Using Function Keys to secure UrlList

[sk-bln]

I want to secure the functions, especially UrlList with Function Keys.
Does anybody have sample code on how to do this (including in the front end TinyBlazorAdmin)?

[FBoucher]

Now that the functions are unified, we definitely need something.
It should be too hard to add by default in the code.

[WhiteTomX]

I thought about using function keys as well. I went to use the built in authentication of the static web app. I built it quick and dirty by implementing a Utility function decoding the header x-ms-client-principal and checking if it contains the role admin. As far as I know, this header is overridden by the AuthN middle ware. I couldn't just send a copied header at least.
The problem is, that you are basically stuck to use TinyBlazorAdmin or StorageExporer, as using it without it is probably quite cumbersome. Anyway I wanted to link my implementation.

[FBoucher]

Thank you @WhiteTomX I'll have a look.

[ahelland]

Apart from the "lock-in" angle to SWA I think your approach makes sense @WhiteTomX so I had a crack at implementing this in my own deployment. For reasons unknown to me there's just no way I'm able to get the x-ms-client-principal to be a part of the request sent to the backend though. (I know the docs says it should be there, but it's not.)

However, instead I have a header called x-ms-auth-token which has the Base64-encoded claims-principal as a claim in a JWT. Initially I thought this would be even better since it should allow for actual token validation. This proves to be trickier as the JWT says it is issued by the SWA and I'm not able to find the keys for verifying the signature. (I tried the regular AAD JWKS endpoints.)

But building on your code and adding a few lines extra one can stil check the roles:
`else if (request.Headers.TryGetValues("x-ms-auth-token", out var headerAuth))
{
var jwt = request.Headers.GetValues("x-ms-auth-token");

JwtSecurityToken token = new();
JwtSecurityTokenHandler handler = new();
token = handler.ReadJwtToken(jwt.First().Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries)[1]);

var claims = token.Payload;
string prn = string.Empty;

foreach (var c in claims)
{                    
    if(c.Key == "prn")
    {
        prn = c.Value.ToString();                        
    }
}

var decoded = Convert.FromBase64String(prn);
var json = Encoding.UTF8.GetString(decoded);
principal = JsonSerializer.Deserialize<ClientPrincipal>(json, new JsonSerializerOptions { PropertyNameCaseInsensitive = true });                
return principal.UserRoles.Any(role => role.Equals("admin"));

}`

I'm guessing it would be fairly easy to build out config options that would handle different mechanisms. (If you don't want to use a SWA you can use "proper" AAD JWTs.) But I left that as an exercise for another time :)