
How-to: Authorization between function apps using managed identities

For authorization between functions it is possible to use different authorization levels:

  • Anonymous - does not require any authentication and accepts every valid HTTP request.
  • Function, Admin, System - these authorization levels are key based. They require a function key, host key or master key to be supplied in the URL of the called function.
  • User - this authorization level is not key based. Instead, it requires a valid authentication token to be supplied in the URL of the called function [1].

None of these approaches is secure: the authentication information is either passed openly as part of the URL, or verification is skipped altogether.

Communication can be made more secure by using AD authentication together with a managed identity. In this approach no key needs to be supplied in the receiver function's URL. Instead, an authorization token is placed in the HTTP request and validated as the first step of the receiver function.

To implement this we need:

  • A registered Active Directory application whose data will be used for token verification.
  • A user-assigned managed identity, created and assigned to the calling function app, which is automatically registered in AD.
  • Authorization level Anonymous in the called function app. This allows the function to be reached without providing any keys in the URL.
  • A library with a TokenProvider class for obtaining and an AccessValidator class for verifying the authorization token.

  1. The caller function requests an authorization token. The TokenProvider class requests it from the registered AD application, using the user-assigned managed identity for verification and the Application ID URI to identify the proper AD application.
  2. The Active Directory application validates the received user-assigned managed identity and, if validation succeeds, sends an authorization token as the response.
  3. The caller function sends an HTTP request carrying the authentication token to the receiver function.
  4. The receiver function tries to validate the received token.
    1. It sends a validation request to the Active Directory application.
    2. The Active Directory application validates not only the token itself but its issuer too.
  5. If validation succeeds, access to the receiver function is granted and it continues its work. Otherwise the function raises an UnauthorizedAccessException and the remaining work is skipped.
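The flow above, as an added C# example that is not the article's or QUIBIQ's own code. The article names the classes TokenProvider and AccessValidator but shows no implementation; everything here is assumed: the in-process Azure Functions model, the packages Azure.Identity, Microsoft.IdentityModel.Protocols.OpenIdConnect and System.IdentityModel.Tokens.Jwt, the app settings TENANT_ID, RECEIVER_APP_ID_URI, RECEIVER_APP_CLIENT_ID and CALLER_MI_CLIENT_ID, and the function name Receiver. One deviation from the wording of step 4.1: the receiver does not send the token back to AD; the Microsoft.IdentityModel library fetches the tenant's OpenID Connect metadata (issuer and signing keys) from AD and verifies the token locally, which is how the validation request to the directory is realised in practice.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Caller side (steps 1-2): a token for the receiver's AD application, obtained with the
// caller's user-assigned managed identity. No key ever appears in a URL.
public sealed class TokenProvider
{
    private readonly TokenCredential _credential;
    private readonly string[] _scopes;

    public TokenProvider(string userAssignedClientId, string receiverAppIdUri)
    {
        // The client ID selects the user-assigned identity (without it the system-assigned one is used).
        _credential = new ManagedIdentityCredential(clientId: userAssignedClientId);
        // "<Application ID URI>/.default" names the receiver application as the token audience.
        _scopes = new[] { receiverAppIdUri.TrimEnd('/') + "/.default" };
    }

    // Step 3 on the caller: put the returned string in an "Authorization: Bearer <token>" header.
    public async Task<string> GetTokenAsync() =>
        (await _credential.GetTokenAsync(new TokenRequestContext(_scopes), default)).Token;
}

// Receiver side (steps 4-5): signature, lifetime, audience and issuer are checked against the
// tenant's published OpenID Connect metadata; any failure surfaces as UnauthorizedAccessException.
public sealed class AccessValidator
{
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _metadata;
    private readonly string[] _validAudiences, _validIssuers;

    public AccessValidator(string tenantId, string receiverAppIdUri, string receiverAppClientId)
    {
        // Caches metadata and signing keys and refreshes them on key rollover: keep one instance per process.
        _metadata = new ConfigurationManager<OpenIdConnectConfiguration>(
            $"https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());
        // aud is the Application ID URI in v1 tokens and the client ID in v2 tokens.
        _validAudiences = new[] { receiverAppIdUri, receiverAppClientId };
        // Pin the issuer to this tenant (v1 and v2 form): a token from any other tenant or
        // issuer is rejected even when its signature is valid.
        _validIssuers = new[] { $"https://sts.windows.net/{tenantId}/",
                                $"https://login.microsoftonline.com/{tenantId}/v2.0" };
    }

    public async Task<ClaimsPrincipal> ValidateAsync(string bearerToken)
    {
        OpenIdConnectConfiguration config = await _metadata.GetConfigurationAsync(default);
        var parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true, IssuerSigningKeys = config.SigningKeys,
            ValidateIssuer = true,           ValidIssuers = _validIssuers,
            ValidateAudience = true,         ValidAudiences = _validAudiences,
            ValidateLifetime = true,         ClockSkew = TimeSpan.FromMinutes(2),
        };
        try { return new JwtSecurityTokenHandler().ValidateToken(bearerToken, parameters, out _); }
        catch (SecurityTokenException ex) { throw new UnauthorizedAccessException("Token validation failed.", ex); }
    }
}

public static class ReceiverFunction
{
    // Assumed app settings; one validator instance so the metadata cache survives between invocations.
    private static readonly AccessValidator Validator = new AccessValidator(
        Environment.GetEnvironmentVariable("TENANT_ID"),
        Environment.GetEnvironmentVariable("RECEIVER_APP_ID_URI"),
        Environment.GetEnvironmentVariable("RECEIVER_APP_CLIENT_ID"));

    // Steps 4 and 5: Anonymous trigger, so the validated token alone decides whether work proceeds.
    [FunctionName("Receiver")]
    public static async Task<IActionResult> Run([HttpTrigger(AuthorizationLevel.Anonymous, "get")] HttpRequest req)
    {
        string header = req.Headers["Authorization"].ToString();
        if (!header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)) return new UnauthorizedResult();
        try
        {
            ClaimsPrincipal caller = await Validator.ValidateAsync(header.Substring("Bearer ".Length));
            // appid (v1) / azp (v2) carries the client ID of the calling managed identity.
            string callerId = caller.FindFirst("appid")?.Value ?? caller.FindFirst("azp")?.Value;
            return new OkObjectResult($"Authorized caller {callerId}");
        }
        catch (UnauthorizedAccessException) { return new UnauthorizedResult(); } // further work is skipped
    }
}
```

On the caller, `new TokenProvider(callerMiClientId, receiverAppIdUri).GetTokenAsync()` supplies the value for `new AuthenticationHeaderValue("Bearer", token)` on the outgoing request; the receiver URL itself carries no `code` parameter. Two points decide how much step 2 actually filters: signature, issuer and audience checks only prove that this tenant issued the token for this application, and by default any principal in the tenant can request a `.default` token for it. To make step 2 reject unassigned identities, enable "Assignment required" on the receiver's enterprise application and assign the managed identity an app role; the receiver can then additionally check the `roles` claim on the returned ClaimsPrincipal.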

    [1] https://vincentlauzon.com/2017/12/04/azure-functions-http-authorization-levels/
    [2] https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

 

© QUIBIQ GmbH