Authenticate Azure Functions

Rajamannar A K 86 Reputation points
2022-04-05T14:01:27.947+00:00

Hi

I am using an HTTP Function App, and I would like to authenticate it using a client ID and function keys (inside my function), using Python.

I have an APIM setup for the current service but would like to authenticate at the function app level.

Thanks


Accepted answer
  1. Lohith GN 511 Reputation points
    2022-04-06T00:37:43.43+00:00

    @Rajamannar A K

    Using function keys as an authentication mechanism is not prescribed for production scenarios.

    Here is the official documentation on Function Keys: https://learn.microsoft.com/en-us/azure/azure-functions/security-concepts?tabs=v4#function-access-keys

    Notice that the documentation clearly states that function keys should not be shared around.

    The options for securing an Azure Function App are defined here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook-trigger?tabs=in-process%2Cfunctionsv2&pivots=programming-language-csharp#secure-an-http-endpoint-in-production

    If you are already on Azure, then the best way is as follows:

    • Create an Azure AD App registration for your Function App. Note down the client ID.
    • Your clients or consumers of the Azure Function App will need to authenticate themselves with Azure AD and get a token. That token needs to be passed in the Authorization header (usually known as the Bearer token).
    • Create an Azure Function App. Make your function's auth level anonymous. Then use JWT security packages to read the token and authenticate/authorize the user using the token.

    This is the best practice.

    If you don't want to use Azure AD, i.e. the consumers or users of your application are not internal to your Azure AD, you can go with Azure AD B2C for your application. Up to 50K active users in one Azure AD B2C account are free; no charges are levied. An Azure Function App can be protected by Azure AD B2C as well.

    Do not share your function keys with any of the consumers of the function app API.


1 additional answer

  1. Pius Satpathy 1 Reputation point
    2022-08-24T10:37:46.813+00:00

    @Lohith GN. Thanks for the answer.

    I also have a similar requirement. I could see that Azure has the capability to validate the JWT access token, and we do not need to write any code; this can be done through configuration.

    However, there is no way to do fine-grained authorization like role-based access. For example, I want my function to be invoked only by a user having a certain application role, or else it should return FORBIDDEN. I was thinking that Azure Functions has this capability through configuration, but I did not find any. So I have to handle this role-based access in code by extracting the JWT token and fetching the roles claim, and if there is a valid role then allow the request to be executed, or else send a FORBIDDEN. Not sure if Microsoft has future plans to provide this capability.

    There is a lot of confusion from the introduction of "Function Keys as an Authentication" if this cannot be used in production.
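The following is an added example, not code from the question or either answer, showing in Python what the accepted answer's steps look like inside the function (anonymous auth level, bearer token read from the Authorization header and verified with a JWT library) together with the role check the second answer describes (reject with 403 unless the token's `roles` claim carries a required app role). It assumes PyJWT with its crypto extra (`pip install "pyjwt[crypto]"`) for the real decoder, the Python v1 programming model with `"authLevel": "anonymous"` in `function.json`, placeholder tenant and client IDs, and an invented app role name `Invoice.Read`; the `decode` parameter exists so the header and role logic can be exercised without network access.

```python
# Added example (not code from the question or answers): validating an Azure AD
# bearer token inside an anonymous-auth Python HTTP-triggered function and then
# enforcing an application role from the token's "roles" claim.
#
# Assumptions (not from the thread): the app registration values below are
# placeholders, PyJWT with its crypto extra is installed for the real decoder
# ("pip install 'pyjwt[crypto]'"), and the required role name "Invoice.Read" is
# an invented app role. function.json for the trigger would carry
# "authLevel": "anonymous" so the platform no longer expects a function key.
import json
import logging
from typing import Callable, Iterable, Mapping, Optional, Tuple

TENANT_ID = "<tenant-id>"                      # placeholder
CLIENT_ID = "<app-registration-client-id>"     # placeholder: the function app's app registration
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
JWKS_URL = f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys"

Claims = Mapping[str, object]
Decoder = Callable[[str], Claims]


def decode_with_azure_ad(token: str) -> Claims:
    """Verify signature, expiry, audience and issuer against the tenant's published keys.

    Imported lazily so the rest of the module (header parsing, role checks) can be
    exercised without PyJWT or network access. v1.0 tokens carry the audience as
    "api://<client-id>" and a different issuer; adjust both if the app registration
    issues those.
    """
    import jwt  # PyJWT

    signing_key = jwt.PyJWKClient(JWKS_URL).get_signing_key_from_jwt(token)
    return jwt.decode(
        token,
        signing_key.key,
        algorithms=["RS256"],     # pin the algorithm; never accept "none" or an HMAC alg for an AAD token
        audience=CLIENT_ID,
        issuer=ISSUER,
    )


def extract_bearer(headers: Mapping[str, str]) -> Optional[str]:
    """Return the token from an "Authorization: Bearer <token>" header, else None.

    Header names are matched case-insensitively because a plain dict (as used when
    testing) is not case-insensitive the way func.HttpRequest.headers is.
    """
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def authorize(
    headers: Mapping[str, str],
    required_roles: Iterable[str],
    decode: Decoder = decode_with_azure_ad,
) -> Tuple[int, Optional[Claims], str]:
    """Map a request to (HTTP status, verified claims or None, reason).

    401: no usable bearer token, or the token failed verification.
    403: token is valid but carries none of the required app roles.
    200: authenticated and authorized.
    """
    token = extract_bearer(headers)
    if token is None:
        return 401, None, "missing bearer token"
    try:
        claims = decode(token)
    except Exception as exc:  # jwt.InvalidTokenError and friends; details go to logs, not to the caller
        logging.warning("token rejected: %s", exc)
        return 401, None, "invalid token"
    granted = set(claims.get("roles", []) or [])
    needed = set(required_roles)
    if needed and not granted & needed:
        return 403, claims, "insufficient role"
    return 200, claims, "ok"


def main(req):  # req: azure.functions.HttpRequest
    """HTTP trigger entry point (Python v1 programming model)."""
    import azure.functions as func  # lazy import so the module loads outside the Functions host

    status, claims, reason = authorize(req.headers, {"Invoice.Read"})
    if status != 200:
        return func.HttpResponse(reason, status_code=status)
    body = {"caller_oid": claims.get("oid"), "roles": claims.get("roles", [])}
    return func.HttpResponse(json.dumps(body), mimetype="application/json")
```

The split into `extract_bearer`, `authorize` and `decode_with_azure_ad` keeps the part that talks to Azure AD separate from the part that decides 401 versus 403, so the latter can be unit-tested with a stub decoder, and failure detail stays in the function's logs rather than in the response body returned to the caller.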