Azure Functions
An Azure service that provides an event-driven serverless compute platform.
5,745 questions
passing authentication token from 1 HTTP triggered function to another
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 30%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPK%3C/text%3E%3C/svg%3E)
Parag Kale
20
Reputation points
Hi
I am using durable functions monitor in injected mode and not using the inbuilt authentication provided in function app. Rather I am generating auth code and auth token using Microsoft identity platform auth code flow.
I have below function that when accessed presents the sign in screen
[Function("Function1")]
public HttpResponseData Run([HttpTrigger(AuthorizationLevel.Anonymous, "get", "post")] HttpRequestData req)
{
string tenant = "tenantId"; // or use your tenant ID
string clientId = "clientId";
// Ensure this redirect URI matches what is in your app registration
string redirectUri = "http://localhost:7267/api/Function2";
// Define the scopes you need (openid, profile, offline_access, etc.)
string scope = "openid profile email";
string authUrl = $"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize" +
$"?client_id={clientId}" +
$"&response_type=code" +
$"&redirect_uri={WebUtility.UrlEncode(redirectUri)}" +
$"&response_mode=query" +
$"&scope={WebUtility.UrlEncode(scope)}" +
$"&state=12345&prompt=login"; // ideally, generate a dynamic state value
var response = req.CreateResponse(HttpStatusCode.Redirect);
response.Headers.Add("Location", authUrl);
return response;
}
This redirects me to Function2 where I get the auth token as below
[Function("Function2")]
public HttpResponseData Run([HttpTrigger(AuthorizationLevel.Anonymous, "get", "post")] HttpRequestData req)
{
string code = req.Query["code"]!;
string tenant = "tenantId"; // or your tenant-specific ID
string clientId = "clientId";
string clientSecret = "secret";
string redirectUri = "http://localhost:7267/api/Function2";
// Build the MSAL confidential client application
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(clientId)
.WithClientSecret(clientSecret)
.WithRedirectUri(redirectUri)
.WithAuthority($"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token")
.Build();
AuthenticationResult result = app.AcquireTokenByAuthorizationCode(
new string[] { "openid", "profile", "email" }, code)
.ExecuteAsync().Result;
if (result.AccessToken != null)
{
var response = req.CreateResponse(HttpStatusCode.Redirect);
response.Headers.Add("Location", "http://localhost:7267/api/DFM");
response.Headers.Add("Authorization", result.AccessToken);
return response;
}
else
{
return req.CreateResponse(HttpStatusCode.BadRequest);
}
}
The endpoint http://localhost:7267/api/DFM is my custom endpoint for the durable function monitor in injected mode
[Function(nameof(MyCustomDfMonEndpoint))]
public Task<HttpResponseData> ServeDfMonStatics(
[HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = Globals.DfMonRoutePrefix + "/{p1?}/{p2?}/{p3?}")] HttpRequestData req,
string p1,
string p2,
string p3
)
{
if (!req.Headers.TryGetValues("Authorization", out var authHeaders))
{
var unauthorizedResponse = req.CreateResponse(HttpStatusCode.Unauthorized);
unauthorizedResponse.WriteStringAsync("Missing Authorization header.");
return Task.FromResult(unauthorizedResponse);
}
return this.DfmServeStaticsFunction(req, p1, p2, p3);
}
Currently what I am seeing is the endpoint for DFM doesn't get the token in headers passed from Function2 using response.Headers.Add("Authorization", result.AccessToken);
What I am looking for is getting the token in the headers when it is redirected from Function2 and maintaining that token when the links on the durable function monitor are hit. so that the below check always prevents unauthorized access
if (!req.Headers.TryGetValues("Authorization", out var authHeaders))
{
var unauthorizedResponse = req.CreateResponse(HttpStatusCode.Unauthorized);
unauthorizedResponse.WriteStringAsync("Missing Authorization header.");
return Task.FromResult(unauthorizedResponse);
}
Azure Functions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 40%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKA%3C/text%3E%3C/svg%3E)
Khadeer Ali 5,055 Reputation points Microsoft External Staff Moderator2025-05-09T17:04:50.62+00:00 @Parag Kale ,
It looks like you're trying to pass an authentication token from one Azure Function to another, but you're running into issues with the token not being included in the headers when redirecting to your Durable Function Monitor.
What you're encountering is a well-known limitation due to browser security constraints:Custom headers like Authorization are not carried forward across browser redirects (e.g., 302/301).
This is by design and ensures that sensitive information is not unintentionally forwarded. As a result, setting the
Authorizationheader in Function2 and expecting it to persist through the redirect to the Durable Function Monitor endpoint will not work.Here's what you can do to resolve this:
Add the Token to the Redirect URL: Instead of trying to pass the Authorization token through headers during a redirect, consider sending it as a query parameter when redirecting to the Durable Function Monitor. For example, modify your redirection in
Function2like this:response.Headers.Add("Location", $"http://localhost:7267/api/DFM?access_token={result.AccessToken}");Modify Function to Accept Token: Update your durable function endpoint to check for the token in the query parameters:
string token = req.Query["access_token"]; if (string.IsNullOrEmpty(token)) { var unauthorizedResponse = req.CreateResponse(HttpStatusCode.Unauthorized); unauthorizedResponse.WriteStringAsync("Missing access token."); return Task.FromResult(unauthorizedResponse); }Include Token in Further Calls: If your Durable Function Monitor needs to make other API calls, make sure you validate the token, and extract it accordingly.
This way, when you hit the Durable Function Monitor endpoint, you’ll have the token available and can validate it as needed.
-
Parag Kale 20 Reputation points
2025-05-09T18:22:33.96+00:00 Thank you for the reply
I see that on my target HTTP triggered function
[Function(nameof(MyCustomDfMonEndpoint))]public Task<HttpResponseData> ServeDfMonStatics([HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = Globals.DfMonRoutePrefix + "/{p1?}/{p2?}/{p3?}")] HttpRequestData req,string p1,string p2,string p3){string token = req.Query["access_token"]!;if (string.IsNullOrEmpty(token)){var unauthorizedResponse = req.CreateResponse(HttpStatusCode.Unauthorized);unauthorizedResponse.WriteStringAsync("Missing access token.");return Task.FromResult(unauthorizedResponse);}return this.DfmServeStaticsFunction(req, p1, p2, p3);}
I see that the access_token query parameter is lost when it again gets executed. Basically when I debugged it , the below statement gets called multiple times and I get null in access_token. How can I maintain the value of access_token once I reach the endpoint of MyCustomEndpoint
return this.DfmServeStaticsFunction(req, p1, p2, p3); -
Parag Kale 20 Reputation points
2025-05-09T18:24:36.67+00:00 Basically the statement return this.DfmServeStaticsFunction(req, p1, p2, p3) is resulting in the HTTP triggered azure function getting called multiple times and hence results in the query parameter getting lost.
I want to maintain the value of access_token for the session
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 5%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPK%3C/text%3E%3C/svg%3E)
Praveen Kumar Gudipudi 265 Reputation points Microsoft External Staff Moderator2025-05-09T23:37:51.0233333+00:00 We are reproducing issue from our end; we will let you know with an update.
Sign in to comment
Sign in to answer