I am trying to use a python azure function to call an API running on an Azure app service.
(I have managed to get the webAPI to call the function-trigger (managed-identity and all that), but the function needs data that can be retrieved from the API.)
In order to simplify authentication, my thought is to use the managed-identity within the python function and create a JWT that accompanies the requests.
from azure.identity import DefaultAzureCredential
import requests

credential = DefaultAzureCredential()
token = credential.get_token("api://<APPLICATION_ID>/.default")
# make call to API using token as authorization
response = requests.get("<API_URL>", headers={"Authorization": f"Bearer {token.token}"})
# response.status_code == 200
This currently works. APPLICATION_ID is registered within Azure AD.
It feels wrong to request a token using the function's APPLICATION_ID as a scope when the API in reality has nothing to do with it. But my attempts at using any other scope are met with errors.
The service/resource you want to access decides the scope.
e.g. if you want to access storage, the scope is "https://storage.azure.com/.default".
(I work in Microsoft Azure SDK team)
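To make the scope/audience relationship concrete, here is an added example (not code from the question or the answer above). It assumes two constructed app registrations: the calling Function's and the web API's, with made-up GUIDs. `default_scope()` builds the string you hand to `credential.get_token()`; the rest decodes a token's payload (without verifying it, which only the API may do) and shows why a token requested with the Function's own registration as scope is rejected by an API that checks `aud`, while one requested with the API's App ID URI is accepted. The sample tokens are constructed, unsigned and for illustration only.

```python
import base64
import json

# Constructed identifiers for the walkthrough; not real tenants or app registrations.
FUNCTION_APP_ID = "11111111-1111-1111-1111-111111111111"   # the calling Function's registration
API_APP_ID = "22222222-2222-2222-2222-222222222222"        # the web API's registration
API_APP_ID_URI = f"api://{API_APP_ID}"                     # its Application ID URI


def default_scope(app_id_uri: str) -> str:
    """Scope string to pass to credential.get_token() for a given resource.
    For a custom API this is its App ID URI plus '/.default'; for a first-party
    service it is that service's resource URI (e.g. https://storage.azure.com/.default)."""
    return app_id_uri.rstrip("/") + "/.default"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Read the payload of a compact JWT WITHOUT checking its signature.
    Fine for inspecting which audience you were issued on the caller side;
    the API itself must validate signature, issuer, expiry and audience."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(token: str, api_app_id_uri: str, api_client_id: str) -> bool:
    """True if the token was issued for the API.
    Entra ID puts the App ID URI in 'aud' for v1 tokens and the client id GUID
    for v2 tokens, so an API accepts its own URI or its own client id and nothing
    else. A token minted for the Function's own client id fails this check."""
    aud = jwt_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return any(a in (api_app_id_uri, api_client_id) for a in auds)


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token (alg=none, empty signature) so the checks above
    can run offline. Never accept such tokens in a real API."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Token requested with the Function's OWN registration as scope (the pattern
# in the question): aud is the Function, so the API should reject it.
TOKEN_FOR_SELF = make_unsigned_token(
    {"aud": f"api://{FUNCTION_APP_ID}", "appid": FUNCTION_APP_ID, "roles": []})

# Token requested with default_scope(API_APP_ID_URI): aud is the API.
TOKEN_FOR_API = make_unsigned_token(
    {"aud": API_APP_ID_URI, "appid": FUNCTION_APP_ID, "roles": ["Data.Read"]})


def acquire_api_token(api_app_id_uri: str) -> str:
    """Live acquisition with the managed identity. Needs the azure-identity
    package and an Azure environment, so it is not exercised offline."""
    from azure.identity import DefaultAzureCredential  # assumed installed in the Function
    return DefaultAzureCredential().get_token(default_scope(api_app_id_uri)).token


if __name__ == "__main__":
    print("self-issued token accepted by API?",
          audience_matches(TOKEN_FOR_SELF, API_APP_ID_URI, API_APP_ID))
    print("API-scoped token accepted by API?",
          audience_matches(TOKEN_FOR_API, API_APP_ID_URI, API_APP_ID))
```

Two practical caveats when switching the scope to the API's: the API's app registration must have an Application ID URI set, otherwise the token endpoint reports that the resource principal was not found, and if the API defines app roles the Function's managed identity needs an assignment before `roles` appears in the token.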
This is what I am thinking of:
How to get the token from the user and pass it into a Python Azure HTTP trigger function app, and only once the status code is 200 proceed to the main function code?
You can make use of the Authorization Keys functionality in Azure Functions (Python, .NET, etc.).
In the HTTP trigger request URL, you have to send the authorization code and its value.
You can get it from the Azure Function App portal:
Whether you allow access to all functions in your function app using a single authorization key, or need an individual key for every function in your function app, depends on the authorization scope (key) used in the function request URL.
Refer to Working with Client Identities in Azure Functions for setting up user authentication/authorization.
I want to make API requests to my Azure cloud account (I want to reset passwords via API). I tried this with Postman and it works well using the Microsoft Graph API.
My question is:
Is it possible to call these APIs via Ansible AWX (Tower)? I have a few cloud accounts and I have to change the passwords on them after running a playbook. I saw that there is a uri module, but how can I authenticate with it via token?
Maybe another approach: moving to shell/script command execution? The uri module, as a result, will not allow you to use an access token - but you probably see that already.
https://docs.ansible.com/ansible/latest/modules/script_module.html#examples
https://docs.ansible.com/ansible/latest/plugins/shell.html
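An added example of the script-module route suggested above (this is not the answerer's code, nor anything from Ansible's docs): a self-contained Python script that obtains a Graph token with the client-credentials grant and then calls Graph with it. Tenant id, client id and client secret are read from environment variables so the playbook can pass them with `environment:` on a `no_log: true` task instead of on the command line, where they would land in process listings and job output. The `PATCH /users/{id}` call with a `passwordProfile` is an assumed endpoint; which Graph permission your tenant requires for it depends on the caller's role and is not something this page establishes. The HTTP transport is injectable so the request construction can be exercised offline.

```python
"""Get a Graph token with client credentials and call Graph, from a script that
Ansible's script module can run. All identifiers are placeholders; secrets come
from environment variables, never argv."""
import json
import os
import sys
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com"
LOGIN = "https://login.microsoftonline.com"


def _urllib_transport(method, url, body, headers):
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


def http(method, url, body=None, headers=None, transport=None):
    """Tiny HTTP wrapper; `transport` lets offline tests substitute a fake."""
    transport = transport or _urllib_transport
    return transport(method, url, body, headers or {})


def token_request(tenant, client_id, client_secret):
    """Client-credentials grant for the Graph /.default scope.
    Returns (url, form-encoded body, headers) for the v2.0 token endpoint."""
    url = f"{LOGIN}/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",
    }).encode()
    return url, body, {"Content-Type": "application/x-www-form-urlencoded"}


def get_token(tenant, client_id, client_secret, transport=None):
    url, body, headers = token_request(tenant, client_id, client_secret)
    status, data = http("POST", url, body, headers, transport)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}")
    return json.loads(data)["access_token"]


def graph_call(token, method, path, payload=None, transport=None):
    """Authenticated Graph request; returns (status, parsed JSON or None)."""
    body = json.dumps(payload).encode() if payload is not None else None
    headers = {"Authorization": f"Bearer {token}"}
    if body is not None:
        headers["Content-Type"] = "application/json"
    status, data = http(method, f"{GRAPH}/v1.0{path}", body, headers, transport)
    return status, (json.loads(data) if data else None)


def set_password(token, user_id, new_password, transport=None):
    """PATCH /users/{id} with a passwordProfile (assumed endpoint, see lead-in).
    Graph answers 204 No Content on success."""
    return graph_call(token, "PATCH", f"/users/{urllib.parse.quote(user_id)}",
                      {"passwordProfile": {"password": new_password,
                                           "forceChangePasswordNextSignIn": True}},
                      transport)


if __name__ == "__main__":
    # Invoked by the Ansible script module; AZ_* and NEW_PASSWORD come from `environment:`.
    tok = get_token(os.environ["AZ_TENANT"], os.environ["AZ_CLIENT_ID"],
                    os.environ["AZ_CLIENT_SECRET"])
    status, _ = set_password(tok, sys.argv[1], os.environ["NEW_PASSWORD"])
    sys.exit(0 if status == 204 else 1)
```

In the playbook, run it with `script:` (or `command:` on a copied file), set `environment:` with the four variables sourced from AWX credentials, and mark the task `no_log: true` so neither the secret nor the new password is echoed into the job log.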
I already know Azure Functions have two types of hosting:
Serverless
On-premises
But what I need to know is: can I store my login token in serverless Azure Functions?
I have this doubt, so I haven't tried anything yet. I searched a lot of things on Google, but I didn't get clarification.
I need to know whether serverless Azure Functions APIs can support session maintenance or not.
Is there any alternative solution to store my token and call other authorized APIs?
Azure Functions are Stateless
If you want to store a session with data against it, you may want to take a look at something like Azure Redis Cache; you'll be able to get/set session data from Redis inside your functions.
Azure Functions offers an alternative for creating stateful functions called Durable Functions. Durable Functions is an extension to the Azure Functions runtime that enables the definition of stateful workflows in code.
For more information, see the docs below.
https://learn.microsoft.com/en-us/dotnet/standard/serverless-architecture/durable-azure-functions
https://learn.microsoft.com/en-us/azure/azure-functions/durable/durable-functions-overview
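As an added example of the Redis-backed session idea in the answer above (this is not the answerer's code and not Azure's), here is the shape such a store takes inside a stateless function: the provider's access token lives server-side under a random, opaque session id, its TTL is bounded by the token's own expiry and a session cap, and the client only ever holds the id. The `MemoryBackend` is a stand-in exposing the three redis-py calls the store uses (`setex`, `get`, `delete`) so the block runs offline; in a real function you would pass a `redis.Redis` client instead. Class and method names are this example's own.

```python
import secrets
import time
from typing import Optional


class MemoryBackend:
    """Offline stand-in for the subset of the redis-py API used by TokenSessionStore.
    Entries expire the way SETEX keys do."""

    def __init__(self):
        self._data = {}

    def setex(self, key: str, ttl: int, value: str) -> None:
        self._data[key] = (value, time.monotonic() + ttl)

    def get(self, key: str) -> Optional[str]:
        item = self._data.get(key)
        if item is None:
            return None
        value, expires = item
        if time.monotonic() >= expires:
            del self._data[key]
            return None
        return value

    def delete(self, key: str) -> None:
        self._data.pop(key, None)


class TokenSessionStore:
    """Server-side session for a stateless function.
    The client receives only the opaque session id (e.g. in an HttpOnly cookie);
    the access token never leaves the backend."""

    MAX_SESSION = 8 * 3600  # cap a session even if the provider token lives longer

    def __init__(self, backend, prefix: str = "sess:"):
        self.backend = backend
        self.prefix = prefix

    @classmethod
    def ttl_for(cls, token_expires_at: float, now: float) -> int:
        """Seconds to keep the session: never past the token's expiry, never past the cap."""
        return int(min(token_expires_at - now, cls.MAX_SESSION))

    def create(self, access_token: str, token_expires_at: float, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        ttl = self.ttl_for(token_expires_at, now)
        if ttl <= 0:
            raise ValueError("refusing to store an already-expired token")
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self.backend.setex(self.prefix + sid, ttl, access_token)
        return sid

    def token_for(self, session_id: str) -> Optional[str]:
        """Returns the stored token, or None if unknown or expired."""
        return self.backend.get(self.prefix + session_id)

    def revoke(self, session_id: str) -> None:
        """Log-out path: drop the token so the id is useless even if it leaks later."""
        self.backend.delete(self.prefix + session_id)


if __name__ == "__main__":
    store = TokenSessionStore(MemoryBackend())
    sid = store.create("constructed-access-token", token_expires_at=time.time() + 3600)
    print("session id handed to client:", sid)
    print("token looked up inside the function:", store.token_for(sid))
```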
Yes, Azure Functions support session storage in this way. If you need to authenticate a user, you will need some mechanism for doing that.
So, for example, if your token exchange mechanism is AAD or B2C, a social login like Facebook or Google, or an OpenID Connect authentication mechanism, they would all be the mechanisms to authenticate/authorize a user and obtain a token, and then store that as a user session.
An Azure Function can certainly be a part of that process.
App Services and Functions use what is called "Easy Auth", AuthZ middleware type functionality, for handling incoming requests.
The authentication and authorization middleware component is a feature of the platform that runs on the same VM as your application. When it's enabled, every incoming HTTP request passes through it before being handled by your application.
The platform middleware handles several things for your app:
Authenticates users and clients with the specified identity provider(s)
Validates, stores, and refreshes OAuth tokens issued by the configured identity provider(s)
Manages the authenticated session
Injects identity information into HTTP request headers
Calls from a trusted browser app in App Service to another REST API in App Service or Azure Functions can be authenticated using the server-directed flow. For more information, see Customize sign-ins and sign-outs.
So all in all, yes, there is a way to have a user session with Azure Functions. Now, if you were comparing to express.js, fastify or asp.net, you're not going to get the fine-grained control you may want at the call level. But it would be there at the IDP (identity provider) level.
So, if you were to define role access and other things, you could do that all through your IDP, and then upon each request your token would be checked to see if it were still valid or whether you had to sign in again.
As someone mentioned, the primary driver of the session isn't really the API but rather the client login. This would just be an extension of that client user journey, i.e. did you already do it, and if not you need to. SSO and other things regarding user session and auth come into play as well.
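An added example that serves both the function-keys answer earlier on this page and the Easy Auth answer just above (it is not code from either answerer): a gate for a Python HTTP trigger that only lets the main code run on 200. It reads the `X-MS-CLIENT-PRINCIPAL` header that App Service Authentication injects (base64 JSON with `auth_typ`, `name_typ`, `role_typ` and a `claims` list of `typ`/`val` pairs) and checks a role from it, and it compares a function key sent as the `x-functions-key` header or `?code=` query value in constant time. The Functions host already performs the key check for `authLevel=function`; it is repeated here only to make header-versus-URL placement and the timing-safe compare explicit. The request is modelled as plain dicts so the block runs without the `azure.functions` package; the sample principal is constructed, and the fallback claim names used when `name_typ`/`role_typ` are absent are this example's assumption.

```python
import base64
import hmac
import json
from typing import Optional, Tuple

PRINCIPAL_HEADER = "x-ms-client-principal"   # injected by App Service Authentication (Easy Auth)
KEY_HEADER = "x-functions-key"               # function/host key header accepted by the Functions host


def _lower(headers: dict) -> dict:
    return {k.lower(): v for k, v in headers.items()}


def client_principal(headers: dict) -> Optional[dict]:
    """Decode the base64 JSON Easy Auth puts in X-MS-CLIENT-PRINCIPAL.
    Trust it only with Easy Auth switched ON: the platform then strips any copy the
    client sends. With it off, this header is attacker-controlled and must be ignored."""
    raw = _lower(headers).get(PRINCIPAL_HEADER)
    if not raw:
        return None
    doc = json.loads(base64.b64decode(raw))
    claims = {}
    for c in doc.get("claims", []):
        claims.setdefault(c["typ"], []).append(c["val"])
    name_typ = doc.get("name_typ", "name")    # fallback names are an assumption
    role_typ = doc.get("role_typ", "roles")
    return {
        "idp": doc.get("auth_typ"),
        "name": claims.get(name_typ, [None])[0],
        "roles": claims.get(role_typ, []),
        "claims": claims,
    }


def function_key_ok(headers: dict, params: dict, valid_keys) -> bool:
    """Constant-time check of a key from the x-functions-key header or ?code= query.
    Prefer the header: query strings end up in proxy and platform access logs."""
    supplied = _lower(headers).get(KEY_HEADER) or params.get("code")
    if not supplied:
        return False
    return any(hmac.compare_digest(supplied, k) for k in valid_keys)


def authorize(headers: dict, params: dict, required_role: str, valid_keys) -> Tuple[int, str]:
    """Gate for the HTTP trigger: (status, message). Main code runs only on 200."""
    if not function_key_ok(headers, params, valid_keys):
        return 401, "missing or invalid function key"
    principal = client_principal(headers)
    if principal is None:
        return 401, "no authenticated user (Easy Auth header absent)"
    if required_role not in principal["roles"]:
        return 403, f"user {principal['name']} lacks role {required_role}"
    return 200, f"ok: {principal['name']} via {principal['idp']}"


def sample_headers(roles):
    """Constructed request headers resembling what Easy Auth (AAD) injects."""
    doc = {
        "auth_typ": "aad",
        "name_typ": "preferred_username",
        "role_typ": "roles",
        "claims": [{"typ": "preferred_username", "val": "alice@example.com"}]
                  + [{"typ": "roles", "val": r} for r in roles],
    }
    return {
        "X-MS-CLIENT-PRINCIPAL": base64.b64encode(json.dumps(doc).encode()).decode(),
        "x-functions-key": "constructed-function-key",
    }


if __name__ == "__main__":
    keys = ["constructed-function-key"]
    print(authorize(sample_headers(["Data.Read"]), {}, "Data.Read", keys))
    print(authorize(sample_headers([]), {}, "Data.Read", keys))
    print(authorize({}, {"code": "wrong"}, "Data.Read", keys))
```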
The Azure AD B2C with UWP sample on GitHub requires some optional steps, as described in the GitHub readme, which asks us to create a web API in step 4 and hence use API scopes for that web API in the code written in app.xaml.cs:
public static string[] ApiScopes = { "https://fabrikamb2c.onmicrosoft.com/demoapi/demo.read" };
Problem: I don't have a backend API for my project yet, and I don't want to make a traditional web API for my project; I will be using Azure Functions for a serverless API.
But the Sign In button leads to getting the authentication token with the following method:
authResult = await App.PublicClientApp.AcquireTokenAsync(App.ApiScopes, GetUserByPolicy(App.PublicClientApp.Users, App.PolicySignUpSignIn), UIBehavior.SelectAccount, string.Empty, null, App.Authority);
As you can see above, App.ApiScopes is provided here, which is a mandatory parameter in this method; if I provide a string[] containing only an empty string, I am able to log in but I don't see any token in the output in my UWP UI.
So how can I bypass this API scope problem and have a working sample for myself, or do I have to create a web API for some kind of security reason? I mean, is that a mandatory part?
You can use your app's client_id as the scope in order to get a token issued to itself.
This approach is fine if you want to tightly couple your client and API; however, if you end up having multiple Azure Functions and multiple clients and don't want all clients to be able to call all functions, you'll need to start splitting up their app registrations and define scopes accordingly.
Let's say I have an Instagram connector inside my Logic App workflow, authenticated and authorized to perform actions on my behalf.
I can see this connection stored in the "$connections" section, but there is no access token or anything that really makes this connection work with the Instagram API.
The problem here is that the available Logic App actions for Instagram are far from complete, and for some API calls I have to use a plain HTTP action and inject my access token manually.
My question: where in general is this information (OAuth tokens and so on) stored by Logic Apps, and how can I access it inside a workflow?
This is not available. I see what you want to do: if Instagram introduced a new API that Logic Apps doesn't support, it would be cool to use a generic HTTP action but use the token Logic Apps already retrieved for auth.
This is not possible because it would be a violation of the terms of use of third-party services to make the token available so end users can make arbitrary calls, since it may be abused. And this would risk all Logic Apps users losing the ability to communicate with said service when our API key is revoked.