How to enforce AAD Application Role authorization with Azure Functions?


Problem description


This page describes how to add Application app roles to an application in Azure Active Directory using the manifest.

Code sample from the page:

{
  "appId": "8763f1c4-f988-489c-a51e-158e9ef97d6a",
  "appRoles": [
    {
      "allowedMemberTypes": [
        "Application"
      ],
      "displayName": "ConsumerApps",
      "id": "47fbb575-859a-4941-89c9-0f7a6c30beac",
      "isEnabled": true,
      "description": "Consumer apps have access to the consumer data.",
      "value": "Consumer"
    }
  ],
  "availableToOtherTenants": false
}

When calling an Azure Function from an application authenticated using the client_credentials grant type, how do you enforce that the caller belongs to the application role?

I've Googled but been unable to find clear documentation that explains how this authorization is done for Azure Functions.


My Test Function App

I've created a simple "hello <name>" Azure Function from within the Azure Portal which I call from Postman.

#r "Microsoft.Azure.WebJobs.Extensions.Http"
#r "Newtonsoft.Json"

using System.Linq;
using System.Net;
using System.Security.Claims;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Primitives;
using Newtonsoft.Json;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;

// Logs the caller's identity and every claim in the token so the principal
// (including any "roles" claim) can be inspected in the function log.
public static IActionResult Run(HttpRequest req, ILogger log, ClaimsPrincipal claimsPrincipal)
{
    var name = req.Query["name"];
    log.LogInformation($"C# HTTP trigger function processed a request: {name}");

    // Anonymous projection of the principal so it serializes cleanly to JSON
    var cp = new {
        Identity = new {
            claimsPrincipal.Identity.AuthenticationType,
            claimsPrincipal.Identity.IsAuthenticated,
            claimsPrincipal.Identity.Name
        },
        Claims = claimsPrincipal.Claims.Select(claim => new
        {
            claim.Type,
            claim.Value
        })
    };
    log.LogInformation($"ClaimsPrincipal ({claimsPrincipal.GetType().FullName}): {JsonConvert.SerializeObject(cp, Formatting.Indented)}");

    return new OkObjectResult($"Hello, {name}");
}

Firstly I authenticate using https://login.microsoftonline.com/<Tenant ID>/oauth2/v2.0/token and capture the access_token.

Request Body Example:

grant_type:client_credentials
client_id:<Application ID>
client_secret:<Client Secret>
scope:https://<Function-app-name>.azurewebsites.net/.default

Example Result:

{
    "token_type": "Bearer",
    "expires_in": 3599,
    "ext_expires_in": 3599,
    "access_token": "eyJ0eXAi......"
}

Then I call my Azure Function using https://<function-app-name>.azurewebsites.net/api/hello?name=World and a header containing Authorization: Bearer eyJ0eXAi.......

Authentication works fine, as does calling the Azure Function. However, I can add a new Application via App registrations in the Azure Portal, authenticate and then call the Azure Function freely. I don't know how to restrict access to the Azure Function to only Applications that have a specific application role.

Solution

I don't know how to restrict access the Azure Function to only Applications that have a specific application role.

If you just want the App who has the ConsumerApps permission access your function, follow the steps below.

1. Navigate to the AD App of your function in the Azure Active Directory in the portal -> click the Managed application in local directory -> Properties -> set the User assignment required to Yes.

2. Then you could try to get the token with your AD App again; you will find the app cannot get the token successfully and you will get an error like the one below, because your client app does not have the ConsumerApps permission.

3. To access the function successfully, we just need to add the Application permission for the Client AD App you used.

Navigate to the client AD App in the portal -> API permissions -> Add a permission -> click APIs my organization uses -> search for your function AD App name -> click the app -> Application permissions -> add the Consumer permission -> click the Grant admin consent for xxx button.

Wait for a while, then try to get the token again; it works fine.

Using the token to call the function also works.
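The steps above make Azure AD refuse to issue a token to any client app that has not been assigned the role, so the function never sees such a caller. A defence-in-depth check inside the function is still useful: if "User assignment required" is ever switched back off, or a second role is added later, the function itself can verify that the token presented carries the expected app role. The C# script below is an added example and is not part of the question's or answer's code. It assumes the role value `Consumer` from the manifest on this page, and it assumes App Service Authentication (Easy Auth) is enabled on the Function App so that the token's signature, issuer and audience are validated and the `ClaimsPrincipal` binding is populated; without that, the principal is empty and the check correctly rejects the call. The helper name `HasAppRole` is my own.

```csharp
#r "Microsoft.Azure.WebJobs.Extensions.Http"

using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

// App role value from the manifest ("value": "Consumer"). Azure AD places
// application roles granted to the calling app in the token's "roles" claim.
const string RequiredAppRole = "Consumer";

// Returns true only when the principal is authenticated and the token carries
// the required role. Hypothetical helper written for this example.
public static bool HasAppRole(ClaimsPrincipal principal, string role)
{
    if (principal?.Identity == null || !principal.Identity.IsAuthenticated)
    {
        return false;
    }

    // Depending on claim mapping the type surfaces as the short "roles" name
    // or as the long ClaimTypes.Role URI, so accept either.
    return principal.Claims.Any(c =>
        (c.Type == "roles" || c.Type == ClaimTypes.Role) &&
        string.Equals(c.Value, role, StringComparison.Ordinal));
}

public static IActionResult Run(HttpRequest req, ILogger log, ClaimsPrincipal claimsPrincipal)
{
    if (!HasAppRole(claimsPrincipal, RequiredAppRole))
    {
        // "appid" (v1 tokens) or "azp" (v2 tokens) identifies the calling application;
        // log it so rejected callers are visible in the function log.
        var caller = claimsPrincipal?.FindFirst("appid")?.Value
                     ?? claimsPrincipal?.FindFirst("azp")?.Value
                     ?? "unknown";
        log.LogWarning("Rejected call from app {AppId}: missing app role {Role}", caller, RequiredAppRole);
        return new StatusCodeResult(StatusCodes.Status403Forbidden);
    }

    var name = req.Query["name"];
    log.LogInformation($"Authorized call with role {RequiredAppRole}: {name}");
    return new OkObjectResult($"Hello, {name}");
}
```

The function returns 403 rather than 401 because the token was already accepted by the authentication layer; only the authorization (role) check failed. The roles claim is a multi-valued claim, so a token for an app assigned several roles yields one `Claim` per role, which is why the check iterates over all claims instead of reading a single value.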
