I have an Azure Functions app and in Azure Portal I have configured Easy Auth -> Azure Active Directory.
The requirement is, that the API must support both AAD and some custom JWT Authentication, so that the consumer can Authenticate either using AAD or JWT.
How can I support multiple authentication mechanisms in Azure Functions?
As Easy Auth is actually an IIS module, I believe you'll need to receive the token in your Azure Function and programatically validate against the support providers.
Do it the same way you would do it in an ASP.NET Core application by using this package: DarkLoop.Azure.Functions.Authorize for Functions V3+, or DarkLoop.Azure.WebJobs.Authorize for Functions V2.
You can read this blog post for more information.
It will allow you to configure as many authentication protocols for authentication with the power of policies for every individual HTTP triggered function.
Related
We have on-prem sql server database which is connected to a legacy application. The on-prem database contains the username and password for the users. We are in process of migrating the existing solution to Cloud, and using Azure AD B2C for Authentication.
As the existing system is very big, so there is a phased transition we need to do which means keeping the both system running, allowing the users to login to the existing app as well as through Azure AD B2C in the cloud app.
I stumbled across API connectors for Azure AD B2C. I want to know if its possible to implement API connector for Sign In flow, in a way that it does the authentication against the external database store (legacy database) instead of Azure AD B2C.
From whatever I researched on google, it seems that API connector is called after authentication only. Also all the samples were related to Sign up flow. Can someone please guide me for a sample to achieve the login through external database using API connector ?
B2C supports integrating external identity providers. You can find a full list of them here:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-local?pivots=b2c-custom-policy
However, you are seeking to use a custom (generic) identity provider (IDP). This scenario is supported if the custom IDP supports either the OpenID Connector (OIDC) or SAML protocols. Please check that list in the URL above to review these options.
Regarding using the API connector, you can invoke the API connector before the authentication occurs in B2C using a validation technical profile in a custom policy. However, that does not achieve the actual authentication based on OIDC. Instead, it would be considered a validation step.
An overview of when you can use API Connectors is here.
You might be able to achieve a type of workaround using a custom policy to invoke your API connector to authenticate before authenticating in B2C and returning a success flag.
However, I think a better idea is to implement password synchronization. This seems like a perfect fit for you based on what you described. Users would be able to log into both your local system and Azure B2C simultaneously until you decommission your legacy authentication mechanism.
Your main requirement is that you have use a Microsoft Graph API SDK to update the B2C account password via your application backend. The bottom line is that you just need to keep the passwords the same in both systems. This is very easy to achieve with the Graph API, especially if you are developing in C# / .NET.
You also have to figure out how the B2C accounts get provisioned in the first place. This can happen in several different ways depending on your business requirements: Graph API, user sign up flow, import operation, etc.
API connectors only work for sign-up.
There's an example here but you will have to use custom policies.
I'm developing an application that have a web front and an azure function in the backend. I have protect the azure function using easyauth. The application is multitenant and i want to call the azure function on-behalf of authenticated user on the web. I want to use MSAL. I obtain a token on be-half of the user, i check it with jwt.io and all the informations are correct, scope is ok but when i call the function adding the Authentication token "Bearer:xxxxxxxxxxx" i obtain a 401. Seems to me that the problem is on the Function side: same parameter, compatibility with MSAL...
Is there a racomandated architecture for this scenario. I found many but nothing specific about Azure Functions, EasyAuth, on-behalf msal token
Unfortunately, we cannot use v2 endpoint(msal) to authenticate Azure function in Azure Portal for now.
Currently, authentication providers in Azure Web App service contain Azure Active Directory and it use v1 ednpoint to redirect.
You can find more details here.
I'm not sure if it'd meet all your requirements, but you could front the web app with API management using OAuth2 and then set headers to appropriate values and redirect to an HTTP Trigger for your function using one of the AuthorizationLevel options available.
Sounds like EasyAuth is on people's minds already and there may be a solution for you somewhere in the comments on the github ticket.
