├── .gitignore
├── IsolatedFunctionAuth.sln
├── IsolatedFunctionAuth
├── .gitignore
├── Authorization
│ ├── AppRoles.cs
│ ├── AuthorizeAttribute.cs
│ ├── Scopes.cs
│ └── UserRoles.cs
├── IsolatedFunctionAuth.csproj
├── Middleware
│ ├── AuthenticationMiddleware.cs
│ ├── AuthorizationMiddleware.cs
│ ├── FunctionContextExtensions.cs
│ └── JwtPrincipalFeature.cs
├── Program.cs
├── Properties
│ ├── serviceDependencies.json
│ └── serviceDependencies.local.json
├── TestFunctions.cs
├── host.json
└── local.settings.sample.json
├── LICENSE
└── README.md
/.gitignore:
--------------------------------------------------------------------------------
1 | .vs
2 |
--------------------------------------------------------------------------------
/IsolatedFunctionAuth.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.0.31410.414
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "IsolatedFunctionAuth", "IsolatedFunctionAuth\IsolatedFunctionAuth.csproj", "{507778F4-B446-48CE-8D1F-1375961C4DE2}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {507778F4-B446-48CE-8D1F-1375961C4DE2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {507778F4-B446-48CE-8D1F-1375961C4DE2}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {507778F4-B446-48CE-8D1F-1375961C4DE2}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {507778F4-B446-48CE-8D1F-1375961C4DE2}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {3A864DB8-DEF8-457A-8827-DA433718548E}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/IsolatedFunctionAuth/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 |
4 | local.settings.json
5 |
6 | # User-specific files
7 | *.suo
8 | *.user
9 | *.userosscache
10 | *.sln.docstates
11 |
12 | # User-specific files (MonoDevelop/Xamarin Studio)
13 | *.userprefs
14 |
15 | # Build results
16 | [Dd]ebug/
17 | [Dd]ebugPublic/
18 | [Rr]elease/
19 | [Rr]eleases/
20 | x64/
21 | x86/
22 | bld/
23 | [Bb]in/
24 | [Oo]bj/
25 | [Ll]og/
26 |
27 | # Visual Studio 2015 cache/options directory
28 | .vs/
29 | # Uncomment if you have tasks that create the project's static files in wwwroot
30 | #wwwroot/
31 |
32 | # MSTest test Results
33 | [Tt]est[Rr]esult*/
34 | [Bb]uild[Ll]og.*
35 |
36 | # NUNIT
37 | *.VisualState.xml
38 | TestResult.xml
39 |
40 | # Build Results of an ATL Project
41 | [Dd]ebugPS/
42 | [Rr]eleasePS/
43 | dlldata.c
44 |
45 | # DNX
46 | project.lock.json
47 | project.fragment.lock.json
48 | artifacts/
49 |
50 | *_i.c
51 | *_p.c
52 | *_i.h
53 | *.ilk
54 | *.meta
55 | *.obj
56 | *.pch
57 | *.pdb
58 | *.pgc
59 | *.pgd
60 | *.rsp
61 | *.sbr
62 | *.tlb
63 | *.tli
64 | *.tlh
65 | *.tmp
66 | *.tmp_proj
67 | *.log
68 | *.vspscc
69 | *.vssscc
70 | .builds
71 | *.pidb
72 | *.svclog
73 | *.scc
74 |
75 | # Chutzpah Test files
76 | _Chutzpah*
77 |
78 | # Visual C++ cache files
79 | ipch/
80 | *.aps
81 | *.ncb
82 | *.opendb
83 | *.opensdf
84 | *.sdf
85 | *.cachefile
86 | *.VC.db
87 | *.VC.VC.opendb
88 |
89 | # Visual Studio profiler
90 | *.psess
91 | *.vsp
92 | *.vspx
93 | *.sap
94 |
95 | # TFS 2012 Local Workspace
96 | $tf/
97 |
98 | # Guidance Automation Toolkit
99 | *.gpState
100 |
101 | # ReSharper is a .NET coding add-in
102 | _ReSharper*/
103 | *.[Rr]e[Ss]harper
104 | *.DotSettings.user
105 |
