Azure Web App/Function App Authentication and Authorization References

Here’s a dump of articles and blog posts about App Service Authentication and Authorization, formerly known as Easy Auth. Note it’s always good to read through the comments on the blogs and forum posts to get helpful tidbits you may have otherwise missed. If you find another article, please feel free to leave a comment and I’ll add it to the list.

Main Doc:

https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization

Advanced Auth concepts and features:

https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-how-to

OpenID Connect Integration

https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-openid-connect

Blogs:
https://dev.to/azure/azure-functions-and-app-service-authentication-with-auth0-and-other-openid-connect-providers-47fg

Chris’s blog:

https://cgillum.tech/2016/02/01/architecture-of-azure-app-service-authentication-authorization/

This blog is rich with a TONNN of content and the comments are extremely useful:
https://cgillum.tech/2016/03/07/app-service-token-store/

Refreshing tokens with /.auth/Refresh

https://cgillum.tech/2016/03/07/app-service-token-store/

https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-how-to#refresh-identity-provider-tokens

Understanding why refreshing with an access token doesn’t work (as of 7/2020 – could change in the future)
https://stackoverflow.com/questions/42519343/azure-ad-app-service-auth-refresh-endpoint-returns-401-71-unauthorized

Getting Access tokens and using them with /.auth/me for client side apps and headers for your server side code

https://cgillum.tech/2016/03/07/app-service-token-store/

https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-how-to#access-user-claims

https://blog.brooksjc.com/2020/06/21/accessing-graph-api-with-an-azure-function-through-impersonation/

http://jsandersblog.azurewebsites.net/2020/01/17/easy-auth-using-x-ms-token-aad-access-token-as-a-bearer-token/

Advanced App Settings

Super helpful list of app settings that can make tricky configurations work, including how to set a warmup path that bypasses authentication:

Name: WEBSITE_WARMUP_PATH
Value: any relative URL path
Description: This setting is intended for use when an unauthenticated client, such as Azure Traffic Manager or Azure App Service’s Always On feature, needs to access a specific path in the web app without requiring authentication. When set, any HTTP requests to the specified URL path will not be rejected by Easy Auth, regardless of the specified rules for unauthenticated clients.

https://github.com/cgillum/easyauth/wiki/Advanced-Application-Settings

Control the Auth Session Cookie timeout period: This app setting enables customers to control how long the cookie is valid for and when users will be forced to reauthenticate:
Name: WEBSITE_AUTH_COOKIE_EXPIRATION_TIME
Value: hh:mm:ss

Application Gateway integration with Auth/Web Apps

https://techcommunity.microsoft.com/t5/azure-app-service/setting-up-application-gateway-with-an-app-service-that-uses/ba-p/392493

Azure AD Dev Blog

This is unrelated to App Service auth but has a lot of helpful posts from the AAD Dev Support team:
https://blogs.aaddevsup.xyz/

Authentication with other Tenants:

http://jsandersblog.azurewebsites.net/2017/06/09/azure-app-services-authentication-to-a-foreign-azure-active-directory/

Access an Azure web app behind Auth using a bearer token

http://jsandersblog.azurewebsites.net/2017/03/17/accessing-azure-app-services-using-azure-ad-bearer-token-2/
https://github.com/jcbrooks92/EasyAuthBootCampCode/blob/master/EasyAuthBootCampCode/Function1.cs

Errors

Random helpful hints:

  • If you are trying to use the /.auth/me endpoint but do not see a token in the format of ey…, make sure to add the additionalLoginParameters via Resource Explorer (see steps 4-6 of my blog below)
    https://blog.brooksjc.com/2020/06/21/accessing-graph-api-with-an-azure-function-through-impersonation/
  • In order to get an access token and use the token store, you must have a client secret configured
  • When calling /.auth/refresh, wait for this call to complete with a 200 before calling /.auth/me to get the new token. If you do not wait, you may run into a race condition and read the old token
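Added example, not code from this post or from any of the linked blogs: a client-side flow that awaits /.auth/refresh, requires a 200, and only then reads /.auth/me, next to the racy variant that fires both requests at once and can observe the stale token. The injected fetch stand-in, the host name, and the assumed shape of the /.auth/me response (an array of per-provider entries carrying provider_name and access_token) are constructed for this example.

```javascript
// Added example, not code from the original post or the linked blogs.
// Sequence: await /.auth/refresh, require HTTP 200, and only then call
// /.auth/me. `fetchImpl` is injected so the flow can run offline against a
// constructed fetch; in a browser pass the global fetch.

async function refreshThenGetToken(fetchImpl, baseUrl = "") {
  // Step 1: refresh the token-store entry. The auth session cookie rides
  // along because the request is sent with credentials included.
  const refreshResp = await fetchImpl(`${baseUrl}/.auth/refresh`, {
    method: "GET",
    credentials: "include",
  });
  if (refreshResp.status !== 200) {
    // Anything other than 200 means the store was not updated; reading
    // /.auth/me now would hand back the stale token.
    throw new Error(`/.auth/refresh returned HTTP ${refreshResp.status}`);
  }

  // Step 2: read the refreshed token back only after step 1 has completed.
  const meResp = await fetchImpl(`${baseUrl}/.auth/me`, {
    method: "GET",
    credentials: "include",
  });
  if (meResp.status !== 200) {
    throw new Error(`/.auth/me returned HTTP ${meResp.status}`);
  }
  return pickAccessToken(await meResp.json());
}

// The racy version the hint warns about: /.auth/me is sent before the
// refresh has finished, so it can observe the old token-store entry.
async function racyGetToken(fetchImpl, baseUrl = "") {
  const refreshPending = fetchImpl(`${baseUrl}/.auth/refresh`, { credentials: "include" });
  const meResp = await fetchImpl(`${baseUrl}/.auth/me`, { credentials: "include" });
  await refreshPending;
  return pickAccessToken(await meResp.json());
}

// Assumed /.auth/me shape: an array with one entry per provider, each carrying
// provider_name and access_token. Also checks the token looks like a JWT
// ("ey..."); an opaque value usually means additionalLoginParameters was not set.
function pickAccessToken(entries, providerName = "aad") {
  const entry = Array.isArray(entries)
    ? entries.find((e) => e && e.provider_name === providerName)
    : undefined;
  if (!entry || typeof entry.access_token !== "string") {
    throw new Error(`no access_token for provider "${providerName}" in /.auth/me`);
  }
  if (!entry.access_token.startsWith("ey")) {
    throw new Error("access_token is not a JWT; check additionalLoginParameters");
  }
  return entry.access_token;
}

// Constructed stand-in for fetch. It records the request order and flips the
// token-store entry to the new token only once /.auth/refresh has completed.
function makeFakeFetch() {
  const calls = [];
  const store = { refreshed: false };
  const fakeFetch = async (url) => {
    calls.push(url);
    if (url.endsWith("/.auth/refresh")) {
      await new Promise((resolve) => setTimeout(resolve, 20)); // refresh takes a moment
      store.refreshed = true;
      return { status: 200, json: async () => ({}) };
    }
    if (url.endsWith("/.auth/me")) {
      const token = store.refreshed ? "eyJNEW.constructed.token" : "eyJOLD.constructed.token";
      return {
        status: 200,
        json: async () => [{ provider_name: "aad", access_token: token }],
      };
    }
    return { status: 404, json: async () => ({}) };
  };
  return { fakeFetch, calls };
}
```

Run against the constructed fetch, refreshThenGetToken returns the new token and racyGetToken returns the old one, which is exactly the race the hint describes; in a real page, replace the stand-in with the browser's fetch and keep the same-origin cookie handling.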