diff --git a/ChangeLog.md b/ChangeLog.md index a69cff9..dfc3db3 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -81,4 +81,6 @@ The package for Azure Functions V3+ In-Proc mode is now called `DarkLoop.Azure.F - #### Remove Functions bult-in JwtBearer configuration by default Azure Functions recently [added configuration](https://github.com/Azure/azure-functions-host/pull/9678) for issuer and audience validation for the default authentication flows, not the one supported by this package through `FunctionAuthorizeAttribute`, which interferes with token validation when using our own Bearer scheme token configuration. - In prior versions, this package has functionality to clear Functions built-in configuration, but it was not enabled by default when using `AddJwtBearer(Action configure, bool removeBuiltInConfig = false)`. Since the use of this package is commonly used for custom JWT token, the default value of `removeBuiltInConfig` is now `true`. \ No newline at end of file + In prior versions, this package has functionality to clear Functions built-in configuration, but it was not enabled by default when using `AddJwtBearer(Action configure, bool removeBuiltInConfig = false)`. Since the use of this package is commonly used for custom JWT token, the default value of `removeBuiltInConfig` is now `true`. + > This functionality is now deprecated and no longer supported starting in version 4.1.0. It will be removed in future versions. + > Bearer scheme is now used by the Functions runtime and another one should be used for your functions. \ No newline at end of file diff --git a/README.md b/README.md index 07f706e..ba4bd49 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,14 @@ Extension bringing AuthorizeAttribute Behavior to Azure Functions In-Proc and Is It hooks into .NET Core dependency injection container to enable authentication and authorization in the same way ASP.NET Core does. +> **Breaking for current package consumers**
+> Starting with version 4.1.0, due to security changes made on the Functions runtime, the Bearer scheme is no longer supported for your app functions.
+> Use `AddJwtFunctionsBearer(Action)` instead of `AddJwtBearer(Action)` when setting up authentication. +Using `AddJwtBearer` will generate a compilation error when used against `FunctionsAuthenticationBuilder`. +We are introducing `JwtFunctionsBearerDefaults` to refer to the suggested new custom scheme name.
+No changes should be required if already using a custom scheme name.
+> Refer to respective README documentation for isolated and in-process for more information. + ## Getting Started - [Azure Functions V3+ In-Proc mode](./src/in-proc/README.md) - [Azure Functions V4 Isolated mode with ASPNET Core integration](./src/isolated/README.md) diff --git a/src/in-proc/README.md b/src/in-proc/README.md index 9e7b852..45ee525 100644 --- a/src/in-proc/README.md +++ b/src/in-proc/README.md @@ -3,6 +3,13 @@ Bringing AuthorizeAttribute Behavior to Azure Functions v3 and v4 (In-Process) It hooks into .NET Core dependency injection container to enable authentication and authorization in the same way ASP.NET Core does. +> **Breaking for current package consumers**
+> Starting with version 4.1.0, due to security changes made on the Functions runtime, the Bearer scheme is no longer supported for your app functions.
+> Use `AddJwtFunctionsBearer(Action)` instead of `AddJwtBearer(Action)` when setting up authentication. +Using `AddJwtBearer` will generate a compilation error when used against `FunctionsAuthenticationBuilder`. +We are introducing `JwtFunctionsBearerDefaults` to refer to the suggested new custom scheme name.
+No changes should be required if already using a custom scheme name. + ## Using the package ### Installing the package `dotnet add package DarkLoop.Azure.Functions.Authorize` @@ -31,7 +38,8 @@ namespace MyFunctionAppNamespace options.ClientId = ""; // ... more options here }) - // This is important as Bearer scheme is used by the platform + // This is important as Bearer scheme is used by the runtime + // and no longer supported by this framework. .AddJwtFunctionsBearer(options => { options.Audience = ""; diff --git a/src/isolated/README.md b/src/isolated/README.md index dd2c018..3af9f89 100644 --- a/src/isolated/README.md +++ b/src/isolated/README.md @@ -3,6 +3,13 @@ Bringing AuthorizeAttribute Behavior to Azure Functions v4 in Isolated mode. It hooks into .NET Core dependency injection container to enable authentication and authorization in the same way ASP.NET Core does. +> **Breaking for current package consumers**
+> Starting with version 4.1.0, due to security changes made on the Functions runtime, the Bearer scheme is no longer supported for your app functions.
+> Use `AddJwtFunctionsBearer(Action)` instead of `AddJwtBearer(Action)` when setting up authentication. +Using `AddJwtBearer` will generate a compilation error when used against `FunctionsAuthenticationBuilder`. +We are introducing `JwtFunctionsBearerDefaults` to refer to the suggested new custom scheme name.
+No changes should be required if already using a custom scheme name. + ## Using the package ### Installing the package `dotnet add package DarkLoop.Azure.Functions.Authorization.Isolated` @@ -28,7 +35,8 @@ var host = new HostBuilder() { services .AddFunctionsAuthentication(JwtBearerDefaults.AuthenticationScheme) - // This is important as Bearer scheme is used by the platform + // This is important as Bearer scheme is used by the runtime + // and no longer supported by this framework. .AddJwtFunctionsBearer(options => { options.Authority = "https://login.microsoftonline.com/your-tenant-id";
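Review bot: In the ChangeLog.md hunk, the added deprecation note opens with "This functionality" directly after a paragraph that announces `removeBuiltInConfig` now defaults to `true`, so it is unclear whether the deprecated item is the `removeBuiltInConfig` parameter, the `AddJwtBearer` overload, or use of the Bearer scheme as a whole. Name the deprecated member explicitly and point to `AddJwtFunctionsBearer` as the replacement, since "another one should be used" gives the reader no scheme to move to. The file also still ends without a trailing newline, and the heading in the surrounding context reads "bult-in".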
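Review bot: In the breaking-change notice added to README.md (and repeated in src/in-proc/README.md and src/isolated/README.md), the lines starting "Using `AddJwtBearer` will generate a compilation error", "We are introducing `JwtFunctionsBearerDefaults`" and "No changes should be required" have no `>` prefix, so they stay inside the blockquote only through lazy continuation and will drop out of it if a blank line is ever inserted. Prefix every line of the notice with `>`. Since the same block is pasted into three files, consider keeping the full text in the root README and linking to it from the other two so the wording cannot drift between them.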
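Review bot: In the src/in-proc/README.md sample hunk, the reworded comment above `.AddJwtFunctionsBearer(options =>` still begins "This is important" without saying what "this" is, and it now states that Bearer is "no longer supported by this framework" without telling the reader what to do. State the action directly, for example that `AddJwtFunctionsBearer` must be used in place of `AddJwtBearer` because the runtime reserves the Bearer scheme.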
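Review bot: In the src/isolated/README.md sample hunk, the unchanged context line `.AddFunctionsAuthentication(JwtBearerDefaults.AuthenticationScheme)` still sets the default scheme to Bearer, immediately above the new comment saying Bearer is used by the runtime and no longer supported by this framework. A reader copying the sample ends up with a default scheme that the notice at the top of the same file says not to use. Change the argument to the scheme name exposed by `JwtFunctionsBearerDefaults`, which this same patch introduces for that purpose, so the sample and the notice agree.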