Azure OAuth解决应用程序问题 [英] Azure OAuth to function app issues

问题描述

我有一个非常基本的功能应用程序，它需要一个GET并返回一些静态文本.最终，我希望将POST正文写入队列，但为了保持简单，该函数仅返回文本.如果我不进行身份验证，则可以加载该URL并在浏览器或邮递员中获得响应.如果在功能应用程序中启用aad auth并创建一个简单的应用程序注册表，然后在浏览器中转到该站点，则系统会提示我进行身份验证，并且可以交互方式登录；到目前为止没有后顾之忧.

我想使用一个秘密密钥来访问该功能以进行应用程序使用，而无需进行交互式登录，因此在应用程序注册中，我进入了Keys并生成了一个.这是我的问题开始的地方.如果我使用邮递员并使用我的应用程序ID和密钥配置oauth，则可以获取令牌，我也通过对

I have a very basic function app that takes a GET and returns some static text. Eventually I would like it to write a POST body to a queue but to keep it simple the function just returns text. If I keep auth off, I can load the url and get a response in my browser or postman. If I enable aad auth within the function app and create a simple app reg then goto the site in my browser I get prompted for auth and I can login interactively; no worries so far.

I would like to access the function using a secret key for application usage with no interactive login, so within the app reg I go to Keys and generate one. This is where my problems start. If I use postman and configure oauth using my app id and key I can get a token, I have verified this also by doing a POST to https://login.microsoftonline.com//oauth2/token directly and noting the bearer token reply. However when I try an access my function app using the bearer token (either by manually adding an Authorization header or letting postman add it from the oauth 2.0 form) I am always denied with a 401 stating 'You do not have permission to view this directory or page.' when I do a GET to my function app. Can someone point me in the right direction? Thanks in advance.

Example reply from login url

{
    "token_type": "Bearer",
    "expires_in": "3599",
    "ext_expires_in": "0",
    "expires_on": "1525312644",
    "not_before": "1525308744",
    "resource": "https://<siteaddress>.azurewebsites.net/",
    "access_token": "eyxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx..etc..."
}

Response from get against function app with token

GET /api/t2 HTTP/1.1
> Host: <sitename>.azurewebsites.net
> Authorization: Bearer eyxxxxxxxxxxxxxxxxxxxxxxxxxxxx.....etc....
> Accept: */*
< HTTP/1.1 401 Unauthorized
< Content-Length: 58
< Content-Type: text/html
< WWW-Authenticate: Bearer realm="<sitename>.azurewebsites.net" authorization_uri="https://login.windows.net/<tenantid>/oauth2/authorize" resource_id="<app reg id>"
< X-Powered-By: ASP.NET
< Date: Thu, 03 May 2018 01:12:43 GMT

解决方案

I believe you're mixing Azure AD integration with function keys (API key authorization).

The latter is a self-contained authorization mechanism and works by appending

?code=<func-key-from-portal>

to the function URL, or by passing a

x-functions-key: <func-key-from-portal>

header with every request to the function. No OAuth is involved when using function keys.

Example:

GET /api/get-issues HTTP/1.1
Host: {funcapp}.azurewebsites.net
User-Agent: ajax-library-of-the-day
x-functions-key: rkW0PqT.....zcUBQ==

or

GET /api/get-issues?code=rkW0PqT.....zcUBQ== HTTP/1.1
Host: {funcapp}.azurewebsites.net
User-Agent: ajax-library-of-the-day

这篇关于Azure OAuth解决应用程序问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！