API Authorization for HTTP triggered Azure Functions with OIDC and OAuth 2.0
(Source code updated Feb. 16, 2022, to .NET 6 and Azure Functions v4) I implemented a sample serverless API as an HTTP triggered Azure Function that is protected to ensure that only authorized apps can access that API. The sample Azure Function works when used with an authorization server that supports OpenID Connect (OIDC) and OAuth 2.0 protocols. Service providers that support compatible authorization servers include Auth0 , okta and many others. The complete sample code is in GitHub here . What follows is my high-level description of the concepts and API-side implementation of the mechanisms used to protect an API implemented as an HTTP triggered Azure Function using the OAuth 2.0 Client Credentials Flow. Here’s the breakdown of what follows: What’s in the sample code. Some context, a high-level description of the OIDC and OAuth 2.0 flows used. How to make a call to a protected API. How the code that protects the API is called within an HTTP triggered Azure Function. Th