106 | # JustCode is a .NET coding add-in
107 | .JustCode
108 |
109 | # TeamCity is a build add-in
110 | _TeamCity*
111 |
112 | # DotCover is a Code Coverage Tool
113 | *.dotCover
114 |
115 | # NCrunch
116 | _NCrunch_*
117 | .*crunch*.local.xml
118 | nCrunchTemp_*
119 |
120 | # MightyMoose
121 | *.mm.*
122 | AutoTest.Net/
123 |
124 | # Web workbench (sass)
125 | .sass-cache/
126 |
127 | # Installshield output folder
128 | [Ee]xpress/
129 |
130 | # DocProject is a documentation generator add-in
131 | DocProject/buildhelp/
132 | DocProject/Help/*.HxT
133 | DocProject/Help/*.HxC
134 | DocProject/Help/*.hhc
135 | DocProject/Help/*.hhk
136 | DocProject/Help/*.hhp
137 | DocProject/Help/Html2
138 | DocProject/Help/html
139 |
140 | # Click-Once directory
141 | publish/
142 |
143 | # Publish Web Output
144 | *.[Pp]ublish.xml
145 | *.azurePubxml
146 | # TODO: Comment the next line if you want to checkin your web deploy settings
147 | # but database connection strings (with potential passwords) will be unencrypted
148 | #*.pubxml
149 | *.publishproj
150 |
151 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
152 | # checkin your Azure Web App publish settings, but sensitive information contained
153 | # in these scripts will be unencrypted
154 | PublishScripts/
155 |
156 | # NuGet Packages
157 | *.nupkg
158 | # The packages folder can be ignored because of Package Restore
159 | **/packages/*
160 | # except build/, which is used as an MSBuild target.
161 | !**/packages/build/
162 | # Uncomment if necessary however generally it will be regenerated when needed
163 | #!**/packages/repositories.config
164 | # NuGet v3's project.json files produces more ignoreable files
165 | *.nuget.props
166 | *.nuget.targets
167 |
168 | # Microsoft Azure Build Output
169 | csx/
170 | *.build.csdef
171 |
172 | # Microsoft Azure Emulator
173 | ecf/
174 | rcf/
175 |
176 | # Windows Store app package directories and files
177 | AppPackages/
178 | BundleArtifacts/
179 | Package.StoreAssociation.xml
180 | _pkginfo.txt
181 |
182 | # Visual Studio cache files
183 | # files ending in .cache can be ignored
184 | *.[Cc]ache
185 | # but keep track of directories ending in .cache
186 | !*.[Cc]ache/
187 |
188 | # Others
189 | ClientBin/
190 | ~$*
191 | *~
192 | *.dbmdl
193 | *.dbproj.schemaview
194 | *.jfm
195 | *.pfx
196 | *.publishsettings
197 | node_modules/
198 | orleans.codegen.cs
199 |
200 | # Since there are multiple workflows, uncomment next line to ignore bower_components
201 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
202 | #bower_components/
203 |
204 | # RIA/Silverlight projects
205 | Generated_Code/
206 |
207 | # Backup & report files from converting an old project file
208 | # to a newer Visual Studio version. Backup files are not needed,
209 | # because we have git ;-)
210 | _UpgradeReport_Files/
211 | Backup*/
212 | UpgradeLog*.XML
213 | UpgradeLog*.htm
214 |
215 | # SQL Server files
216 | *.mdf
217 | *.ldf
218 |
219 | # Business Intelligence projects
220 | *.rdl.data
221 | *.bim.layout
222 | *.bim_*.settings
223 |
224 | # Microsoft Fakes
225 | FakesAssemblies/
226 |
227 | # GhostDoc plugin setting file
228 | *.GhostDoc.xml
229 |
230 | # Node.js Tools for Visual Studio
231 | .ntvs_analysis.dat
232 |
233 | # Visual Studio 6 build log
234 | *.plg
235 |
236 | # Visual Studio 6 workspace options file
237 | *.opt
238 |
239 | # Visual Studio LightSwitch build output
240 | **/*.HTMLClient/GeneratedArtifacts
241 | **/*.DesktopClient/GeneratedArtifacts
242 | **/*.DesktopClient/ModelManifest.xml
243 | **/*.Server/GeneratedArtifacts
244 | **/*.Server/ModelManifest.xml
245 | _Pvt_Extensions
246 |
247 | # Paket dependency manager
248 | .paket/paket.exe
249 | paket-files/
250 |
251 | # FAKE - F# Make
252 | .fake/
253 |
254 | # JetBrains Rider
255 | .idea/
256 | *.sln.iml
257 |
258 | # CodeRush
259 | .cr/
260 |
261 | # Python Tools for Visual Studio (PTVS)
262 | __pycache__/
263 | *.pyc
--------------------------------------------------------------------------------
/IsolatedFunctionAuth/Authorization/AppRoles.cs:
--------------------------------------------------------------------------------
1 | namespace IsolatedFunctionAuth.Authorization
2 | {
3 | public static class AppRoles
4 | {
5 | public const string AccessAllFunctions = "Functions.Access.All";
6 | }
7 | }
8 |
--------------------------------------------------------------------------------
/IsolatedFunctionAuth/Authorization/AuthorizeAttribute.cs:
--------------------------------------------------------------------------------
1 | using System;
2 |
3 | namespace IsolatedFunctionAuth.Authorization
4 | {
5 | ///
6 | /// Set at Function class or method level to
7 | /// set what scopes/user roles/app roles are
8 | /// required in requests.
9 | ///
10 | ///
11 | /// If you do not specify app roles, calls
12 | /// without user context will fail.
13 | /// Same goes for scopes/user roles;
14 | /// calls with user context will fail if
15 | /// both are not specified.
16 | ///
17 | [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
18 | public class AuthorizeAttribute : Attribute
19 | {
20 | ///
21 | /// Defines which scopes (aka delegated permissions)
22 | /// are accepted. In this sample these
23 | /// must be combined with .
24 | ///
25 | public string[] Scopes { get; set; } = Array.Empty();
26 | ///
27 | /// Defines which user roles are accpeted.
28 | /// Must be combined with .
29 | ///
30 | public string[] UserRoles { get; set; } = Array.Empty();
31 | ///
32 | /// Defines which app roles (aka application permissions)
33 | /// are accepted.
34 | ///
35 | public string[] AppRoles { get; set; } = Array.Empty();
36 | }
37 | }
38 |
--------------------------------------------------------------------------------
/IsolatedFunctionAuth/Authorization/Scopes.cs:
--------------------------------------------------------------------------------
1 | namespace IsolatedFunctionAuth.Authorization
2 | {
3 | public static class Scopes
4 | {
5 | public const string FunctionsAccess = "Functions.Access";
6 | }
7 | }
8 |
--------------------------------------------------------------------------------
/IsolatedFunctionAuth/Authorization/UserRoles.cs:
--------------------------------------------------------------------------------
1 | namespace IsolatedFunctionAuth.Authorization
2 | {
3 | public static class UserRoles
4 | {
5 | public const string User = "user";
6 | public const string Admin = "admin";
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/IsolatedFunctionAuth/IsolatedFunctionAuth.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 | net6.0
4 | v4
5 | Exe
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 | PreserveNewest
18 |
19 |
20 | PreserveNewest
21 | Never
22 |
23 |
24 | PreserveNewest
25 | Never
26 |
27 |
28 | PreserveNewest
29 | Never
30 |
31 |
32 |
33 |
--------------------------------------------------------------------------------
/IsolatedFunctionAuth/Middleware/AuthenticationMiddleware.cs:
--------------------------------------------------------------------------------
1 | using Microsoft.Azure.Functions.Worker;
2 | using Microsoft.Azure.Functions.Worker.Middleware;
3 | using Microsoft.Extensions.Configuration;
4 | using Microsoft.IdentityModel.Protocols;
5 | using Microsoft.IdentityModel.Protocols.OpenIdConnect;
6 | using Microsoft.IdentityModel.Tokens;
7 | using System;
8 | using System.Collections.Generic;
9 | using System.IdentityModel.Tokens.Jwt;
10 | using System.Linq;
11 | using System.Net;
12 | using System.Text.Json;
13 | using System.Threading.Tasks;
14 |
15 | namespace IsolatedFunctionAuth.Middleware
16 | {
17 | public class AuthenticationMiddleware : IFunctionsWorkerMiddleware
18 | {
19 | private readonly JwtSecurityTokenHandler _tokenValidator;
20 | private readonly TokenValidationParameters _tokenValidationParameters;
21 | private readonly ConfigurationManager _configurationManager;
22 |
23 | public AuthenticationMiddleware(IConfiguration configuration)
24 | {
25 | var authority = configuration["AuthenticationAuthority"];
26 | var audience = configuration["AuthenticationClientId"];
27 | _tokenValidator = new JwtSecurityTokenHandler();
28 | _tokenValidationParameters = new TokenValidationParameters
29 | {
30 | ValidAudience = audience
31 | };
32 | _configurationManager = new ConfigurationManager(
33 | $"{authority}/.well-known/openid-configuration",
34 | new OpenIdConnectConfigurationRetriever());
35 | }
36 |
37 | public async Task Invoke(
38 | FunctionContext context,
39 | FunctionExecutionDelegate next)
40 | {
41 | if (!TryGetTokenFromHeaders(context, out var token))
42 | {
43 | // Unable to get token from headers
44 | context.SetHttpResponseStatusCode(HttpStatusCode.Unauthorized);
45 | return;
46 | }
47 |
48 | if (!_tokenValidator.CanReadToken(token))
49 | {
50 | // Token is malformed
51 | context.SetHttpResponseStatusCode(HttpStatusCode.Unauthorized);
52 | return;
53 | }
54 |
55 | // Get OpenID Connect metadata
56 | var validationParameters = _tokenValidationParameters.Clone();
57 | var openIdConfig = await _configurationManager.GetConfigurationAsync(default);
58 | validationParameters.ValidIssuer = openIdConfig.Issuer;
59 | validationParameters.IssuerSigningKeys = openIdConfig.SigningKeys;
60 |
61 | try
62 | {
63 | // Validate token
64 | var principal = _tokenValidator.ValidateToken(
65 | token, validationParameters, out _);
66 |
67 | // Set principal + token in Features collection
68 | // They can be accessed from here later in the call chain
69 | context.Features.Set(new JwtPrincipalFeature(principal, token));
70 |
71 | await next(context);
72 | }
73 | catch (SecurityTokenException)
74 | {
75 | // Token is not valid (expired etc.)
