I am trying to find a good example of how to integrate Auth0 with a .Net8 C# Azure Isolated function.
Being an isolated function, it cannot use MVC so most of the examples aren’t quite relevant. I use middleware and previously had this running with B2C which I am migrating from.
My application consists of a security nuget package which is configured by whatever API is hosting it and validates the token which is in the httpContext, creates a principle which it then enriches with user permissions from the database and then each function has attribute for security as per the following simple example
public class GetUser
{
private readonly ILogger _logger;
private readonly Security.Models.User.User _user;
public GetUser(ILoggerFactory loggerFactory, IUserAccessor userAccessor)
{
_logger = loggerFactory.CreateLogger<GetUser>();
_user = userAccessor.User;
}
[Secure(permissions: new[] { SecurityPermissions.RegisteredUser }, overridePermissions: null, userRequiredIfAvailable: true)]
[HttpGet("api/v1/user")]
[Function(nameof(GetUser))]
public async Task<HttpResponseData> RunAsync([HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "user")] HttpRequestData req)
{
_logger.LogInformation("Dummy example of a function that should have a logged in registered user");
var response = req.CreateResponse(HttpStatusCode.OK);
await response.WriteAsJsonAsync(JsonConvert.SerializeObject(_user, Formatting.Indented));
response.WriteString("logged in");
return response;
}
}
The secure attribute is defined as
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = false)]
public class SecureAttribute : Attribute
{
public SecureAttribute(string[]? permissions, string[] overridePermissions, bool userRequiredIfAvailable)
{
Permissions = permissions ?? Array.Empty<string>();
OverridePermissions = overridePermissions ?? Array.Empty<string>();
UserRequiredIfAvailable = userRequiredIfAvailable;
}
/// <summary>
/// A standard comma delimited list of permissions that can access this feature. Users have to have at least one
/// </summary>
public string[]? Permissions { get; set; } = Array.Empty<string>();
/// <summary>
/// These permissions can be used to override the permissions on a function - typically admin functions
/// </summary>
public string[] OverridePermissions { get; set; } = Array.Empty<string>();
/// <summary>
/// Some functions may want to use a user if available but are also happy in anonymous mode e.g. from an automated process
/// </summary>
public bool UserRequiredIfAvailable { get; } = true;
}
I have looked at the guides such as Auth0 ASP.NET Web API (OWIN) SDK Quickstarts: Add Authorization to an ASP.NET Owin Web API application and .NET 8: What’s New for Authentication and Authorization (auth0.com) but again that is not for isolated functions which are MS recommended approach as they automatically scale etc. That particular example is again MVC unfortunately. I don’t want to add mvc and darkloop as that seems to be a hack.
I have also added the code from Exploring the Auth0 ASP.NET Core Authentication SDK which seems great but it would be great if it showed you how to confirm things are set up and how to access the user info.
I have also updated the rules to give me back the email address in claims. Just don’t know how to validate and access the token.
Is there any examples the show me how in a .net8 isolated app, to accept the token, validate it, and extract the current principle user which I can then enhance in my api?
Thanks