Azure / azure-functions-host

The host/runtime that powers Azure Functions
https://functions.azure.com
MIT License

How to get access to the id token after client-directed sign-in #8897

Open rumkit opened 2 years ago

rumkit commented 2 years ago

Is your question related to a specific version? If so, please specify:

v4 Out-of-process (isolated)

What language does your question apply to? (e.g. C#, JavaScript, Java, All)

C#

Question

I'm running a function app with EasyAuth enabled and set up to use B2C AD as an OpenID provider. In the case of server-directed sign-in, after the user has completed the authentication, I check the X-MS-CLIENT-PRINCIPAL header and get access to the token containing the claims collection, including the B2C userId and emails. But when using the client-directed sign-in flow, the same header contains a different set of claims (actually there is only a sid that is somehow related to the user). It looks like the token in the second case is based on the X-ZUMO-AUTH header, not on the id_token I had provided earlier during the authentication flow.

I found there was previously a similar issue, #4212. A feature was mentioned there that properly filled in the ClaimsPrincipal regardless of which flow (client-directed or server-directed) had been selected. However, the same comment mentions the feature was rolled back sometime in 2019.

The actual question is: is there a way to get access to the client id token and its claims from the functions app code after the client completed the client-directed sign-in?

The token I get from the header in the case of client-directed sign-in:

{
    "auth_typ": "AuthenticationTypes.Federation",
    "claims": [
        {
            "typ": "stable_sid",
            "val": "sid:2bb0133b***"
        },
        {
            "typ": "http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/nameidentifier",
            "val": "sid:2bb0133b***"
        },
        {
            "typ": "http:\/\/schemas.microsoft.com\/identity\/claims\/identityprovider",
            "val": "b2c_ropc"
        },
        {
            "typ": "ver",
            "val": "3"
        },
        {
            "typ": "nbf",
            "val": "1667839027"
        },
        {
            "typ": "exp",
            "val": "1667842627"
        },
        {
            "typ": "iat",
            "val": "1667839027"
        },
        {
            "typ": "iss",
            "val": "https:\/\/***.com\/"
        },
        {
            "typ": "aud",
            "val": "https:\/\/***.com\/"
        }
    ],
    "name_typ": "http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/name",
    "role_typ": "http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/role"
}

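An added example (not from this issue or from the azure-functions-host project) of decoding the X-MS-CLIENT-PRINCIPAL header in a v4 isolated-worker C# function and reporting which of the claims discussed above are present, so the two sign-in flows can be told apart at runtime. It assumes the function runs behind App Service Authentication (which is what sets the header) and that the B2C email claim type is named "emails".

```csharp
using System;
using System.Linq;
using System.Net;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Azure.Functions.Worker.Http;

// Shape of the base64-encoded JSON carried in X-MS-CLIENT-PRINCIPAL, as in the posted sample.
public sealed class ClientPrincipal
{
    [JsonPropertyName("auth_typ")] public string? AuthType { get; set; }
    [JsonPropertyName("claims")] public ClientPrincipalClaim[] Claims { get; set; } = Array.Empty<ClientPrincipalClaim>();
}

public sealed class ClientPrincipalClaim
{
    [JsonPropertyName("typ")] public string Type { get; set; } = "";
    [JsonPropertyName("val")] public string Value { get; set; } = "";
}

public static class WhoAmI
{
    const string NameId = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";
    const string Idp = "http://schemas.microsoft.com/identity/claims/identityprovider";

    // Returns null if the header is missing or not valid base64 JSON. Trust it only behind EasyAuth, which sets and overwrites it.
    public static ClientPrincipal? Parse(HttpRequestData req)
    {
        if (!req.Headers.TryGetValues("x-ms-client-principal", out var values)) return null;
        var raw = values.FirstOrDefault();
        if (string.IsNullOrEmpty(raw)) return null;
        try { return JsonSerializer.Deserialize<ClientPrincipal>(Encoding.UTF8.GetString(Convert.FromBase64String(raw))); }
        catch (Exception e) when (e is FormatException or JsonException) { return null; }
    }

    [Function("WhoAmI")]
    public static HttpResponseData Run([HttpTrigger(AuthorizationLevel.Anonymous, "get")] HttpRequestData req)
    {
        var p = Parse(req);
        var res = req.CreateResponse(p is null ? HttpStatusCode.Unauthorized : HttpStatusCode.OK);
        if (p is null) return res;
        string Claim(string t) => p.Claims.FirstOrDefault(c => c.Type == t)?.Value ?? "(absent)";
        // Server-directed sign-in surfaces the B2C user id and emails; client-directed (X-ZUMO-AUTH based)
        // surfaces only the sid-based nameidentifier, so "emails" (assumed claim type) reads "(absent)" there.
        res.WriteString($"auth_typ={p.AuthType} idp={Claim(Idp)} nameid={Claim(NameId)} emails={Claim("emails")}");
        return res;
    }
}
```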
ramya894 commented 2 years ago

@rumkit We are investigating this issue and will let you know the findings soon.