如何在Xamarin移动应用程序中使用功能级别授权安全地调用Azure Function? [英] How to safely call Azure Function with function level authorization in Xamarin mobile app?
问题描述
我正在使用Xamarin(不是Xamarin.Forms,而是常规Xamarin)制作iOS/Android应用.我使用的是共享库而不是PCL.我希望我的应用程序调用Azure函数,但是我不确定处理此问题的最安全/最佳方法.我已将其设置为功能"作为授权级别".测试网址中包含?code = ..."部分.我给人的印象是,如果将它放在C#代码中并带有代码"值,那么从安全角度来看,这是一个坏主意.
I'm making an iOS/Android app using Xamarin (not Xamarin.Forms, just regular Xamarin). I'm using the shared library set up rather than PCL. I want my app to call an Azure function but I'm unsure of the safest/best way to handle this. I have it set to "Function" for the "Authorization level". The test URL includes the "?code=..." portion in it. I was under the impression that if I put that in my C# code with the "code" value exposed that it was considered a bad idea from a security perspective.
我不知道最安全/最佳的处理方式.我读过在app.config中设置它也是一个坏主意.我找到了一些有关Web应用程序的参考,这些参考建议使用Azure门户中提供的连接字符串,但是由于这不是Web应用程序,因此我不确定如何在代码中实际检索这些值(或甚至有可能).
I'm lost as to the safest/best way to deal with this. I've read that setting it in app.config is also a bad idea. I found some references for a web app that suggest using the connection strings that are available in the azure portal, but since this isn't a web app, I'm unsure of how I'd actually retrieve those values in my code (or if that's even possible).
那么您如何建议我处理代码"的设置,以便我可以调用函数并避免安全性问题?
So how would you suggest I handle setting the value for "code" so that I can call my function and avoid a security problem?
更新:根据请求提供更多信息: 我正在使用MSAL通过B2C活动目录对用户进行身份验证.我已经可以使用该部分了,并且已经收到验证用户身份的令牌.
UPDATE: Providing more info as per request: I'm using MSAL to authenticate my users with a B2C active directory. I already have that part working and have received a token authenticating the user.
我也刚刚在我的功能中启用了身份验证.
I also just now enabled authentication in my functions.
给我的印象是,要从移动客户端调用函数,我必须创建一个新的HttpRequestMessage.我不确定然后将其放置在什么地方以传递令牌.
I was under the impression that to call my function from my mobile client I had to make a new HttpRequestMessage. I'm unsure of then what I'd place in it to pass my token along.
推荐答案
请确保我理解,您担心的是在iOS/Android应用中嵌入机密(?code = XXX值),对吗?如果是这样,是的,通常认为这是不良的安全做法.最好假设可以下载您的应用程序的任何人都有能力发现这些秘密,并以他们想要的任何方式使用它们.
Just to make sure I understand, your concern is about embedding secrets (the ?code=XXX value) in your iOS/Android app, correct? If so, yes, this is generally considered bad security practice. It's best to assume that anyone who can download your app will have the ability to discover these secrets and use them any way they want.
从移动设备向诸如Azure功能之类的后端服务进行身份验证的推荐方法是使用交互式身份验证-即某种OAuth流.您可以自己构建它,也可以使用Azure Functions和Azure App Service的内置功能来帮助您(Azure Functions构建在App Service之上).这是一个可能有用的资源:
The recommended way to authenticate with a backend service, such as Azure Functions, from a mobile device is to use interactive authentication - i.e. some kind of OAuth flow. You can build it yourself, or you can use the built-in functionality of Azure Functions and Azure App Service to help you (Azure Functions is built on top of App Service). Here is a resource which might be useful:
https://docs.microsoft. com/en-us/azure/app-service/app-service-authentication-overview
https://contos.io/working身份中的蓝色功能1a981e10b900#.vcjit3ntw
这篇关于如何在Xamarin移动应用程序中使用功能级别授权安全地调用Azure Function?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
