Support overrides of token issuer from environment variables

eng/Packages.Data.props

@@ -143,6 +143,8 @@
     <PackageReference Update="Microsoft.Identity.Client.Broker" Version="4.56.0" />
 
     <!-- TODO: Make sure this package is arch-board approved -->
+    <PackageReference Update="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.35.0" />
+    <PackageReference Update="Microsoft.IdentityModel.Tokens" Version="6.35.0" />
     <PackageReference Update="System.IdentityModel.Tokens.Jwt" Version="6.35.0" />
   </ItemGroup>
 

sdk/entra/Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents/api/Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents.netstandard2.0.cs

@@ -22,6 +22,7 @@ public partial class AuthenticationEventsTriggerAttribute : System.Attribute
     {
         public AuthenticationEventsTriggerAttribute() { }
         public string AudienceAppId { get { throw null; } set { } }
+        public string AuthorityUrl { get { throw null; } set { } }
         public string TenantId { get { throw null; } set { } }
     }
     public partial class AuthenticationEventWebJobsStartup : Microsoft.Azure.WebJobs.Hosting.IWebJobsStartup

sdk/entra/Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents/src/AuthenticationEventBinding.cs

@@ -94,7 +94,7 @@
                     throw new NotSupportedException(AuthenticationEventResource.Ex_Invalid_Inbound);
                 }
 
-                Dictionary<string, string> Claims = await GetClaimsAndValidateRequest(request).ConfigureAwait(false);
+                Dictionary<string, string> Claims = GetClaimsAndValidateRequest(request);
                 string payload = await request.Content.ReadAsStringAsync().ConfigureAwait(false);
                 AuthenticationEventMetadata eventMetadata = GetEventAndValidateSchema(payload);
 
@@ -216,19 +216,19 @@
         #endregion
 
         #region Validators
-        private async Task<Dictionary<string, string>> GetClaimsAndValidateRequest(HttpRequestMessage requestMessage)
+        private Dictionary<string, string> GetClaimsAndValidateRequest(HttpRequestMessage requestMessage)
         {
             ConfigurationManager configurationManager = new ConfigurationManager(_authEventTriggerAttr);
-            if (ConfigurationManager.BypassValidation)
+            if (configurationManager.BypassValidation)
             {
                 return null;
             }
 
-            TokenValidator validator = ConfigurationManager.EZAuthEnabled && requestMessage.Headers.Matches(ConfigurationManager.HEADER_EZAUTH_ICP, ConfigurationManager.HEADER_EZAUTH_ICP_VERIFY) ?
-                (TokenValidator)new TokenValidatorEZAuth() :
+            TokenValidator validator = configurationManager.EZAuthEnabled && requestMessage.Headers.Matches(ConfigurationManager.HEADER_EZAUTH_ICP, ConfigurationManager.HEADER_EZAUTH_ICP_VERIFY) ?
+                new TokenValidatorEZAuth() :
                 new TokenValidatorInternal();
 
-            (bool valid, Dictionary<string, string> claims) = await validator.GetClaimsAndValidate(requestMessage, configurationManager).ConfigureAwait(false);
+            (bool valid, Dictionary<string, string> claims) = validator.ValidateAndGetClaims(requestMessage, configurationManager);
             if (valid)
             {
                 return claims;

sdk/entra/Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents/src/AuthenticationEventResource.resx

@@ -204,8 +204,14 @@
   <data name="Ex_Token_Version" xml:space="preserve">
     <value>Invalid token version {0}, supported versions are: {1}</value>
   </data>
-  <data name="Ex_Trigger_Required_Attrs" xml:space="preserve">
-    <value>Please supply both the TenantId and AudienceAppId in variables in your binding configuration. (Or app settings {0} and {1})</value>
+  <data name="Ex_Trigger_ApplicationId_Required" xml:space="preserve">
+    <value>Please supply the ApplicationId {0} in variables in your binding configuration.</value>
+  </data>
+  <data name="Ex_Trigger_AuthorityUrl_Required" xml:space="preserve">
+    <value>Please supply the Authority URL {0} in variables in your binding configuration.</value>
+  </data>
+  <data name="Ex_Trigger_AuthorizedPartyApplicationId_Required" xml:space="preserve">
+    <value>Please supply the AuthorizedPartyApplicationId {0} in variables in your binding configuration.</value>
   </data>
   <data name="Log_EventHandler_Url" xml:space="preserve">
     <value>Listener registered at: {0}</value>

sdk/entra/Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents/src/AuthenticationEventsTriggerAttribute.cs

