Once the user authenticates with Azure AD you'll be presented an AppServiceAuthSessoin
cookie. It's an opaque cookie but you can exchange it for a readable id token by calling
https://yourFunctionApp.azurewebsites.net/.auth/me
and passing in the opaque cookie as Cookie
header. Moreover, the id_token
you get back is good for use as Bearer
token.
Actually it just looks right to me, i haven't really tested it as a Bearer, so a little caution there.
![Get claims](https://i.stack.imgur.com/d7hq5.png)
The mechanism is called Easy Auth, it's easier to Google for that name.
More on the token store here —
https://cgillum.tech/2016/03/07/app-service-token-store/
...which says you can grab the claims just by reading the HTTP headers coming in from the user's browser:
Accessing the Tokens
From within your backend code, accessing these tokens is as easy as reading an HTTP request header. The headers are named like X-MS-TOKEN-{provider}-{type}
. The possible token header names are listed below:
Azure Active Directory Token Request Headers:
X-MS-TOKEN-AAD-ID-TOKEN
X-MS-TOKEN-AAD-ACCESS-TOKEN
X-MS-TOKEN-AAD-EXPIRES-ON
X-MS-TOKEN-AAD-REFRESH-TOKEN
I actually just found that out right now, so thanks for the question!
UPDATE:
My hunch was correct, the id_token
is also good as Bearer:
$ curl -isk https://{funcApp}.azurewebsites.net/api/{someFunc}
-H "Authorization: Bearer eyJ0eXAiOi....oEU-Q"
HTTP/1.1 200 OK
Cache-Control: no-cache
Server: Microsoft-IIS/8.0
...
The main difference between the two ways of reading claims (reading headers vs. calling /.auth/me
from the backend with user's Cookie) is the amount of detail you get. There's way more in the latter.
Here's the set of headers you get from Easy Auth for a Twitter authenticated user:
{
"cookie": "AppServiceAuthSession=Lx43...xHDTA==",
...
"x-ms-client-principal-name": "evilSnobu",
"x-ms-client-principal-id": "35....",
"x-ms-client-principal-idp": "twitter",
"x-ms-token-twitter-access-token": "35...Dj",
"x-ms-token-twitter-access-token-secret": "OK3...Jx",
}
and the claims you get by calling /.auth/me
:
{
"access_token": "35...FDj",
"access_token_secret": "OK3...sJx",
"provider_name": "twitter",
"user_claims": [
{
"typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
"val": "352660979"
},
{
"typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
"val": "evilSnobu"
},
{
"typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"val": "Safarihat Hacker"
},
{
"typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage",
"val": "..."
},
{
"typ": "urn:twitter:description",
"val": "GENIUS. HAVE BRAIN. WILL TRAVEL."
},
{
"typ": "urn:twitter:location",
"val": ""
},
{
"typ": "urn:twitter:time_zone",
"val": "London"
},
{
"typ": "urn:twitter:lang",
"val": "en"
},
{
"typ": "urn:twitter:verified",
"val": "False"
},
{
"typ": "urn:twitter:profile_image_url_https",
"val": "https://pbs.twimg.com/profile_images/867473646876545024/1elebfK1_normal.jpg"
}
],
"user_id": "evilSnobu"
}