Question
I have an Azure function which I'm using to fetch data from Azure AD, but I want to limit who can use the Function, as it will be using an HTTP trigger so that I will be able to call the function from a Logic App later down the road. So as HTTP-triggered Azure Functions have a public endpoint, I want to improve security by setting the authorization level to Function, or even more preferably to use an Azure AD service principal (pre-created). Upon making this change, though, I can make the call by putting the function into the URL.
Base URL:
https://something.com/api/function_name
URL with token:
https://something.com/api/function_name?code=token_here
However, my function expects some input to be given.
On an anonymous endpoint you'd extend the base URL like so:
https://something.com/api/function_name/?parameter=value
Where parameter is what the code will expect, and the value is what gets passed into the variable in the code. Now I'm new to this HTTP endpoint stuff and passing in values via a URL. I understand this gets passed in as JSON (probably).
But I don't understand how I can do both the function authorization as well as passing in the parameter. I've tried:
https://something.com/api/function_name/?parameter=value?code=token_here
https://something.com/api/function_name?code=token_here/?parameter=value
Does anyone know how this is supposed to work?
On the flip side, I could also set the Platform Features -> Authentication / Authorization to an Azure AD service principal. But then how do I change the URL to authenticate using the client_id and client_secret of that service principal?
I'd actually prefer using this method, because then I could implement lifecycle management on the token and rotate it to keep it even more secure.
I've looked here: Azure function with Azure AD authentication access using JavaScript
And most other topics I found on Stack Overflow didn't even get close.
PS: This PS doesn't need an answer, but I would appreciate any thought.
This thing I am concocting is a workflow combined of a (scheduled) logic app that triggers a Get-Function. Where the Get-Function will somehow need to trigger an Update-Function. And I'm making the Get-Function HTTP triggered so that I will also be able to offer it as an API to make this function usable for automation (to allow secrets to be rotated via API calls without those people requiring Azure AD permissions).
The update function would then need to rotate secrets on (specific) applications/service principals.
The Azure Function is based on v2 and uses PowerShell Core as its language.
Answer 1:
If you want to use Platform Features -> Authentication / Authorization (Easy Auth) to protect your anonymous HTTP-triggered function, you can follow the steps below:
1. Enable Authentication / Authorization (Easy Auth), using Azure AD express mode: click Save. Once the process is done, please note the client_id of your function AD app; we will use it later.
2. Create an Azure AD app, and create a client secret for it; note the client secret value and the new Azure AD app ID.
3. Make a request to get an access token from your Azure AD so that we can call your HTTP-triggered function:
Request URL:
POST https://login.microsoftonline.com/<-your tenant id/name->/oauth2/token
Request Header:
Content-Type: application/x-www-form-urlencoded
Request Body:
grant_type=client_credentials
&resource=<-function App ID->
&client_id=<-new Azure AD App ID->
&client_secret=<-client secret of new Azure AD App ID->
Just as below:
As you can see in the response, you get an access token, so use this token in the HTTP request header "Authorization" to call your HTTP-triggered function which has Easy Auth enabled; all requests without a correct Authorization header will be blocked.
Please mark me if this is helpful for you.
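As an added illustration (not code from the question or the answer), the following Python builds the client_credentials token request from step 3, and builds the call to the HTTP-triggered function with the function's own query parameter, the optional Function-level `code` key (joined with `&` in one query string), and the Easy Auth token in the Authorization header. The tenant, app IDs, secret and function URL are placeholders read from environment variables (names are assumptions); the secret is never placed in a URL.

```python
import json
import os
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/token"


def build_token_request(tenant, client_id, client_secret, resource):
    """Return (url, headers, body) for the client_credentials grant from the answer.
    resource is the client_id of the function's Easy Auth AD app; client_id/secret
    belong to the separate AD app created for the caller."""
    url = TOKEN_ENDPOINT.format(tenant=tenant)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "resource": resource,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return url, headers, body


def build_function_request(base_url, params, access_token=None, function_key=None):
    """Return (url, headers) for calling the function. The function's input and the
    Function-level key share one query string; the Easy Auth token is a header."""
    query = dict(params)
    if function_key:
        query["code"] = function_key
    url = base_url + "?" + urllib.parse.urlencode(query)
    headers = {"Authorization": "Bearer " + access_token} if access_token else {}
    return url, headers


def fetch_token(tenant, client_id, client_secret, resource):
    """POST the token request and return the access_token (needs network access)."""
    url, headers, body = build_token_request(tenant, client_id, client_secret, resource)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # Environment variable names are assumptions, not part of the original page.
    token = fetch_token(os.environ["AZ_TENANT"], os.environ["CALLER_APP_ID"],
                        os.environ["CALLER_APP_SECRET"], os.environ["FUNCTION_APP_ID"])
    url, headers = build_function_request(os.environ["FUNCTION_URL"],
                                          {"parameter": "value"}, access_token=token)
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        print(resp.status, resp.read().decode())
```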
Source: https://stackoverflow.com/questions/57587054/how-to-authenticate-to-an-azure-function-using-function-auth-or-azure-ad-service