Authentication for Azure Functions

Question

I've spent the past 24 hours reading all about how to create Azure Functions and have successfully converted an MVC WebApi over to a new Function App with multiple functions. My problem is that I've not found any clear documentation or tutorials on how to do the most basic of authentication with them.

My scenario is pretty straightforward. Provision users in my AAD, then grant those users access to specific functions. Users on a website will click on UI elements that in turn trigger Javascript that calls my Azure Functions. In the function I need to be able to verify their identity somehow as I'll be passing that along to other functions that interact with a SQL instance.

Can someone please point me at docs, articles, an example, something, that shows how I can achieve this?

For the record I've found in the portal the "Authentication" config for my Function App and have chosen AAD as my Authentication Provider. I've added my Function App to it and have provisioned a few users. I then wrote the following test function:

using System.Net;
using System.Net.Http;
using System.Security.Claims;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Azure.WebJobs.Host;

[FunctionName("GetThings")]
public static HttpResponseMessage Run([HttpTrigger(AuthorizationLevel.User, "GET", Route = null)]HttpRequestMessage req, TraceWriter log)
{
    log.Info("Getting all the things");
    // Populated by the App Service authentication layer when the caller signed in.
    var identity = ClaimsPrincipal.Current?.Identity;

    // Greet an authenticated caller by name; reject everyone else.
    return identity != null && identity.IsAuthenticated ?
        req.CreateResponse(HttpStatusCode.OK, $"Hi {identity.Name}!") :
        req.CreateResponse(HttpStatusCode.Unauthorized, "Not authenticated!");
}

Currently when trying to hit the endpoint directly I get redirected to a login page... so I guess that part is working. How I generate / retrieve user tokens, send them along on the request to the functions, or process them on the server isn't clear to me though.

Help?

Answer

Once the user authenticates with Azure AD you'll be presented an AppServiceAuthSession cookie. It's an opaque cookie but you can exchange it for claims by calling

https://yourFunctionApp.azurewebsites.net/.auth/me

and passing in the opaque cookie as Cookie header. Moreover, the id_token you get back is good for use as Bearer token.

Actually it just looks right to me, I haven't really tested it as a Bearer, so a little caution there.

The mechanism is called Easy Auth, it's easier to Google for that name.

More on the token store here —
https://cgillum.tech/2016/03/07/app-service-token-store/

...which says you can grab the claims just by reading the HTTP headers coming in from the user's browser:

Accessing Tokens

From within your backend code, accessing these tokens is as easy as reading an HTTP request header. The headers are named like X-MS-TOKEN-{provider}-{type}. The possible token header names are listed below:

Azure Active Directory Token Request Headers:

X-MS-TOKEN-AAD-ID-TOKEN
X-MS-TOKEN-AAD-ACCESS-TOKEN
X-MS-TOKEN-AAD-EXPIRES-ON
X-MS-TOKEN-AAD-REFRESH-TOKEN

I actually just found that out right now, so thanks for the question!

My hunch was correct, the id_token is also good as Bearer:

$ curl -isk https://{funcApp}.azurewebsites.net/api/{someFunc} \
       -H "Authorization: Bearer eyJ0eXAiOi....oEU-Q"

HTTP/1.1 200 OK
Cache-Control: no-cache
Server: Microsoft-IIS/8.0
...

The main difference between the two ways of reading claims (reading headers vs. calling /.auth/me from the backend with the user's cookie) is the amount of detail you get. There's way more in the latter.

Here's the set of headers you get from Easy Auth for a Twitter authenticated user:

{
   "cookie": "AppServiceAuthSession=Lx43...xHDTA==",
   ...
   "x-ms-client-principal-name": "evilSnobu",
   "x-ms-client-principal-id": "35....",
   "x-ms-client-principal-idp": "twitter",
   "x-ms-token-twitter-access-token": "35...Dj",
   "x-ms-token-twitter-access-token-secret": "OK3...Jx",
}

and the claims you get by calling /.auth/me:

{
   "access_token": "35...FDj",
   "access_token_secret": "OK3...sJx",
   "provider_name": "twitter",
   "user_claims": [
      {
         "typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
         "val": "352660979"
      },
      {
         "typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
         "val": "evilSnobu"
      },
      {
         "typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
         "val": "Safarihat Hacker"
      },
      {
         "typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage",
         "val": "..."
      },
      {
         "typ": "urn:twitter:description",
         "val": "GENIUS. HAVE BRAIN. WILL TRAVEL."
      },
      {
         "typ": "urn:twitter:location",
         "val": ""
      },
      {
         "typ": "urn:twitter:time_zone",
         "val": "London"
      },
      {
         "typ": "urn:twitter:lang",
         "val": "en"
      },
      {
         "typ": "urn:twitter:verified",
         "val": "False"
      },
      {
         "typ": "urn:twitter:profile_image_url_https",
         "val": "https://pbs.twimg.com/profile_images/867473646876545024/1elebfK1_normal.jpg"
      }
   ],
   "user_id": "evilSnobu"
}
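As an added example (not code from the question or the answer), here is a helper the function in the question could call to turn either source of identity described in the answer into a ClaimsPrincipal: the x-ms-client-principal-* / X-MS-TOKEN-AAD-* headers injected by Easy Auth, or the provider object returned by /.auth/me. The class and method names are mine, and it assumes Newtonsoft.Json is referenced.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Net.Http;
using System.Security.Claims;
using Newtonsoft.Json.Linq;

public static class EasyAuthIdentity
{
    // Builds a principal from the headers the App Service front end adds.
    // Returns null when they are absent (request did not pass through Easy
    // Auth, e.g. local run). Only trust these headers when Easy Auth is
    // enabled for the app; without it nothing stops a caller from supplying them.
    public static ClaimsPrincipal FromHeaders(HttpRequestMessage req)
    {
        Func<string, string> header = n =>
        {
            IEnumerable<string> values;
            return req.Headers.TryGetValues(n, out values) ? values.FirstOrDefault() : null;
        };

        var id = header("x-ms-client-principal-id");
        var idp = header("x-ms-client-principal-idp");
        var name = header("x-ms-client-principal-name");
        if (string.IsNullOrEmpty(id) || string.IsNullOrEmpty(idp))
            return null;

        // AAD logins also carry the token expiry; treat a lapsed or unparseable
        // value as "not authenticated" rather than guessing.
        var expiresOn = header("X-MS-TOKEN-AAD-EXPIRES-ON");
        DateTimeOffset exp;
        if (expiresOn != null &&
            (!DateTimeOffset.TryParse(expiresOn, CultureInfo.InvariantCulture,
                 DateTimeStyles.AssumeUniversal, out exp) || exp <= DateTimeOffset.UtcNow))
            return null;

        var identity = new ClaimsIdentity(idp); // non-empty type => IsAuthenticated
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, id));
        if (!string.IsNullOrEmpty(name))
            identity.AddClaim(new Claim(ClaimTypes.Name, name));
        return new ClaimsPrincipal(identity);
    }

    // Converts one provider object from /.auth/me (the "user_claims" array of
    // {typ, val} pairs shown above) into a principal carrying every claim.
    public static ClaimsPrincipal FromAuthMe(string providerJson)
    {
        var doc = JObject.Parse(providerJson);
        var claims = doc["user_claims"].Select(c => new Claim((string)c["typ"], (string)c["val"]));
        return new ClaimsPrincipal(new ClaimsIdentity(claims, (string)doc["provider_name"]));
    }
}
```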
