CODEWITHSUNDEEP
asp.net-coreauthenticationazure-functionsidentityserver4claims
parag
parag

Reputation: 2573

Get user info and other claims in Azure Function with Identity server

I am having an application where Authentication is done using IdentityServer4 with Azure AD as an OpenID provider. IdentityServer4 is hosted in Azure App service. After successful authentication, I am able to get access token in Angular application. Access token is passed to .Net Core based RESTful API which is hosted in Azure Function 3.x. In my Azure function I would like to get user info and other claims without hitting the end point "/connect/userinfo" of IdentityServer4.

Something similar to following for getting Claims would be helpful

[FunctionName("MyFunctionName")]
public static HttpResponseMessage Run(
            [HttpTrigger(
                AuthorizationLevel.Anonymous,
                "get", "post",
                Route = "MyFunctionName")]HttpRequestMessage req, 
            ILogger log, 
            ClaimsPrincipal claimsPrincipal)
{
    // My function code here...
}

How do I get I user info and other claims in Azure function where Authentication is done by IdentityServer4 with Azure AD as OpenID provider

Upvotes: 0

Views: 2072

Answers (2)

parag
parag

Reputation: 2573

If you don't want to hit user info end point of Identity Server to get the user info and other claims, here is what needs to be done.

  1. Add the claim info to the authorization token
  2. Parse the authorization token and extract the user info and other claim information.

The downside of this approach is that the token size is increased but advantage is that you don't need hit userinfo end point which saves your http request(s). So there are trade offs between each approach.

Here is how you can add claims info while configuring your api in Identity Server. Typically this information resides in Config.cs if you have used Identity Server template

public static IEnumerable<ApiResource> GetApis()
    {
        var apiResourceList = new List<ApiResource>
        {
                new ApiResource(IdentityServerConstants.LocalApi.ScopeName)
                { 
                    UserClaims =
                    {
                        JwtClaimTypes.Email,
                        JwtClaimTypes.PhoneNumber,
                        JwtClaimTypes.GivenName,
                        JwtClaimTypes.FamilyName,
                        JwtClaimTypes.PreferredUserName
                    },                      
                }
                
        };          
        return apiResourceList;
    }

For parsing and validating the token please follow the blog Manual token validation in Azure Function

This StackOverflow thread is also very useful.

Upvotes: 0

Tore Nestenius
Tore Nestenius

Reputation: 19921

If you have a valid access token, then you can make a request on your own to the UserInfo endpoint to retrieve the remaining user details.

Read more about it here

The only option if you don't want to access the userinfo endpoint is to include the required data in the tokens directly. Here you need to do a trade-of between token size vs convenience. Then you get a really stateless system.

Upvotes: 1

Related Questions