
I’m trying to create a .NET console application to authenticate users for an Azure function app. I want to authenticate users using their AD credentials and then create a token based on that. I believe I need to enable “Public client flows” in order to achieve this. I’m pretty new to this, but after many failed attempts I managed to get it working after setting the Application ID URI and the scope in the “Expose an API” section. I believe the manifest refers to this property as “identifierUris”. And according to some findings both public access and identifierUris cannot be used at the same time. Is there an alternative way to achieve this? Any explanations or reasonings as to why this is not ideal would be appreciated as well.

This is the code we're using to retrieve the token and use it:

using Microsoft.Identity.Client;

var publicClient = PublicClientApplicationBuilder
                       .Create(clientId)
                       .WithAuthority(authorityUri)
                       .WithRedirectUri(redirectUri)
                       .Build();

// Interactive sign-in with the user's AD credentials for the requested scopes
var accessTokenRequest = publicClient.AcquireTokenInteractive(scopes);
var accessToken = await accessTokenRequest.ExecuteAsync();
// ExecuteAsync returns an AuthenticationResult; the bearer token is its AccessToken property
restRequest.AddHeader("authorization", "Bearer " + accessToken.AccessToken);

This is the Pulumi code creating the Azure AD Application, where functionApp is the Pulumi.Azure.AppService.FunctionApp that we are trying to authorize against:

using Pulumi;
using AzureAD = Pulumi.AzureAD;

var azureApp = new AzureAD.Application(name, new AzureAD.ApplicationArgs
{
    DisplayName = name,
    AvailableToOtherTenants = false,
    Homepage = "https://VisualStudio/SPN",
    Oauth2AllowImplicitFlow = true,
    ReplyUrls = { "http://localhost" },
    // Application ID URI derived from the function app's hostname (maps to identifierUris in the manifest)
    IdentifierUris =
    {
       functionApp.DefaultHostname.Apply(dnsName => "https://" + dnsName)
    },
    // Maps to allowPublicClient in the manifest
    PublicClient = true
}, new CustomResourceOptions {DependsOn = functionApp});

When PublicClient is set to false, this deploys fine. When it is set to true, the underlying API call returns a 400 error with this text:

Property identifierUris is invalid

So we set PublicClient to false and then manually update it to true in the portal, which works fine:

[Screenshot: Azure Portal App Registration Authentication tab, with "Allow public client flows" enabled]

What are we missing?

Josh Gallagher
Mifla
  • Which authentication flow are you using? – Carl Zhao Mar 19 '21 at 07:19
  • Why can't you use `Public client flows` and `identifierUris` at the same time? Are there any special instructions in official documents? – Carl Zhao Mar 19 '21 at 07:36
  • @CarlZhao Please take a look at the edits I've made to elaborate on the issue. I'm working with Mifla. – Josh Gallagher Mar 19 '21 at 19:11
  • @CarlZhao I don't recall any official document mentioning anything of the like, but please take a look at the following link, https://github.com/Azure/azure-cli/issues/7955#issuecomment-500265900 . Please also note that we are not using a web platform. – Mifla Mar 20 '21 at 02:06
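As an added example (not the question's code, and not from MSAL's or Pulumi's documentation), here is how the console client could look once the token is requested for a scope exposed by a separate API registration, with a cache-first acquisition and a sanity check on the token's audience and scope before it is sent. The client id, tenant id, API ids, scope name and function URL are all placeholders.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

static class ConsoleClient
{
    // Client-side registration (the one with "allowPublicClient": true). Placeholder GUIDs.
    const string ClientAppId = "00000000-0000-0000-0000-000000000001";
    const string TenantId    = "00000000-0000-0000-0000-000000000002";
    // API-side registration: its client id and its Application ID URI ("Expose an API"). Placeholders.
    const string ApiAppId    = "00000000-0000-0000-0000-000000000003";
    const string ApiIdUri    = "api://my-function-app";
    const string ScopeName   = "user_impersonation";
    // The scope is requested in full URI form: <Application ID URI>/<scope value>
    static readonly string[] Scopes = { ApiIdUri + "/" + ScopeName };

    static async Task<int> Main()
    {
        var publicClient = PublicClientApplicationBuilder
            .Create(ClientAppId)
            .WithAuthority("https://login.microsoftonline.com/" + TenantId)
            .WithRedirectUri("http://localhost")   // must match the client registration's redirect URI
            .Build();

        AuthenticationResult result;
        try
        {
            // Try the token cache first so the user is not prompted on every run
            var accounts = await publicClient.GetAccountsAsync();
            result = await publicClient.AcquireTokenSilent(Scopes, accounts.FirstOrDefault()).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // No cached token (or it needs re-consent): fall back to the interactive sign-in
            result = await publicClient.AcquireTokenInteractive(Scopes).ExecuteAsync();
        }

        // Do not send a token that was not issued for the API registration
        if (!TokenTargetsApi(result.AccessToken))
        {
            Console.Error.WriteLine("Token audience/scope does not match the API registration; not sending it.");
            return 1;
        }

        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        var response = await http.GetAsync("https://my-function-app.azurewebsites.net/api/hello"); // placeholder URL
        Console.WriteLine($"{(int)response.StatusCode} {response.ReasonPhrase}");
        return response.IsSuccessStatusCode ? 0 : 1;
    }

    // Reads aud and scp without validating the signature. This is only a client-side
    // consistency check; the function app must still validate the token it receives.
    static bool TokenTargetsApi(string jwt)
    {
        var token = new JwtSecurityTokenHandler().ReadJwtToken(jwt);
        // v1.0 tokens carry the Application ID URI as aud, v2.0 tokens carry the API's client id
        bool audienceOk = token.Audiences.Any(a => a == ApiIdUri || a == ApiAppId);
        string scp = token.Claims.FirstOrDefault(c => c.Type == "scp")?.Value ?? "";
        return audienceOk && scp.Split(' ').Contains(ScopeName);
    }
}
```

The packages assumed are Microsoft.Identity.Client and System.IdentityModel.Tokens.Jwt. The audience check is deliberately loose about token version because which `aud` value you get depends on the API registration's requested access token version; the server-side validation is where the authoritative check belongs.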

1 Answer


You don't need to set PublicClient to true because it applies to ROPC flow, Device Code Flow or Windows Integrated Auth flow as your screenshot shows.

But according to your code, I think you are not using any of the three auth flows.

You should create a new app registration which represents the API/server side (your Azure function app) and do "Expose an API".

Add the scope/permission (exposed by the API/server side) in your app registration which represents the client side (.NET console application).

To use PublicClientApplicationBuilder, you just need to modify "allowPublicClient": true in the manifest file of the app registration of the client side. Don't add any IdentifierUris or set the Application ID URI and the scope in the "Expose an API" section because this should be done in the app registration which represents the API/server side.
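The two-registration layout described in this answer, written as an added Pulumi C# example (not the asker's code and not from the Pulumi project). It assumes the newer pulumi-azuread schema (provider 5.x, matching the Terraform azuread 2.x resource shape), which differs from the older `PublicClient = true` / `ReplyUrls` properties used in the question; the names, the Application ID URI and the scope GUID are placeholders.

```csharp
using Pulumi;
using AzureAD = Pulumi.AzureAD;
using Pulumi.AzureAD.Inputs;

class ApiAndClientStack : Stack
{
    // Fixed, non-secret GUID for the exposed scope; the client registration refers to it by id. Placeholder.
    const string UserImpersonationScopeId = "11111111-1111-1111-1111-111111111111";
    // Application ID URI of the API registration. Placeholder; the question derives it from the function hostname.
    const string ApiIdUri = "api://func-api-placeholder";

    public ApiAndClientStack()
    {
        // 1. API-side registration: owns identifierUris and the exposed scope. No public-client settings here.
        var api = new AzureAD.Application("func-api", new AzureAD.ApplicationArgs
        {
            DisplayName = "func-api",
            SignInAudience = "AzureADMyOrg",
            IdentifierUris = { ApiIdUri },
            Api = new ApplicationApiArgs
            {
                RequestedAccessTokenVersion = 2,
                Oauth2PermissionScopes =
                {
                    new ApplicationApiOauth2PermissionScopeArgs
                    {
                        Id = UserImpersonationScopeId,
                        Value = "user_impersonation",
                        Type = "User",                // consentable by the signed-in user
                        Enabled = true,
                        AdminConsentDisplayName = "Access the function app",
                        AdminConsentDescription = "Allows the app to call the function app as the signed-in user.",
                        UserConsentDisplayName = "Access the function app on your behalf",
                        UserConsentDescription = "Allows the app to call the function app as you.",
                    }
                }
            }
        });

        // 2. Client-side registration: public client ("allowPublicClient": true in the manifest),
        //    no identifierUris, and a delegated permission request for the API's scope.
        var client = new AzureAD.Application("console-client", new AzureAD.ApplicationArgs
        {
            DisplayName = "console-client",
            SignInAudience = "AzureADMyOrg",
            FallbackPublicClientEnabled = true,        // maps to allowPublicClient
            PublicClient = new ApplicationPublicClientArgs
            {
                RedirectUris = { "http://localhost" }, // what the console app passes to WithRedirectUri
            },
            RequiredResourceAccesses =
            {
                new ApplicationRequiredResourceAccessArgs
                {
                    ResourceAppId = api.ApplicationId,   // client id of the API registration
                    ResourceAccesses =
                    {
                        new ApplicationRequiredResourceAccessResourceAccessArgs
                        {
                            Id = UserImpersonationScopeId,
                            Type = "Scope",               // delegated (not application) permission
                        }
                    }
                }
            }
        });

        // What the console app needs at run time: its own client id and the scope string to request.
        ClientId = client.ApplicationId;
        ScopeToRequest = Output.Create(ApiIdUri + "/user_impersonation");
    }

    [Output] public Output<string> ClientId { get; set; }
    [Output] public Output<string> ScopeToRequest { get; set; }
}
```

Run it with the usual `Deployment.RunAsync<ApiAndClientStack>()` entry point. The point of the split is that `identifierUris` and the exposed scope live only on the API registration, while the public-client setting lives only on the client registration, so the 400 from the question never arises; a user still has to consent to the delegated scope (or an admin grants it) before the token request succeeds.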

Allen Wu