@@ -19,14 +19,19 @@ public AuthenticationEventsTriggerAttribute()
         {
         }
 
-        /// <summary>Gets or sets the tenant identifier.</summary>
-        /// <value>The tenant identifier.</value>
-        public string TenantId { get; set; }
+        /// <summary>Gets or sets the Authorized Party application identifier.</summary>
+        /// <value>The app id would default to public cloud id</value>
+        public string AuthorizedPartyAppId { get; set; } = "99045fe1-7639-4a75-9d4a-577b6ca3810f";
 
         /// <summary>Gets or sets the audience application identifier.</summary>
         /// <value>The audience application identifier.</value>
         public string AudienceAppId { get; set; }
 
+        /// <summary>
+        /// The authority is a URL that indicates the directory where the token came from
+        /// </summary>
+        public string AuthorityUrl { get; set; }
+
         internal bool IsParameterString { get; set; } = true;
     }
 }

sdk/entra/Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents/src/ConfigurationManager.cs

@@ -2,77 +2,167 @@
 // Licensed under the MIT License.
 
 using System;
-using System.Collections.Generic;
 using System.Globalization;
-using System.Linq;
+
+using Microsoft.IdentityModel.JsonWebTokens;
 
 namespace Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents
 {
+    /// <summary>
+    /// Configuration manager for loading up token validations.
+    /// </summary>
     internal class ConfigurationManager
     {
-        public static Dictionary<string, ServiceInfo> SERVICES = new Dictionary<string, ServiceInfo>()
-        {
-            { "99045fe1-7639-4a75-9d4a-577b6ca3810f", new ServiceInfo("https://login.microsoftonline.com","https://sts.windows.net/{0}/","https://login.microsoftonline.com/{0}/v2.0"){DefaultService=true } } //Public cloud
-        };
-
-        private const string BYPASS_VALIDATION = "AuthenticationEvents__BypassTokenValidation";
-        private const string CUSTOM_CALLER_APPID = "AuthenticationEvents__CustomCallerAppId";
-        internal const string TENANT_ID = "AuthenticationEvents__TenantId";
-        internal const string AUDIENCE_APPID = "AuthenticationEvents__AudienceAppId";
-        internal const string TOKEN_V1_VERIFY = "appid";
-        internal const string TOKEN_V2_VERIFY = "azp";
+        private const string OpenIdConfigurationPath = "/.well-known/openid-configuration";
+        private const string OpenIdConfigurationPathV2 = "/v2.0/.well-known/openid-configuration";
+
+        private const string AuthorityUrlKey = "AuthenticationEvents__AuthorityUrl";
+        private const string AuthorizedPartyAppIdKey = "AuthenticationEvents__AuthorizedPartyAppId";
+        private const string AudienceAppIdKey = "AuthenticationEvents__AudienceAppId";
+
         private const string EZAUTH_ENABLED = "WEBSITE_AUTH_ENABLED";
+        private const string BYPASS_VALIDATION_KEY = "AuthenticationEvents__BypassTokenValidation";
+
+        internal const string AppIdKey = "appid";
+        internal const string AzpKey = "azp";
+
         internal const string HEADER_EZAUTH_ICP = "X-MS-CLIENT-PRINCIPAL-IDP";
         internal const string HEADER_EZAUTH_ICP_VERIFY = "aad";
         internal const string HEADER_EZAUTH_PRINCIPAL = "X-MS-CLIENT-PRINCIPAL";
 
