Securing ASPNET Core Web API for calls from Azure Function
We have an exisiting ASP.NET Core Web Api in Azure that has endpoints that support Azure AD and Azure AD secured users
I want to create a new Azure Function with a Timed trigger that will call this same Web Api. The call will obviously not be in the context of a user but in the context of the Function App.
The AF is AzureFunctionsVersion "v3" with a TargetFramework of "netcoreapp3.1"
I have added an App Role to the App registration for the existing Web API
I have then requested access to the that API from the Azure Functions "Api Permissions" blade in Azure Portal
I am only running this Azure Function locally as yet so here are the values from local.settings.json. I've removed the real values
{
"IsEncrypted": false,
"Values": {
"AzureWebJobsStorage": "UseDevelopmentStorage=true",
"FUNCTIONS_WORKER_RUNTIME": "dotnet",
"AzureAd:Instance": "https://login.microsoftonline.com/",
"AzureAd:Domain": "ourdomain.co.uk",
"AzureAd:TenantId": "aaaaaaaa-92eb-430b-b902-aaaaaaaaaaaa",
"AzureAd:ClientId": "aaaaaaaa-bd17-4e69-bdf6-aaaaaaaaaaaa",
"AzureAd:Audience": "https://ourdomain.co.uk/appid,
"AzureAd:ClientSecret": "THESECRET",
"PatientApi:BaseAddress": "https://myapi.com/api/",
"PatientApi:Scopes": "https://my-api-appiduri/.default"
},
}
I then try an get a token for the Azure Function by calling GetAccessTokenForAppAsync
var accessToken = await this.tokenAcquisition.GetAccessTokenForAppAsync(this.patientScope);
this.httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
this.httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
When I call GetAccessTokenForAppAsync I get the following Exception
Microsoft.Identity.Client.MsalServiceException: 'A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '{CLIENTID_FOR_AZUREFUNCTION}'.
Is this AzureAd config and calling GetAccessTokenForAppAsync the right approach?
TL;DR
Whilst I had correctly configured the AzureAd values I must at some point have chosen to "Manage User Secrets" in the VS IDE. That had created a different ClientSecret and that was overriding the correct value in local.settings.json.
Thanks to this GitHub issue and comment from the MSAL team, https://github.com/AzureAD/microsoft-identity-web/issues/379#issuecomment-666526566
- Azure Function v2 Python deployed functions are not showing
- What is a valid binding name for azure function?
- Using ConcurrentQueue in Azure Durable Function with Dataverse interaction
- Runing a functions project locally
- Azure functions decoding error for IotHub device connection state message schema
- MSINotEnabled - Can't use KeyVault Reference in Azure Function
- Unable to read local.settings.json file when running Azure Function locally
- .Net Azure Function app publish does not generate a bin folder
- Azure Function App unaccounted for time in Application Insights Timeline
- Threading Issue with DbContext in Azure Functions Using Cosmos DB Provider, and MediatR
- How to stop a ServiceBusTrigger Azure function from listening to a topic subscription?
- Azure Functions with VS Code and Python: ModuleNotFoundError: No module named 'azure.storage'
- Once reliable GitHub Action Workflow now deploys non-runnable Azure Function Apps
- Parameterize runOnStartup in function.json
- SSL/TLS error on exposing Fuction App in API Management
- Github Action Deployment of Azure Function Without Public Access from All Networks
- Can't provide NuGet package source credentials to Azure Function
- How can i put the CRON expression in a Function app parameter in the local.settings.json file?
- How escape an = when getting a value from Azure Key Vault for Azure Functions
- Deployed functions but they are not showing up in Azure Portal
- How to get the "Function Url" which is with in a Function-App deployed using Terraform?
- Azure Function App: "Exception calling ".ctor"
- How do I reference my Azure function from pytest?
- Accessing DataVerse data and running SQL statements against it from C# code on .NET 6 (Azure Function)
- Express (bodyParser) urlencoded hangs, without callback or throwing error, when running on Azure Function
- How can I access configuration, defined in `ConfigureAppConfiguration`, in `ConfigureServices`, with only the `IServiceCollection` available?
- How to get the MaxDequeueCount in the .NET function code
- Testing manually a Time Triggered Function App in the Azure Portal fails
- Why does The behavior of "replay" ensure reliable execution in Azure durable functions?
- How can we get tenant id, client id and client secret for Azure Function App?