remove scope attribute from the templates for azure function (#1030)

AzureAD · Feb 27, 2021 · 0bae831 · 0bae831
1 parent fd1cffe
commit 0bae831
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/ProjectTemplates/templates/Functions-CSharp/SampleFunc.cs b/ProjectTemplates/templates/Functions-CSharp/SampleFunc.cs
@@ -20,6 +20,10 @@ namespace Company.FunctionApp1
     public class SampleFunc
     {
         private readonly ILogger<SampleFunc> _logger;
+#if (!NoAuth)
+        // The web API will only accept tokens 1) for users, and 2) having the "api-scope" scope for this API	
+        static readonly string[] scopeRequiredByApi = new string[] { "access_as_user" };
+#endif
 #if (GenerateApi)
         private readonly IDownstreamWebApi _downstreamWebApi;
 
@@ -31,7 +35,6 @@ public SampleFunc(ILogger<SampleFunc> logger,
         }
 
         [FunctionName("SampleFunc")]
-        [RequiredScope("access_as_user")] // The Azure Function will only accept tokens 1) for users, and 2) having the "access_as_user" scope for this API
         public async Task<IActionResult> Run(
             [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req)
         {
@@ -41,6 +44,8 @@ public async Task<IActionResult> Run(
                 await req.HttpContext.AuthenticateAzureFunctionAsync();
             if (!authenticationStatus) return authenticationResponse;
 
+            req.HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
+
             using var response = await _downstreamWebApi.CallWebApiForUserAsync("DownstreamApi").ConfigureAwait(false);
 
             if (response.StatusCode == System.Net.HttpStatusCode.OK)
@@ -74,7 +79,6 @@ public SampleFunc(ILogger<SampleFunc> logger,
         }
 
         [FunctionName("SampleFunc")]
-        [RequiredScope("access_as_user")] // The Azure Function will only accept tokens 1) for users, and 2) having the "access_as_user" scope for this API
         public async Task<IActionResult> Run(
             [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req)
         {
@@ -84,6 +88,8 @@ public async Task<IActionResult> Run(
                 await req.HttpContext.AuthenticateAzureFunctionAsync();
             if (!authenticationStatus) return authenticationResponse;
 
+            req.HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
+
             var user = await _graphServiceClient.Me.Request().GetAsync();
 
             string responseMessage = string.IsNullOrEmpty(user.DisplayName)
@@ -100,7 +106,6 @@ public SampleFunc(ILogger<SampleFunc> logger)
         }
 
         [FunctionName("SampleFunc")]
-        [RequiredScope("access_as_user")] // The Azure Function will only accept tokens 1) for users, and 2) having the "access_as_user" scope for this API
         public async Task<IActionResult> Run(
             [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req)
         {
@@ -110,6 +115,8 @@ public async Task<IActionResult> Run(
                 await req.HttpContext.AuthenticateAzureFunctionAsync();
             if (!authenticationStatus) return authenticationResponse;
 
+            req.HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
+
             string name = req.HttpContext.User.Identity.IsAuthenticated ? req.HttpContext.User.GetDisplayName() : null;
 
             string responseMessage = string.IsNullOrEmpty(name)