3

I am working with an Azure Function that needs to authenticate into an API /APP Service with using JWT.

I have been looking around a LOT of examples and settled on this as being the most appropriate

public string GenerateToken()
{
    var credential = new Azure.Identity.DefaultAzureCredential();
    var token = credential.GetToken(new Azure.Core.TokenRequestContext(new[] { "https://management.azure.com/" }));
    return token.Token;
}

Example born from here https://learn.microsoft.com/en-us/dotnet/api/azure.core.tokencredential?view=azure-dotnet

I have also tried to use this https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-c

Looking here, this is similar to my issue, but because its not using Managed Identity the company I am working for say this is a no go. Create azure bearer token from azure function

I believe the problem is the scope, but I cannot find the right scope to get into my app service.

I have also tried api:// , the resource url and more

Any and all help gratefully received.

Simon Price
  • 3,011
  • 3
  • 34
  • 98
  • you need to check the app you re trying to get access to: what is the client_id or resource_uri define in the app registration. – Thomas Jul 16 '22 at 04:43
  • @Thomas the app registration is all set up that all fine, is there anything specific i need in program.cs when registering services? – Simon Price Jul 17 '22 at 12:42
  • 1
    the scope need to be whatever you define in your app registration as resource_uri or client_id – Thomas Jul 17 '22 at 20:56

1 Answers1

2

Azure AD allows you to use .default as your scope to retrieve all access a principal has been granted.

In your case you can go by api://<commonly-api-client-id-uuid>/.default This will retrieve a token with all the roles the managed identity principal of your azure function has been granted on the target API/App

Arturo Martinez
  • 3,737
  • 1
  • 22
  • 35