CONNECTED Conference 2023 - Aufzeichnungen jetzt hier verfügbar +++                     

Suche

über alle News und Events

 

Alle News

 

Um HTML zum PDF zu konvertieren, werden wir...

Weiterlesen

Die Logic Apps-Plattform von Microsoft ermöglicht...

Weiterlesen

Du bist neugierig auf aktuelle KI-Technologien und...

Weiterlesen

Am 27.09. ab 12.30h starten die vierten QUIBIQ...

Weiterlesen

"Das Beste von SAP und Microsoft nutzen": auf dem...

Weiterlesen

Azure Bicep wird verwendet, um Ressourcen in Azure...

Weiterlesen

In einer Welt, die immer digitaler wird, ist es...

Weiterlesen

Dieser Artikel beschreibt wie JSON-Dateien anhand...

Weiterlesen

Vom 5. bis 7. Juni findet in London wieder die...

Weiterlesen

Vom 5. bis 7. Juni findet in London wieder die...

Weiterlesen

How-to: Authorization between function apps using managed identities

For authorization between functions it is possible to use different authorization levels

  • Anonymous - doesn't require any authentication and accept all valid HTTP requests.
  • Function, Admin, System - authorization levels are key based. They require function key, host key or master key to be provided in called function URL.
  • User - this authorization level isn’t key based. Instead it does mandate a valid authentication token to be provided in called function URL [1].

No one from this ways is secure since we should provide authentication information in public way or skip verification at all.

To make communication more secure is possible to use AD authentication and managed identity. In this approach any keys should be provided inside of receiver functions URL. Instead of this authorization token is build into http request and validated at the first step of receiver function.

 To implement this we need:

  • Registered active directory application data form which will be used for token verification.
  • Created and assigned to calling function application a user-assigned managed identity which will be automatically registered in AD.
  • AuthorizationLevel Anonymous in called function application. This will allow to achieve function without providing any keys in URL.
  • Implemented library with TokenProvider class for gaining and AccessValidator  class for verifying authorization token.

  1. Caller function requests authorization token. Token is requested from registered AD application by TokenProvider class using  user-assigned managed identity for verification and Application ID URI for identification of proper AD application.
  2. Active directory application validates received user-assigned managed identity and if user-assigned managed identity was successfully validated, sends authorization token as a response.
  3. Caller function sends http request with authentication token to receiver function.
  4. Receiver function tries to validate received token.
    1. It sends validation request to active directory application.
    2. Active directory application validates not only token itself but its issuer too.
  5. In case of successful validation access to receiver function will be granted and it will continue its work. Otherwise function will gain UnauthorizedAccessException and further work will be skipped.

    https://vincentlauzon.com/2017/12/04/azure-functions-http-authorization-levels/
    https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

 

Ihre Kontaktmöglichkeiten

Sie haben eine konkrete Frage an uns


 

Bleiben Sie immer auf dem Laufenden


 

Mit meinem "Ja" erkläre ich mich mit der Verarbeitung meiner Daten zur Zusendung von Informationen einverstanden. Ich weiß, dass ich diese Erklärung jederzeit durch einfache Mitteilung widerrufen kann. Bei einem Nein an dieser Stelle erhalte ich zukünftig keine Informationen mehr.

© QUIBIQ GmbH · Impressum · Datenschutz