4 changes: 3 additions & 1 deletion ChangeLog.md
Expand Up @@ -81,4 +81,6 @@ The package for Azure Functions V3+ In-Proc mode is now called `DarkLoop.Azure.F

- #### Remove Functions bult-in JwtBearer configuration by default
Azure Functions recently [added configuration](https://github.com/Azure/azure-functions-host/pull/9678) for issuer and audience validation for the default authentication flows, not the one supported by this package through `FunctionAuthorizeAttribute`, which interferes with token validation when using our own Bearer scheme token configuration.
In prior versions, this package has functionality to clear Functions built-in configuration, but it was not enabled by default when using `AddJwtBearer(Action<JwtBearerOptions> configure, bool removeBuiltInConfig = false)`. Since the use of this package is commonly used for custom JWT token, the default value of `removeBuiltInConfig` is now `true`.
In prior versions, this package has functionality to clear Functions built-in configuration, but it was not enabled by default when using `AddJwtBearer(Action<JwtBearerOptions> configure, bool removeBuiltInConfig = false)`. Since the use of this package is commonly used for custom JWT token, the default value of `removeBuiltInConfig` is now `true`.
> This functionality is now deprecated and no longer supported starting in version 4.1.0. It will be removed in future versions.
> Bearer scheme is now used by the Functions runtime and another one should be used for your functions.
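Review bot: "This functionality" in the first added quote line is ambiguous, and it directly follows a paragraph announcing that the default of `removeBuiltInConfig` is now `true`, so the entry reads as setting a default and deprecating it in the same place. Name what is deprecated and name the replacement: the second quote line only says "another one should be used", while the README changes in this PR name `AddJwtFunctionsBearer` and `JwtFunctionsBearerDefaults`. A separate 4.1.0 entry would also be easier to find than a quote appended to the older one.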
8 changes: 8 additions & 0 deletions README.md
Expand Up @@ -3,6 +3,14 @@ Extension bringing AuthorizeAttribute Behavior to Azure Functions In-Proc and Is

It hooks into .NET Core dependency injection container to enable authentication and authorization in the same way ASP.NET Core does.

> **Breaking for current package consumers** <br/>
> Starting with version 4.1.0, due to security changes made on the Functions runtime, the Bearer scheme is no longer supported for your app functions.<br/>
> Use `AddJwtFunctionsBearer(Action<JwtBearerOptions>)` instead of `AddJwtBearer(Action<JwtBearerOptions>)` when setting up authentication.
Using `AddJwtBearer` will generate a compilation error when used against `FunctionsAuthenticationBuilder`.
We are introducing `JwtFunctionsBearerDefaults` to refer to the suggested new custom scheme name.<br/>
No changes should be required if already using a custom scheme name.<br/>
> Refer to respective README documentation for isolated and in-process for more information.

## Getting Started
- [Azure Functions V3+ In-Proc mode](./src/in-proc/README.md)
- [Azure Functions V4 Isolated mode with ASPNET Core integration](./src/isolated/README.md)
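Review bot: the notice attributes the break to "security changes made on the Functions runtime" without a reference, and its last line points to the "respective README documentation" without links. ChangeLog.md already links a host change (https://github.com/Azure/azure-functions-host/pull/9678); if that is the change meant, link it here, and link the in-proc and isolated READMEs the way the Getting Started list just below does, so a consumer can check what changed before migrating.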
10 changes: 9 additions & 1 deletion src/in-proc/README.md
Expand Up @@ -3,6 +3,13 @@ Bringing AuthorizeAttribute Behavior to Azure Functions v3 and v4 (In-Process)

It hooks into .NET Core dependency injection container to enable authentication and authorization in the same way ASP.NET Core does.

> **Breaking for current package consumers** <br/>
> Starting with version 4.1.0, due to security changes made on the Functions runtime, the Bearer scheme is no longer supported for your app functions.<br/>
> Use `AddJwtFunctionsBearer(Action<JwtBearerOptions>)` instead of `AddJwtBearer(Action<JwtBearerOptions>)` when setting up authentication.
Using `AddJwtBearer` will generate a compilation error when used against `FunctionsAuthenticationBuilder`.
We are introducing `JwtFunctionsBearerDefaults` to refer to the suggested new custom scheme name.<br/>
No changes should be required if already using a custom scheme name.

## Using the package
### Installing the package
`dotnet add package DarkLoop.Azure.Functions.Authorize`
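Review bot: in the added notice, the three lines starting at "Using `AddJwtBearer` will generate a compilation error" drop the `>` prefix, so they stay inside the quote only through Markdown lazy continuation, and the line before them has no `<br/>` unlike its neighbours. Prefix every line with `>` and make the line breaks consistent so the notice renders the same in every viewer. The same block is pasted into three READMEs in this PR; keeping the full text in one and linking to it from the others would avoid drift.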
Expand Down Expand Up @@ -31,7 +38,8 @@ namespace MyFunctionAppNamespace
options.ClientId = "<my-client-id>";
// ... more options here
})
// This is important as Bearer scheme is used by the platform
// This is important as Bearer scheme is used by the runtime
// and no longer supported by this framework.
.AddJwtFunctionsBearer(options =>
{
options.Audience = "<my-audience>";
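Review bot: the reworded comment above `.AddJwtFunctionsBearer(options =>` still opens with "This is important" without saying what "this" is. State the instruction directly, for example that `AddJwtFunctionsBearer` must be used here instead of `AddJwtBearer` because the Bearer scheme is used by the Functions runtime. "No longer supported by this framework" should read "this package" to match the wording of the notice and the changelog.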
10 changes: 9 additions & 1 deletion src/isolated/README.md
Expand Up @@ -3,6 +3,13 @@ Bringing AuthorizeAttribute Behavior to Azure Functions v4 in Isolated mode.

It hooks into .NET Core dependency injection container to enable authentication and authorization in the same way ASP.NET Core does.

> **Breaking for current package consumers** <br/>
> Starting with version 4.1.0, due to security changes made on the Functions runtime, the Bearer scheme is no longer supported for your app functions.<br/>
> Use `AddJwtFunctionsBearer(Action<JwtBearerOptions>)` instead of `AddJwtBearer(Action<JwtBearerOptions>)` when setting up authentication.
Using `AddJwtBearer` will generate a compilation error when used against `FunctionsAuthenticationBuilder`.
We are introducing `JwtFunctionsBearerDefaults` to refer to the suggested new custom scheme name.<br/>
No changes should be required if already using a custom scheme name.

## Using the package
### Installing the package
`dotnet add package DarkLoop.Azure.Functions.Authorization.Isolated`
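Review bot: "Using `AddJwtBearer` will generate a compilation error" in the added notice gives the consumer nothing to search for when the build breaks. Quote the diagnostic text they will see and say that the error is intentional and the fix is the rename to `AddJwtFunctionsBearer`, so it is not mistaken for a broken package reference.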
Expand All @@ -28,7 +35,8 @@ var host = new HostBuilder()
{
services
.AddFunctionsAuthentication(JwtBearerDefaults.AuthenticationScheme)
// This is important as Bearer scheme is used by the platform
// This is important as Bearer scheme is used by the runtime
// and no longer supported by this framework.
.AddJwtFunctionsBearer(options =>
{
options.Authority = "https://login.microsoftonline.com/your-tenant-id";
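Review bot: the unchanged context line `.AddFunctionsAuthentication(JwtBearerDefaults.AuthenticationScheme)` still makes "Bearer" the default scheme, directly above a comment that now says Bearer is used by the runtime and no longer supported. Switch the sample's default scheme to the name exposed through `JwtFunctionsBearerDefaults`, or explain why the default stays Bearer; as written the sample contradicts the notice added at the top of this file. The comment's "This is important" also needs an explicit subject.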