Why does the EasyAuth not accept my request for my function app with a OIDC identity provider?

Martin Rosin 5

I have an API that exposes a few endpoints, from which some user details and data can be fetched. The API is a function app with authentication enabled and restrict access set to "Require authentication". My app uses azure B2C for a subset of users and has been configured as a Microsoft identity provider and works fine. But my other subset of users uses Keycloak as a identity provider. I have configured Keycloak as an identity provider and can see it in my list. When I use postman and get my access token and try to call my function app API the EasyAuth does not let the request through (HTTP 401). When troubleshooting (from the authentication tab) the auth settings JSON does not show my keycloak identity provider. Also there are a lot of JWT validation errors from Easy Auth (e.g. Issuer validation failure etc.). It seems that EasyAuth is trying to validate my request against the Microsoft/B2C identity provider and not my Keycloak. Does EasyAuth support multiple identity providers?

Ben Gimblett 3,655 Reputation points Microsoft Employee

2024-05-14T14:32:20.49+00:00

I haven't done this in a long time - but short answer is yes you can add more than one IDP to easy auth and KeyCloak should be covered under the generic OIDC provider option....

With that in mind , I think you MIGHT be missing a bit of configuration about how easyauth deals with unauthenticated requests

I found a few resources explaining this but this is the most recent and concise https://www.youtube.com/watch?v=a83jaOHAFMM

Can you check this out and compare it to what you configured ?
Martin Rosin 5 Reputation points

2024-05-14T15:42:38.8733333+00:00
Thank you for the link. There are a few differences though to my problem.

In the video Benjamin is configuring his own application running on an App Service. He is using the AspNetCore.Authentication libraries in conjunction with azure app service security to handle authentication and (probably) authorization. Also the authentication configuration looks different, maybe because not function app? In function app there is only Authentication tab and not Authentication / Authorization...

My need is a bit different. I have a Azure function app with a few REST endpoints, implemented using node/typescript, one of which is /api/me to fetch some details by use of access token. This endpoint is mostly called by a desktop app (developed using QT). The desktop app is initiating a browser based OIDC/OAUTH flow. Depending on the configuration the users either use azure b2c (subset of users) or keycloak (a bigger subset of users), which handles everything relating to authentication and authorization (flows, reset pw, token mgmt, etc.). I thought I could configure my identity providers in the Authentication settings and the function app would be able to validate the access tokens given when calling my REST endpoints (signature/token validation, certificate validation etc.).

I have tried to configure and find the EasyAuth logs, through configuring Diagnostic settings for my function app to send them to Log Analytics workspace but for some reason the granularity of the logs are not enough to pinpoint exactly what goes wrong. In the Authentication tab when I press the troubleshoot button I get more info but it´s also a bit obscure, since filtering is not possible. In any case what catches my eye is that the troubleshoot says my auth settings (as of today a few hours ago) are:

{ "enabled": True, "runtimeVersion": "~1", "unauthenticatedClientAction": "RedirectTo401", "tokenStoreEnabled": True, "allowedExternalRedirectUrls": , "defaultProvider": , "clientId": "MY_AZURE_B2C_CLIENTID_REDACTED", "clientSecret": , "clientSecretCertificateThumbprint": , "issuer": "MY_AZURE_B2C_ISSUER_URL_REDACTED", "allowedAudiences": "[ "MY_AZURE_B2C_UUID_REDACTED" ]", "isAadAutoProvisioned": False, "googleClientId": , "googleClientSecret": , "googleOAuthScopes": , "facebookAppId": , "facebookAppSecret": , "facebookOAuthScopes": , "twitterConsumerKey": , "twitterConsumerSecret": , "microsoftAccountClientId": , "microsoftAccountClientSecret": , "microsoftAccountOAuthScopes": , "openIdConnectProviders": ""{}"" }

This seems strange since I clearly see that I have configured my Keycloak as an OIDC provider through the portal...

Also there are some hints in the troubleshoot section: Easy Auth Errors/Warnings:

JWT validation failed: Issuer validation failure - Expected: MY_AZURE_B2C_ISSUER_URL_REDACTED ; Token: MY_KEYCLOAK_ISSUER_URL_REDACTED

and a few other related to claim validations.