I got a HTTP triggered azure function, which is using by one of my web applications. The user of this site would be anybody who signed up to the site. Now I want to implement authentication to the azure function in such a way that only signed up user would able access the azure function through my web site. I could see many built-in authentications like azure functions, OAuth using Azure AD and other identity providers etc. I am looking for to way to authenticate users signed-up through my website, not with identity providers.
One solution I can think of is while signing up a register that user to Azure AD. Then while calling the API pass user credentials to the API and validate against AD. Can somebody please advice this is a good solution? If not please advise the best solution for my use case.
I don't want to use any external auth provider
Just referring to the documentation:
Azure functions HTTP Trigger - Authorization keys
While keys may help obfuscate your HTTP endpoints during development, they are not intended as a way to secure an HTTP trigger in production. To learn more, see Secure an HTTP endpoint in production.
The second link Secure an HTTP endpoint in production gives more insights on how to secure HTTP triggered functions:
To fully secure your function endpoints in production, you should consider implementing one of the following function app-level security options:
Turn on App Service Authentication / Authorization for your function app. The App Service platform lets use Azure Active Directory (AAD) and several third-party identity providers to authenticate clients. You can use this to implement custom authorization rules for your functions, and you can work with user information from your function code. To learn more, see Authentication and authorization in Azure App Service and Working with client identities.
Use Azure API Management (APIM) to authenticate requests. APIM provides a variety of API security options for incoming requests. To learn more, see API Management authentication policies. With APIM in place, you can configure your function app to accept requests only from the IP address of your APIM instance. To learn more, see IP address restrictions.
Deploy your function app to an Azure App Service Environment (ASE). ASE provides a dedicated hosting environment in which to run your functions. ASE lets you configure a single front-end gateway that you can use to authenticate all incoming requests. For more information, see Configuring a Web Application Firewall (WAF) for App Service Environment.
In my opinion you can do this in following ways.
Using function level Authorization key (Not preferred but easy)
If your web app is the only one that will access the function app you may enable authorization directly on the function. Any one who wants to access the function has to pass the key else you get 401 . Since you want your function to be accessed directly by users then you have to create additonal end point in your web site that will call function app on users' behalf and pass the key. You can find more about here
Authorization Key
Using Azure B2C or AD
You are thinking on the right lines. If your website is external consumer accessed then you may consider Azure B2C. You get many out of box functionalities including sign up using social logins and you may not need to save the users separately. The flow remains the same , users get authenticated by Azure AD (or B2C) and token is issued. The token is then passed when calling azure functions.
The Authentication/Authorization settings for my API app only provide AAD, FB, Google and Twitter. I want to use different authorization provider (different chat app such as Kakaotalk/LINE) and eventhough their API also give me token I don't know how I can make my backend authorize those tokens.
I wonder if it's possible to have custom authorization based on different OAuth token provided by different service? If not can you suggest what steps should I take to do authorization for my api app service?
Thanks
Yes, it is possible to use custom identity providers if you're using .NET for your API app. Some useful references:
https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-dotnet-backend-how-to-use-server-sdk#custom-auth
https://adrianhall.github.io/develop-mobile-apps-with-csharp-and-azure/chapter2/custom/
I need to implement authentication for azure web api using azure active directory.
client app(which consumes webapi) may or may not be in azure. how i need to authenticate user, where i should generate token if my app is not in azure(if it is IOS app). authentication should work in all cases even if client app is in azure or not.
Please let me now the best procedure to implement authentication.
You need to define the client app in Azure AD as a native app in the case of a mobile app. Then you define the API there, and add your client permissions to access it. You can optionally customize the available permissions through the API app's manifest in Azure AD. Then when your mobile app opens, you would have to authenticate with Azure AD, and then request an access token for the API. That you can then use to authenticate requests.
I can't answer this question in too great detail because it is quite a large topic and how it is done also depends on your platform. There is a sample app that you can check which does exactly what you want. The whole list of examples for native apps can be found here.
App Service to use different authentication providers Azure Active Directory,Facebook,Google,Microsoft,Twitter.
We can set any type of Authentication/Authorization in the Azure Portal.More info about how to use authentication for API Apps in Azure App Service, please refer to document.
By default, App Service provides authentication but does not restrict authorized access to your site content and APIs. You must authorize users in your app code.