Support overrides of token issuer from environment variables (#41945)

eng/Packages.Data.props

@@ -143,6 +143,8 @@
     <PackageReference Update="Microsoft.Identity.Client.Broker" Version="4.56.0" />
 
     <!-- TODO: Make sure this package is arch-board approved -->
+    <PackageReference Update="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.35.0" />
+    <PackageReference Update="Microsoft.IdentityModel.Tokens" Version="6.35.0" />
     <PackageReference Update="System.IdentityModel.Tokens.Jwt" Version="6.35.0" />
   </ItemGroup>
 

sdk/entra/Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents/CHANGELOG.md

@@ -4,12 +4,20 @@
 
 ### Features Added
 
+- Updated token internal validation to utlizie Microsoft.IdentityModel.Protocols.OpenIdConnect to get OIDC configuration.
+
 ### Breaking Changes
 
+- Removing 'TeantId' from the AuthenticationEventTrigger Attribute API configuration
+- Adding 'AuthorizedPartyAppId', 'AuthorityUrl' to the AuthenticationEventTrigger Attribute API configuration
+- Adding 'AuthenticationEvents__ShowPIIDataInLogsKey` (defaults to true) to configuration manager for logging PIIData in logs
+
 ### Bugs Fixed
 
 ### Other Changes
 
+- Cleaned out unused methods.
+
 ## 1.0.0-beta.5 (2023-12-07)
 
 ### Bugs Fixed

sdk/entra/Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents/api/Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents.netstandard2.0.cs

@@ -22,7 +22,8 @@ public partial class AuthenticationEventsTriggerAttribute : System.Attribute
     {
         public AuthenticationEventsTriggerAttribute() { }
         public string AudienceAppId { get { throw null; } set { } }
-        public string TenantId { get { throw null; } set { } }
+        public string AuthorityUrl { get { throw null; } set { } }
+        public string AuthorizedPartyAppId { get { throw null; } set { } }
     }
     public partial class AuthenticationEventWebJobsStartup : Microsoft.Azure.WebJobs.Hosting.IWebJobsStartup
     {

sdk/entra/Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents/src/AuthenticationEventBinding.cs

@@ -12,12 +12,16 @@
 using System.Text.Json;
 using System.Threading;
 using System.Threading.Tasks;
+
 using Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents.Framework;
 using Microsoft.Azure.WebJobs.Host.Bindings;
 using Microsoft.Azure.WebJobs.Host.Listeners;
 using Microsoft.Azure.WebJobs.Host.Protocols;
 using Microsoft.Azure.WebJobs.Host.Triggers;
+using Microsoft.Extensions.Logging;
+
 using static Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents.Framework.EmptyResponse;
+
 using AuthenticationEventMetadata = Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents.Framework.AuthenticationEventMetadata;
 
 namespace Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents
@@ -195,7 +199,12 @@ private AuthenticationEventRequestBase GetRequestForEvent(HttpRequestMessage req
             }
             else if (requestEvent.GetType() != _parameterInfo.ParameterType && ex == null && _parameterInfo.ParameterType != typeof(string))
             {
-                throw new Exception(string.Format(CultureInfo.CurrentCulture, AuthenticationEventResource.Ex_Parm_Mismatch, requestEvent.GetType(), _parameterInfo.ParameterType));
+                throw new Exception(
+                    string.Format(
+                        provider: CultureInfo.CurrentCulture,
+                        format: AuthenticationEventResource.Ex_Parm_Mismatch,
+                        arg0: requestEvent.GetType(),
+                        arg1: _parameterInfo.ParameterType));
             }
 
             requestEvent.StatusMessage = ex == null ? AuthenticationEventResource.Status_Good : ex.Message;
@@ -224,18 +233,16 @@ private async Task<Dictionary<string, string>> GetClaimsAndValidateRequest(HttpR
                 return null;
             }
 
-            TokenValidator validator = ConfigurationManager.EZAuthEnabled && requestMessage.Headers.Matches(ConfigurationManager.HEADER_EZAUTH_ICP, ConfigurationManager.HEADER_EZAUTH_ICP_VERIFY) ?
-                (TokenValidator)new TokenValidatorEZAuth() :
-                new TokenValidatorInternal();
+            TokenValidator validator = TokenValidatorHelper.IsEzAuthValid(requestMessage.Headers) ? new TokenValidatorEZAuth() : new TokenValidatorInternal();
 
-            (bool valid, Dictionary<string, string> claims) = await validator.GetClaimsAndValidate(requestMessage, configurationManager).ConfigureAwait(false);
-            if (valid)
+            try
             {
-                return claims;
+                return await validator.ValidateAndGetClaims(requestMessage, configurationManager).ConfigureAwait(false);
             }
-            else
+            catch (Exception exceptionIfFailed)
             {
-                throw new UnauthorizedAccessException();
+                _configuration.Log(exceptionIfFailed.Message, logLevel: LogLevel.Error);
+                throw;
             }
         }
 

sdk/entra/Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents/src/AuthenticationEventConfigProvider.cs

