Azure Function authentication using Azure Active Directory


Problem description


I wanted to enable authentication on Azure Functions. So, I decided to go with EasyAuth (Authentication/Authorization link under platform features) and was successfully able to configure the authentication process.

The authentication works when I manually sign in to the Azure Function endpoint. But when I try to programmatically access the API, without any manual user intervention, I'm facing an authentication issue:

Status Code:401, Unauthorized

I get an access token from AAD using clientID and clientSecret using the following code:

using Microsoft.IdentityModel.Clients.ActiveDirectory;
static string GetS2SAccessToken()
{
    // Client-credentials flow: the app authenticates as itself, no user sign-in.
    AuthenticationContext context = new AuthenticationContext("https://login.windows.net/<tenant-id>");
    string key = "<client-secret>";
    ClientCredential cc = new ClientCredential("<client-id>", key);
    AuthenticationResult result = context.AcquireTokenAsync("https://<AzureFunctionAppName>.azurewebsites.net/", cc).Result;
    return result.AccessToken;
}

Then I'm trying to send the Access Token received in the header for a new request to my API:

var content = "{\"on\":true, \"sat\":254, \"bri\":254, \"hue\":10000}";
var AADToken = GetS2SAccessToken();
HttpClient Client = new HttpClient();
Client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", AADToken);
var foo = Client.PostAsync("https://<AzureFunctionAppName>.azurewebsites.net/.auth/login/aad", new StringContent(content.ToString())).Result;
Console.WriteLine($"result: {foo}");

But the above code is resulting in unauthorized calls. I am not sure what I'm doing wrong.

Solution

We could use the access token to access your Azure Function API directly, if your Azure Function authentication level is anonymous or function key is also required.

I get the access token in the way you mentioned. According to the Azure Resources portal (https://resources.azure.com/), the default allowedAudiences is

  "https://{functionAppName}.azurewebsites.net/.auth/login/aad/callback"

So I add https://{functionAppName}.azurewebsites.net/ as an allowed audience.

Then I can use the access token directly. I tested it with Postman.

We could also get the Easy Auth token in the following way. The access token is the token that you got.

POST https://xxx.azurewebsites.net/.auth/login/aad
Content-Type: application/json
{
    "access_token":"eyJ0eXAiOix...rtf2H7lyUL-g34HVw"
}

After that we could use the token we got to access the Azure Function API.

Note: the header is x-zumo-auth: token
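
An added diagnostic example (not part of the original question or answer): it decodes the `aud` claim of an access token and checks it against the allowedAudiences list described in the answer, before and after the app URL is added. The token is constructed and unsigned, `myfunc` is a placeholder app name, and exact string matching of audiences is an assumption.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

static class AudienceCheck
{
    // Decode the JWT payload for diagnostics only; the signature is NOT validated here.
    static JsonElement ReadPayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("expected header.payload.signature");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
        return doc.RootElement.Clone();
    }

    // The aud claim may be a single string or an array of strings.
    static string[] Audiences(JsonElement payload)
    {
        if (!payload.TryGetProperty("aud", out JsonElement aud)) return Array.Empty<string>();
        return aud.ValueKind == JsonValueKind.Array
            ? aud.EnumerateArray().Select(a => a.GetString() ?? "").ToArray()
            : new[] { aud.GetString() ?? "" };
    }

    static string B64Url(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Constructed sample token; aud mirrors the resource URL passed to AcquireTokenAsync.
        string jwt = B64Url("{\"alg\":\"none\"}") + "." +
                     B64Url("{\"aud\":\"https://myfunc.azurewebsites.net/\"}") + ".sig";
        string[] tokenAud = Audiences(ReadPayload(jwt));

        // Default allowedAudiences from the answer, then the list after adding the app URL.
        string[] before = { "https://myfunc.azurewebsites.net/.auth/login/aad/callback" };
        string[] after = before.Append("https://myfunc.azurewebsites.net/").ToArray();

        foreach (var (label, allowed) in new[] { ("default", before), ("updated", after) })
        {
            // Assumption: audiences are compared as exact strings (trailing slash included).
            bool ok = tokenAud.Any(a => allowed.Contains(a, StringComparer.Ordinal));
            Console.WriteLine($"{label}: aud [{string.Join(", ", tokenAud)}] accepted = {ok}");
        }
    }
}
```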
