How to authenticate to an Azure Function using function auth or Azure AD service principal

喜你入骨 submitted on 2020-02-07 05:41:51

Question


I have an Azure function which I'm using to fetch data from Azure AD, but I want to limit who can use the Function as it will be using an HTTP trigger so that I will be able to call the function from a Logic App later down the road. So as HTTP triggered Azure Functions have a public endpoint, I want to improve security by setting the authorization level to Function, or even more preferably to use an Azure AD service principal (pre-created). Upon making this change though, I can make the call by putting the function code into the URL.

Base URL: https://something.com/api/function_name

URL with token: https://something.com/api/function_name?code=token_here

However, my function expects some input to be given. On an anonymous endpoint you'd extend the base URL like so: https://something.com/api/function_name/?parameter=value

Where parameter is what the code will expect, and the value is being passed into the variable in the code. Now I'm new to this HTTP endpoint stuff and passing in values via a URL. I understand this gets passed in as JSON (probably).

But I don't understand how I can do both the function authorization as well as passing in the parameter. I've tried:

https://something.com/api/function_name/?parameter=value?code=token_here
https://something.com/api/function_name?code=token_here/?parameter=value

Does anyone know how this is supposed to work?

On the flipside, I could also set the Platform Features -> Authentication / Authorization to an Azure AD service principal. But then how do I change the URL to authenticate using the client_id and client_secret of that service principal? I'd actually prefer using this method, because then I could implement lifecycle management on the token and rotate it to keep it even more secure.

I've looked here: Azure function with Azure AD authentication access using JavaScript

And most other topics I found on stackoverflow didn't even get close.

PS: This PS doesn't need an answer, but I would appreciate any thoughts. This thing I am concocting is a workflow combining a (scheduled) logic app that triggers a Get-Function, where the Get-Function will somehow need to trigger an Update-Function. And I'm making the Get-Function HTTP triggered so that I will also be able to offer it as an API, to make this function usable for automation (to allow secrets to be rotated via API calls without those people requiring Azure AD permissions). The update function would then need to rotate secrets on (specific) applications/service principals. The Azure Function is based on v2 and uses PowerShell Core as language.


Answer 1:


If you want to use Platform Features -> Authentication / Authorization (Easy Auth) to protect your anonymous HTTP triggered function, you can follow the steps below:

  1. Enable Authentication / Authorization (Easy Auth), using Azure AD express mode: click Save. Once the process is done, please note the client_id of your function's AD app; we will use it later.
  2. Create an Azure AD App, and create a client secret for it; note the client secret value and the new Azure AD app ID:

  3. Make a request to get an access token from your Azure AD so that we can call your HTTP triggered function:

Request URL:
POST https://login.microsoftonline.com/<-your tenant id/name->/oauth2/token

Request Header:
Content-Type: application/x-www-form-urlencoded

Request Body:
grant_type=client_credentials
&resource=<-function App ID->
&client_id=<-new Azure AD App ID->
&client_secret=<-client secret of new Azure AD App ID->

Just as below:

As you can see in the response, you get an access token, so use this token in the HTTP request header "Authorization" to call your HTTP triggered function which has Easy Auth enabled; all requests without a correct Authorization header will be blocked:

Pls mark me if this is helpful for you.
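As an added example (not code from the original answer or from the asker), this Python script shows both approaches discussed above: building a function-level-auth URL where the key is joined to the other query parameters with "&" rather than a second "?", and the client-credentials token request from step 3 followed by the bearer-authenticated call. Tenant, client id, secret, URLs and the token response are all constructed placeholders; the `opener` argument lets the token fetch run offline against a fake response.

```python
import json
import urllib.parse
import urllib.request


def function_key_url(base_url, params, function_key):
    """Function-level auth: the key travels as the 'code' query parameter.
    All parameters share ONE '?' and are joined with '&'."""
    query = dict(params)
    query["code"] = function_key
    return base_url.rstrip("/") + "?" + urllib.parse.urlencode(query)


def token_request(tenant, resource, client_id, client_secret):
    """Client-credentials request to the v1 token endpoint (as in step 3)."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "resource": resource,          # client_id of the function's Easy Auth app
        "client_id": client_id,        # the new Azure AD app
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def fetch_access_token(tenant, resource, client_id, client_secret,
                       opener=urllib.request.urlopen):
    """POST the token request and return the bearer token from the JSON reply.
    'opener' is injectable so the flow can be exercised without network access."""
    with opener(token_request(tenant, resource, client_id, client_secret)) as resp:
        payload = json.load(resp)
    if payload.get("token_type") != "Bearer" or "access_token" not in payload:
        raise RuntimeError(f"unexpected token response: {payload}")
    return payload["access_token"]


def function_call_request(base_url, params, access_token):
    """Easy Auth call: the token goes in the Authorization header, not the URL,
    so it does not end up in proxy logs or browser history."""
    url = base_url.rstrip("/") + "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {access_token}"})


if __name__ == "__main__":
    # Placeholder values; replace with your own tenant, app ids and secret.
    print(function_key_url("https://something.com/api/function_name/",
                           {"parameter": "value"}, "<function-key>"))
```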



Source: https://stackoverflow.com/questions/57587054/how-to-authenticate-to-an-azure-function-using-function-auth-or-azure-ad-service