76 | context.SetHttpResponseStatusCode(HttpStatusCode.Unauthorized);
77 | return;
78 | }
79 | }
80 |
81 | private static bool TryGetTokenFromHeaders(FunctionContext context, out string token)
82 | {
83 | token = null;
84 | // HTTP headers are in the binding context as a JSON object
85 | // The first checks ensure that we have the JSON string
86 | if (!context.BindingContext.BindingData.TryGetValue("Headers", out var headersObj))
87 | {
88 | return false;
89 | }
90 |
91 | if (headersObj is not string headersStr)
92 | {
93 | return false;
94 | }
95 |
96 | // Deserialize headers from JSON
97 | var headers = JsonSerializer.Deserialize>(headersStr);
98 | var normalizedKeyHeaders = headers.ToDictionary(h => h.Key.ToLowerInvariant(), h => h.Value);
99 | if (!normalizedKeyHeaders.TryGetValue("authorization", out var authHeaderValue))
100 | {
101 | // No Authorization header present
102 | return false;
103 | }
104 |
105 | if (!authHeaderValue.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
106 | {
107 | // Scheme is not Bearer
108 | return false;
109 | }
110 |
111 | token = authHeaderValue.Substring("Bearer ".Length).Trim();
112 | return true;
113 | }
114 | }
115 | }
116 |
--------------------------------------------------------------------------------
/IsolatedFunctionAuth/Middleware/AuthorizationMiddleware.cs:
--------------------------------------------------------------------------------
1 | using IsolatedFunctionAuth.Authorization;
2 | using Microsoft.Azure.Functions.Worker;
3 | using Microsoft.Azure.Functions.Worker.Middleware;
4 | using System;
5 | using System.Collections.Generic;
6 | using System.Linq;
7 | using System.Net;
8 | using System.Reflection;
9 | using System.Security.Claims;
10 | using System.Threading.Tasks;
11 |
12 | namespace IsolatedFunctionAuth.Middleware
13 | {
14 | public class AuthorizationMiddleware : IFunctionsWorkerMiddleware
15 | {
16 | private const string ScopeClaimType = "http://schemas.microsoft.com/identity/claims/scope";
17 |
18 | public async Task Invoke(
19 | FunctionContext context,
20 | FunctionExecutionDelegate next)
21 | {
22 | var principalFeature = context.Features.Get();
23 | if (!AuthorizePrincipal(context, principalFeature.Principal))
24 | {
25 | context.SetHttpResponseStatusCode(HttpStatusCode.Forbidden);
26 | return;
27 | }
28 |
29 | await next(context);
30 | }
31 |
32 | private static bool AuthorizePrincipal(FunctionContext context, ClaimsPrincipal principal)
33 | {
34 | // This authorization implementation was made
35 | // for Azure AD. Your identity provider might differ.
36 |
37 | if (principal.HasClaim(c => c.Type == ScopeClaimType))
38 | {
39 | // Request made with delegated permissions, check scopes and user roles
40 | return AuthorizeDelegatedPermissions(context, principal);
41 | }
42 |
43 | // Request made with application permissions, check app roles
44 | return AuthorizeApplicationPermissions(context, principal);
45 | }
46 |
47 | private static bool AuthorizeDelegatedPermissions(FunctionContext context, ClaimsPrincipal principal)
48 | {
49 | var targetMethod = context.GetTargetFunctionMethod();
50 |
51 | var (acceptedScopes, acceptedUserRoles) = GetAcceptedScopesAndUserRoles(targetMethod);
52 |
53 | var userRoles = principal.FindAll(ClaimTypes.Role);
54 | var userHasAcceptedRole = userRoles.Any(ur => acceptedUserRoles.Contains(ur.Value));
55 |
56 | // Scopes are stored in a single claim, space-separated
57 | var callerScopes = (principal.FindFirst(ScopeClaimType)?.Value ?? "")
58 | .Split(' ', StringSplitOptions.RemoveEmptyEntries);
59 | var callerHasAcceptedScope = callerScopes.Any(cs => acceptedScopes.Contains(cs));
60 |
61 | // This app requires both a scope and user role
62 | // when called with scopes, so we check both
63 | return userHasAcceptedRole && callerHasAcceptedScope;
64 | }
65 |
66 | private static bool AuthorizeApplicationPermissions(FunctionContext context, ClaimsPrincipal principal)
67 | {
68 | var targetMethod = context.GetTargetFunctionMethod();
69 |
70 | var acceptedAppRoles = GetAcceptedAppRoles(targetMethod);
71 | var appRoles = principal.FindAll(ClaimTypes.Role);
72 | var appHasAcceptedRole = appRoles.Any(ur => acceptedAppRoles.Contains(ur.Value));
73 | return appHasAcceptedRole;
74 | }
75 |
76 | private static (List scopes, List userRoles) GetAcceptedScopesAndUserRoles(MethodInfo targetMethod)
77 | {
78 | var attributes = GetCustomAttributesOnClassAndMethod(targetMethod);
79 | // If scopes A and B are allowed at class level,
80 | // and scope A is allowed at method level,
81 | // then only scope A can be allowed.
82 | // This finds those common scopes and
83 | // user roles on the attributes.
