EasyAuth broken – Cannot add "loginParameters" (except for provider "aad")
The current implementation of EasyAuth on Azure Functions is broken. It is not possible to add loginParameters to the configuration for identity providers (except for Microsoft / "azureActiveDirectory").
Controlling the additional query parameters for the OAuth authentication flows is extremely important when creating great user experiences. In our case we need to add prompt=select_account such that the user is always prompted to select the correct Microsoft or Google account (when the user has multiple Microsoft/Google accounts, e.g. work and personal).
This can be done for Microsoft ("azureActiveDirectory") by adding the query parameters under loginParameters in Resource Explorer: https://resources.azure.com/subscriptions/{{subscription}}/resourceGroups/{{resource-group}}/providers/Microsoft.Web/sites/{{func-name}}/config/authsettingsV2/list
  "identityProviders": {
    "azureActiveDirectory": {
      "enabled": true,
      "registration": {
        "openIdIssuer": "...",
        "clientId": "...",
        "clientSecretSettingName": "..."
      },
      "login": {
        "loginParameters": [
          "prompt=select_account"
        ]
      }
    },
    ...
  }
This works as expected. However, it does not work for "google" (or the other built-in providers). Trying to add loginParameters under "google" is rejected by Resource Explorer:
  "identityProviders": {
    ...
    "google": {
      "enabled": true,
      "registration": {
        "clientId": "...",
        "clientSecretSettingName": "..."
      },
      "login": {
        "loginParameters": [
          "prompt=select_account"
        ]
      }
    },
    ...
  }
The Resource Explorer simply strips the parameter and the result is:
  "identityProviders": {
    ...
    "google": {
      "enabled": true,
      "registration": {
        "clientId": "...",
        "clientSecretSettingName": "..."
      },
      "login": {}
    },
    ...
  }
I have even tried to add Google as a custom OpenID provider and then tried to set "loginParameters":
  "identityProviders": {
    ...
    "customOpenIdConnectProviders": {
      "google2": {
        "registration": {
          "clientId": "...",
          "clientCredential": {
            "clientSecretSettingName": "..."
          },
          "openIdConnectConfiguration": {
            "wellKnownOpenIdConfiguration": "https://accounts.google.com/.well-known/openid-configuration"
          }
        },
        "login": {
          "loginParameters": [
            "prompt=select_account"
          ]
        }
      }
    },
    ...
  }
But this is also rejected by Resource Explorer.
I have even tried the badly named loginParameterNames parameter that is used when configuring custom authentication for Static Web Apps (https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-authentication-in-azure-static-app#31-add-an-openid-connect-identity-provider). This works for SWA (when configured by staticwebapp.config.json). But this badly named parameter (loginParameterNames) is also rejected by the Resource Explorer for Azure Functions.
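As an added check that is not part of this issue or of Azure's own tooling: given the authsettingsV2 body you submitted and the body the service hands back (both constructed here from the snippets above), the script reports which identity providers silently lost their loginParameters, so the stripping described above shows up as a diff after the write instead of being discovered at login time.

```python
import copy

# Constructed sample of the authsettingsV2 body submitted via Resource Explorer,
# mirroring the issue: loginParameters requested for both built-in providers.
REQUESTED = {
    "identityProviders": {
        "azureActiveDirectory": {
            "enabled": True,
            "registration": {"openIdIssuer": "...", "clientId": "...",
                             "clientSecretSettingName": "..."},
            "login": {"loginParameters": ["prompt=select_account"]},
        },
        "google": {
            "enabled": True,
            "registration": {"clientId": "...", "clientSecretSettingName": "..."},
            "login": {"loginParameters": ["prompt=select_account"]},
        },
    }
}

# Constructed sample of what the service returned: the "google" block lost its
# loginParameters silently, which is the behaviour the issue reports.
RETURNED = copy.deepcopy(REQUESTED)
RETURNED["identityProviders"]["google"]["login"] = {}


def login_parameters(settings):
    """Map each identity provider (built-in and custom OIDC) to its loginParameters."""
    params = {}
    for name, cfg in settings.get("identityProviders", {}).items():
        if name == "customOpenIdConnectProviders":
            for cname, ccfg in cfg.items():
                params["custom:" + cname] = list(ccfg.get("login", {}).get("loginParameters", []))
        else:
            params[name] = list(cfg.get("login", {}).get("loginParameters", []))
    return params


def dropped_login_parameters(requested, returned):
    """Return {provider: [parameters that were requested but did not survive the write]}."""
    wanted, got = login_parameters(requested), login_parameters(returned)
    dropped = {}
    for provider, plist in wanted.items():
        missing = [p for p in plist if p not in got.get(provider, [])]
        if missing:
            dropped[provider] = missing
    return dropped


if __name__ == "__main__":
    print(dropped_login_parameters(REQUESTED, RETURNED))
```

Run it against the real GET response after a PUT to authsettingsV2; an empty result means every requested parameter was kept.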
@cr3wdayt5p we will check this issue with our next level team and update you.
@Hamster-Huey Could you please have a look and help with the above issue.
@Hamster-Huey do you have any inputs here?
Any updates on this?
I too need to be able to force the select account screen from my static web app.
I've added my feature request here: https://github.com/Azure/static-web-apps/issues/1079
Hi, is there any update on the issue? I also want to use loginParameters for the scope offline_access to get the refresh token. I set up Azure B2C as a custom provider but need to get the refresh token to make full use of Easy Auth on my Azure Function. Without the scope offline_access I do not get a refresh token :-( For any help I would be more than appreciative. The main goal is that I am providing an API and want to outsource the token handling to the Azure Function.
@Hamster-Huey @ramya894 Any updates on this? It has now been a year...