Setting up Azure Functions and Azure B2C turned out to be quite easy. However, finding a good guide online on how to connect the two turned out to be a lot harder. The Azure UI updates rapidly, resulting in outdated blog posts that can easily point you in the wrong direction, which is exactly what happened to me recently when setting this up for a customer. So I decided to write my own how-to guide in a way that is hopefully a bit more future proof.

By default, Azure Functions supports anonymous access and authorization through secure keys at different levels. While this is a nice feature, you wouldn't want to store a secure key on the client.

Instead, it would be better to have a user actually log in to an authorization server and receive an access token that is then used to make requests to the Function endpoints, which is of course how OAuth works. Azure B2C uses the Authorization Code Grant, so that's great.

Step 1: Create a new Azure B2C Tenant
Let's start with creating a new Azure B2C Tenant, our identity management service. For most steps in this how-to I will suggest following the Microsoft documentation, which is frequently updated and always in sync with changes in the Azure portal.

We can now start creating the B2C Tenant by following the tutorial supplied by Microsoft.

Note that after creation you are switched to the directory of the newly created B2C Tenant.

Step 2: Register an application
Before our Azure functions can interact with Azure B2C we will have to create an application in our newly created B2C Tenant. This application will represent the functions.

While following the next tutorial, keep in mind that you will need to store both the Client Id and the Client Secret; both will be needed in step 6 of this tutorial. Now start registering the application and follow the next step in the tutorial.

The client id is found in the overview of the created application registration:

Step 3: Create a user flow
In order for your users to log in with Azure B2C you will need to provide them with identity tasks, such as a flow for logging in or creating an account. This is done through policies. Policies can be fully customized for the desired user experience, but for this tutorial we will focus on the predefined policies. Predefined policies are called user flows and are sufficient for most basic scenarios. Create and test a sign-up and sign-in user flow by following this tutorial.

Note that Email signup is the only identity provider you can choose at this point. Other providers can be set up at a later time. The https://jwt.ms site mentioned there is a great way to decode your tokens and read your claims for testing purposes.

One piece of information you need to collect during this step is the Issuer Url, which can be tricky to find. Grab it while testing the user flow:

This concludes setting up your new B2C Tenant.

Step 4: Link the B2C Tenant to your target Azure Subscription
While following the Microsoft tutorial I noticed, after switching back to our target Azure subscription, that the newly created B2C Tenant isn't linked to that subscription automatically. So we will have to do that first in order for the B2C Tenant to have a subscription:

1. Switch Directories to the location of your target Azure subscription
2. Click on Create a resource, search for and select 'B2C'
3. Select Create to link this B2C Tenant to a subscription
4. Select the B2C Tenant and hit Create

Step 5: Create an Azure function
While switched to your target Azure Subscription, it is time to create an Azure Function. If you haven't already created any Functions, create a Function App with an HTTP trigger Function.

Step 6: Connect the B2C Tenant to your Azure Function
With Azure B2C set up and an Azure Function created, it is now time to connect the two. To do so, you should have collected three pieces of information so far:

1. ClientId (collected in Step 2 where we registered the application)
2. Issuer Url (collected in Step 3 where we created the User flow)
3. Client secret (collected in Step 2 where we registered the application)

Follow the Microsoft documentation to connect the two. The easiest way is to use the advanced settings and specify the three collected values. The tutorials below the "Configure with advanced settings" section can be ignored. Go to the documentation.

Do not forget to set 'Action to take when request is not authenticated' to 'Log in with Azure Active Directory'.

Final Step: Test your Azure Function with the B2C Tenant
Congratulations, you created and connected Azure B2C with Azure Functions. It is now time to test your Function. I myself like to test endpoints with the REST Client for VS Code. So let's make a simple POST to our HTTP trigger function.

If everything is set up correctly you should see a 401 Unauthorized, since we obviously aren't logged in yet. The function needs a Bearer token in the Authorization header.

So let's go back to the user flow, log in as described in step 3 and grab the token from https://jwt.ms.

Next, add the token as an Authorization header: “Authorization: Bearer [token]”. A new POST should result in a 200 OK. Great job! You successfully connected your Azure Function to your B2C Tenant!
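To see what the ClientId and Issuer Url collected in steps 2 and 3 are actually compared against when the Function accepts or rejects a token, here is an added example (not code from the original post) that decodes a constructed B2C-style token the way https://jwt.ms does and applies the issuer, audience and expiry checks. The tenant name, ClientId and Issuer Url are placeholder assumptions; signature verification against the tenant's signing keys, which App Service authentication does for you, is left out.

```python
import base64
import json
import time

# Constructed placeholders standing in for the values collected in steps 2 and 3.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
ISSUER_URL = "https://contoso.b2clogin.com/11111111-1111-1111-1111-111111111111/v2.0/"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT (the view https://jwt.ms gives you).
    The signature is NOT verified here; the platform checks it against the
    tenant's published signing keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, client_id: str = CLIENT_ID,
                issuer: str = ISSUER_URL, now=None) -> list:
    """Issuer, audience and expiry checks as configured in step 6.
    Returns a list of problems; an empty list means the token would pass."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer does not match the configured Issuer Url")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience does not contain the registered ClientId")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems


def _make_unsigned_token(claims: dict) -> str:
    """Build a constructed test token with a dummy signature segment."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample token shaped like one from a sign-up/sign-in user flow.
SAMPLE_TOKEN = _make_unsigned_token({
    "iss": ISSUER_URL, "aud": CLIENT_ID, "exp": 4102444800,
    "tfp": "B2C_1_signupsignin1", "emails": ["user@example.com"],
})

if __name__ == "__main__":
    print(decode_claims(SAMPLE_TOKEN))
    print(check_token(SAMPLE_TOKEN) or "token matches ClientId and Issuer Url")
```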

Out of the box Azure B2C is a great way to secure your Azure Functions. With only a few steps you can give your users the ability to create an account and log in.

You could now easily add other social providers such as Facebook and Google.

Or dive into Custom Policies to change the appearance and flows to your needs or to add your own email service provider. While the customization options are extensive, I have to say that Custom Policies can take quite some time to get right and you might run into the occasional bug.

And do not forget that setting this up is completely free for your first 50.000 users. You will only be charged for the SMS / Phone events if you wish to set up Multi Factor Authentication.

When you are already using Functions or Web Apps within Azure and are in need of an identity management service, I highly recommend securing them with Azure B2C. There are of course other solutions such as Auth0, but Azure B2C is especially nice when you are already in the Azure ecosystem.