问题描述

我想对Azure Functions启用身份验证.因此，我决定使用EasyAuth(平台功能下的身份验证/授权"链接)并成功配置了身份验证过程.

I wanted to enable authentication on Azure Functions. So, I decided to go with EasyAuth (Authentication/Authorization link under platform features) and was successfully able to configure the authentication process.

当我手动登录到Azure Function端点时，身份验证有效.但是，当我尝试以编程方式访问API而没有任何手动用户干预时，我遇到了身份验证问题:

The authentication works when I manually sign-in to the Azure Function endpoint. But when I try to programmatically access the API, without any manual user intervention, I'm facing authentication issue:

Status Code:401, Unauthorized

我使用以下代码从使用clientID和clientSecret的AAD获取访问令牌:

I get an access token from AAD using clientID and clientSecret using the following code:

AuthenticationContext context = new AuthenticationContext("https://login.windows.net/<tenant-id>");
string key = "<client-secret>";
ClientCredential cc = new ClientCredential("<client-id>", key);
AuthenticationResult result = context.AcquireTokenAsync("https://<AzureFunctionAppName>.azurewebsites.net/", cc).Result;
return result.AccessToken;

然后，我尝试将标头中收到的访问令牌发送给我的API:

Then I'm trying to send the Access Token received in the header for a new request to my API:

var content = "{\"on\":true, \"sat\":254, \"bri\":254, \"hue\":10000}";
var AADToken = GetS2SAccessToken();
HttpClient Client = new HttpClient();
Client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", AADToken);
var foo = Client.PostAsync("https://<AzureFunctionAppName>.azurewebsites.net/.auth/login/aad", new StringContent(content.ToString())).Result;
Console.WriteLine($"result: {foo}");

但是上面的代码导致未经授权的呼叫.我不确定自己在做什么错.

But the above code is resulting in unauthorized calls. I am not sure what I'm doing wrong.

推荐答案

如果您的azure函数身份验证级别为 anonymous 或，我们可以使用accesstoken直接访问you azure函数api.功能键也是必需的.

We could use the accesstoken to access the you azure function api directly, if your azure function authentication level is anonymous or function key is also required.

我用您提到的方式获得了访问令牌.根据Azure资源门户网站( https://resources.azure.com/)，默认的allowAudiences为

I get the access token with your mentioned way. According to the Azure Resources portal(https://resources.azure.com/), the default allowedAudiences is

  "https://{functionAppName}.azurewebsites.net/.auth/login/aad/callback"

所以我将https://{functionAppName}.azurewebsites.net/添加为允许的辅助对象

So I add the https://{functionAppName}.azurewebsites.net/ as allowed aduiences

然后，我可以直接使用访问令牌.我用邮递员测试.

Then I can use the access token directly. I test it with postman.

我们还可以使用以下方式获取简单身份验证令牌.访问令牌是您获得的令牌.

We also could use the following way to get easy auth token. The access token is the token that you got.

Post https://xxx.azurewebsites.net/.auth/login/aad
Content-Type:application/json
{
    "access_token":"eyJ0eXAiOix...rtf2H7lyUL-g34HVw"
}

之后，我们可以使用get令牌访问azure函数api

After that we could use the get token to access the azure function api

注意:标头为 x-zumo-auth :令牌

这篇关于使用Azure Active Directory的Azure功能身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！