
Azure Functions: OpenID Identity Provider fails to validate JWT from AD B2C App - Stack Overflow


I have configured an Azure AD B2C App with a SigninOrSignup Userflow called b2c_1_signupsignin. I have verified that this user flow has this issuer policy https://xxxxxx.b2clogin/tfp/xxxxxxxx-a115-4371-a79d-63b6ac71ec44/b2c_1_signupsignin/v2.0/. I have checked that exactly this issuer URL is encoded in the JWT upon login. I have also made sure that the aud-claim in this JWT contains exactly the app ID of the B2C App.

Now, I have an Azure Function in my AAD Tenant. I want this Function to do the bearer token authentication for JWTs issued by the above AD B2C app before calling the Function. I have enabled in Authentication the OpenID provider and have specified the document URL to be https://xxxxxx.b2clogin/tfp/xxxxxxxx-a115-4371-a79d-63b6ac71ec44/b2c_1_signupsignin/v2.0/.well-known/openid-configuration. I have verified that this is the correct document URL and it contains correct issuer URL.

The tests kept failing (with the configured 401 Unauthorized response) for hours until I finally found the following warning in the "Authentication Configuration and Investigation Detector (EasyAuth)":

JWT validation failed: Issuer validation failure - Expected: https://xxxxxx.b2clogin/tfp/xxxxxxxx-a115-4371-a79d-63b6ac71ec44/b2c_1_signupsignin/; Token: https://xxxxxx.b2clogin/tfp/xxxxxxxx-a115-4371-a79d-63b6ac71ec44/b2c_1_signupsignin/v2.0/.

Clearly, the identity provider truncates the /v2.0/ at the end and of course fails to verify the correctly issued issuer URL despite the correct (quadruply checked) issuer URL being configured. In fact, it seems to take the correct issuer URL to derive the document URL but then truncates it when it validates the issuer URL. Clearly, this is not the intended behaviour.

I have reverted to using a manual authentication mechanism.

Am I grossly missing something or is this a (possibly known) bug on the Azure side?

asked Feb 2 at 9:05 by Mischa

1 Answer


I did grossly miss something.

I needed to disable the function-level authorization. The errors I got came from the missing function key which I didn't provide. Once I switched to Anonymous but activated the OpenID-authorization, the Function call was successfully executed when the correct bearer token was set.

I cannot explain where the EasyAuth warnings came from but I've experimented a lot, so maybe they were a legacy from some earlier experiment. Question closed.
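The "Expected: .../b2c_1_signupsignin/; Token: .../b2c_1_signupsignin/v2.0/" warning above is an exact-string issuer mismatch, which is the check a validator must do before trusting anything else in the token. The following is an added diagnostic, not code from the question, the answer or Azure; it decodes a token's claims and reports the same class of problems (issuer, audience, expiry) against a constructed discovery document with placeholder tenant values. Signature verification against the JWKS is deliberately out of scope here, so this is a troubleshooting aid, not a replacement for EasyAuth.

```python
import base64
import json
import time

# Constructed sample of the relevant openid-configuration fields for a B2C
# user flow. TENANT, TENANT-ID and APP-ID are placeholders, not real values.
DISCOVERY = {
    "issuer": "https://TENANT.b2clogin.com/tfp/TENANT-ID/b2c_1_signupsignin/v2.0/",
    "jwks_uri": "https://TENANT.b2clogin.com/TENANT-ID/b2c_1_signupsignin/discovery/v2.0/keys",
}
CLIENT_ID = "APP-ID"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def diagnose(token: str, discovery: dict, client_id: str, now: float = None) -> list:
    """List the claim-level reasons an issuer-aware validator would reject the token.

    Returns an empty list when iss, aud and exp are all acceptable."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    problems = []
    # The issuer must match the discovery document byte for byte: the policy
    # segment, the /v2.0/ suffix and the trailing slash all count. A validator
    # that drops the suffix, as in the EasyAuth warning, fails exactly here.
    if claims.get("iss") != discovery["issuer"]:
        problems.append(f"iss mismatch: expected {discovery['issuer']!r}, token {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append(f"aud {aud!r} does not contain the app ID {client_id!r}")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired or exp missing")
    return problems


def make_test_token(claims: dict) -> str:
    """Build a constructed token for offline testing; the signature segment is a
    placeholder because this diagnostic inspects claims only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.PLACEHOLDER-SIGNATURE"
```

In practice, fetch the discovery document from the configured URL and pass a real token; any "iss mismatch" line then shows the two strings side by side, which is the comparison the asker had to dig out of the EasyAuth detector.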
