如何使用函数身份验证或Azure AD服务主体对Azure函数进行身份验证 [英] How to authenticate to an Azure Function using function auth or Azure AD service principal
问题描述
我有一个Azure函数,正在使用该函数从Azure AD获取数据,但是我想限制谁可以使用该函数,因为它将使用HTTP触发器,这样我就可以从Logic App随后问世. 因此,由于HTTP触发的Azure Functions具有公共终结点,因此我想通过将授权级别设置为Function来提高安全性,或者更可取的是使用Azure AD服务主体(预先创建). 进行更改后,我可以通过将函数放入URL进行调用.
I have an Azure function which I'm using to fetch data from Azure AD, but I want to limit who can use the Function as it will be using a HTTP trigger so that I will be able to call the function from a Logic App later down the road. So as HTTP triggered Azure Functions have a public endpoint, I want to improve security by setting the authorization level to Function, or even more preferable to use an Azure AD service principal (pre-created). Upon making this change though I can make the call by putting in the function into the URL.
基本网址:
https://something.com/api/function_name
带有令牌的URL:
https://something.com/api/function_name?code=token_here
URL with token:
https://something.com/api/function_name?code=token_here
但是,我的函数希望提供一些输入.
在匿名端点上,您可以像这样扩展基本URL:
https://something.com/api/function_name/?parameter=value
However, my function expects some input to be given.
On an anonymous endpoint you'd extend the base URL like so:
https://something.com/api/function_name/?parameter=value
其中的参数是代码期望的值,并将值传递给代码中的变量. 现在,我是这个HTTP端点的新手,并且可以通过URL传递值.我了解这是作为JSON传递的(可能)
Where parameter is what the code will expect, and the value being passed into the variable in the code. Now I'm new to this HTTP endpoint stuff and passing in values via a URL. I understand this gets passed in as JSON (probably)
但是我不明白如何既可以进行功能授权又可以传递参数. 我尝试过:
But I don't understand how I can do both the function authorization as well as passing in the parameter. I've tried:
https://something.com/api/function_name/?parameter=value?code=token_here
https://something.com/api/function_name?code=token_here/?parameter=value
有人知道这应该如何工作吗?
Does anyone know how this is supposed to work?
另一方面,我也可以将Platform Features -> Authentication / Authorization设置为Azure AD服务主体.但是,如何使用该服务主体的client_id和client_secret更改URL以进行身份验证?
我实际上更喜欢使用这种方法,因为这样我就可以对令牌实施生命周期管理并对其进行轮换以使其更加安全.
On the flipside, I could also set the Platform Features -> Authentication / Authorization to an Azure AD service principal. But then how do I change the URL to authenticate using the client_id and client_secret of that service principal?
I'd actually prefer using this method, because then I could implement lifecycle management on the token and rotate it to keep it even more secure.
我看过这里: 使用JavaScript进行Azure AD身份验证访问的Azure功能
我在stackoverflow上发现的大多数其他主题甚至都没有结束.
And most other topics I found on stackoverflow didn't even get close.
PS:本PS不需要答案,但我会很感激.
我正在构思的东西是一个(预定的)逻辑应用程序触发的一个工作流,该应用程序触发了Get-Function. Get-Function将在何处需要触发Update-Function.而且,我正在触发Get-Function HTTP,因此我也可以将其作为API提供,以使该功能可用于自动化. (以允许通过API调用旋转机密,而无需那些需要Azure AD权限的人)
然后,更新功能将需要旋转(特定)应用程序/服务主体上的机密.
Azure Function基于v2,并使用Powershell Core作为语言.
PS: This PS doesn't need an answer, but I would appreciate any thought.
This thing i am concocting is a workflow combined of a (scheduled)logic app that triggers a Get-Function. Where the Get-Function will somehow need to trigger an Update-Function. And I'm making the Get-Function HTTP triggered so that I will also be able to offer it as an API to make this function usable for automation. (to allow secrets to be rotated via API calls without those people requiring Azure AD permissions)
The update function would then need to rotate secrets on (specific) applications/service principals.
The Azure Function is based on v2 and uses Powershell Core as language.
推荐答案
如果您要使用平台功能->身份验证/授权(简易身份验证)来保护您的匿名http触发功能,则可以执行以下步骤:
if you want to use Platform Features -> Authentication / Authorization (Easy Auth) to protect your anonymous http triggered function, you can follow the steps below:
- 启用身份验证/授权(轻松身份验证),请使用Azure AD表达模式: 点击保存.完成此过程后,请注意您的功能广告应用程序的client_id,稍后我们将使用它.
- 创建Azure AD应用 ,并为其创建客户端密钥,记下客户端密钥值和新的Azure AD应用ID:
- Enabling Authentication / Authorization (Easy Auth), use Azure AD express mode : Click save. And once the process is done , pls note the client_id of your function ad app, we will use it later.
- Creating an Azure AD App ,and create a client secret for it , note the client secret value and the new Azure AD app ID :
3.请求从您的Azure AD获取访问令牌,以便我们可以调用您的http触发函数:
3.Make a request to get an access token from your Azure AD so that we can call your http triggered function :
Request URL:
post https://login.microsoftonline.com/<-your tenant id/name->/oauth2/token
Request Header:
Content-Type: application/x-www-form-urlencoded
Request Body:
grant_type=client_credentials
&resource=<-function App ID->
&client_id=<-new Azure AD App ID->
&client_secret=<-client secret of new Azure AD App ID->
仅如下所示:
正如您在响应中看到的那样,您可以获得访问令牌,因此可以在http请求标头"Authorization"参数中使用此令牌来调用启用了简单身份验证的http触发函数,所有没有正确Authorization标头的请求都将被阻止:
As you can see in response , you can get an access token , so use this token in http request header "Authorization" param to call your http triggered function which enabled easy auth, all request without correct Authorization header will be blocked:
如果这对您有帮助,请标记我.
Pls mark me if this is helpful for you.
这篇关于如何使用函数身份验证或Azure AD服务主体对Azure函数进行身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