@@ -1,10 +1,6 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-using Microsoft.Azure.WebJobs.Description;
-using Microsoft.Azure.WebJobs.Host.Config;
-using Microsoft.Azure.WebJobs.Host.Executors;
-using Microsoft.Extensions.Logging;
 using System;
 using System.Collections.Generic;
 using System.Collections.Specialized;
@@ -15,6 +11,11 @@
 using System.Threading.Tasks;
 using System.Web;
 
+using Microsoft.Azure.WebJobs.Description;
+using Microsoft.Azure.WebJobs.Host.Config;
+using Microsoft.Azure.WebJobs.Host.Executors;
+using Microsoft.Extensions.Logging;
+
 namespace Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents
 {
     /// <summary>The main configuration provider, this also handles the initial HTTP requests and response via IAsyncConverter.</summary>
@@ -46,13 +47,12 @@ public void Initialize(ExtensionConfigContext context)
                     .BindToTrigger(new AuthenticationEventBindingProvider(this));
 
             _base_uri = context.GetWebhookHandler();
-            //LogInformation(string.Format(AuthenticationEventResource.Log_EventHandler_Url, Uri));
         }
 
-        internal void LogInformation(string message)
+        internal void Log(string message, LogLevel logLevel = LogLevel.Information, params object[] args)
         {
             Console.WriteLine(message);
-            _logger.LogInformation(message);
+            _logger.Log(logLevel, message, args);
         }
 
         internal void DisplayAzureFunctionInfoToConsole(string functionName)

sdk/entra/Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents/src/AuthenticationEventResource.resx

@@ -138,6 +138,9 @@
   <data name="Ex_Invalid_Action" xml:space="preserve">
     <value>The action '{0}' is invalid, please use one of the following actions: '{1}'</value>
   </data>
+  <data name="Ex_Invalid_AuthorizedPartyApplicationId" xml:space="preserve">
+    <value>Authorized Party Application ID '{0}' from token does match Authentication Event Trigger configuration AuthorizedPartyAppId '{1}'.</value>
+  </data>
   <data name="Ex_Invalid_Event" xml:space="preserve">
     <value>Invalid event type.</value>
   </data>
@@ -159,6 +162,9 @@
   <data name="Ex_Invalid_JsonPayload" xml:space="preserve">
     <value>Invalid Json Payload</value>
   </data>
+  <data name="Ex_Invalid_OIDC" xml:space="preserve">
+    <value>Not able to retrive Open ID Configuration with configured Authority URL '{0}'. Please verify Authority URL.</value>
+  </data>
   <data name="Ex_Invalid_Response" xml:space="preserve">
     <value>Response validation failed, see inner exceptions.</value>
   </data>
@@ -168,6 +174,9 @@
   <data name="Ex_Invalid_SchemaVersion" xml:space="preserve">
     <value>Invalid version on Schema</value>
   </data>
+  <data name="Ex_Invalid_Token" xml:space="preserve">
+    <value>No Access Token in request found.</value>
+  </data>
   <data name="Ex_Leg_payload" xml:space="preserve">
     <value>Cannot assign legacy payload to cloud events.</value>
   </data>
@@ -204,8 +213,14 @@
   <data name="Ex_Token_Version" xml:space="preserve">
     <value>Invalid token version {0}, supported versions are: {1}</value>
   </data>
-  <data name="Ex_Trigger_Required_Attrs" xml:space="preserve">
-    <value>Please supply both the TenantId and AudienceAppId in variables in your binding configuration. (Or app settings {0} and {1})</value>
+  <data name="Ex_Trigger_ApplicationId_Required" xml:space="preserve">
+    <value>Please supply the ApplicationId {0} in variables in your binding configuration.</value>
+  </data>
+  <data name="Ex_Trigger_AuthorityUrl_Required" xml:space="preserve">
+    <value>Please supply the Authority URL {0} in variables in your binding configuration.</value>
+  </data>
+  <data name="Ex_Trigger_AuthorizedPartyApplicationId_Required" xml:space="preserve">
+    <value>Please supply the AuthorizedPartyApplicationId {0} in variables in your binding configuration.</value>
   </data>
   <data name="Log_EventHandler_Url" xml:space="preserve">
     <value>Listener registered at: {0}</value>

sdk/entra/Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents/src/AuthenticationEventsTriggerAttribute.cs

@@ -19,14 +19,19 @@ public AuthenticationEventsTriggerAttribute()
         {
         }
 
-        /// <summary>Gets or sets the tenant identifier.</summary>
-        /// <value>The tenant identifier.</value>
-        public string TenantId { get; set; }
+        /// <summary>Gets or sets the Authorized Party application identifier.</summary>
+        /// <value>The app id would default to public cloud id</value>
+        public string AuthorizedPartyAppId { get; set; } = "99045fe1-7639-4a75-9d4a-577b6ca3810f";
 
         /// <summary>Gets or sets the audience application identifier.</summary>
         /// <value>The audience application identifier.</value>
         public string AudienceAppId { get; set; }
 
+        /// <summary>
+        /// The authority is a URL that indicates the directory where the token came from
+        /// </summary>
+        public string AuthorityUrl { get; set; }
+
         internal bool IsParameterString { get; set; } = true;
     }
 }