Protect Azure Function App with OAuth 2.0 and Azure Active Directory B2C

abdul salam Chand
3 min read · Aug 26, 2020


This article describes how to protect an Azure Function App with OAuth 2.0 and Azure AD B2C configured in a different tenant.

I will give a step-by-step explanation of configuring Authentication / Authorization using the Azure AD B2C advanced settings to secure the Azure Function API.

Let us begin with Azure B2C App registration. I assume you’ve already registered an App in AD B2C.

A) Follow the steps below to create a Sign-up and Sign-in user flow and capture the “well-known” URL for later usage.

1) Log in to the Azure Active Directory tenant and select the Azure AD B2C service.

2) Go to Policies → User flows

3) Click on “New user flow”

4) Select “Sign up and sign in” user flow and click on Create.

5) Give an appropriate policy name

6) Select required identity providers

7) Configure multifactor authentication (Optional)

8) Select required user attributes and token claims

9) Finally, click on the Create button to create the “Sign up and sign in” policy.

10) Click on Run Sign up and sign in policy to copy the well-known URL for later usage: https://xxxxxxxx.b2clogin.com/xxxxxxx.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_Signup_Signin_Policy

11) Run the flow to copy the JWT token.

12) When testing your applications in Azure AD B2C, it is useful to have the Azure AD B2C token returned to https://jwt.ms to review the claims in it.

B) Follow the steps below to capture the Application (client) ID from the registered application for later usage.

1) Log in to the Azure Active Directory tenant and select the Azure AD B2C service.

2) Go to Manage → App registrations → All applications

3) Copy the Application (client) ID. It is a GUID.

4) Go to Registered application → Certificates & secrets

5) Create “New client secret” and copy the value for later usage.

C) Follow the steps below to configure the Azure function app’s “Authentication / Authorization”.

1) Log in to the Azure portal and create an Azure function app

2) Under Settings, go to “Authentication / Authorization”

3) Turn “App Service Authentication” to ON

4) Select the “Log in With Azure Active Directory” option for “Action to take when request is not authenticated”

5) Configure Azure Active Directory under “Authentication Providers”

6) Set Management mode to “Advanced”

7) Client ID: Copy Application (client) ID from section B → step 2.

8) Issuer Url: Copy the “well-known” URL from section A → step 9: “https://xxxxxxxx.b2clogin.com/xxxxxxx.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_Signup_Signin_Policy”

9) Client Secret (Optional): Copy client secret value created at section B → step 4.

10) Click on “OK” and “Save” buttons to finish the configuration.

Now your Azure function app is ready to be invoked with a bearer token, as shown in the image below. Without a valid token, a 401 Unauthorized error is returned in the response.
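As an added example that is not part of the original article, the Python script below reproduces the claim checks that stand behind that 401: the audience against the Client ID from section C, the issuer and policy against the well-known Issuer Url, and the expiry. The tenant name, client ID and token contents are constructed placeholders, and signature verification against the JWKS published by the well-known document is left out.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlparse

# Constructed placeholders standing in for the values copied in sections A and B.
WELL_KNOWN_URL = ("https://contoso.b2clogin.com/contoso.onmicrosoft.com/v2.0/"
                  ".well-known/openid-configuration?p=B2C_1_Signup_Signin_Policy")
CLIENT_ID = "11111111-2222-3333-4444-555555555555"


def expected_policy(well_known_url):
    """The policy name is the `p` query parameter of the well-known URL."""
    return parse_qs(urlparse(well_known_url).query)["p"][0]


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_claims(token, client_id, well_known_url, now=None):
    """Return the reasons the token would be rejected (empty list = acceptable).
    Signature verification against the JWKS of the well-known document is not done here."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    claims = json.loads(_b64url_decode(parts[1]))
    host = urlparse(well_known_url).netloc
    problems = []
    if claims.get("aud") != client_id:
        problems.append("aud does not match the configured Client ID")
    # B2C issues tokens as https://<tenant>.b2clogin.com/<tenant GUID>/v2.0/
    iss = claims.get("iss", "")
    if not (iss.startswith("https://" + host + "/") and iss.endswith("/v2.0/")):
        problems.append("iss was not issued by the tenant behind the Issuer Url")
    if claims.get("tfp") != expected_policy(well_known_url):
        problems.append("tfp does not match the policy in the Issuer Url")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token is expired")
    return problems


def make_unsigned_token(claims):
    """Build a constructed JWT with an empty signature, only to exercise the checks above."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```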

Happy coding!!!

https://www.linkedin.com/in/chand-abdul-salam-39786146/


Written by abdul salam Chand

Full Stack | Azure Solution Architect | Freelancer
