如何使用OAuth为人和机器保护Azure功能? [英] How to secure Azure functions with OAuth for both humans and machines?

问题描述

我肯定有一个功能应用程序，机器(客户端凭据流)和人员(授权代码流)都需要能够进行授权/认证.

I have a functions app in azure that both a machine (client credential flow) and humans (authorization code flow) need to be able to authorize/authenticate against.

最初，我使用的是Easy-auth，Azure开箱即用的解决方案来保护功能应用程序.但是，根据此 https://stackoverflow.com/a/57357226/7411328 ，无法使用客户端凭据流通过简单的身份验证.虽然我不明白为什么会这样.为什么一次注册一个应用程序就无法对两个不同的流使用相同的权限?

Initially I was using easy-auth, Azures out-of-the-box solution for securing functions apps. However according to this https://stackoverflow.com/a/57357226/7411328 it's not possible to use the client credentials flow with easy auth. Although I don't understand why this is. Why is it not possbile to use the same authority for two different flows with a single app registration?

假设(也许是错误地)上述事实是正确的，并且我必须自己实现JWT验证.

Making the assumption (perhaps incorrectly) that the above is true and I have to implement JWT validation on my own.

是否有可靠的方法来判断API是由机器还是由人来调用?

Is there any reliable way to tell whether an API is being called by a machine or by a human?

我应该还是通过两个单独的应用程序注册来做到这一点吗?

Should I still do it with two seperate app registrations?

我对这些技术的理解可能不足以恰当地提出问题，请让我知道我是否可以采取任何措施来澄清问题.

My understanding of these technologies might inadequate to properly ask the question, please let me know if I can do anything to clarify the question.

推荐答案

据我所知，您可以使用客户端凭据流来调用由easy-auth(AAD作为身份验证提供程序)保护的Azure函数.可以尝试以下步骤:

As far as I know, you can use client credentials flow to call an Azure function that protected by easy-auth(AAD as auth provider).Generally ,you can try the steps below :

1. 注册Azure AD应用
2. 通过以下请求从Azure AD获取访问令牌:

URL:

POST https://login.microsoftonline.com/<your tenant ID/name>/oauth2/token

标题:

Content-Type: application/x-www-form-urlencoded

身体:

client_id=<your new resistered app ID>&
client_secret=<your new resistered app secret>&
resource=<your Azure function app ID which configed at easy-auth>&
grant_type=client_credentials

结果:

使用此访问令牌来调用Azure函数:

Use this access token to call Azure function :

如果您使用的是Azure AD b2c，请向我提供更多详细信息，我将为您做一些研究.

If you are using Azure AD b2c , pls provide me with more detailed infos , and I'll do some research for you .

这篇关于如何使用OAuth为人和机器保护Azure功能?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！