
Implement auth code flow for the custom endpoint

Open ParagKale-SSE opened this issue 8 months ago • 3 comments

Hi,

I implemented a custom endpoint for the durable functions monitor as explained below

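```csharp
using System.Threading.Tasks;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Azure.Functions.Worker.Http;
using Microsoft.Extensions.Logging;

namespace DurableFunctionsMonitor.DotNetIsolated
{
    public class MyCustomDfMonEndpoint : ServeStatics
    {
        public MyCustomDfMonEndpoint(DfmSettings dfmSettings, DfmExtensionPoints extensionPoints, ILoggerFactory loggerFactory)
            : base(dfmSettings, extensionPoints, loggerFactory)
        {
        }

        // AuthorizationLevel.Anonymous: the Functions host performs no key check on this route.
        // The three optional segments make this one function match the root and nested paths.
        [Function(nameof(MyCustomDfMonEndpoint))]
        public Task<HttpResponseData> ServeDfMonStatics(
            [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "/{p1?}/{p2?}/{p3?}")] HttpRequestData req,
            string p1,
            string p2,
            string p3
        )
        {
            return this.DfmServeStaticsFunction(req, p1, p2, p3);
        }
    }
}
```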

I am trying to set up authentication as explained in https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow for this specific endpoint. For some reasons, we can't set up a dedicated function app just for the durable functions monitor, and also in our main function app, we don't want to set up Easy Auth authentication.

What we are trying to achieve is to get an auth code and access token via an app registration and then authenticate this specific custom endpoint.

What I noticed is, when the statement `return this.DfmServeStaticsFunction(req, p1, p2, p3);` is executed, the HTTP-triggered function is called again. This results in the auth code being used again to get the token, and an exception is generated saying that the auth code has already been redeemed for the access token.

Is there any workaround to provide authentication just for this custom endpoint? Or any way to implement auth code flow for this endpoint in the function app?

Thanks

ParagKale-SSE avatar May 05 '25 17:05 ParagKale-SSE
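
The post above reports the function being invoked again and the same authorization code being sent for redemption a second time. The sketch below is an added example, not code from this thread or from DfMon: it redeems a code at most once and decides later requests from a session identifier. `AuthCodeGate`, `GateAction`, `GateResult` and the `redeemCode` delegate are hypothetical names, and the in-memory stores assume a single function instance.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

// Added illustration only; every type and member name here is hypothetical.
public enum GateAction { Serve, RedirectToAuthorize, RedirectWithSession, Reject }

public record GateResult(GateAction Action, string? SessionId = null);

public class AuthCodeGate
{
    // Session id -> expiry. In-memory, so valid for one instance only (assumption).
    private readonly ConcurrentDictionary<string, DateTimeOffset> _sessions = new();
    // Codes already handed to the token endpoint; a second sighting is refused.
    private readonly ConcurrentDictionary<string, bool> _seenCodes = new();
    // Caller-supplied: exchanges the code at the token endpoint and validates the token.
    private readonly Func<string, Task<bool>> _redeemCode;

    public AuthCodeGate(Func<string, Task<bool>> redeemCode) => _redeemCode = redeemCode;

    public async Task<GateResult> EvaluateAsync(
        string? sessionCookie, string? code, string? state, string? expectedState)
    {
        // 1. Follow-up requests are decided by the session, never by the code.
        if (sessionCookie != null && _sessions.TryGetValue(sessionCookie, out var expiry)
            && expiry > DateTimeOffset.UtcNow)
            return new GateResult(GateAction.Serve);

        // 2. No session and no code: send the browser to the authorize endpoint.
        if (string.IsNullOrEmpty(code))
            return new GateResult(GateAction.RedirectToAuthorize);

        // 3. The returned state must equal the value issued for this browser.
        if (state == null || expectedState == null || !CryptographicOperations.FixedTimeEquals(
                Encoding.UTF8.GetBytes(state), Encoding.UTF8.GetBytes(expectedState)))
            return new GateResult(GateAction.Reject);

        // 4. Each code goes to the token endpoint once; a repeat is rejected locally.
        if (!_seenCodes.TryAdd(code, true) || !await _redeemCode(code))
            return new GateResult(GateAction.Reject);

        // 5. Issue a random session id. The caller sets it as an HttpOnly, Secure cookie
        //    and redirects to the same path without the code and state parameters.
        var sessionId = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _sessions[sessionId] = DateTimeOffset.UtcNow.AddMinutes(30);
        return new GateResult(GateAction.RedirectWithSession, sessionId);
    }
}
```

On a function app that scales out, the session and seen-code stores would need to live in shared storage rather than process memory.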

@scale-tone - Any ideas on this issue?

ParagKale-SSE avatar May 05 '25 23:05 ParagKale-SSE

> @scale-tone - Any ideas on this issue?

The only authentication mechanisms supported by DfMon are:

  1. [Most recommended and easiest to use] Server-directed login flow, aka driven by Easy Auth. How to configure.
  2. [When not hosted on an Azure App Service or when avoiding Easy Auth] Client-directed login flow, aka using msal.js and (currently) implicit grant. How to configure.
  3. [When running as a VsCode ext or when running on a devbox] Custom nonce-based, including a special magic constant DFM_NONCE="i_sure_know_what_i_am_doing", which disables auth completely.

Any other auth mechanisms, including any combinations of the above with Function Keys and/or any customizations, are NOT supported by this codebase.

If you are trying to use one of the above supported auth mechanisms with DfMon and running into issues, then please provide full details of the issue and a precise list of the steps you are making.

The best place to report any other, DfMon-unrelated, concerns or suggestions is azure-functions-host repo.

scale-tone avatar May 06 '25 13:05 scale-tone

Hi @scale-tone

Is there an example of how to use the client-directed flow using msal.js? I am looking for how to integrate it with the existing injected mode deployment of the durable functions monitor that we have done in our environment.

Is it like we use the MSAL library to get the token and then attach the token in the headers to the API request for the durable functions monitor endpoint from our front-end code?

I understand we can use this library to authenticate the users, but I am trying to understand how to integrate it with the existing durable functions monitor.

ParagKale-SSE avatar May 12 '25 10:05 ParagKale-SSE