I've read a lot of documentation on Azure about working with Shared Access Signatures, and I don't believe it's possible to have webhooks delivered straight to Evenhtubs. I believe an intermediate service like a an Azure Function or Logic App currently needs to act as a middleman.
Is it correct to say that the service generating the webhook would have to choose to implement the signing scheme used by Azure Shared Access Signatures for Eventhubs to receive such a webhook?
Furthermore, is there any Azure PAAS service such as document DB or Azure SQL which has an API authentication scheme which a fairly simple webhook could write directly to?
It's been awhile since this question was asked but I'll put the answer here for anyone who needs it.
Yes, you can have a webhook send directly to an Event Hub. The client needs to send a post request with the Shared Access Signature (SAS) in the Authorization header and data in the body.
Here is Microsoft's documentation on the process.
https://learn.microsoft.com/en-us/rest/api/eventhub/send-event
Related
We want to call a REST API endpoint of a SaaS application. i.e. system to system interaction.
We are using Azure Data Factory to call and we could see that ADF support(Web client activity) client certificate authentication.
We have the certificate with us. Added the certificate to AKV, configured ADF to use the certificate.
Question:
Do we need an app registration to be able to use?
What details do we need to send to the SaaS vendor so that they can recognize that our call is a legit call?
Are there any other steps in the process?
From the way you're describing this issue, it sounds like the SaaS isn't an application that is protected using Azure AD. In that case, the SaaS determines what credentials are suitable - likely a username and client certificate. I can't think of a reason for you to need to create an app registration. All of this said - you need to talk to the vendor to ask them what credentials are necessary for access.
I am new to Azure API Management and will be happy to receive suggestion and advise on my implementation.
I am developing a B2B Api Channel for 3rd parties to call my services via the API Management (APIM) Gateway. On the APIM developers portal I can onboard new clients and generate API key. My struggle is how best to figure out at the underlying services who is calling?
I have considered add the API Key generated in the APIM to a database which the underlying service will call to authenticate, however, the implementation will be manual and will not be in sync when the 3rd party client goes to APIM and regenerate a new API key.
What I want is a solution that auto syncs authorization and authentication between APIM and the underlying services.
Since API keys can be replaced, you better rely on IDs to identify clients.
You can pass a client ID to a backend in a header: https://stackoverflow.com/a/42277313/2579733
Now how do you correlate APIM's client IDs with your backend's client IDs?
If there are only a few clients, you can probably update that association in your backend's database manually. If you can use the clients's email to connect the APIM client and your backend client, that's even easier (you're done).
If you will need to register many clients and the manual approach is not feasible... One way to do it is with Delegated Authentication:
Delegation allows you to use your existing website for handling developer sign in/sign up and subscription to products, as opposed to using the built-in functionality in the developer portal. It enables your website to own the user data and perform the validation of these steps in a custom way.
I never used it but it seems you can transfer the responsibility of creating new clients to a backend service (developed by you).
This way you have access to client emails, you generate IDs and can store the ID relationship in the backend as necessary.
So, I have an API in Azure-API-Management, which is attached to a function. I want to expose one the method in API as Web-hook for another application CRM. It will be an inbound web-hook.
Is it possible ?
A webhook endpoint is like any other HTTP endpoint that usually expects a POST request from an external system. So, yes.
Depending on the CRM Application, you could leverage APIMs built-in security features to authenticate the webhook call without having to validate credentials in your function as a bonus for using APIM.
I have created an azure signalr service with serverless option.
The negotiate function is able to generate JWT token with 'x-ms-client-principal-name' and the connection gets established without issues.
I have referred https://learn.microsoft.com/en-us/azure/azure-signalr/signalr-concept-serverless-development-config and the function is able to send events to a particular userid/groups.
I have been asked to secure the client - server communication.
I am new to security domain. I referred https://learn.microsoft.com/en-us/azure/azure-signalr/signalr-tutorial-authenticate-azure-functions this link but I am not able to configure the given sample app and not able to understand the concept.
My scenario is: I have a Client .net web app in which user can login using organization account as well as using google.
This app calls azure signlar negotiate function with userID and the deviceId in which it is interested to receive events through signalR function.
Signalr function gets events from the azure eventhub trigger and sends it to the groups.
Please help me to increase the security of this application. Is the token received from negotiate function sufficient as far as security is concerned?
Can any unauthorized user connect to my azure subscribeToGroup/sendEvent functions with the acquired jwt token from negotiate?
I am trying to use this https://github.com/Azure/azure-functions-signalrservice-extension in which idToken and claimTypeList are additional parameters along with x-ms-client-principal-name(userid). But I am not able to understand this with respect to security.
The client in this sample is index.html with auth.js. But how it is said to be secure is not understandable.
Please help and direct me for the correct setup and code.
I have configured Azure Application Insight for monitoring our systems and was trying to enable the alerting. I'm using app insight availability test which provides a functionality to call a webhook URL.
I wrote a webhook using HTTP triggered Azure function, but the problem is it exposes a public URL which if called will raise an alarm on our internal alerting system. So I plan to authenticate the call to webhook.
Is there any way I can authenticate the call possibly using OAUTH.I don't want to provide the token in URL, looking for something secure. Another problem with manually using token in URL is that token rotation will require manual work.
Any suggestions on I can automate this task which will take care of secret rotation will be appreciated.
I believe token based authentication is the only possible route as of today as documented here.
But I think you should still be able to use a Function App without worrying about key rotation since the function keys can be read through the Functions API if the AzureWebJobsSecretStorageType app setting is set to files as documented here.