Bypassing Easy Auth for a Specific v4 Azure Function Endpoint in Node.js 22

ShawnPOWER 0

To recreate my exact issue, create 2 new HTTP triggered function endpoints for a node.js 22 Azure Function v4 (latest version). Nothing fancy in the code, you can use the boiler plate code. One is public and the other is private (name them as such). Publish those to a web app (on Azure App Service) since we want to use Easy Auth. You need to have the Authentication tab (this is Easy Auth) of the web app configured with at least one identity provider and make sure it requires authentication. The web app should have an environment variable called WEBSITE_WARMUP_PATH set to a value of /api/public,/api/public/,/api/public*,/api/public/* (in my testing it seems the *'s don't act as wildcards like you think they might). Now test by hitting these new function endpoints in the browser. The private endpoint should give you a 401 as expected. The public endpoint should give you a normal response which is great.

Now add something like this to the public function route: 'public/{*id}'. Route can of course can change the name of the function in the URL but notice we didn't do that here since we called it public. I also made id optional (that's the * next to id). Deploy that code and test again in your browser, all is good like it was before except when you do .../api/public/1 you get a 401 unauthorized response. Interestingly you can get a good response by going to ../api/public/* so the environment variable is very specific it seems. However, that is not my desired result.

What is the proper way to format my environment variable to allow this route option code to function properly?

I could create another Azure Function and not use Easy Auth on my public function but that makes it more code for me and more things to manage which is unfortunate. Or is there a better more effective way I am missing?

1 answer

Khadeer Ali 1,790 Reputation points Microsoft Vendor

2024-12-26T22:00:50.51+00:00

@ShawnPOWER ,

Welcome to the Microsoft Q&A Platform!

Thank you for reaching out about Bypassing Easy Auth for a Specific v4 Azure Function Endpoint.

We can consider setting the authLevel for this specific function to anonymous. This configuration is designed to bypass Easy Auth for that endpoint, allowing unauthenticated access as intended.

Could you give this a try and see if it resolves the issue? While this approach aligns with Azure Function configurations, there might still be edge cases depending on your setup. If it doesn’t work as expected, I’d be happy to explore other options with you.
If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Please sign in to rate this answer.
ShawnPOWER 0 Reputation points

2024-12-27T16:20:32.7733333+00:00

Hi @Khadeer Ali :

I appreciate your response. I failed to mention that the public function is currently set to authLevel: 'anonymous'. Easy Auth is set to always require authentication as I mentioned. My get request to the public function never actually makes it to the function itself I presume because Easy Auth is responding first with a 401 prior to the function actually running.

Khadeer Ali 1,790 Reputation points Microsoft Vendor

2024-12-27T17:51:50.96+00:00

Thank you for clarifying the details—this helps narrow down the issue. I understand how frustrating it can be when a solution doesn’t work as expected, and I genuinely appreciate your patience.
If modifying the WEBSITE_WARMUP_PATH doesn't solve the issue, you can take control of authorization within your function code.

Disable Easy Auth (built-in authentication) for your function app.

Implement your own custom authorization logic within the function code. This allows you to define which routes require authentication and handle access control checks.

Benefits: This approach offers greater control over authentication but requires additional development effort.

ShawnPOWER 0 Reputation points

2024-12-27T17:59:11.81+00:00

Hi @Khadeer Ali :

I appreciate the provided workaround, I had thought about that as well. However, I would prefer to leave Easy Auth in place to lessen the amount of development work needed to authenticate requests to my functions.

Khadeer Ali 1,790 Reputation points Microsoft Vendor

2025-01-07T10:21:14.52+00:00

@ShawnPOWER ,

Thank you for your patience!

After consulting with the internal Easy Auth team, I confirmed that, based on the documentation, it is possible to exclude specific paths from authentication by using the excludedPaths setting in the configuration file. You can refer to the example in the documentation for guidance:

For more details, you can review the Microsoft documentation on Easy Auth configuration.

Let me know if you’d like further assistance!

ShawnPOWER 0 Reputation points

2025-01-07T17:47:26.2933333+00:00

Hi @Khadeer Ali :

I appreciate you continuing to assist on this issue.

I didn't attempt the config file approach yet from the link you provided but I did attempt updating the "excludedPaths" using https://resources.azure.com/. However, I ran into an issue where my changes are not saved.

The process I am going through to re-create the issue saving is below. Is it possible to do it this way without the configuration file approach in the link you provided?

Locate the URI in https://resources.azure.com/ which for me is https://management.azure.com/subscriptions/<removed>/resourceGroups/<removed>/providers/Microsoft.Web/sites/<removed>/config/authsettingsV2/list?api-version=2020-12-01 and then click edit (make sure you are in read/write mode up top and signed in).

#2. What is see before I make any changes is below: "globalValidation": { "requireAuthentication": true, "unauthenticatedClientAction": "Return401", "id": "(String)", "name": "(String)", "kind": "(String)", "type": "(String)", "properties": { "requireAuthentication": "(Boolean)", "unauthenticatedClientAction": "(String)", "redirectToProvider": "(String)", "excludedPaths": [ {} ] } },

#3. What I see before I hit PUT to save the changes: "globalValidation": { "requireAuthentication": true, "unauthenticatedClientAction": "Return401", "id": "(String)", "name": "(String)", "kind": "(String)", "type": "(String)", "properties": { "requireAuthentication": "(Boolean)", "unauthenticatedClientAction": "(String)", "redirectToProvider": "(String)", "excludedPaths": [ "/api/public", "/api/public/", "/api/public*", "/api/public/*" ] } },

#4. What I see after hitting PUT (my changes didn't get saved, even though there was no error message or issue I could see): "globalValidation": { "requireAuthentication": true, "unauthenticatedClientAction": "Return401", "id": "(String)", "name": "(String)", "kind": "(String)", "type": "(String)", "properties": { "requireAuthentication": "(Boolean)", "unauthenticatedClientAction": "(String)", "redirectToProvider": "(String)", "excludedPaths": [ {} ] } },

Khadeer Ali 1,790 Reputation points Microsoft Vendor

2025-01-13T11:13:45.1433333+00:00

Thank you for detailing the steps you followed; it’s really helpful to understand the issue.

From what you’ve described, it seems the changes to excludedPaths are not being saved after the PUT request.

There is a possibility to update these changes using Azure CLI or PowerShell if Azure Resource Explorer does not work as expected.

I’m also verifying this on my end using the configuration file-based approach to ensure everything works as intended.

ShawnPOWER 0 Reputation points

2025-01-13T19:29:42.65+00:00

Hi @Khadeer Ali :

Welcome and thank you for your assistance on this issue. Correct, they are not saved. I appreciate you verifying things on your end.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Bypassing Easy Auth for a Specific v4 Azure Function Endpoint in Node.js 22

1 answer

Your answer