It seems that EasyAuth is not able to handle validation of my access token for my keycloak identity provider but trying to validate it against by B2C provider, even though both are configured (atleast in the portal). This is why I asked if EasyAuth is supposed to support validating tokens using multiple providers? When I call my endpoints using tokens given by B2C everything works but validation fails when I attempt to call my endpoints using tokens given by keycloak.

Naturally I can, and probably have to, code my own token validations etc. for all my REST endpoints/functions but would be nice if Azure would support validating tokens from different identity providers, especially since the configuration setting is there?
Martin Rosin 5 Reputation points

2024-05-14T15:46:59.6366667+00:00

In terms of configuration I have double checked that the OIDC config for my keycloak provider is valid. I have also tried configuring the provider with metadataURL as well as entering the metadata urls manually.
Ben Gimblett 3,655 Reputation points Microsoft Employee

2024-05-14T16:23:40.2533333+00:00

Ah OK . So to ensure I understand. The requirement here is simply to have easy auth validate the access tokens for the API - but it needs to handle access tokens from both B2C and KeyCloak , you dont need to use the functionality to expose login endpoints to the client app as that's handling the authentication part (user sign in and related actions) is that correct?

Unless anyone else can comment sooner I may need some time to dig into this further (if you could confirm i now understand correct)

In the interim you should be able to view the config by using the ARM REST API to verify the keycloak config is correct
https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/get-auth-settings-v2?view=rest-appservice-2023-12-01&tabs=HTTP

Martin Rosin 5

Yes exactly. The flow is that depending on the desktop app (or why not also web app) the user will authenticate against b2c or keycloak and recieve tokens. These tokens are than required by function app endpoints. B2C has a custom scope defined to query graph api for user data whilst keycloak token will include openid & profile scope (and query userinfo from time to time) and than fetch data based on users information from various places.

I thought and was hoping (maybe wrongly) that the EasyAuth/Authentication tab was meant to be used to validate token signature and some basic claims before having to spin up my actual function and process the REST request. Basically an introspect to validate that the token included in the header is valid. Since it seems to work like this with b2c I thought the same would apply to any OIDC provider but it behaves differently.

ARM REST API interesting parts:

      
"identityProviders": {
  "azureActiveDirectory": {
    "enabled": true,
    "registration": {
      "openIdIssuer": "B2C_WELL_KNOWN_CONFIG_URL_REDACTED",
      "clientId": "B2C_CLIENT_ID_REDACTED",
      "clientSecretSettingName": "B2C_CLIENT_SECRET_REDACTED"
    },
    "login": {
      "disableWWWAuthenticate": false
    },
    "validation": {
      "jwtClaimChecks": {},
      "allowedAudiences": [
        "B2C_AUDIENCE_REDACTED"
      ],
      "defaultAuthorizationPolicy": {
        "allowedPrincipals": {}
      }
    }
  },
	... Other empty providers ...
  ,
  "customOpenIdConnectProviders": {
    "ridakc": {
      "registration": {
        "clientId": "KEYCLOAK_CLIENT_ID_REDACTED",
        "clientCredential": {
          "clientSecretSettingName": "KEYCLOAK_CLIENT_SECRET_REDACTED"
        },
        "openIdConnectConfiguration": {
          "wellKnownOpenIdConfiguration": "KEYCLOAK_WELL_KNOWN_CONFIG_URL_REDACTED"
        }
      }
    }
  },
   ... More empty providers 

    "login": {},
    "validation": {}
  },
  "apple": {
    "enabled": true,
    "registration": {},
    "login": {}
  }
},

So evidently there my keycloak OIDC is configured, even though it contains a lot less than the b2c configuration...

Ben Gimblett 3,655 Reputation points Microsoft Employee

2024-05-15T11:26:28.8333333+00:00

I believe the validation settings for the OIDC provider are inferred (as in easyauth checks this against the provider) that's why you dont see them

For various reasons due to the internal subscription I use and security policy I cant fully repro this but I can prove a point at least. I can setup a consumption function app with easy auth and 2x providers to check access token

In my case I used the default ms tenant against an MSDN sub and added a b2c tenant (but through OIDC )

And now easy auth will let me through with a valid access token from each
Martin Rosin 5 Reputation points

2024-05-16T08:49:10.19+00:00

I can confirm that configuring a b2c OIDC provider does work. I did the same what you did and configured a new b2c tenant. When I initiate the OIDC flow and get my access token EasyAuth does validate correctly when using Microsoft provider or myb2c (custom provider) and I am able to call my azure functions rest endpoint. My keycloak (ridakc) provider does not work though. I´ve attached some screenshots.

