本文介绍了如何使用函数身份验证或 Azure AD 服务主体对 Azure 函数进行身份验证的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有一个 Azure 函数,用于从 Azure AD 获取数据,但我想限制谁可以使用该函数,因为它将使用 HTTP 触发器,以便我能够从逻辑应用程序稍后.因此,由于 HTTP 触发的 Azure Functions 具有公共终结点,我想通过将授权级别设置为 Function 来提高安全性,或者更可取的是使用 Azure AD 服务主体(预先创建).进行此更改后,我可以通过将函数放入 URL 来进行调用.

I have an Azure function which I'm using to fetch data from Azure AD, but I want to limit who can use the Function as it will be using a HTTP trigger so that I will be able to call the function from a Logic App later down the road.So as HTTP triggered Azure Functions have a public endpoint, I want to improve security by setting the authorization level to Function, or even more preferable to use an Azure AD service principal (pre-created).Upon making this change though I can make the call by putting in the function into the URL.

基本网址:https://something.com/api/function_name

带有令牌的网址:https://something.com/api/function_name?code=token_here

但是,我的函数需要给出一些输入.在匿名端点上,您可以像这样扩展基本 URL:https://something.com/api/function_name/?parameter=value

However, my function expects some input to be given.On an anonymous endpoint you'd extend the base URL like so:https://something.com/api/function_name/?parameter=value

其中参数是代码所期望的,以及在代码中传递给变量的值.现在我是这个 HTTP 端点的新手,并通过 URL 传递值.我知道这是作为 JSON 传递的(可能)

Where parameter is what the code will expect, and the value being passed into the variable in the code.Now I'm new to this HTTP endpoint stuff and passing in values via a URL. I understand this gets passed in as JSON (probably)

但我不明白如何同时进行功能授权和传入参数.我试过了:

But I don't understand how I can do both the function authorization as well as passing in the parameter.I've tried:

https://something.com/api/function_name/?parameter=value?code=token_here
https://something.com/api/function_name?code=token_here/?parameter=value

有人知道这应该如何工作吗?

Does anyone know how this is supposed to work?

另一方面,我还可以设置 Platform Features ->Azure AD 服务主体的身份验证/授权.但是,如何更改 URL 以使用该服务主体的 client_idclient_secret 进行身份验证?我实际上更喜欢使用这种方法,因为这样我就可以对令牌实施生命周期管理并对其进行轮换以使其更加安全.

On the flipside, I could also set the Platform Features -> Authentication / Authorization to an Azure AD service principal. But then how do I change the URL to authenticate using the client_id and client_secret of that service principal?I'd actually prefer using this method, because then I could implement lifecycle management on the token and rotate it to keep it even more secure.

我看过这里:Azure 函数与使用 JavaScript 的 Azure AD 身份验证访问

而我在 stackoverflow 上找到的大多数其他主题甚至都没有接近.

And most other topics I found on stackoverflow didn't even get close.

PS:这个 PS 不需要答案,但我会很感激任何想法.我正在制作的这个东西是一个结合了(预定)逻辑应用程序的工作流,它触发了一个Get-Function.Get-Function 需要以某种方式触发 Update-Function.我正在触发 Get-Function HTTP,以便我还能够将其作为 API 提供,以使该函数可用于自动化.(允许在不需要 Azure AD 权限的人的情况下通过 API 调用轮换机密)然后,更新功能需要轮换(特定)应用程序/服务主体上的机密.Azure Function 基于 v2 并使用 Powershell Core 作为语言.

PS: This PS doesn't need an answer, but I would appreciate any thought.This thing i am concocting is a workflow combined of a (scheduled)logic app that triggers a Get-Function. Where the Get-Function will somehow need to trigger an Update-Function. And I'm making the Get-Function HTTP triggered so that I will also be able to offer it as an API to make this function usable for automation. (to allow secrets to be rotated via API calls without those people requiring Azure AD permissions)The update function would then need to rotate secrets on (specific) applications/service principals.The Azure Function is based on v2 and uses Powershell Core as language.

推荐答案

如果你想使用 Platform Features ->身份验证/授权(Easy Auth)保护您的匿名http触发功能,您可以按照以下步骤操作:

if you want to use Platform Features -> Authentication / Authorization (Easy Auth) to protect your anonymous http triggered function, you can follow the steps below:

  1. 启用身份验证/授权(Easy Auth),使用 Azure AD express 模式:

点击保存.完成此过程后,请记下您的功能广告应用的 client_id,我们稍后将使用它.

Click save. And once the process is done, pls note the client_id of your function ad app, we will use it later.

  1. 创建 Azure AD 应用

为其创建一个客户端密码,记下客户端密码值和新的 Azure AD 应用 ID:

Create a client secret for it, note the client secret value and the new Azure AD app ID:

  1. 发出请求以从您的 Azure AD 获取访问令牌,以便我们可以调用您的 http 触发函数:
Request URL:
POST https://login.microsoftonline.com/<-your tenant id/name->/oauth2/token

Request Header:
Content-Type: application/x-www-form-urlencoded

Request Body:
grant_type=client_credentials
&resource=<-function App ID->
&client_id=<-new Azure AD App ID->
&client_secret=<-client secret of new Azure AD App ID->

如下:

正如您在响应中看到的那样,您可以获得访问令牌,因此在 http 请求标头 Authorization 参数中使用此令牌来调用启用轻松身份验证的 http 触发函数,所有请求都没有正确授权标头将被阻止:

As you can see in response, you can get an access token, so use this token in http request header Authorization param to call your http triggered function which enabled easy auth, all request without correct Authorization header will be blocked:

如果对你有帮助,请标记我.

Plz mark me if this is helpful for you.

这篇关于如何使用函数身份验证或 Azure AD 服务主体对 Azure 函数进行身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

05-28 19:12
查看更多