StZ

Reputation: 125

Azure Function Authentication using AD B2C for Daemon Applications

I have an Azure Function App running in a Premium Plan that is authenticated using Azure AD B2C. Users of a simple SPA obtain their tokens through a sign-in flow of the AD B2C. The SPA is registered as an app in the AD B2C, and the Function App's Authentication is configured to use that app registration:

Authentication / Azure Active Directory / Advanced

ClientId: <ClientId of the app registration>

Issuer Url: https://<ADB2C-Tenant>.b2clogin.com/<ADB2C-Tenant>.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_Sign_In

Calls against the Function App with these tokens obtained through the SPA work fine.

Now I need a daemon application (at the moment the function itself) to access the Function App without a user performing a login.

For this I tried obtaining the token as a client credential with a shared secret:

POST https://login.microsoftonline.com/<B2C-Tenant-Id>/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=<ClientId of the app registration>
&scope=https://<ADB2C-Tenant>.onmicrosoft.com/<ClientId of the app registration>/.default
&client_secret=<Secret of the app registration>

This successfully returns a JWT token; however, using it to authenticate a call to the function app results in a 401: "You do not have permission to view this directory or page."

I suspect this is caused by a "false" issuer of the token: https://login.microsoftonline.com/<ADB2C-Tenant>/v2.0 as opposed to the issuer of the working JWT token: https://<ADB2C-Tenant>.b2clogin.com/<B2C-Tenant-Id>/v2.0/. The latter gets accepted by the Function App, the former does not.

I understand that the "OAuth 2.0 client credentials grant flow" is currently not directly supported by Azure AD B2C, as described here. However, the document describes a "workaround", which, from my understanding, is essentially what I already tried without success.

How can I get this working and access an Azure Function App protected with Azure AD B2C from daemon applications as well?

Upvotes: 1

Views: 406

Answers (2)

Ross Dargan

Reputation: 6021

FYI, Authentication v2 now supports this: you can add multiple identity providers.

Upvotes: 1

JayakrishnaGunnam-MT

Reputation: 1866

As mentioned by @Jas Suri in the comment section, we can only set up one issuer from the portal. You need to use authentication libraries to trust two issuers.

Upvotes: 1
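The two answers above say the portal setting trusts a single issuer, so a function that must accept both the B2C user tokens (issuer `https://<ADB2C-Tenant>.b2clogin.com/<B2C-Tenant-Id>/v2.0/`) and the client-credentials tokens minted by the underlying tenant (issuer `https://login.microsoftonline.com/<B2C-Tenant-Id>/v2.0`) has to validate tokens in code against an issuer allow-list. The following is an added, self-contained example and not code from the question, the answers, or Microsoft: it mints constructed tokens for both issuers and shows the 401 from the question when only the B2C issuer is trusted, and a 200 once both are. The tenant ID, client ID, host name `contoso.b2clogin.com`, and signing key are all constructed, and the tokens are HS256-signed with a shared key purely so the example runs offline; real Azure AD and B2C tokens are RS256-signed and must be verified against the `jwks_uri` published in each issuer's OpenID discovery document (a JWT library such as PyJWT or MSAL does that part).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed identifiers standing in for the real tenant and app registration.
B2C_TENANT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_ID = "22222222-2222-2222-2222-222222222222"

# Issuer of user tokens from the B2C sign-in user flow (the one issuer the
# portal "Issuer Url" setting trusts).
B2C_ISSUER = f"https://contoso.b2clogin.com/{B2C_TENANT_ID}/v2.0/"
# Issuer of client-credentials tokens minted by the underlying AAD tenant.
AAD_ISSUER = f"https://login.microsoftonline.com/{B2C_TENANT_ID}/v2.0"

# Constructed shared key. Real tokens are RS256-signed; HS256 is used here only
# so the example runs offline without fetching either issuer's JWKS.
SIGNING_KEY = b"constructed-example-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(issuer: str, audience: str, lifetime: int = 3600, now=None) -> str:
    """Create a constructed HS256 JWT carrying the claims relevant to the 401."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "aud": audience, "iat": now, "exp": now + lifetime}
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(payload).encode())}"
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token: str, trusted_issuers, audience: str, now=None) -> dict:
    """Check signature, expiry, audience, and that `iss` is on the allow-list.

    Raises ValueError on any failure and returns the claims on success.
    """
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    # This is the check the portal performs against a single issuer; here it
    # is an allow-list so user and daemon tokens can both be accepted.
    if claims.get("iss") not in trusted_issuers:
        raise ValueError(f"untrusted issuer: {claims.get('iss')}")
    return claims


def authorize(token: str, trusted_issuers, now=None) -> int:
    """Return the HTTP status the function would answer with: 200 or 401."""
    try:
        validate_token(token, trusted_issuers, CLIENT_ID, now=now)
        return 200
    except ValueError:
        return 401


if __name__ == "__main__":
    user_token = mint_token(B2C_ISSUER, CLIENT_ID)
    daemon_token = mint_token(AAD_ISSUER, CLIENT_ID)
    # Portal-style configuration: only the B2C issuer is trusted.
    print(authorize(user_token, {B2C_ISSUER}), authorize(daemon_token, {B2C_ISSUER}))
    # Library-based validation trusting both issuers.
    both = {B2C_ISSUER, AAD_ISSUER}
    print(authorize(user_token, both), authorize(daemon_token, both))
```

Keep the audience check even after widening the issuer list: the daemon token is only valid for this function because its `aud` is the function's app registration, and a token from the same tenant issued for some other API must still be rejected.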