如何在 Xamarin 移动应用程序中使用功能级别授权安全地调用 Azure Function? [英] How to safely call Azure Function with function level authorization in Xamarin mobile app?
问题描述
我正在使用 Xamarin(不是 Xamarin.Forms,只是普通的 Xamarin)制作 iOS/Android 应用程序.我使用的是共享库设置而不是 PCL.我希望我的应用程序调用 Azure 函数,但我不确定处理此问题的最安全/最佳方式.我将其设置为授权级别"的功能".测试 URL 中包含?code=..."部分.我的印象是,如果我把它放在我的 C# 代码中并暴露代码"值,那么从安全角度来看,这被认为是一个坏主意.
I'm making an iOS/Android app using Xamarin (not Xamarin.Forms, just regular Xamarin). I'm using the shared library set up rather than PCL. I want my app to call an Azure function but I'm unsure of the safest/best way to handle this. I have it set to "Function" for the "Authorization level". The test URL includes the "?code=..." portion in it. I was under the impression that if I put that in my C# code with the "code" value exposed that it was considered a bad idea from a security perspective.
我不知道处理这个问题的最安全/最好的方法.我读过在 app.config 中设置它也是一个坏主意.我找到了一些建议使用 azure 门户中可用的连接字符串的网络应用程序的参考,但由于这不是网络应用程序,我不确定如何在我的代码中实际检索这些值(或如果可能的话).
I'm lost as to the safest/best way to deal with this. I've read that setting it in app.config is also a bad idea. I found some references for a web app that suggest using the connection strings that are available in the azure portal, but since this isn't a web app, I'm unsure of how I'd actually retrieve those values in my code (or if that's even possible).
那么你建议我如何处理设置代码"的值,以便我可以调用我的函数并避免安全问题?
So how would you suggest I handle setting the value for "code" so that I can call my function and avoid a security problem?
更新:根据要求提供更多信息:我正在使用 MSAL 通过 B2C 活动目录对我的用户进行身份验证.我已经让那部分工作了,并且收到了一个验证用户身份的令牌.
UPDATE: Providing more info as per request: I'm using MSAL to authenticate my users with a B2C active directory. I already have that part working and have received a token authenticating the user.
我刚刚还在我的函数中启用了身份验证.
I also just now enabled authentication in my functions.
我的印象是,要从我的移动客户端调用我的函数,我必须创建一个新的 HttpRequestMessage.我不确定我会在其中放置什么来传递我的令牌.
I was under the impression that to call my function from my mobile client I had to make a new HttpRequestMessage. I'm unsure of then what I'd place in it to pass my token along.
推荐答案
只是为了确保我理解,您关心的是在您的 iOS/Android 应用程序中嵌入秘密(?code=XXX 值),对吗?如果是这样,是的,这通常被认为是不好的安全做法.最好假设任何可以下载您的应用的人都能够发现这些秘密并以任何他们想要的方式使用它们.
Just to make sure I understand, your concern is about embedding secrets (the ?code=XXX value) in your iOS/Android app, correct? If so, yes, this is generally considered bad security practice. It's best to assume that anyone who can download your app will have the ability to discover these secrets and use them any way they want.
从移动设备向后端服务(例如 Azure Functions)进行身份验证的推荐方法是使用交互式身份验证 - 即某种 OAuth 流.您可以自己构建它,也可以使用 Azure Functions 和 Azure App Service 的内置功能来帮助您(Azure Functions 构建在 App Service 之上).这是一个可能有用的资源:
The recommended way to authenticate with a backend service, such as Azure Functions, from a mobile device is to use interactive authentication - i.e. some kind of OAuth flow. You can build it yourself, or you can use the built-in functionality of Azure Functions and Azure App Service to help you (Azure Functions is built on top of App Service). Here is a resource which might be useful:
https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-overview
https://contos.io/working-with-identity-in-an-azure-function-1a981e10b900#.vcjit3ntw
这篇关于如何在 Xamarin 移动应用程序中使用功能级别授权安全地调用 Azure Function?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