+        /// <summary>
+        /// Annotation for the trigger attribute.
+        /// </summary>
         private readonly AuthenticationEventsTriggerAttribute triggerAttribute;
+
         internal ConfigurationManager(AuthenticationEventsTriggerAttribute triggerAttribute)
         {
             this.triggerAttribute = triggerAttribute;
         }
 
-        internal static bool BypassValidation => GetConfigValue(BYPASS_VALIDATION, false);
-        internal static bool EZAuthEnabled => GetConfigValue(EZAUTH_ENABLED, false);
-        internal static string CallerAppId => GetConfigValue(CUSTOM_CALLER_APPID, null);
-        internal string TenantId => GetConfigValue(TENANT_ID, triggerAttribute.TenantId);
-        internal string AudienceAppId => GetConfigValue(AUDIENCE_APPID, triggerAttribute.AudienceAppId);
-
-        internal static bool GetService(string serviceId, out ServiceInfo serviceInfo)
+        /// <summary>
+        /// Get the audience app id from the environment variable or use the default value from the trigger attribute.
+        /// REQUIRED FEILD
+        /// </summary>
+        internal string AudienceAppId
         {
-            serviceInfo = null;
-            if (serviceId is null)
+            get
             {
-                throw new ArgumentNullException(nameof(serviceId));
-            }
+                string value = GetConfigValue(AudienceAppIdKey, triggerAttribute?.AudienceAppId);
 
-            if (CallerAppId != null && serviceId.Equals(CallerAppId))
-            {
-                serviceInfo = SERVICES.Values.FirstOrDefault(x => x.DefaultService);
+                if (string.IsNullOrEmpty(value))
+                {
+                    throw new MissingFieldException(
+                        string.Format(
+                            provider: CultureInfo.CurrentCulture,
+                            format: AuthenticationEventResource.Ex_Trigger_ApplicationId_Required,
+                            arg0: AudienceAppIdKey));
+                }
+
+                return value;
             }
-            else if (SERVICES.ContainsKey(serviceId))
+        }
+
+        /// <summary>
+        /// Get the OpenId connection host from the environment variable or use the default value.
+        /// REQUIRD FEILD
+        /// </summary>
+        internal string AuthorityUrl
+        {
+            get
             {
-                serviceInfo = SERVICES[serviceId];
-            }
+                string value = GetConfigValue(AuthorityUrlKey, triggerAttribute?.AuthorityUrl);
 
-            return serviceInfo != null;
+                if (string.IsNullOrEmpty(value))
+                {
+                    throw new MissingFieldException(
+                        string.Format(
+                            provider: CultureInfo.CurrentCulture,
+                            format: AuthenticationEventResource.Ex_Trigger_AuthorityUrl_Required,
+                            arg0: AuthorityUrlKey));
+                }
+
+                return value;
+            }
         }
 
-        internal static bool VerifyServiceId(string testId)
+        /// <summary>
+        /// Get the OpenId connection host from the environment variable or use the default value.
+        /// OPTIONAL FEILD, defaults to public cloud id.
+        /// </summary>
+        internal string AuthorizedPartyAppId
         {
-            return GetService(testId, out _);
+            get
+            {
+                string value = GetConfigValue(AuthorizedPartyAppIdKey, triggerAttribute?.AuthorizedPartyAppId);
+
+                if (string.IsNullOrEmpty(value))
+                {
+                    throw new MissingFieldException(
+                        string.Format(
+                            provider: CultureInfo.CurrentCulture,
+                            format: AuthenticationEventResource.Ex_Trigger_AuthorizedPartyApplicationId_Required,
+                            arg0: AuthorizedPartyAppIdKey));
+                }
+
+                return value;
+            }
         }
 
