@svrooij
Last active May 4, 2021 14:38
Multi-tenant azure functions

Issue with EasyAuth on Azure Functions

In the authentication wizard on a newly created functions app, you can pick multi-tenant, but this only changes the possible accounts for the created app registration.

It doesn't seem to be possible to:

  1. Use EasyAuth with multiple tenants
  2. Receive a working access token for the Graph API

Steps to reproduce

  1. Create a new functions app. I picked Code, .NET, 3.1
  2. Add authentication and let it create a new application, with Any Azure AD directory - Multi-tenant and Allow unauthenticated access selected; make sure the Token store is turned on.
  3. Add the provided function, HttpTrigger, name HttpTrigger1 (which should either trigger a login or display the value of the X-MS-TOKEN-AAD-ACCESS-TOKEN header).
  4. Go to /api/HttpTrigger1
  5. If everything is correct you should see an access token which, when pasted into jwt.ms, shows an audience of 00000003-0000-0000-c000-000000000000, meaning Microsoft Graph.
  6. Call /.auth/logout to clear the session
  7. Change the issuer to https://login.microsoftonline.com/organizations/v2.0
  8. Try to go to /api/HttpTrigger1, it will fail because of an issuer mismatch.
  9. Remove the issuer URL (this reverts to the Azure AD v1 auth endpoint). I found the instructions here.
  10. Go to /api/HttpTrigger1
  11. You should now see some access token, and you can log in with multiple tenants.

Actual issue

Removing the issuer switches the authentication back to the Azure AD v1 auth endpoint, as you can see in the redirect URLs.

If I try to use the token from step 10 to call the Graph API, I'm stuck with the "CompactToken parsing failed with error code: 80049217" error that is described here.

According to the documentation, I need to change the additionalLoginParams at resources.azure.com, but that isn't allowed because I am (apparently) on the auth v2 settings (which I didn't pick and can't go back from).

Possible solution

It would be really awesome if, when you pick Any Azure AD - multi-tenant in the wizard, it switched the Issuer URL to https://login.microsoftonline.com/organizations/v2.0 and displayed an extra list for allowed issuers (like the allowed audiences).

This allowed issuers list should by default contain one entry, namely *, meaning "I don't care about the issuer, just log in the user", but it could also be replaced by multiple issuers. That way the application is multi-tenant, but you can still limit users based on their tenant.
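Until the portal offers such a list, the tenant check has to live in the function itself. The following is an added example (not the gist's code) of a helper that reads the iss and tid claims from the token EasyAuth hands to the function and checks them against an allow-list; it keys on tenant IDs rather than full issuer URLs because v1- and v2-format tokens spell the issuer differently. The class, the method names and the GUIDs are hypothetical.

```csharp
#r "Newtonsoft.Json"

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using Newtonsoft.Json.Linq;

// Added example, not part of the gist. EasyAuth has already validated the token's
// signature; this helper only inspects claims to enforce a per-tenant allow-list.
public static class TenantGuard
{
    // Hypothetical allow-list of tenant IDs (placeholder GUIDs). A single "*" entry
    // reproduces the "any issuer" default proposed above.
    public static readonly string[] AllowedTenants =
    {
        "11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222",
    };

    // Decode the JWT payload (second dot-separated segment) without verifying it.
    public static JObject ReadClaims(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWS");
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return JObject.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
    }

    // True when the token's tid is a GUID, the issuer URL embeds that same tenant
    // (holds for both https://sts.windows.net/{tid}/ and .../{tid}/v2.0 issuers),
    // and the tenant is on the allow-list or the list contains "*".
    public static bool IsTenantAllowed(string jwt, IEnumerable<string> allowed)
    {
        var claims = ReadClaims(jwt);
        var iss = (string)claims["iss"] ?? "";
        var tid = (string)claims["tid"] ?? "";
        Guid tenant;
        if (!Guid.TryParse(tid, out tenant)) return false;
        if (iss.IndexOf("/" + tid + "/", StringComparison.OrdinalIgnoreCase) < 0) return false;
        return allowed.Any(a => a == "*" || string.Equals(a, tid, StringComparison.OrdinalIgnoreCase));
    }
}
```

In the gist's Run method, call TenantGuard.IsTenantAllowed(req.Headers[header].ToString(), TenantGuard.AllowedTenants) after the IsAuthenticated check and return new UnauthorizedResult() when it is false.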

#r "Newtonsoft.Json"

using System.Net;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Primitives;
using Newtonsoft.Json;

public static async Task<IActionResult> Run(HttpRequest req, ILogger log)
{
    // EasyAuth puts the access token it obtained for the user in this header
    // when the token store is enabled.
    var header = "X-MS-TOKEN-AAD-ACCESS-TOKEN";
    log.LogInformation("C# HTTP trigger function processed a request.");

    // Not signed in yet: send the browser through the EasyAuth login flow and
    // come back to this function afterwards.
    if (!req.HttpContext.User.Identity.IsAuthenticated)
    {
        return new LocalRedirectResult("/.auth/login/aad?post_login_redirect_url=/api/HttpTrigger1", false);
    }

    // Signed in: echo the access token so it can be inspected (e.g. on jwt.ms).
    string result = "Access Token: " + (req.Headers.ContainsKey(header) ? req.Headers[header].ToString() : "empty");
    return new OkObjectResult(result);
}