly.

C# Azure Function that protects an HTTP trigger function with Easy Auth and access token scope validation. - Code Samples | Microsoft Learn

Redirect URLs: Must be HTTPS or HTTP. Custom schemes like myapp:// are not allowed.

References

Azure Functions HTTP trigger | Microsoft Learn

Troubleshooting 401 Unauthorized Errors in ASP.NET Core Web API with Microsoft Entra ID Authentication | Microsoft Learn)
Pashikanti Kumar 1,560 Reputation points Microsoft External Staff Moderator

2025-09-19T19:31:02.9833333+00:00
Hi Sean Sparkman,

The root cause is that Microsoft Entra (Azure AD) and Azure App Service now enforce redirect URI validation with stricter rules. Custom schemes like myapp://easyauth.callback are no longer accepted unless they meet exact validation criteria. Examples like myapp://auth pass the validation because they follow a simpler scheme structure.

Key points about redirect URI validation:

Redirect URIs must start with https except for some localhost exceptions.

Custom URI schemes (like myapp://) are allowed but must be precise and registered correctly.

Certain characters or complex paths in the URI might cause the validation to fail.

Microsoft documentation highlights these best practices and restrictions here:
https://learn.microsoft.com/en-us/entra/identity-platform/reply-url

Why your myapp://easyauth.callback stopped working:

Microsoft likely updated validation rules to improve security.

Your custom scheme and path might violate the new stricter pattern.

The example myapp://auth works because it's a simpler, widely accepted pattern.

Recommended next steps:

Use HTTPS redirect URIs if possible, combined with deep linking mechanisms inside your app.

If you must use a custom URI scheme, simplify it and re-register it carefully.

Review your Azure AD app registration's redirect URI list carefully.

Consider reporting this as feedback to Microsoft if this behavior significantly impacts your solution.

The recent Azure platform updates impose stricter redirect URI validation forbidding current usage of myapp://easyauth.callback. Simplifying the custom scheme or switching to HTTPS-based redirects usually solves the problem.

If needed, I can help review your current configuration or suggest alternative redirect URI strategies based on your app architecture.

References

Azure Functions Consumption plan hosting | Azure Docs

Azure Functions scale and hosting | Microsoft Learn

Azure Functions best practices | Microsoft Learn

Kindly let us know if the above information helps or you need further assistance on this issue.

Please "Upvote" if the information helped you. This will help us and others in the community as well.

Thanks

3 answers

Your answer

Answer 1

the fact that .auth/me works but your function doesn't is a huge clue. the .auth/me endpoint just reads the encrypted cookie that easy auth sets, but your function is trying to validate the JWT token directly from the header. that's two different authentication mechanisms.

when you use AuthorizationLevel.User in your function, it expects a valid JWT token in the Authorization header with the Bearer scheme. it doesn't use the X-ZUMO-AUTH header. that header is for the mobile client sdks.

so, instead of putting your token in the X-ZUMO-AUTH header, try this. add an Authorization header with the value Bearer <your_id_token>. your function should then validate the signature of that JWT against the google issuer.

but wait, you said JWT.IO says the signature is invalid. that's the real problem right there. if the signature is invalid, azure functions will reject it and return a 401. this usually means the JWT wasn't signed correctly, or the key used to sign it isn't available for validation.

since you're using google, make sure you configured the client id and secret correctly in your easy auth settings. also, check that the token you're using is the id_token and not an access_token. easy auth and your function need the id token.

this might help in other scenarios too, always use the id token for authentication.

aha, and here's another thing. the Allowed external redirect URLs field in the google auth setup needs to include your function's callback url. it should be something like https://<your-function>.azurewebsites.net/.auth/login/google/callback. if that's missing, the token might not be issued correctly.

also, give this microsoft doc a quick read. it explains how the tokens flow with easy auth. https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization

hope this gets you past that 401 error. swapping that header should do the trick. let me know if it works.

Best regards,

Alex

and "yes" if you would follow me at Q&A - personaly thx.
P.S. If my answer help to you, please Accept my answer

https://ctrlaltdel.blog/

Sean Sparkman 10 Reputation points

2025-09-09T21:34:36.5533333+00:00

I have tried all of these. The callback URI is not for an external URI, so it's not needed, but I tried it anyway. I have tried setting the WEBSITE_AUTH_ENCRYPTION_KEY and WEBSITE_AUTH_SIGNING_KEY manually and nothing.
Sean Sparkman 10 Reputation points

2025-09-10T03:10:59.6066667+00:00

It turns out, if I set the AuthorizationLevel.Anonymous and set Restrict access: Require authentication and Unauthenticated requests: Return HTTP 401 Unauthorized, it works. What's the AuthorizationLevel.User even for? I can't have any HttpTrigger endpoints that are public?

Answer 2

Logging in steps to reproduce:

Open in chrome https://<function name>.azurewebsites.net/.auth/login/google
Select my google account to login with
Chrome shows me "You have successfully signed in" on the url: /.auth/login/done#token=<json object>
Take the authenticationToken from the JSON Object (It starts with ey)
Validate this token (Fails validation)
Open Postman
Create new request
1. Url: /.auth/me
2. Add header X-ZUMO-AUTH with authenticationToken from JSON Object
Press Send
1. Receive a 200 OK
The response includes access_token, expiration, provider name, all of my google claims, user_id (my google address and outside of the claims array, and a different id token
Create new request
1. Url: /api/addresses/countries
2. Add header X-ZUMO-AUTH with authenticationToken from JSON Object
Press Send
1. Receive a 401 Unauthorized
Remove X-ZUMO-AUTH header from /api/addresses/countries
Set the Authorization to Bearer and use the authenticationToken from the JSON Object
Press Send
1. Receive a 401 Unauthorized
Take the authenticationToken from the JSON Object and Base64 the value as the Bearer Token
Press Send
1. Receive a 401 Unauthorized
Take the AppServiceAuthSession cookie from Step 3 and replace the Bearer Token
Press Send
1. Receive a 401 Unauthorized
Take the google id_token (different token altogether)
Create new request
1. Url: /.auth/login/google
2. Body (json): { "id_token": "..." }
3. Method: POST
Press Send
1. Receive a 200 OK
2. Response Body: { "authenticationToken": "...", "user": { "userId": "sid:..." } }
Validate this new authenticationToken (Fails, Invalid Signature)
Create new request
1. Url: /api/addresses/countries
2. Add header X-ZUMO-AUTH with authenticationToken from /.auth/login/google results
Press Send
1. Receive a 401 Unauthorized
Remove X-ZUMO-AUTH header from /api/addresses/countries
Set the Authorization to Bearer and use the authenticationToken from /.auth/login/google results
Press Send
1. Receive a 401 Unauthorized
Lose hair.

Answer 3

I fixed it by turning on auth all endpoints and setting all functions to AuthorizationLevel.Anonymous. This is super counter intuitive. I am seriously considering moving to a different solution. I will probably have to open a whole new issue, but the externalRedirectUrls broke today. It no longer works with myapp://easyauth.callback. The documentation gives the example of myapp://auth, but that doesn't past validation. I had myapp://easyauth.callback working today, but it stopped working. I am guessing some kind of update. Azure Functions Authentication is far from easy. I am not even sure why I am using it.

Share via

Why does my HttpTrigger AuthorizationLevel.User keep return 401?

3 answers

Your answer