Securing Azure AD B2C API Connector (Function App) without Error

Securing Azure AD B2C API Connector (Function App) without Error

I was recently working with a customer who is using Azure AD B2C API Connector to enrich tokens with claims from external sources. They are using Azure Function App as the external source. As this setup demands, they exposed Azure Function App over public IP to work with B2C. But due to enterprise security restriction policy they must remove public endpoint from Function App and use private endpoints to VNET.


They thought of 2 options to expose the Function App securely over internet – using Azure API Management instance to a virtual network - external mode APIM in external mode or using Azure Application Gateway. But in both the cases B2C auth process errors out after adding the API Connector in the user flow:






Initially I investigated on the error messages collected at the B2C, and APIM or Azure Application Gateway end. But later realized the main source of problem lies somewhere else. It is the ASP.NET Core framework used in building the Function App.


We need to modify default FowardedHeaders middleware settings. Otherwise, it will ignore the X-Forwarded headers being sent by APIM or Application Gateway because it isn’t in the list of KnownProxies and KnownNetworks. Please see the following links to understand the concept better:



So, I did the following changes:


1. Added ASPNETCORE_FORWARDEDHEADERS_ENABLED application setting to my Function App Configuration:




2. Added a Startup.cs file in my function app code.


using System.Collections.Generic;

using Microsoft.AspNetCore.Builder;

using Microsoft.Azure.Functions.Extensions.DependencyInjection;

using Microsoft.Extensions.DependencyInjection;


[assembly: FunctionsStartup(typeof(TestAPIFunctionApp.Startup))]

namespace TestAPIFunctionApp


    public class Startup : FunctionsStartup


        public override void Configure(IFunctionsHostBuilder builder)


            builder.Services.Configure<ForwardedHeadersOptions>(options =>


                options.ForwardedHeaders = Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedFor | Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedProto | Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedHost;



                // Put your front door, application gateway, APIM, b2clogin FQDN here and any other hosts that will send headers you want respected

                options.AllowedHosts = new List<string>() { "<yourfunctionappname>.azurewebsites.net", "<yourb2cservicename>.b2clogin.com", "<yourAPIMservicename>.azure-api.net”};






That solves our problem. We can now see the “augmented claims”:



Published on:

Learn more
Azure Architecture Blog articles
Azure Architecture Blog articles

Azure Architecture Blog articles

Share post:

Related posts

Announcing Azure Monitoring Agent support in Azure Landing Zones

Introduction   Hello and welcome to another blog post about Azure Landing Zones, the best practice framework for accelerating your cloud...

10 hours ago

Out-of-band updates to address Azure Synapse SQL issue caused by Windows updates

Microsoft has issued an out-of-band update to resolve an issue with Azure Synapse SQL Serverless Pool databases entering a "Recovery pending" ...

13 hours ago

[Mitigated] Azure Lab Services - Lab Plan Outage

Azure Lab Service is experiencing an outage that is affecting Lab Plans, but not Lab Accounts. This outage intermittently impacts all operatio...

22 hours ago

Azure Lab Services Tutorial Video

This is a complete tutorial about Azure Lab Services' features. It walks through the steps of setting up a Lab Account, creating a Lab, and ac...

22 hours ago

What's new in the Azure Lab Services

This is a presentation highlighting the new features introduced in the latest preview for Azure Lab Services.

22 hours ago

Update to Azure Lab Services

The product team has been busy working on fundamental improvements for the service to boost performance, reliability, and scalability. It has ...

23 hours ago

Build scalable cross-subscription applications with Azure Load Balancer

We are thrilled to announce that Azure cross-subscription Load Balancer is now available for public preview in all Azure public and national c...

1 day ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy