Azure Functions and Azure Active Directory B2C (Part 1)
Doing some work with azure functions and need authentication so I decided to try the B2C to setup an external Identity Provider.
I used [1], [2], [3] as reference.
Create a Azure AD B2C directory
Create a new AD B2C directory, you cannot use an existing AAD directory.
Once done you want to set up policies. Do not go to Azure AD, it's not there, search in services for "Azure B2C", open that up and possibly favourite it so it is pinned on the menu.
If you did this as I did, the directory is not linked to a subscription. You need to go through MarketPlace, find B2C and choose the "Link an existing B2C to my subscription". Wait for that process and then go back to the B2C blade and view the Identity Providers and associated policies
Policies
Setup a basic sign in / sign up policy, specifying the idP, custom attributes and claims. I'm still going to integrate with another Provider, just want a basic case to work first.
Link an app
The purpose of this step is to configure an app to use the B2C directory.
A GUID will be generated.
Go back to the Sign up / sign in policy and grab the metadata endpoint URL
Go to the Function App, Function App Settings, Networking, Authentication/Authorisation and turn on the Authentication. Select "Azure Active Directory", Choose advanced and enter the GUID generated previously as well as the metadata endpoint url.
Save and wait for the notification "Save App Auth Settings"
Test the function
Test the function in the test window, you will have a 401 Unauthorized returned with error "Authentication is enabled for the function app. Disable authentication before running the function.".
Great, so grab the function URL and paste into a private browser session. You will be prompted to enter your existing email address and password, or signup. I chose the latter, and was presented with this form, which matches the fields I want captured:
I verified the account and the function was executed successfully! (Note I used the sample http trigger, which will become my secured cosmos db function)
<string xmlns="http://schemas.microsoft.com/2003/10/Serialization/">Hello sgdfg</string>
I actually added the request headers to the response like this to test:
body: JSON.stringify(req.headers)
I get 4 headers, particularly this one, which has the display name I provided in signup. Not super useful
"x-ms-client-principal-name"
But I also get "x-ms-client-principal-id":"6f8132fc-..."
I will use that in the meanwhile, but want to exchange for claims.
Closing
It was easy enough to setup the B2C and the App, then linking a function so that the function can authenticate and authorise a user. Next is to read the claims within the function to ensure I can setup cosmos db documents per user.
References
[1] https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-policies
[2] https://blogs.msdn.microsoft.com/appserviceteam/2016/06/22/app-service-auth-and-azure-ad-b2c/
[3] https://blogs.msdn.microsoft.com/hmahrt/2017/03/07/azure-active-directory-b2c-and-azure-functions/
Cheers
Quintes