DurableFunctionsMonitor icon indicating copy to clipboard operation
DurableFunctionsMonitor copied to clipboard
verified publisher icon microsoft

Authentication Question

Open ParagKale-SSE opened this issue 8 months ago • 2 comments

Hi,

I have a function app in my environment where the authentication is not set via portal. The HTTP triggered functions use function key for security and we are using the tool in injected more where durable function monitor functions are there along side the application functions in the same function app.

We don't want to set up authentication with in the portal which will cover all the functions under its scope.

Is there a way to authenticate durable functions monitor considering below things

  • We want to use the same function app for our application functions and the durable functions monitor functions
  • We don't want to set up authentication using easy auth, so don't want to set up authentication from with in portal

ParagKale-SSE avatar Apr 28 '25 18:04 ParagKale-SSE

I went through the code and set these 2 environment variables , but still I get an error

WEBSITE_AUTH_OPENID_ISSUER WEBSITE_AUTH_CLIENT_ID

I get the error "Login Failed. Failed to load auth config. Request failed with status code 401"

ParagKale-SSE avatar Apr 28 '25 20:04 ParagKale-SSE

Is there a way to authenticate durable functions monitor considering below things

We want to use the same function app for our application functions and the durable functions monitor functions We don't want to set up authentication using easy auth, so don't want to set up authentication from with in portal

Using both function keys and Easy Auth within the same Function App instance is not supported. Also, DfMon does not support function keys. So your options are:

  1. Run a standalone instance of DfMon, pointed to your task hub(s). You can run that DfMon instance in the same App Service Plan with your main Function App - that would eliminate cost concerns (if any).
  2. Use DfMon as VsCode extension.

scale-tone avatar Apr 29 '25 11:04 scale-tone

Since this issue is still open - I'm currently experimenting with injecting a custom authorization middleware before DFM, and leaving DFM's built-in authorization turned off completely. @scale-tone do you think this is a viable solution?

BalassaMarton avatar Dec 04 '25 16:12 BalassaMarton

Hi @BalassaMarton , DfMon is a set of "classic" HTTP-triggered functions, so I'd say it depends on what kind of middleware that is. If it's like this (Functions middleware) - then it should cover DfMon's endpoints. If it's like this (Asp.Net Core Integration middleware) - then most likely not.

scale-tone avatar Dec 05 '25 00:12 scale-tone

Both links point to the same page. I'm trying to intercept by implementing IFunctionsWorkerMiddleware. I'll let me know how that works out.

BalassaMarton avatar Dec 05 '25 10:12 BalassaMarton

Both links point to the same page.

Not the same page. Code is similar, but one is for Functions, another is for Asp.Net Core Integration.

Come to think of it, I believe both cases can be handled in one middleware. Just DfMon's functions would not have HttpContext (functionContext.GetHttpContext() would return null).

scale-tone avatar Dec 05 '25 11:12 scale-tone