
Authenticate Azure Function by Token with Resource

I have an Azure Function with Authorization/authentication enabled via AD log in.

I am trying to authenticate by generating a token using client_credentials:

Refer to the following code below:

    using System.Collections.Specialized;
    using System.Net;
    using System.Text;
    using System.Text.Json;

    // Only the field of the v1 token endpoint's JSON response that this client needs.
    public class AzureFunctionTokenResponseBase
    {
        public string access_token { get; set; }
    }

    public static class FunctionTokenClient
    {
        // AAD v1 token endpoint for the tenant; the GUID in the path is the tenant ID.
        static readonly string tokenendpoint = "https://login.microsoftonline.com/172f05a2-f956-4856-b4c8-9580a54dbd56/oauth2/token";

        static readonly string clientID = "eaeff78a-26ef-4bcb-b977-638316ff15b7";
        static readonly string clientSecret = "HvVlipQkpuezmD4YiUcWVpZ5Cn1cP3vxiW61pSpDo8k=";
        static readonly string resource = "eaeff78a-26ef-4bcb-b977-638316ff15b7"; // ClientID; the v1 endpoint copies this value into the token's aud claim
        static readonly string grantType = "client_credentials";

        public static string AcquireAzureFunctionToken()
        {
            using (var reqToken = new WebClient())
            {
                NameValueCollection parameters = new NameValueCollection();
                parameters.Add("client_id", clientID);
                parameters.Add("client_secret", clientSecret);
                parameters.Add("resource", resource);
                parameters.Add("grant_type", grantType);

                // UploadValues sends the parameters as an application/x-www-form-urlencoded POST body.
                var responseTokenBytes = reqToken.UploadValues(tokenendpoint, "POST", parameters);
                string responseTokenContent = Encoding.UTF8.GetString(responseTokenBytes);

                // Parse the JSON as-is; stripping backslashes first would corrupt escaped characters.
                var azureFunctionTokenResponse = JsonSerializer.Deserialize<AzureFunctionTokenResponseBase>(responseTokenContent);
                return azureFunctionTokenResponse.access_token; // sent to the Function as "Authorization: Bearer <token>"
            }
        }
    }

All works fine if I set the resource as the ClientID of my function. However, in many examples online the Resource is set to the Azure Function Uri.

If I set my Resource to https://www.xxxxxx.azurewebsites.com then I get a 401 error.

Why is this?

I spent a whole day in getting this to finally work but nowhere in the docs does it say to enter the ClientID as the Resource??

If you use the same AAD app to enable Authorization/Authentication for your Azure Function and in your client code to acquire the access_token for accessing your Azure Function, you could specify the resource as either the Application ID (ClientID) or the App ID URI of your AAD app.

In general, we would use the ClientID as the resource. App Service Authorization/Authentication compares the Client ID you configured under Authentication / Authorization > Azure Active Directory Settings with the aud property of the incoming JWT bearer token; you could leverage https://jwt.io/ to decode your token.

However, in many examples online the Resource is set to the Azure Function Uri.

If I set my Resource to https://www.xxxxxx.azurewebsites.com then I get a 401 error.

I assume that those samples use the App ID URI. You could set the App ID URI to https://www.xxxxxx.azurewebsites.com for your AAD app (Settings > Properties > App ID URI), then use the App ID URI for the resource parameter.

Note: For this approach, you may need to adjust the Azure Active Directory Settings for your Azure Function. You may keep the Client ID set to the Application ID of your AAD app and add the App ID URI to the ALLOWED TOKEN AUDIENCES list, or you could just replace it with your App ID URI.

Additionally, you could use the ADAL library for acquiring the token. Also, if you create a separate AAD app for your Azure Function and for your client app, you could follow this issue.
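The audience test described in the answer above (the configured Client ID, plus anything in ALLOWED TOKEN AUDIENCES, is matched against the token's aud claim) is what turns the wrong resource value into a 401. The following is an added example, not code from the question or the answer, that reproduces just that comparison offline: it builds JWT-shaped tokens whose aud is either the Client ID or the App ID URI and runs them through a function that mimics the App Service audience check. The Client ID and App ID URI values are constructed placeholders, the tokens carry a dummy signature segment, and no signature, issuer or expiry validation is performed, so this is only a model of the audience rule, never a substitute for real token validation.

```python
import base64
import json

# Constructed placeholders for this example; they are not real tenant values.
CLIENT_ID = "00000000-0000-0000-0000-000000000001"
APP_ID_URI = "https://www.xxxxxx.azurewebsites.com"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_demo_jwt(claims: dict) -> str:
    """Build a JWT-shaped compact string for the demo.

    The third segment is a placeholder, not a real RS256 signature: this example
    only exercises the aud comparison, nothing here verifies signatures.
    """
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def jwt_audiences(token: str) -> list:
    """Return the aud claim as a list; RFC 7519 allows a string or an array."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    claims = json.loads(b64url_decode(parts[1]))
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def audience_check(token: str, client_id: str, allowed_token_audiences=()) -> int:
    """Model of the App Service audience rule (assumption: only the aud test is modelled).

    Accept (200) if any aud value equals the configured Client ID or an entry in
    ALLOWED TOKEN AUDIENCES; otherwise reject with 401 as in the question.
    """
    allowed = {client_id, *allowed_token_audiences}
    return 200 if any(a in allowed for a in jwt_audiences(token)) else 401


def demo() -> dict:
    """Walk through the three cases discussed in the question and answer."""
    results = {}
    # resource = ClientID: the v1 endpoint sets aud = ClientID, which matches the configured Client ID.
    results["resource_is_client_id"] = audience_check(make_demo_jwt({"aud": CLIENT_ID}), CLIENT_ID)
    # resource = App ID URI with ALLOWED TOKEN AUDIENCES left at its default: aud does not match, 401.
    results["app_id_uri_not_allowed"] = audience_check(make_demo_jwt({"aud": APP_ID_URI}), CLIENT_ID)
    # Same token after the App ID URI is added to ALLOWED TOKEN AUDIENCES: accepted.
    results["app_id_uri_allowed"] = audience_check(
        make_demo_jwt({"aud": APP_ID_URI}), CLIENT_ID, [APP_ID_URI]
    )
    return results


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

Run it and the middle case is the 401 from the question: the token is valid for the tenant, but its aud is the App ID URI while App Service only knows the Client ID. Decoding a token this way (or on jwt.io) is fine for diagnosing an audience mismatch; an actual resource server must additionally verify the signature against the tenant's signing keys and check the issuer and expiry before trusting any claim.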
