I have created an HTTP Triggered Azure Function and exposed some endpoints. I am calling those endpoints from Salesforce Community.
https://<testing...>.azurewebsites.net/getData
https://<testing...>.azurewebsites.net/postData
https://<testing...>.azurewebsites.net/updateData
https://<testing...>.azurewebsites.net/deleteData
The Azure Functions Authorization Level is anonymous. I can access the responses from HTTP endpoints to the salesforce community site.
How can I set the authorization level so that, the endpoints can only be accessible from the Salesforce Community and the salesforce Users?
Thanks
There are quite a few options available like App Service Authentication or using API management for authorizing requests.
Have a look at Securing Azure Functions - Authentication/authorization.
While function keys can provide some mitigation for unwanted access, the only way to truly secure your function endpoints is by implementing positive authentication of clients accessing your functions. You can then make authorization decisions based on identity.
Related
I realize that AZURE APIMS has a lot out of the box. Including subscription based server-side authentication.
However, I would like to know:
What options are available for client apps which are browsers?
For example,
Assume I have a single backend API with a single endpoint. I want to expose this endpoint to external business partners who use browser based applications which make requests to the backend from client side (browser)
How can I achieve this using AZURE API management service?
APIM supports protecting your API with OAuth 2.0 which you can setup on your APIM instance and leverage in your browser-based applications.
Your application would first have to get the JWT token from your identity provider and then provide the same in requests to the APIM endpoint which are pre-validated using a policy.
Here are samples of applications using AzureAD (and its MSAL library) for authentication/authorization.
I have an Azure Functions app and in Azure Portal I have configured Easy Auth -> Azure Active Directory.
The requirement is, that the API must support both AAD and some custom JWT Authentication, so that the consumer can Authenticate either using AAD or JWT.
How can I support multiple authentication mechanisms in Azure Functions?
As Easy Auth is actually an IIS module, I believe you'll need to receive the token in your Azure Function and programatically validate against the support providers.
Do it the same way you would do it in an ASP.NET Core application by using this package: DarkLoop.Azure.Functions.Authorize for Functions V3+, or DarkLoop.Azure.WebJobs.Authorize for Functions V2.
You can read this blog post for more information.
It will allow you to configure as many authentication protocols for authentication with the power of policies for every individual HTTP triggered function.
I got a HTTP triggered azure function, which is using by one of my web applications. The user of this site would be anybody who signed up to the site. Now I want to implement authentication to the azure function in such a way that only signed up user would able access the azure function through my web site. I could see many built-in authentications like azure functions, OAuth using Azure AD and other identity providers etc. I am looking for to way to authenticate users signed-up through my website, not with identity providers.
One solution I can think of is while signing up a register that user to Azure AD. Then while calling the API pass user credentials to the API and validate against AD. Can somebody please advice this is a good solution? If not please advise the best solution for my use case.
I don't want to use any external auth provider
Just referring to the documentation:
Azure functions HTTP Trigger - Authorization keys
While keys may help obfuscate your HTTP endpoints during development, they are not intended as a way to secure an HTTP trigger in production. To learn more, see Secure an HTTP endpoint in production.
The second link Secure an HTTP endpoint in production gives more insights on how to secure HTTP triggered functions:
To fully secure your function endpoints in production, you should consider implementing one of the following function app-level security options:
Turn on App Service Authentication / Authorization for your function app. The App Service platform lets use Azure Active Directory (AAD) and several third-party identity providers to authenticate clients. You can use this to implement custom authorization rules for your functions, and you can work with user information from your function code. To learn more, see Authentication and authorization in Azure App Service and Working with client identities.
Use Azure API Management (APIM) to authenticate requests. APIM provides a variety of API security options for incoming requests. To learn more, see API Management authentication policies. With APIM in place, you can configure your function app to accept requests only from the IP address of your APIM instance. To learn more, see IP address restrictions.