I´ve checked and b2c and my keycloak should be configured exactly the same (confidential, all possible flows etc.). But still the validation seems to fail. This got me thinking. How does EasyAuth determine which provider to validate? One big difference seems to be that keycloak allows me to create App Client Ids that are not UUID formatted (as evident from my screenshot). Since the documentation also states:
"The OpenID provider name can't contain symbols like "-" because an appsetting will be created based on this and it doesn't support it. Use "_" instead."
(source: https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-openid-connect)
Might there be some other non-allowed things regarding configs, urls etc.? As you can see my current keycloak clientId is rida. I am currently hosting my test environment keycloak thorugh a container and the url is pretty long containing hyphens, dots, forward slashes, and only lowercase characters.
Martin Rosin 5 Reputation points

2024-05-16T09:33:09.5266667+00:00

I created a new client in keycloak with a UUID formatted clientId... and now it seems to be working. This feels like a bug... or a feature, that is missing some documentation. The format rules could be clarified in: https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-openid-connect
Martin Rosin 5 Reputation points

2024-05-16T11:21:10.13+00:00

And now new keycloak client with UUID as clientId stopped working without any explanation. I have not touched the configuration for said client. Would be really interesting to access the EasyAuth logs. Is this possible?
Ben Gimblett 3,655 Reputation points Microsoft Employee

2024-05-16T13:33:19.0433333+00:00

I dont think the format should matter (I mean it may do here, but it should not)
In this situation easyauth is doing very little

You point it towards an addressable meta data endpoint and provide it with a client id and secret (generally, I cant speak for keycloak specifically, the secret is not actually required for access token validation)

The logic is simply going to check the issuer (this value should be returned with the meta data) the token signature (via the public keys available in the meta data)
And the audience - which is the client id you configured
So long as the token you are sending has an aud claim which matches what you put into the config for easyauth (under clientid) then there's not reason it should not work - should be a straight string match (same with iss claim and the issuer info from meta data)

A few more things will be checked - but that's the gist of it

I cant access the full backend logs as I'm not working in the support org - but if you mail me direct begim@microsoft.com - I'll do what I can to help
Ben Gimblett 3,655 Reputation points Microsoft Employee

2024-05-16T13:38:55.1+00:00

Easyauth can output logs which can be captured on the customer end. However if you're using functions it may depend on which plan you're using
One thing that does work is to go to "diagnose and solve problems" menu item and when that blade opens in the search bar search for "authentication" - this should give you a snapshot of the backend logs related to easyauth. from memory it's not very detailed tho
Ben Gimblett 3,655 Reputation points Microsoft Employee

2024-05-16T13:39:59.86+00:00

This generally works https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization#logging-and-tracing but not for consumption functions as I dont believe you can enable app logging on a consumption func
Martin Rosin 5 Reputation points

2024-05-17T06:37:39.2966667+00:00

Thanks for the clarifications. I now found the problem:
"And the audience - which is the client id you configured"

By default Keycloak does not strictly enforce the clientId as the audience (aud) claim in tokens. There are reasons for this, which is outside the scope of this problem. In this case though, when there is federation and EasyAuth is used, one must make sure to map the clientId to the audience claim or else the token will be deemed invalid.

1 answer

Martin Rosin 5 Reputation points

2024-05-17T06:39:00.7133333+00:00

By default Keycloak does not strictly enforce the clientId as the audience (aud) claim in tokens. There are reasons for this, which is outside the scope of this problem. In this case though, when there is federation and EasyAuth is used, one must make sure to map the clientId to the audience claim or else the token will be deemed invalid.

There are multiple ways to resolve audience in keycloak: https://www.keycloak.org/docs/latest/server_admin/#audience-support
Please sign in to rate this answer.

1 person found this answer helpful.
Ben Gimblett 3,655 Reputation points Microsoft Employee

2024-05-17T08:11:36.5633333+00:00

That's great insight - thanks for posting the update!
Sign in to comment

Share via

Why does the EasyAuth not accept my request for my function app with a OIDC identity provider?

1 answer