quiNews

Was Sie Gutes mit uns verbinden können

Authorization between function apps using managed identities

For authorization between functions it is possible to use different authorization levels

  • Anonymous - doesn't require any authentication and accept all valid HTTP requests.
  • Function, Admin, System - authorization levels are key based. They require function key, host key or master key to be provided in called function URL.
  • User - this authorization level isn’t key based. Instead it does mandate a valid authentication token to be provided in called function URL [1].

No one from this ways is secure since we should provide authentication information in public way or skip verification at all.

To make communication more secure is possible to use AD authentication and managed identity. In this approach any keys should be provided inside of receiver functions URL. Instead of this authorization token is build into http request and validated at the first step of receiver function.

 To implement this we need:

  • Registered active directory application data form which will be used for token verification.
  • Created and assigned to calling function application a user-assigned managed identity which will be automatically registered in AD.
  • AuthorizationLevel Anonymous in called function application. This will allow to achieve function without providing any keys in URL.
  • Implemented library with TokenProvider class for gaining and AccessValidator  class for verifying authorization token.

  1. Caller function requests authorization token. Token is requested from registered AD application by TokenProvider class using  user-assigned managed identity for verification and Application ID URI for identification of proper AD application.
  2. Active directory application validates received user-assigned managed identity and if user-assigned managed identity was successfully validated, sends authorization token as a response.
  3. Caller function sends http request with authentication token to receiver function.
  4. Receiver function tries to validate received token.
    1. It sends validation request to active directory application.
    2. Active directory application validates not only token itself but its issuer too.
  5. In case of successful validation access to receiver function will be granted and it will continue its work. Otherwise function will gain UnauthorizedAccessException and further work will be skipped.

    https://vincentlauzon.com/2017/12/04/azure-functions-http-authorization-levels/
    https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

 

© QUIBIQ GmbH · Impressum · Datenschutz