I have an Azure Function that is an HTTP trigger that takes a parameter, queries a Cosmos DB using this parameter, and returns a JSON object result. I have a Web API (does NOT reside in Azure) that needs to forward calls to this Azure function without any user login/intervention. I have followed the following guide:
https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
I let the Azure Portal create my app registration for my function app automatically. The only change I made to this app registration was setting the Application ID URI to be the URL of my function app as follows: https://{functionapp}.azurewebsites.net
For the function app authentication settings, Authentication is set to 'Require authentication' and 'Return HTTP 302 Found (Redirect to identity provider)'.
The actual Azure Function is configured for Anonymous Authorization level.
I then followed the steps at "Daemon client application (service-to-service calls)" to create another app registration for my Web API.
I am obtaining the token as follows, where clientId and secret are the values from the Web API app registration, and the resource is the URL of my function app:
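    // Requires: using System; using RestSharp; using Newtonsoft.Json.Linq;
    // Request an app-only token with the client credentials grant.
    var client = new RestClient("https://login.microsoftonline.com/" + tenantId + "/oauth2/token");
    var request = new RestRequest(Method.POST);
    request.AddHeader("cache-control", "no-cache");
    request.AddHeader("content-type", "application/x-www-form-urlencoded");
    // URL-encode each value: a secret or resource containing '+', '&' or '='
    // would otherwise corrupt the form body.
    request.AddParameter("application/x-www-form-urlencoded",
        $"grant_type=client_credentials&client_id={Uri.EscapeDataString(clientId)}" +
        $"&client_secret={Uri.EscapeDataString(secret)}&resource={Uri.EscapeDataString(resource)}",
        ParameterType.RequestBody);
    IRestResponse response = client.Execute(request);
    var jObject = JObject.Parse(response.Content);
    // An error response carries no "access_token"; fail with a clear message instead of a null reference.
    string token = jObject.GetValue("access_token")?.ToString()
        ?? throw new InvalidOperationException("Token request failed: " + response.Content);
    return token;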
I am then calling my Azure Function with the token from above set as follows:
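    // Requires: using System.Collections.Generic; using RestSharp; using Newtonsoft.Json;
    // Call the function, presenting the token as a bearer credential.
    var client = new RestClient($"{baseUrl}api/videos/versionvideos?versionId={versionId}");
    client.Timeout = -1;
    var request = new RestRequest(Method.GET);
    request.AddHeader("Authorization", $"Bearer {token}");
    IRestResponse response = client.Execute(request);
    // response.Content is only a JSON list when the call succeeded; check response.StatusCode first.
    List<CosmosMedia> media = JsonConvert.DeserializeObject<List<CosmosMedia>>(response.Content);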
I get the following response:
"You do not have permission to view this directory or page."
I've spent quite a bit of time troubleshooting this, but am at a loss as to why the token is not getting authenticated. Any assistance is greatly appreciated. Hoping I'm missing a simple step somewhere!
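One way to see what the issued token actually contains, so its `aud` claim can be compared with the audience the function app is configured to accept (an added example, not part of the original post). The `TokenInspector` class, the sample token, and the `example-func` host name are constructed for illustration; it assumes the Newtonsoft.Json package already used above.

```csharp
using System;
using System.Text;
using Newtonsoft.Json.Linq;

public static class TokenInspector   // hypothetical helper, not from the post
{
    // Decode the JWT payload WITHOUT verifying the signature.
    // Troubleshooting only: never base an authorization decision on this.
    public static JObject DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("Expected header.payload.signature");
        return JObject.Parse(Encoding.UTF8.GetString(FromBase64Url(parts[1])));
    }

    // JWT segments are unpadded base64url; map to standard base64 and re-pad.
    static byte[] FromBase64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    static string ToBase64Url(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
               .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Exact, case-sensitive comparison so that a trailing slash or a
    // client-ID-versus-URI difference is reported as a mismatch to look into.
    public static bool AudienceMatches(JObject payload, string expected) =>
        string.Equals(payload["aud"]?.ToString(), expected, StringComparison.Ordinal);

    public static void Main()
    {
        // Constructed, unsigned sample token; in practice pass the access_token string.
        string payloadJson = "{\"aud\":\"https://example-func.azurewebsites.net/\"," +
            "\"iss\":\"https://sts.windows.net/00000000-0000-0000-0000-000000000000/\"," +
            "\"appid\":\"11111111-1111-1111-1111-111111111111\"}";
        string jwt = ToBase64Url("{\"alg\":\"none\"}") + "." + ToBase64Url(payloadJson) + ".sig";

        JObject claims = DecodePayload(jwt);
        string expected = "https://example-func.azurewebsites.net"; // assumed Application ID URI
        foreach (string name in new[] { "aud", "iss", "appid", "roles" })
            Console.WriteLine($"{name}: {claims[name] ?? "(absent)"}");
        Console.WriteLine($"aud matches expected audience: {AudienceMatches(claims, expected)}");
    }
}
```

With the constructed token the last line reports `False`, because the sample `aud` ends in a slash and the expected value does not.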