Deploy your function app to an Azure App Service Environment (ASE). ASE provides a dedicated hosting environment in which to run your functions. ASE lets you configure a single front-end gateway that you can use to authenticate all incoming requests. For more information, see Configuring a Web Application Firewall (WAF) for App Service Environment.
In my opinion you can do this in following ways.
Using function level Authorization key (Not preferred but easy)
If your web app is the only one that will access the function app you may enable authorization directly on the function. Any one who wants to access the function has to pass the key else you get 401 . Since you want your function to be accessed directly by users then you have to create additonal end point in your web site that will call function app on users' behalf and pass the key. You can find more about here
Authorization Key
Using Azure B2C or AD
You are thinking on the right lines. If your website is external consumer accessed then you may consider Azure B2C. You get many out of box functionalities including sign up using social logins and you may not need to save the users separately. The flow remains the same , users get authenticated by Azure AD (or B2C) and token is issued. The token is then passed when calling azure functions.
I think I do not understand something obvious here.
If I configure an API App in API Management so that URL /B requires separate subscription/role other than basic one which enables /A URL, do I have to authorize in application itself by checking current user role?
I am confused because the API App has also its public URL and can be accessed directly. It will have also API Management URL. So even though I setup all the throttling and all policies, that can be ignored by accessing application directly.
Can't the API App be only internal, with configured identity and allow only connections from API Management? How to setup authentication so that users have to go via API Management?
Once you put your API behind API management, you should consider the backend API's URL as your own private URL that only you use if you need to.
Both you and the consumers of your API should only use the public API management URL so that you get the benefits of the API Management Gateway. Don't give external parties the public URL of your backend API.
You have various options to protect your backend API. These include using Azure AD, certificates, basic authentication and even only allowing the Azure API management IP address to connect to your backend API.
It depends on where your backend API is hosted, what tier of API Management you are using (some options are only available in Premium), and finally, what capabilities your backend API has.
See this post for more details on all of the above.
Hope this helps!
I have an API hosted in Azure (Web App). This API can't be accessed directory by every client (IP Restriction), and I am willing to use APIM to protect it.
Users will call the APIM-Gateway and the gateway should responds appropriately.
One big problem is authentication: I am protecting this API (The Backend API and not the APIM-Gateway endpoint) with AAD.
So users should authenticate themselves against AAD and access the resources with no direct access to the backend.
Is it possible to implement such a scenario?
If you're fine with users authenticating against AAD then it's perfectly supported. With that model APIM may be used to just pass-through user requests to backend or you could use validate-jwt policy somewhere in request processing pipeline to validate users' tokens and authorize invoked actions.
APIM's authorization servers feature may be used to document that your APIs require AAD token from certain server. If this is done test console on developer portal will show controls to simplify getting token to make test calls to your APIs.
Normally APIM requires clients to pass subscription keys to authenticate and authorize calls. But if you're relying on AAD that may be not something you want - then you can use Open product to make your calls anonymous to APIM. validate-jwt policy can still be used to require certain token to be present with request.
There are various ways you can ensure that your backend is reachable only via APIM:
Shared secret - set a special header in APIM policy and check it's value on backend.
Client certificate authentication - APIM may be set up to attach client certificate to each request to backend that you will check at backend side to make sure that this is APIM making a call.
VNET - APIM can join your VNET, while backend may be setup to accept calls only within VNET making it possible to be called only through APIM.
I have used below approach in my recent project and used jwt validation to validate oauth2 token in policy
Follow Microsoft document link https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad.
Here is a quick overview of the steps:
Register an application (backend-app) in Azure AD to represent the API.
Register another application (client-app) in Azure AD to represent a client application that needs to call the API.
In Azure AD, grant permissions to allow the client-app to call the backend-app.
Configure the Developer Console to call the API using OAuth 2.0 user authorization. (optional)
Add the validate-jwt policy to validate the OAuth token for every incoming request.