Suche

über alle News und Events

 

Alle News

 

Wir haben während unseres...

Weiterlesen

Azure Functions benötigen oft einen...

Weiterlesen

In der heutigen Zeit nehmen Erreichbarkeit,...

Weiterlesen

Viele unserer Kunden überlegen derzeit, was sie in...

Weiterlesen

Lösungsansatz – was benötigt man dafür:

  • Einen...
Weiterlesen

Es gibt im Preview die Möglichkeit Azure Blob...

Weiterlesen

Die wichtigste Konferenz zu Integration auf der...

Weiterlesen

In diesem Blogeintrag werden wir drei sichere und...

Weiterlesen

Im vergangenen Jahr war bei uns in Hamburg viel in...

Weiterlesen

Heutzutage werden Token für die Authentifizierung...

Weiterlesen

How-to: Authorization between function apps using managed identities

For authorization between functions it is possible to use different authorization levels

  • Anonymous - doesn't require any authentication and accept all valid HTTP requests.
  • Function, Admin, System - authorization levels are key based. They require function key, host key or master key to be provided in called function URL.
  • User - this authorization level isn’t key based. Instead it does mandate a valid authentication token to be provided in called function URL [1].

No one from this ways is secure since we should provide authentication information in public way or skip verification at all.

To make communication more secure is possible to use AD authentication and managed identity. In this approach any keys should be provided inside of receiver functions URL. Instead of this authorization token is build into http request and validated at the first step of receiver function.

 To implement this we need:

  • Registered active directory application data form which will be used for token verification.
  • Created and assigned to calling function application a user-assigned managed identity which will be automatically registered in AD.
  • AuthorizationLevel Anonymous in called function application. This will allow to achieve function without providing any keys in URL.
  • Implemented library with TokenProvider class for gaining and AccessValidator  class for verifying authorization token.

  1. Caller function requests authorization token. Token is requested from registered AD application by TokenProvider class using  user-assigned managed identity for verification and Application ID URI for identification of proper AD application.
  2. Active directory application validates received user-assigned managed identity and if user-assigned managed identity was successfully validated, sends authorization token as a response.
  3. Caller function sends http request with authentication token to receiver function.
  4. Receiver function tries to validate received token.
    1. It sends validation request to active directory application.
    2. Active directory application validates not only token itself but its issuer too.
  5. In case of successful validation access to receiver function will be granted and it will continue its work. Otherwise function will gain UnauthorizedAccessException and further work will be skipped.

    https://vincentlauzon.com/2017/12/04/azure-functions-http-authorization-levels/
    https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

 

Ihre Kontaktmöglichkeiten

Sie haben eine konkrete Frage an uns


 

Bleiben Sie immer auf dem Laufenden


 

Mit meinem "Ja" erkläre ich mich mit der Verarbeitung meiner Daten zur Zusendung von Informationen einverstanden. Ich weiß, dass ich diese Erklärung jederzeit durch einfache Mitteilung widerrufen kann. Bei einem Nein an dieser Stelle erhalte ich zukünftig keine Informationen mehr.

© QUIBIQ GmbH · Impressum · Datenschutz