如何使用Azure Functions强制执行A​​AD应用程序角色授权? [英] How to enforce AAD Application Role authorization with Azure Functions?

问题描述

This page describes how to add Application app roles to an application in Azure Active Directory using the manifest.

页面中的代码示例:

"appId": "8763f1c4-f988-489c-a51e-158e9ef97d6a",
"appRoles": [
    {
      "allowedMemberTypes": [
        "Application"
      ],
      "displayName": "ConsumerApps",
      "id": "47fbb575-859a-4941-89c9-0f7a6c30beac",
      "isEnabled": true,
      "description": "Consumer apps have access to the consumer data.",
      "value": "Consumer"
    }
  ],
"availableToOtherTenants": false,

从使用client_credentials授予类型进行身份验证的应用程序中调用Azure函数时，如何强制其属于应用程序角色?

When calling an an Azure Function from an application authenticated using the client_credentials grant type, how do you enforce it to belong to the application role?

我已经Google搜索过，但是找不到清晰的文档来说明如何对Azure Functions进行此授权.

I've Googled but been unable to find clear documentation that explains how this authorization is done for Azure Functions.

我的测试功能应用

我已经从邮递员打来的Azure门户中创建了一个简单的"hello< name>" Azure函数.

I've created a simple "hello <name>" Azure Function from within the Azure Portal which I call from Postman.

#r "Microsoft.Azure.WebJobs.Extensions.Http"
#r "Newtonsoft.Json"

using System.Net;
using System.Security.Claims;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Primitives;
using Newtonsoft.Json;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;


public static IActionResult Run(HttpRequest req,  ILogger log, ClaimsPrincipal claimsPrincipal)
{
    var name = req.Query["name"];
    log.LogInformation($"C# HTTP trigger function processed a request: {name}");

    var cp = new {
        Identity = new {
            claimsPrincipal.Identity.AuthenticationType,
            claimsPrincipal.Identity.IsAuthenticated,
            claimsPrincipal.Identity.Name
        },
        Claims = claimsPrincipal.Claims.Select(claim => new
        {
            claim.Type,
            claim.Value
        })
    };
    log.LogInformation($"ClaimsPrincipal ({claimsPrincipal.GetType().FullName}): {JsonConvert.SerializeObject(cp, Formatting.Indented)}");

    return (IActionResult)new OkObjectResult($"Hello, {name}");
}

首先，我使用https://login.microsoftonline.com/<Tenant ID>/oauth2/v2.0/token进行身份验证并捕获access_token.

Firstly I authenticate using https://login.microsoftonline.com/<Tenant ID>/oauth2/v2.0/token and capture the access_token.

请求正文示例:

grant_type:client_credentials
client_id:<Application ID>
client_secret:<Client Secret>
scope:https://<Function-app-name>.azurewebsites.net/.default

示例结果:

{
    "token_type": "Bearer",
    "expires_in": 3599,
    "ext_expires_in": 3599,
    "access_token": "eyJ0eXAi......"
}

然后，我使用https://<function-app-name>.azurewebsites.net/api/hello?name=World和包含Authorization: Bearer eyJ0eXAi......的标头调用我的Azure函数.

Then I call my Azure Function using https://<function-app-name>.azurewebsites.net/api/hello?name=World and a header containing Authorization: Bearer eyJ0eXAi.......

身份验证可以正常工作，就像调用Azure函数一样.但是，我可以通过应用程序注册在Azure门户中添加新的应用程序，进行身份验证，然后自由调用Azure功能.我不知道如何将对Azure功能的访问限制为仅具有特定应用程序角色的应用程序.

Authentication works fine, as does calling the Azure Function. However, I can add a new Application via App registrations in the Azure Portal, authenticate and then call the Azure Function freely. I don't know how to restrict access the the Azure Function to only Applications that have a specific application role.

推荐答案

我不知道如何将Azure功能限制为仅具有特定应用程序角色的应用程序.

I don't know how to restrict access the Azure Function to only Applications that have a specific application role.

如果只希望拥有ConsumerApps权限的应用访问您的功能，请按照以下步骤操作.

If you just want the App who has the ConsumerApps permission access your function, follow the steps below.

1.在门户网站的Azure Active Directory中导航到功能的AD App->单击Managed application in local directory-> Properties->将User assignment required设置为Yes.

1.Navigate to the AD App of your function in the Azure Active Directory in the portal -> click the Managed application in local directory -> Properties -> set the User assignment required to Yes.

2.然后，您可以尝试通过AD App再次获取令牌，您会发现该应用程序无法成功获取令牌，您将得到如下错误，因为您的客户端应用程序没有ConsumerApps许可.

2.Then you could try to get the token with your AD App again, you will find the app could not get the token successfully, you will get the error like below, because your client app does not have the ConsumerApps permission.

3.要成功访问该功能，我们只需为您使用的Client AD App添加Application权限.

3.To access the function successfully, we just need to add the Application permission for the Client AD App you used.

在门户中导航到客户端AD App-> API permissions-> Add a permission->单击APIs my organization uses->搜索您的功能AD App名称->单击该应用程序-> Application permissions->添加Consumer权限-> 单击Grant admin consent for xxx按钮.

Navigate to the client AD App in the portal -> API permissions -> Add a permission -> click APIs my organization uses -> search for your function AD App name -> click the app -> Application permissions -> add the Consumer permission -> click the Grant admin consent for xxx button.

等待一会儿，然后尝试再次获取令牌，它可以正常工作.

Wait for a while, then try to get the token again, it works fine.

使用令牌调用函数，也可以使用.

Use the token to call function, also works.

这篇关于如何使用Azure Functions强制执行A​​AD应用程序角色授权?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！