Microsoft-identity-web: [Feature Request] New template for .NET 5.0 Azure functions

Created on 7 Apr 2021  路  6Comments  路  Source: AzureAD/microsoft-identity-web

Is your feature request related to a problem? Please describe.
Microsoft.Identity.Web supports NET Core 3.1 Azure functions, but there is now a new model

Describe the solution you'd like
Provide a project template for .NET 5.0 Azure functions

Additional context

func new --name SampleFunc --template "HTTP trigger" --authlevel "anonymous" 
enhancement

Most helpful comment

While this is not directly related to Microsoft.Identity.Web, I did a sample on the out-of-process model with token validation (thanks @damienbod for the head start!) and calls to Microsoft Graph and token exchange via MSAL.

Blog post: https://hajekj.net/2022/04/22/azure-functions-out-of-process-and-authentication-with-azure-ad/
Sample code: https://github.com/hajekj/azure-functions-dotnet-worker-miw

All 6 comments

Just a few thoughts...

I looked into it a bit already, and I think there will be a lot of work behind this due to the fact that the .NET 5.0 out-of-process hosting doesn't have HttpContext (uses custom made HttpRequestData instead - which will not likely work with regular middlewares like JwtBearer). So it would be best to create something like Microsoft.Identity.Web.AzureFunctions.Worker which would introduce the out-of-process helpers and replacements.

Also, since .NET 5.0 is not an LTS and support will likely end on February 2022, it could be better to wait until there's more information available whether the future release of the azure-functions-dotnet-worker will bring actual HttpContext and parity with in-process-model (also .NET 6.0 Functions runtime (~November 2021, which is LTS) will still support in-process hosting).

I am sure that supporting out-of-process model would fix #916, because it doesn't interfere with Azure Functions host.

Thanks for the heads-up, @hajekj! this is very useful.
We'll wait!

@jmprieur @hajekj does that mean that we cannot protect .NET 5.0 Azure Functions HTTP trigger with Microsoft Identity Web before at least November? Do you recommend a temporary workaround (ex. validating the token and claims manually)?
Thanks,
Marc

@MarcAnnous you can protect Functions in .NET 5.0 with Bearer tokens, currently there are two ways (none of them is Microsoft.Identity.Web):

  • Use EasyAuth, example (this is indeed easy and works out of box by just enabling it)
  • Implement the validation in the Function directly like this - note that it will be different, since like mentioned above, there is no HttpContext in the out-of-process model right now. But I think this is currently the best way to achieve it in .NET 5.0 hosting model.

@hajekj @MarcAnnous I extended the solution from Christos Matskas and Boris Wilhelms and added some extra validation which should not be skipped and can be used with any DI and returns the claims.

https://damienbod.com/2020/09/24/securing-azure-functions-using-azure-ad-jwt-bearer-token-authentication-for-user-access-tokens/

I think JWT Bearer auth should be out-of-the-box for any Identity provider using oauth in Azure Functions. Not "just" AAD should be supported although I like this really a lot.

There are also other JWT auth github projects to fulfil this gap.

Greetings Damien

While this is not directly related to Microsoft.Identity.Web, I did a sample on the out-of-process model with token validation (thanks @damienbod for the head start!) and calls to Microsoft Graph and token exchange via MSAL.

Blog post: https://hajekj.net/2022/04/22/azure-functions-out-of-process-and-authentication-with-azure-ad/
Sample code: https://github.com/hajekj/azure-functions-dotnet-worker-miw

Was this page helpful?
0 / 5 - 0 ratings