[Bug] Change RequiredScope to be based on policies #1002

Closed
1 of 3 tasks
plamber opened this issue Feb 22, 2021 · 3 comments

plamber commented Feb 22, 2021

Which version of Microsoft Identity Web are you using?
1.6.0

Where is the issue?

  • Web API
    • Protected web APIs (validating tokens)
    • Protected web APIs (validating scopes)
    • Protected web APIs call downstream web APIs

Repro
In your sample Function app application you are using the "RequiredScope" attribute to limit the access to the Function app. This does not work in this context (code snippet).

To my understanding this is due to the different way Azure Functions follow the authorization life-cycle.

You can limit the access by using the deprecated "VerifyUserHasAnyAcceptedScope(ScopesRequired);"
Here is an example of how to limit the required scope.

[FunctionName("token")]
[RequiredScope("Does not work")] // ignored: not evaluated when the function runs
public async Task<IActionResult> Run(
    [HttpTrigger(AuthorizationLevel.Anonymous, "post", Route = null)] HttpRequest req)
{
    // Validate the bearer token once; on failure, return the prepared error response.
    var (authenticationStatus, authenticationResponse) =
        await req.HttpContext.AuthenticateAzureFunctionAsync();
    if (!authenticationStatus) return authenticationResponse;

    // this works: explicit scope check (ScopesRequired is assumed to be defined elsewhere in the class)
    req.HttpContext.VerifyUserHasAnyAcceptedScope(ScopesRequired);

    string requestBody = await new StreamReader(req.Body).ReadToEndAsync();

    return new OkObjectResult(requestBody);
}

Expected behavior

  • Required scope should work with Azure Functions

Actual behavior
RequiredScope is ignored. The only way is to use VerifyUserHasAnyAcceptedScope.

Possible solution
Most likely you have to create a dedicated class for the Azure Functions. You can find an example of how to implement this here. The challenge is that this feature has been in preview for a while.

Alternatively, provide a dedicated VerifyUserHasAnyAcceptedScope function intended for Azure Functions.
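
Since the issue reports that the attribute is ignored in this Functions flow, the scope check has to be an explicit call in the function body. As an added example (not code from the issue or from Microsoft.Identity.Web), a fail-closed check of that kind using only System.Security.Claims; the `ScopeCheck` and `Demo` names, the `access_as_user` scope and the sample principals are assumptions constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

// Hypothetical helper (not Microsoft.Identity.Web code): an explicit scope check
// to call inside the function body after authentication has succeeded.
public static class ScopeCheck
{
    // Claim types that carry delegated scopes in Microsoft identity platform tokens.
    private static readonly string[] ScopeClaimTypes =
        { "scp", "http://schemas.microsoft.com/identity/claims/scope" };

    public static bool HasAnyAcceptedScope(ClaimsPrincipal user, params string[] accepted)
    {
        // Fail closed: no principal, unauthenticated identity, or nothing to accept.
        if (user?.Identity?.IsAuthenticated != true || accepted == null || accepted.Length == 0)
            return false;

        // The scope claim is one space-delimited string, so split it before comparing.
        var granted = user.Claims
            .Where(c => ScopeClaimTypes.Contains(c.Type))
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries));

        // Exact, case-sensitive match on whole scope names only.
        return granted.Intersect(accepted, StringComparer.Ordinal).Any();
    }
}

public static class Demo
{
    // Constructed principal for the demo; a real one comes from token validation.
    private static ClaimsPrincipal User(string scopes, bool authenticated = true) =>
        new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim("scp", scopes) }, authenticated ? "Bearer" : null));

    public static void Main()
    {
        string[] accepted = { "access_as_user" }; // constructed scope name
        var cases = new (string Label, ClaimsPrincipal Principal)[]
        {
            ("exact scope granted", User("access_as_user")),
            ("one of several scopes", User("user.read access_as_user")),
            ("near-miss scope name", User("access_as_user_admin")),
            ("unauthenticated caller", User("access_as_user", authenticated: false)),
        };
        foreach (var (label, principal) in cases)
            Console.WriteLine($"{label}: {ScopeCheck.HasAnyAcceptedScope(principal, accepted)}");
    }
}
```

A substring test on the raw claim value would accept the near-miss case, which is why the claim is split and compared by whole scope name.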

jmprieur added the bug label Feb 22, 2021
@jmprieur
Collaborator

Thanks for the heads-up @plamber

jmprieur added this to the 1.8.0 milestone Feb 22, 2021
@jennyf19
Collaborator

jennyf19 commented Feb 24, 2021

@plamber we are removing the deprecated flag from the method VerifyUserHasAnyAcceptedScope, so that will be in our 1.7 release. Thanks.

Will take a look at the links you provided.

jmprieur modified the milestones: 1.8.0, 1.9.0 Mar 4, 2021
jennyf19 modified the milestones: 1.9.0, 1.10.0 Mar 31, 2021
jmprieur modified the milestones: 1.10.0, 1.11.0 Apr 22, 2021
jmprieur modified the milestones: 1.11.0, 1.12.0 May 6, 2021
jennyf19 modified the milestones: 1.12.0, 1.13.0 May 28, 2021
jennyf19 removed this from the 1.13.0 milestone Jun 11, 2021
jennyf19 changed the title from "[Bug] RequiredScope does not work with Azure Functions" to "[Bug] Change RequiredScope to be based on policies" Sep 29, 2021
@jennyf19
Collaborator

jennyf19 commented Oct 6, 2021

Included in 1.18.0 release