84 | var scopes = attributes
85 | .Skip(1)
86 | .Select(a => a.Scopes)
87 | .Aggregate(attributes.FirstOrDefault()?.Scopes ?? Enumerable.Empty(), (result, acceptedScopes) =>
88 | {
89 | return result.Intersect(acceptedScopes);
90 | })
91 | .ToList();
92 | var userRoles = attributes
93 | .Skip(1)
94 | .Select(a => a.UserRoles)
95 | .Aggregate(attributes.FirstOrDefault()?.UserRoles ?? Enumerable.Empty(), (result, acceptedRoles) =>
96 | {
97 | return result.Intersect(acceptedRoles);
98 | })
99 | .ToList();
100 | return (scopes, userRoles);
101 | }
102 |
103 | private static List GetAcceptedAppRoles(MethodInfo targetMethod)
104 | {
105 | var attributes = GetCustomAttributesOnClassAndMethod(targetMethod);
106 | // Same as above for scopes and user roles,
107 | // only allow app roles that are common in
108 | // class and method level attributes.
109 | return attributes
110 | .Skip(1)
111 | .Select(a => a.AppRoles)
112 | .Aggregate(attributes.FirstOrDefault()?.UserRoles ?? Enumerable.Empty(), (result, acceptedRoles) =>
113 | {
114 | return result.Intersect(acceptedRoles);
115 | })
116 | .ToList();
117 | }
118 |
119 | private static List GetCustomAttributesOnClassAndMethod(MethodInfo targetMethod)
120 | where T : Attribute
121 | {
122 | var methodAttributes = targetMethod.GetCustomAttributes();
123 | var classAttributes = targetMethod.DeclaringType.GetCustomAttributes();
124 | return methodAttributes.Concat(classAttributes).ToList();
125 | }
126 | }
127 | }
128 |
--------------------------------------------------------------------------------
/IsolatedFunctionAuth/Middleware/FunctionContextExtensions.cs:
--------------------------------------------------------------------------------
1 | using Microsoft.Azure.Functions.Worker;
2 | using System;
3 | using System.Linq;
4 | using System.Net;
5 | using System.Reflection;
6 |
7 | namespace IsolatedFunctionAuth.Middleware
8 | {
9 | public static class FunctionContextExtensions
10 | {
11 | public static void SetHttpResponseStatusCode(
12 | this FunctionContext context,
13 | HttpStatusCode statusCode)
14 | {
15 | // Terrible reflection code since I haven't found a nicer way to do this...
16 | // For some reason the types are marked as internal
17 | // If there's code that will break in this sample,
18 | // it's probably here.
19 | var coreAssembly = Assembly.Load("Microsoft.Azure.Functions.Worker.Core");
20 | var featureInterfaceName = "Microsoft.Azure.Functions.Worker.Context.Features.IFunctionBindingsFeature";
21 | var featureInterfaceType = coreAssembly.GetType(featureInterfaceName);
22 | var bindingsFeature = context.Features.Single(
23 | f => f.Key.FullName == featureInterfaceType.FullName).Value;
24 | var invocationResultProp = featureInterfaceType.GetProperty("InvocationResult");
25 |
26 | var grpcAssembly = Assembly.Load("Microsoft.Azure.Functions.Worker.Grpc");
27 | var responseDataType = grpcAssembly.GetType("Microsoft.Azure.Functions.Worker.GrpcHttpResponseData");
28 | var responseData = Activator.CreateInstance(responseDataType, context, statusCode);
29 |
30 | invocationResultProp.SetMethod.Invoke(bindingsFeature, new object[] { responseData });
31 | }
32 |
33 | public static MethodInfo GetTargetFunctionMethod(this FunctionContext context)
34 | {
35 | // More terrible reflection code..
