Azure-docs: Authentication

Created on 6 Mar 2018 · 18 Comments · Source: MicrosoftDocs/azure-docs

Why is there no documentation on authentication? In all those scenarios you would want to authenticate first with Azure Functions before CRUD operations.



All 18 comments

@Jeremywhiteley Thanks for the feedback! I have assigned this issue to the content author to evaluate and update the documentation as appropriate.

@Jeremywhiteley - So the authentication of an HTTP trigger with input or output to Azure Cosmos DB is handled by Azure Functions. They have a bit of info about it here https://docs.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-azure-function-app-settings#auth and then they link to the App Service authentication article - https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-overview.

What do you think needs to be added to the article you opened this issue on - https://docs.microsoft.com/en-us/azure/cosmos-db/serverless-computing-database. Do you just want a mention of the authentication being handled by Functions, or something deeper?

@Jeremywhiteley - Someone just pointed me at your tweet - https://twitter.com/jeremywhiteley/status/969626234064744449?s=09. So you're looking for a code sample for Azure Functions with Azure AD B2C?

Yes, show us code examples with best practices on how to use Azure AD B2C, Facebook login, or Google login with Azure Functions to secure access to Cosmos DB using the resource tokens that Cosmos DB requires.

This is the only example I could find, but I couldn't get it to work with Azure AD B2C. The example just uses Azure AD, which I think is different. https://github.com/adamhockemeyer/Azure-Functions---CosmosDB-ResourceToken-Broker

I used this article to try setting up Azure AD B2C with Azure Functions. https://blogs.msdn.microsoft.com/hmahrt/2017/03/07/azure-active-directory-b2c-and-azure-functions/

I understand this is new technology; however, we need code examples that show best practices so we can secure our code. All I see are links to articles that talk about it, but they don't walk you through it nor do they tie the technology all together.

I have also gone through all the Azure functions code samples and Cosmos DB. None of them include authentication except the Xamarin sample but that is just a web api and it doesn't seem to use best practices.

https://azure.microsoft.com/en-us/resources/samples/?sort=0&service=cosmos-db
https://azure.microsoft.com/en-us/resources/samples/?sort=0&service=functions

Also, should the client app talk directly to Cosmos DB or should it always use an API layer? The Xamarin sample shows it not using an API layer.

So basically I am looking for code examples that show you how to authenticate using Azure Functions with Azure AD B2C to Cosmos DB. We really need this. I have talked to other very skilled Azure developers and they come back to me with the same questions. Thank you for listening!

Ok, we will investigate and post back soon.

Thank you for your feedback @jeremywhiteley!

We have an Issue open on our backlog to address this issue. It will be addressed in an upcoming sprint.

https://mseng.visualstudio.com/TechnicalContent/_workitems/edit/1125634

@Jeremywhiteley - How can we help you best here? Are you looking for a long term plan on documenting all the authentication patterns (which we have covered in https://mseng.visualstudio.com/TechnicalContent/_workitems/edit/1125634) or is there one sample that we can provide to unblock you in the short term? If you're looking for the long term plan, this documentation will be created and tracked internally per the work item above, and we will close this git issue. However, if you need one code sample to unblock you, let us know. In that case, also let me know if you want to use resource tokens or key vault. Thank you.

@mimig1 I can't access that link. I get a permissions issue. Long term that would be great! Short term if you can point me to a code sample on git that would be great. Key vault would work. I very much appreciate your help and Microsoft being so open to helping customers.

@Jeremywhiteley - Yes, that link is to our internal tracking tool, but we include it here so we can map back to your original issue. We will work on the key vault sample and will follow up by EOD tomorrow with progress.

@Jeremywhiteley - @ealsur from the Azure Cosmos DB team has published a code sample and instructions here (https://medium.com/@Ealsur/azure-cosmos-db-functions-cookbook-secure-client-b2d8b3b1b5ca) to address your immediate concerns. And I see you've already posted a comment and seen it. Can you confirm that meets your immediate needs and then we'll close this issue and track the long term doc work internally?

@mimig1 @ealsur Awesome blog post! Will this work with Azure AD B2C and Easy Auth in Azure App Services (Azure Function or Web API)? I am trying to use a front end Web SPA app and a mobile front end (Flutter or NativeScript) with Cosmos DB.

Glad it was useful 😄 I have not tested the Easy Auth scenario, I believe that validates access to the Azure Function but I'm not sure if the identity will pass through, if it does, it's a matter of customizing the Key Vault's access policies for particular AD Users. For that, the best answer can be given by the Functions team 😄

They can’t answer that and they just send me back to the Cosmos DB team. I am frustrated by this.

Thank you. Those articles were super helpful. They addressed some of my other questions. I will need to try it and see what works.

I still think a complete sample with authentication here would be super helpful for developers.

https://azure.microsoft.com/en-us/resources/samples/


From: Matias Quaranta notifications@github.com
Sent: Friday, March 9, 2018 11:17:47 AM
To: MicrosoftDocs/azure-docs
Cc: Jeremy Whiteley; Mention
Subject: Re: [MicrosoftDocs/azure-docs] Authentication (#5314)

Are these articles helpful? https://cgillum.tech/2016/05/27/app-service-auth-and-azure-ad-b2c/, https://cgillum.tech/2016/08/10/app-service-auth-and-azure-ad-b2c-part-2/ to set up Easy Auth and B2C?

@Jeremywhiteley - We are tracking the complete samples via our internal work item, and it looks like you've been unblocked by the code sample and articles provided by @ealsur. I'm going to suggest that we close this issue as the immediate need has been taken care of, and the request for the long term plan has been filed. If this is not a correct assessment, please let me know. #please-close

Though it’s a good article. From what I have read you can’t use Key Vault with Azure AD B2C.

https://stackoverflow.com/questions/41473562/can-i-share-the-same-keyvault-between-azure-b2c-and-azure-b2b-aad

I am puzzled why Microsoft can’t provide code examples that show good practices on how to secure these technologies together. Google and AWS make it easy.
