Integrating Auth0 with a .Net8 C# Azure Isolated Function app

I am trying to find a good example of how to integrate Auth0 with a .Net8 C# Azure Isolated function.
Being an isolated function, it cannot use MVC so most of the examples aren’t quite relevant. I use middleware and previously had this running with B2C which I am migrating from.
My application consists of a security nuget package which is configured by whatever API is hosting it and validates the token which is in the httpContext, creates a principle which it then enriches with user permissions from the database and then each function has attribute for security as per the following simple example

    public class GetUser
    {
        private readonly ILogger _logger;
        private readonly Security.Models.User.User _user;

        public GetUser(ILoggerFactory loggerFactory, IUserAccessor userAccessor)
        {
            _logger = loggerFactory.CreateLogger<GetUser>();
            _user = userAccessor.User;
        }

        [Secure(permissions: new[] { SecurityPermissions.RegisteredUser }, overridePermissions: null, userRequiredIfAvailable: true)]
        [HttpGet("api/v1/user")]
        [Function(nameof(GetUser))]
        public async Task<HttpResponseData> RunAsync([HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "user")] HttpRequestData req)
        {

            _logger.LogInformation("Dummy example of a function that should have a logged in registered user");

            var response = req.CreateResponse(HttpStatusCode.OK);
            await response.WriteAsJsonAsync(JsonConvert.SerializeObject(_user, Formatting.Indented));

            response.WriteString("logged in");

            return response;
        }
    }

The secure attribute is defined as :-1:

    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = false)]
    public class SecureAttribute : Attribute
    {
        public SecureAttribute(string[]? permissions, string[] overridePermissions, bool userRequiredIfAvailable)
        {
            Permissions = permissions ?? Array.Empty<string>();
            OverridePermissions = overridePermissions ?? Array.Empty<string>();
            UserRequiredIfAvailable = userRequiredIfAvailable;
        }

        /// <summary>
        /// A standard comma delimited list of permissions that can access this feature.  Users have to have at least one
        /// </summary>
        public string[]? Permissions { get; set; } = Array.Empty<string>();

        /// <summary>
        /// These permissions can be used to override the permissions on a function - typically admin functions
        /// </summary>
        public string[] OverridePermissions { get; set; } = Array.Empty<string>();

        /// <summary>
        /// Some functions may want to use a user if available but are also happy in anonymous mode e.g. from an automated process
        /// </summary>
        public bool UserRequiredIfAvailable { get; } = true;
    }

I have looked at the guides such as Auth0 ASP.NET Web API (OWIN) SDK Quickstarts: Add Authorization to an ASP.NET Owin Web API application and .NET 8: What’s New for Authentication and Authorization (auth0.com) but again that is not for isolated functions which are MS recommended approach as they automatically scale etc. That particular example is again MVC unfortunately. I don’t want to add mvc and darkloop as that seems to be a hack.

I have also added the code from Exploring the Auth0 ASP.NET Core Authentication SDK which seems great but it would be great if it showed you how to confirm things are set up and how to access the user info.

I have also updated the rules to give me back the email address in claims. Just don’t know how to validate and access the token.

Is there any examples the show me how in a .net8 isolated app, to accept the token, validate it, and extract the current principle user which I can then enhance in my api?

Thanks

bump to see if anyone has done this before?

DarkLoop is not a hack at all.

For in process uses a preview feature that doesn’t seem will ever get out of preview. But for Isolated with ASP.NET Core integration is only a middleware that relies on all the ASP.NET-Core infrastructure, which is already loaded by your application. DarkLoop uses all the authentication and authorization modules from ASP.NET-Core, meaning you have access to all policy based authorization infrastructure.
You are not loading MVC, you are only loading ASP.NET Core AuthNZ.

Auth0 SDK doesn’t use default Bearer and is already invoking AddAuthentication internally when referencing services.AddAuth0WebAppAuthentication(.... All you have to do now is to add the middleware.

var host = new HostBuilder()
    .ConfigureFunctionsWebApplication(builder =>
    {
        builder.UseFunctionsAuthorization();
    })
    .ConfigureServices(services =>
    {
        services.AddAuth0WebAppAuthentication(options =>
        {
            options. Domain = Configuration["Auth0:Domain"];
            options.ClientId = Configuration["Auth0:ClientId"];
            options. Organization = Configuration["Auth0:Organization"];
        });

        // optionally you can configure policies for fine-grained functions access
        services
            .AddFunctionsAuthorization(options =>
            {
                // Add your policies here
            });
    })
    .Build();

host. Run();

As you can see, DarkLoop is routing everything through ASP.NET-Core security modules. All it adds is the missing middleware for functions; you even use [Authorize] attribute from ASP.NET-Core. [FunctionAuthorize] was left only to make it easy for teams moving from In-Process to Isolated and not having to touch their code.

Give it a try you won’t be disappointed with the results.

thank you - I will try it. It would be nice if it could be officially adopted as it always worries me relying on 3rd parties for packages - particularly when it comes to security!