36 | // Would be nice if this was available out of the box on FunctionContext
37 |
38 | // This contains the fully qualified name of the method
39 | // E.g. IsolatedFunctionAuth.TestFunctions.ScopesAndAppRoles
40 | var entryPoint = context.FunctionDefinition.EntryPoint;
41 |
42 | var assemblyPath = context.FunctionDefinition.PathToAssembly;
43 | var assembly = Assembly.LoadFrom(assemblyPath);
44 | var typeName = entryPoint.Substring(0, entryPoint.LastIndexOf('.'));
45 | var type = assembly.GetType(typeName);
46 | var methodName = entryPoint.Substring(entryPoint.LastIndexOf('.') + 1);
47 | var method = type.GetMethod(methodName);
48 | return method;
49 | }
50 | }
51 | }
52 |
--------------------------------------------------------------------------------
/IsolatedFunctionAuth/Middleware/JwtPrincipalFeature.cs:
--------------------------------------------------------------------------------
1 | using System.Security.Claims;
2 |
3 | namespace IsolatedFunctionAuth.Middleware
4 | {
5 | ///
6 | /// Holds the authenticated user principal
7 | /// for the request along with the
8 | /// access token they used.
9 | ///
10 | public class JwtPrincipalFeature
11 | {
12 | public JwtPrincipalFeature(ClaimsPrincipal principal, string accessToken)
13 | {
14 | Principal = principal;
15 | AccessToken = accessToken;
16 | }
17 |
18 | public ClaimsPrincipal Principal { get; }
19 |
20 | ///
21 | /// The access token that was used for this
22 | /// request. Can be used to acquire further
23 | /// access tokens with the on-behalf-of flow.
24 | ///
25 | public string AccessToken { get; }
26 | }
27 | }
28 |
--------------------------------------------------------------------------------
/IsolatedFunctionAuth/Program.cs:
--------------------------------------------------------------------------------
1 | using IsolatedFunctionAuth.Middleware;
2 | using Microsoft.Extensions.Hosting;
3 |
4 | namespace IsolatedFunctionAuth
5 | {
6 | public class Program
7 | {
8 | public static void Main()
9 | {
10 | var host = new HostBuilder()
11 | .ConfigureFunctionsWorkerDefaults(builder =>
12 | {
13 | builder.UseMiddleware();
14 | builder.UseMiddleware();
15 | })
16 | .Build();
17 |
18 | host.Run();
19 | }
20 | }
21 | }
--------------------------------------------------------------------------------
/IsolatedFunctionAuth/Properties/serviceDependencies.json:
--------------------------------------------------------------------------------
1 | {
2 | "dependencies": {
3 | "appInsights1": {
4 | "type": "appInsights"
5 | },
6 | "storage1": {
7 | "type": "storage",
8 | "connectionId": "AzureWebJobsStorage"
9 | }
10 | }
11 | }
--------------------------------------------------------------------------------
/IsolatedFunctionAuth/Properties/serviceDependencies.local.json:
--------------------------------------------------------------------------------
1 | {
2 | "dependencies": {
3 | "appInsights1": {
4 | "type": "appInsights.sdk"
5 | },
6 | "storage1": {
7 | "type": "storage.emulator",
8 | "connectionId": "AzureWebJobsStorage"
9 | }
10 | }
11 | }
--------------------------------------------------------------------------------
/IsolatedFunctionAuth/TestFunctions.cs:
--------------------------------------------------------------------------------
1 | using IsolatedFunctionAuth.Authorization;
2 | using Microsoft.Azure.Functions.Worker;
3 | using Microsoft.Azure.Functions.Worker.Http;
4 | using System.Net;
5 |
6 | namespace IsolatedFunctionAuth
7 | {
8 | // If an Authorize attribute is placed at class-level,
9 | // requests to any function within the class
10 | // must pass the authorization checks
11 | [Authorize(
12 | Scopes = new[] { Scopes.FunctionsAccess },
13 | UserRoles = new[] { UserRoles.User, UserRoles.Admin },
14 | AppRoles = new[] { AppRoles.AccessAllFunctions })]
15 | public static class TestFunctions
16 | {
17 | // This function can be called with both scopes and app roles
18 | // We don't need another Authorize attribute since it would just
19 | // contain the same values.
