Testing your secured Azure Function with Postman

-

In my previous blogpost I described how to secure your Azure Function using EasyAuth. In this blogpost I will describe how you can test your secured Azure Function using Postman.

If you didn’t read the previous blog post, you can find it here.

At the end of this blog post, you will find a link to download the Postman collection with the different request.

Update your Application Registration in Azure Active Directory

To be able to test the authentication, you need to add http://localhost:4200 to the redirect urls of the application registation in Azure Active Directory. You could use the built-in OAuth-flow of Postman (see links in the end of this blog for more details) to get a token, but we had some bad experience with the audience-id received in the jwt-token. So we will mimic the OAuth authorization-code flow as used by the Authentication libraries and as described here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code.

Retrieve Authentication Code

The first step you need to make is retrieve the Authentication Code. This can be done by constructing the login-URL based on the following template:

 https://login.microsoftonline.com/<TenantId>/oauth2/authorize?client_id=<ClientId>&response_type=code&response_mode=query&prompt=admin_consent&resource_id=<ClientId>&redirect_uri=http://localhost:4200.

The variables TenantId and ClientId should sound familiar by now. Copy the URL to your browser and execute the request. You will be prompted to login, after logging in, the consent screen is shown. Click ‘Accept’ and you will be redirected to localhost:4200. No problem if there is nothing running. You need the code from the URL to be able to continue.

Using the authentication token to get a bearer token

This step will be done in Postman. Use the authentication code just received and make the following request.

After pressing ‘Send’, you will get the token details as response. Validate the ‘scope’ you received in the response. It should be the same as the scope created earlier in Azure AD. If it looks like “profile openid email 00000003-0000-0000-c000-000000000000/User.Read”, you probably forgot to register or pass the scope. Grab the access_token and use it as Bearer token for your request to your Azure Function.

Useful links

Learn from our experts:
-

Training: Azure Application Insights

With applications increasingly running in the Cloud, the way we monitor and maintain them is changing. Where we used to log in to a VM to gain access to all logging and tooling services of our monolith, the information is...