OpenID Connect with Okta and Azure Functions

Cloud Architect
4 min read · Apr 9, 2023

You can protect an Azure Function API with client credentials managed by Okta: the caller obtains an access token from an Okta authorization server using the OAuth 2.0 client credentials flow, and Azure validates that token before the request reaches your Function.

In a previous article I showed how to authenticate client credentials with additional code in an Azure Function. In this article we will use a configuration-based approach in the Azure Portal, with no changes required to the Azure Function at all.

Details of the Okta Client Credential Flow are here: Implement authorization by grant type | Okta Developer

Step 1: Okta Setup

Get an Okta Developer account. A 1-month trial also works, but the Developer account does not expire.

Step 2: Azure Setup

Set up an Azure Function with no authorization (anonymous execution) and check it runs in Postman (or similar). The Function's own authorization level stays anonymous throughout; authentication is added in front of it later through the Function App's Authentication settings:

Step 3: Set up your Okta App

In Okta, go to ‘Applications’ and click the ‘Create App integration’ button.

Then choose ‘OIDC - OpenID Connect’ as the sign-in method and ‘Web Application’ as the application type:

On the next screen, give your App a name, specify ‘Client Credentials’ as the grant type and tell it to ‘Skip group assignment for now’. Optionally you can also check ‘Allow wildcard * in sign-in URI redirect’ to help with troubleshooting in Postman or similar, although obviously not for Production use.

The App is now created. Take note of the Client ID and Client Secret shown on the following screen; both are needed when configuring Azure. Treat the secret as a credential: it goes into the Azure configuration only, never into the Function code or source control.

Step 4: Set up your Okta Authorization Server

Go to ‘Security’ and ‘API’. Click ‘Add Authorization Server’

Give the server a name and set the Audience to the same value as your Client ID from earlier. The Audience becomes the aud claim of the access tokens this server issues, and Azure will only accept tokens whose audience matches the Client ID you register with it:

Note the Metadata URI on the next screen (the .well-known/openid-configuration URL). Azure uses it to discover the issuer, the token endpoint and the signing keys used to validate tokens:

On the next screen, add a scope:

Give it a name and set it as the default scope, so it is granted when a token request does not name a scope explicitly:

Add a new Policy under the Authorization Server:

Under the new Policy, add a new rule:

Define the rule so that it permits the Client Credentials grant type for the App created above, as per the screenshot below:

Step 5: Configure Azure Function App

Go to the Azure Functions App and click on ‘Authentication’ and then ‘Add identity provider’:

Select ‘OpenID Connect’ and ‘Next’:

Define your identity provider with the Okta values: the Metadata URI of the Authorization Server, and the Client ID and Client Secret of the App. The ‘scopes’ field can be left empty. Then click ‘Add’:

The Okta Authentication is now Configured:

Step 6: Test it out

Try to run Postman again. It should now fail, because App Service rejects the unauthenticated request before it reaches the Function. For an API, set ‘Unauthenticated requests’ in the Authentication settings to ‘HTTP 401 Unauthorized’ rather than a redirect to the sign-in page, so that callers without a token get a clean 401:

Add OAuth 2.0 to the Authorization tab and configure a Client Credentials token as below, using the Client ID, Client Secret and scope from Okta. Get the ‘Access Token URL’ (the token_endpoint) from the .well-known metadata URI, such as ‘https://dev-123.okta.com/oauth2/aus91odm0c1Z5AM6O5d7/v1/token’:

Click ‘Get Access Token’ and in the following popup click ‘Use Token’:

Send the request again, and it should succeed. Postman now sends the access token as a Bearer token in the Authorization header, App Service validates it against the Okta metadata, and the Function code itself is unchanged:
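The following is an added example, not code from the original article, showing what Postman does in the test step and what the Azure configuration checks: the client credentials token request to Okta, and the issuer, audience and expiry checks that tie the Authorization Server's Audience to the Client ID registered in Azure. The issuer, client ID, secret and scope values are hypothetical placeholders, and the sample token is constructed locally and unsigned; a real Okta access token is RS256-signed and Azure verifies the signature with the keys from the metadata URI, which this offline example does not do.

```python
"""Client credentials token request and access-token claim checks.
Added example; values below are hypothetical placeholders."""
import base64
import json
import time
from urllib.parse import urlencode

# Assumed values: substitute your own Okta authorization server and App.
OKTA_ISSUER = "https://dev-123.okta.com/oauth2/aus91odm0c1Z5AM6O5d7"
CLIENT_ID = "0oa1exampleclientid"        # hypothetical Okta App client ID
CLIENT_SECRET = "example-client-secret"  # hypothetical; keep real ones out of code
SCOPE = "functions.invoke"               # hypothetical default scope


def build_token_request(issuer=OKTA_ISSUER, client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET, scope=SCOPE):
    """Return (url, headers, body) for the client credentials grant.

    This is what Postman's 'Get Access Token' sends: a form-encoded POST to the
    authorization server's /v1/token endpoint, with the client ID and secret
    passed as HTTP Basic credentials (Okta's client_secret_basic method).
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return f"{issuer}/v1/token", headers, body


def _b64url_decode(segment):
    """Base64url-decode a JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token):
    """Return the JWT payload as a dict. No signature verification here."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_access_token(token, expected_issuer=OKTA_ISSUER,
                       expected_audience=CLIENT_ID, now=None):
    """Claim checks of the kind App Service applies after verifying the
    signature: the token must come from the configured issuer, be addressed to
    the configured client ID (the Audience set on the Okta authorization
    server) and not be expired. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    try:
        claims = decode_claims(token)
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return False, "malformed token"
    if claims.get("iss") != expected_issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def make_sample_token(claims):
    """Build an UNSIGNED JWT-shaped string for offline demonstration only.
    It has an empty signature segment and would fail a real signature check."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def bearer_headers(token):
    """Header Postman adds to the Function call after 'Use Token'."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    url, headers, body = build_token_request()
    print("POST", url, body)
    exp = int(time.time()) + 3600
    good = make_sample_token({"iss": OKTA_ISSUER, "aud": CLIENT_ID,
                              "scp": [SCOPE], "exp": exp})
    wrong_aud = make_sample_token({"iss": OKTA_ISSUER, "aud": "another-api",
                                   "scp": [SCOPE], "exp": exp})
    print(check_access_token(good))       # (True, 'ok')
    print(check_access_token(wrong_aud))  # (False, 'audience mismatch')
```

The audience mismatch case is the one to watch when reusing an Okta authorization server for several APIs: a token minted for a different Audience is rejected by Azure even though it is validly signed by the same Okta server, which is why the Audience and the registered Client ID must agree.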
