Azure Functions
An Azure service that provides an event-driven serverless compute platform.
4,205 questions
Azure Functions V4 (.NET 6): JWT authentication with multiple issuers?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 83%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
Jason Lee
181
Reputation points
Hi,
My team is implementing APIs using Azure Functions V4 (.NET 6). These APIs need to use JWT bearer token authentication using tokens issued by both AAD and AAD B2C, thus the API needs to authenticate tokens from two different token issuers. How do we implement this with Azure functions? Has anyone done this successfully with the latest version of Azure Functions?
The reason we require multiple issuers is because our APIs support both client(single page app)-to-server and server-to-server auth. Our primary tenant is in B2C which doesn't handle the OAuth client credentials flow for server-server communication, so we have to use the underlying AAD tenant for that flow. As such, tokens issued by AAD B2C have a different issuer than the AAD tenant. The problem is the frameworks that currently support JWT authentication in Azure Functions V4 don't support multiple issuers. e.g. we couldn't find a way to get OpenIdConnectExtensions.AddOpenIdConnect to work and Microsoft.Identity.Web doesn't yet support .Net 6.
Thanks in Advance
{count} votes
-
AmanpreetSingh-MSFT 56,301 Reputation points2022-05-09T06:13:45.53+00:00 @Jason Lee • I am looking into it and will post an answer once I have an update.
-
AmanpreetSingh-MSFT 56,301 Reputation points
2022-05-12T06:33:58.153+00:00 @Jason Lee • Is it an issue with .net 6 only. Can you try .Net Core 3.1 to confirm the same?
-
Jason Lee 181 Reputation points
2022-05-12T18:37:34.48+00:00 Hi @AmanpreetSingh-MSFT , we implemented in .NET 6 from the start so we never had a .Net Core 3.1 version working. At the moment, we have implemented a customized fork of https://github.com/fmichellonet/AzureFunctions.Extensions.OpenIDConnect to work with multiple issuers. However, we would prefer to have an official library (e.g. MSAL or Microsoft.Identity.Web) that supports Azure Functions V4 and multiple issuers rather than our own custom authentication module. Is there official guidance from MS for our situation?
Actually, looking at MSAL or Microsoft.Identity.Web documentation in more detail again, I'm not even sure they support multiple token issuers even for platforms that they support. Is this true?
Thanks -
AmanpreetSingh-MSFT 56,301 Reputation points
2022-05-16T07:02:31.72+00:00 @Jason Lee • You can use Multi-tenant application for mulitple token issuers and then use ValidIssuers to authorize only those tokens which are issued by the tenants in the specified list of IEnumerable.
*ValidIssuers - Gets or sets the IEnumerable<T> that contains valid issuers that will be used to check against the token's issuer. The default is null.
-
Jason Lee 181 Reputation points
2022-05-17T17:43:12.167+00:00 Thanks @AmanpreetSingh-MSFT . The problem we're specifically trying to solve is when the first article you mentioned says "A multi-tenant application needs logic to decide which issuer values are valid and which are not based on the tenant ID portion of the issuer value." How do we do that at the API layer with Azure Functions V4 using an out-of-the-box framework like Microsoft.Identity.Web? I believe you're suggesting that there is no easy answer to this question and we have to implement our own custom authentication framework using core .NET libraries, which what we're implementing at the moment. e.g. Our custom auth framework is essentially wrapping System.IdentityModel (we can't use the ValidIssuers you mentioned as that's for the older Microsoft.IdentityModel).
-
AmanpreetSingh-MSFT 56,301 Reputation points
2022-05-17T18:06:38.633+00:00 @Jason Lee • Please refer to Custom Token Validation Allowing only Registered Tenants to do it via
Microsoft.Identity.Web. -
Jason Lee 181 Reputation points
2022-05-18T13:21:20.893+00:00 Hi @AmanpreetSingh-MSFT , that article is for implementing Web APIs instead of Azure Functions V4. We've been unsuccessful so far in adapting Web API libraries/strategies to Azure Functions. Is it known/proven that the approach in this article should work with Azure Functions V4 as well? If so, maybe we did something wrong and we can give it another try. Honestly, I'm starting to wonder if we should have chosen to implement the API using Azure App Service or AKS instead of Azure Functions. We chose Azure Functions due to its scalability and infrastructure simplicity, but we've run into a few issues like this one where it lacks features/capabilities that are out-of-the-box for Web APIs.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 63%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Peter 0 Reputation points2023-05-17T21:19:37+00:00 Jason, what modifications you did to OpenIDConnect to handle multiple issuers?
Sign in to comment