
Asked by jasonjlee

Azure Functions V4 (.NET 6): JWT authentication with multiple issuers?

Hi,
My team is implementing APIs using Azure Functions V4 (.NET 6). These APIs need to use JWT bearer token authentication using tokens issued by both AAD and AAD B2C, thus the API needs to authenticate tokens from two different token issuers. How do we implement this with Azure Functions? Has anyone done this successfully with the latest version of Azure Functions?

The reason we require multiple issuers is because our APIs support both client (single-page app)-to-server and server-to-server auth. Our primary tenant is in B2C, which doesn't handle the OAuth client credentials flow for server-to-server communication, so we have to use the underlying AAD tenant for that flow. As such, tokens issued by AAD B2C have a different issuer than the AAD tenant. The problem is that the frameworks that currently support JWT authentication in Azure Functions V4 don't support multiple issuers; e.g., we couldn't find a way to get OpenIdConnectExtensions.AddOpenIdConnect to work, and Microsoft.Identity.Web doesn't yet support .NET 6.

Thanks in Advance

Tags: azure-active-directory, azure-functions, azure-ad-authentication, azure-ad-authentication-protocols
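One way to validate bearer tokens from two trusted issuers (an AAD tenant and an AAD B2C tenant) without a framework that handles it for you, as an added example that is not from the poster, from Microsoft, or from the forked library mentioned in the comments: each issuer gets its own `ConfigurationManager` (metadata and signing-key cache) from the Microsoft.IdentityModel packages, the token's unverified `iss` claim is used only to pick which trusted configuration to validate against, and signature, issuer, audience and lifetime are then checked by `JwtSecurityTokenHandler`. The issuer strings, discovery URLs and audience are supplied by the caller; the class name and its constructor shape are this example's own assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper (not a library type): validates JWTs against more than one trusted issuer.
// The unverified "iss" claim only selects which issuer's keys to use; it is never trusted by itself.
public sealed class MultiIssuerTokenValidator
{
    private readonly Dictionary<string, ConfigurationManager<OpenIdConnectConfiguration>> _issuers;
    private readonly string _audience;
    private readonly JwtSecurityTokenHandler _handler = new JwtSecurityTokenHandler();

    // issuerToMetadataUrl: expected "iss" value -> that issuer's OpenID Connect discovery document URL.
    public MultiIssuerTokenValidator(IDictionary<string, string> issuerToMetadataUrl, string audience)
    {
        _audience = audience;
        _issuers = new Dictionary<string, ConfigurationManager<OpenIdConnectConfiguration>>(StringComparer.Ordinal);
        foreach (var kv in issuerToMetadataUrl)
            _issuers[kv.Key] = new ConfigurationManager<OpenIdConnectConfiguration>(
                kv.Value, new OpenIdConnectConfigurationRetriever(), new HttpDocumentRetriever());
    }

    // Returns the validated principal, or null when the token must be rejected (caller answers 401).
    public async Task<ClaimsPrincipal?> ValidateAsync(string bearerToken, CancellationToken ct)
    {
        string issuer;
        try { issuer = _handler.ReadJwtToken(bearerToken).Issuer; } // parsed, NOT verified yet
        catch (ArgumentException) { return null; }                   // not a well-formed JWT
        if (issuer is null || !_issuers.TryGetValue(issuer, out var manager))
            return null;                                             // issuer is not one we trust

        var config = await manager.GetConfigurationAsync(ct);        // cached discovery doc + JWKS keys
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = issuer,                 // the verified claim must match the entry we selected
            ValidAudience = _audience,            // tokens minted for other APIs are rejected
            IssuerSigningKeys = config.SigningKeys,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };
        try { return _handler.ValidateToken(bearerToken, parameters, out _); }
        catch (SecurityTokenException) { manager.RequestRefresh(); return null; } // refetch keys after rollover
    }
}
```

Take each expected `iss` value from the `issuer` field of that tenant's discovery document rather than guessing it, since the AAD and B2C issuer formats differ from their metadata URLs. In a Function, strip the `Bearer ` prefix from the `Authorization` header, call `ValidateAsync`, and return 401 on a null result.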

@jasonjlee • I am looking into it and will post an answer once I have an update.


@jasonjlee • Is it an issue with .NET 6 only? Can you try .NET Core 3.1 to confirm the same?

jasonjlee replied to amanpreetsingh-msft:

Hi @amanpreetsingh-msft, we implemented it in .NET 6 from the start, so we never had a .NET Core 3.1 version working. At the moment, we have implemented a customized fork of https://github.com/fmichellonet/AzureFunctions.Extensions.OpenIDConnect to work with multiple issuers. However, we would prefer to have an official library (e.g. MSAL or Microsoft.Identity.Web) that supports Azure Functions V4 and multiple issuers rather than our own custom authentication module. Is there official guidance from MS for our situation?

Actually, looking at MSAL or Microsoft.Identity.Web documentation in more detail again, I'm not even sure they support multiple token issuers even for platforms that they support. Is this true?
Thanks


0 Answers