+        /// <summary>
+        /// If we should bypass the token validation.
+        /// Use only for testing and development.
+        /// </summary>
+        internal bool BypassValidation => GetConfigValue(BYPASS_VALIDATION_KEY, false);
+
+        /// <summary>
+        /// If the EZAuth is enabled.
+        /// </summary>
+        internal bool EZAuthEnabled => GetConfigValue(EZAUTH_ENABLED, false);
+
+        /// <summary>
+        /// Get config value from environment variable or use the default value.
+        /// </summary>
+        /// <param name="environmentVariable">Definied Azure function application settings</param>
+        /// <param name="defaultValue">Default value, most likely from auth trigger anotation</param>
+        /// <returns></returns>
         private static string GetConfigValue(string environmentVariable, string defaultValue)
         {
             return Environment.GetEnvironmentVariable(environmentVariable) ?? defaultValue;
         }
 
         private static T GetConfigValue<T>(string environmentVariable, T defaultValue) where T : struct
         {
-            return Environment.GetEnvironmentVariable(environmentVariable) == null ?
+            string value = GetConfigValue(environmentVariable, null);
+
+            return value == null ?
                 defaultValue :
-                (T)Convert.ChangeType(Environment.GetEnvironmentVariable(environmentVariable), typeof(T), CultureInfo.CurrentCulture);
+                (T)Convert.ChangeType(
+                    value: Environment.GetEnvironmentVariable(environmentVariable),
+                    conversionType: typeof(T),
+                    provider: CultureInfo.CurrentCulture);
+        }
+
+        /// <summary>
+        /// Get the issuer string based on the token schema version.
+        /// </summary>
+        /// <param name="tokenSchemaVersion">v2 will return v2 odic url, v1 will return v1</param>
+        /// <returns></returns>
+        internal string GetOpenIDConfigurationUrlString(SupportedTokenSchemaVersions tokenSchemaVersion)
+        {
+            return tokenSchemaVersion == SupportedTokenSchemaVersions.V2_0 ?
+                AuthorityUrl + OpenIdConfigurationPathV2 :
+                AuthorityUrl + OpenIdConfigurationPath;
+        }
+
+        /// <summary>
+        /// Validate the authorization party is accurate to the one in configuration.
+        /// </summary>
+        /// <param name="authoizedPartyValueFromTokenOrHeader">The value from either the token or the header.</param>
+        /// <returns>True if azp/appid value matches the configured value.</returns>
+        internal bool ValidateAuthorizationParty(string authoizedPartyValueFromTokenOrHeader)
+        {
+            return  AuthorizedPartyAppId.EqualsOic(authoizedPartyValueFromTokenOrHeader);
         }
     }
 }

sdk/entra/Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents/src/Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents.csproj

@@ -9,6 +9,8 @@
 	<ItemGroup>
 		<PackageReference Include="Microsoft.Azure.WebJobs" />
 		<PackageReference Include="Microsoft.AspNetCore.Http" />
+		<PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect"/>
+		<PackageReference Include="Microsoft.IdentityModel.Tokens"/>
 		<PackageReference Include="System.IdentityModel.Tokens.Jwt" />
 	</ItemGroup>
 

sdk/entra/Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents/src/SupportedTokenSchemaVersions.cs

@@ -9,8 +9,11 @@ namespace Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents
     internal enum SupportedTokenSchemaVersions
     {
         /// <summary>Version 1.</summary>
-        [Description("1.0")] V1_0,
+        [Description("1.0")]
+        V1_0,
+
         /// <summary>Version 2.</summary>
-        [Description("2.0")] V2_0
+        [Description("2.0")]
+        V2_0
     }
 }

sdk/entra/Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents/src/TokenValidator.cs

@@ -9,6 +9,6 @@ namespace Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents
 {
     internal abstract class TokenValidator
     {
-        internal abstract Task<(bool Valid, Dictionary<string, string> Claims)> GetClaimsAndValidate(HttpRequestMessage request, ConfigurationManager configurationManager);
+        internal abstract Task<(bool Valid, Dictionary<string, string> Claims)> ValidateAndGetClaims(HttpRequestMessage request, ConfigurationManager configurationManager);
     }
 }