20 | [Function("ScopesAndAppRoles")]
21 | public static HttpResponseData ScopesAndAppRoles(
22 | [HttpTrigger(AuthorizationLevel.Anonymous, "get")] HttpRequestData req,
23 | FunctionContext executionContext)
24 | {
25 | return CreateOkTextResponse(
26 | req,
27 | "Can be called with scopes or app roles");
28 | }
29 |
30 | // This function can only be called with scopes
31 | [Authorize(
32 | Scopes = new[] { Scopes.FunctionsAccess },
33 | UserRoles = new[] { UserRoles.User, UserRoles.Admin })]
34 | [Function("OnlyScopes")]
35 | public static HttpResponseData OnlyScopes(
36 | [HttpTrigger(AuthorizationLevel.Anonymous, "get")] HttpRequestData req,
37 | FunctionContext executionContext)
38 | {
39 | return CreateOkTextResponse(req, "Can be called with scopes only");
40 | }
41 |
42 | // This function can only be called with app roles
43 | [Authorize(AppRoles = new[] { AppRoles.AccessAllFunctions })]
44 | [Function("OnlyAppRoles")]
45 | public static HttpResponseData OnlyAppRoles(
46 | [HttpTrigger(AuthorizationLevel.Anonymous, "get")] HttpRequestData req,
47 | FunctionContext executionContext)
48 | {
49 | return CreateOkTextResponse(req, "Can be called with app roles only");
50 | }
51 |
52 | // This function can only be called with scopes + admin role
53 | [Authorize(
54 | Scopes = new[] { Scopes.FunctionsAccess },
55 | UserRoles = new[] { UserRoles.Admin })]
56 | [Function("OnlyAdmin")]
57 | public static HttpResponseData OnlyAdmin(
58 | [HttpTrigger(AuthorizationLevel.Anonymous, "get")] HttpRequestData req,
59 | FunctionContext executionContext)
60 | {
61 | return CreateOkTextResponse(
62 | req,
63 | "Can be called with scopes and admin user only");
64 | }
65 |
66 | private static HttpResponseData CreateOkTextResponse(
67 | HttpRequestData request,
68 | string text)
69 | {
70 | var response = request.CreateResponse(HttpStatusCode.OK);
71 | response.Headers.Add("Content-Type", "text/plain; charset=utf-8");
72 | response.WriteString(text);
73 | return response;
74 | }
75 | }
76 | }
77 |
--------------------------------------------------------------------------------
/IsolatedFunctionAuth/host.json:
--------------------------------------------------------------------------------
1 | {
2 | "version": "2.0",
3 | "logging": {
4 | "applicationInsights": {
5 | "samplingSettings": {
6 | "isEnabled": true,
7 | "excludedTypes": "Request"
8 | }
9 | }
10 | }
11 | }
--------------------------------------------------------------------------------
/IsolatedFunctionAuth/local.settings.sample.json:
--------------------------------------------------------------------------------
1 | {
2 | "IsEncrypted": false,
3 | "Values": {
4 | "AzureWebJobsStorage": "UseDevelopmentStorage=true",
5 | "FUNCTIONS_WORKER_RUNTIME": "dotnet-isolated",
6 | "AuthenticationAuthority": "https://login.microsoftonline.com/your-aad-tenant-id/v2.0",
7 | "AuthenticationClientId": "your-aad-app-id"
8 | }
9 | }
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2021 Joonas Westlin
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Sample .NET 6 Azure Function with AAD authentication and authorization through middleware
2 |
3 | Usage instructions:
4 |
5 | 1. Register app in your Azure AD with needed scopes, user roles and app roles
6 | 1. Rename local.settings.sample.json to local.settings.json
7 | 1. Put your Azure AD tenant id in the authority setting
8 | 1. Put your app client ID in the client ID setting
9 |
10 | There are a couple reflection hacks here that are bound to break at some point if the internals change.
11 | It was the only way I found to set the response status code from within a middleware since all the relevant classes are marked internal.
12 |
--------------------------------------------------------------------------------