How do I get Azure Functions "Easy Auth" to return an app role to the function from a valid JWT token?

Jason Olsan 21 Reputation points
2022-05-16T21:16:01.15+00:00

I'm having a very difficult time getting an application role to return in an Azure Function I've created.

I've successfully gotten a service principal (via a console client that is registered as a separate app) to authenticate. I'm able to make authenticated calls to every endpoint I've created via the service principal.

I'm attempting to access the ClaimsPrincipal via HttpRequest.HttpContext.User.

Looking at the app insights traces I've created, the User is valid and the Identity is returning as authenticated via Federation. However, I'm not getting any sort of Identity.Name and all calls to User.IsInRole() are returning false.

I've returned all claims and headers in my traces as well and I don't see a "roles" claim in the claims list and I also notice that I'm not seeing a X-MS-CLIENT-PRINCIPAL-NAME header, which the docs indicate I should see.

I'm having the exact same problem from an SPA connecting to the API, but I'm starting with the service principal since it's more direct.

Here's the JWT payload from JWT.io (stripped of identifying info, but each item was confirmed before removing):

{
  "aud": "<my web API's app registration Object ID>",
  "iss": "https://login.microsoftonline.com/<my Azure AD tenant ID>/v2.0",
  "iat": 1652734002,
  "nbf": 1652734002,
  "exp": 1652737902,
  "aio": "<internal claim string>",
  "azp": "<my client's app registration Object ID>",
  "azpacr": "1",
  "oid": "<my client's enterprise app Object ID>",
  "rh": "<revalidation token>",
  "roles": [
    "Test.View"
  ],
  "sub": "<my client's enterprise app Object ID>",
  "tid": "<my Azure AD tenant ID>",
  "uti": "M5DkpJ-Rr0Gv02vEwkMdAQ",
  "ver": "2.0"
}

Update: Here's the JWT from my SPA client:

{
  "aud": "<my web API's app registration Object ID>",
  "iss": "https://login.microsoftonline.com/<my Azure AD tenant ID>/v2.0",
  "iat": 1652735561,
  "nbf": 1652735561,
  "exp": 1652739461,
  "groups": [
    "<group id>"
  ],
  "name": "Jason Olsan",
  "nonce": "<paramter>",
  "oid": "<my user Object ID>",
  "preferred_username": "jolsan@<AD domain>.com",
  "rh": "<revalidation token>",
  "roles": [
    "Test.View"
  ],
  "sub": "<token>",
  "tid": "<my Azure AD tenant ID>",
  "uti": "4O5HzQKc9EivfB55YPNXAA",
  "ver": "2.0"
}

I'm also not getting the "groups" claim returned either, but I'll dig into that later.

Second update: I've noticed that post-"Easy Auth", there's a header in the HttpRequest called "X-ZUMO-AUTH" (same header as the one that the SPA uses to authenticate with the function). When I decrypt the token from the function side, the payload is significantly smaller AND the "sub" doesn't match. I can't even find the object ID from "sub" in my AD.

I've also checked the post-"Easy Auth" header for my service principal request (which is a completely separate app and identity) and it comes back with the exact same "sub" ID: sid:4400ffb5ab5cf2fc7660cea8b10d2f6a.

Sus.

Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
5,114 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,127 questions
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.