How to secure my function app using Google identity provider

Venkata S (Student) 0 Reputation points
2024-11-07T11:34:42.51+00:00

Hi,

I have an OOTB function app created using the Maven Azure Functions archetype

Code is similar to https://github.com/azure-samples/azure-functions-samples-java/blob/master/triggers-bindings/src/main/java/com/functions/Function.java

The code is not touched

```java
@FunctionName("HttpExample")
public HttpResponseMessage run(
        @HttpTrigger(
            name = "req",
            methods = {HttpMethod.GET, HttpMethod.POST},
            authLevel = AuthorizationLevel.ANONYMOUS)
            HttpRequestMessage<Optional<String>> request,
        final ExecutionContext context) {
```

I want to make it secure using Google OAuth2

The code is not updated (still has anonymous in signature)

I added the identity provider and updated the configuration in Google (redirect URL etc.)

Redirect URI set is: https://..s.azurewebsites.net/.auth/login/google/callback

Postman configuration:

token acquired using https://oauth.pstmn.io/v1/callback

https://oauth2.googleapis.com/token https://accounts.google.com/o/oauth2/v2/auth openid email profile state = 12345 from postman

Now when using Code + Test

supplying query param name and header: Authorization with token from postman

getting error:

Security issue: Request to send auth token to untrusted domain '<some>.azurewebsites.net'. Only a fixed set of domains should be configured to receive auth tokens. Command name: <not provided>

How to troubleshoot? What is wrong with the domain? Azure domains can be seen in the Google OAuth consent

If this is not possible, is there an example function and steps to test a very basic function with Google identity provider?

What URLs should be in Google OAuth?

What configuration is required in Identity Provider? What should be added to Allowed external redirect URLs in identity provider?

What are the steps to test in Code + Test in Azure portal?

How to test using Postman?

Azure Functions

1 answer

  1. Pinaki Ghatak 5,600 Reputation points Microsoft Employee Volunteer Moderator
    2024-11-08T10:49:06.0066667+00:00

    Hello @Venkata S (Student)

    To secure your Azure Function app using Google OAuth2, you need to follow a few steps.

    First, you need to register your application with Google. You can follow the instructions in this article: https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-google.

    Next, you need to add the Google information to your application in the Azure portal. You can follow the instructions in the same article mentioned above.

    After that, you need to update your function code to require authentication. You can do this by changing the authLevel parameter in the @HttpTrigger annotation to AuthorizationLevel.Function.

    Regarding the error you are seeing, it seems like you are trying to send an auth token to an untrusted domain. You need to make sure that the domain you are sending the token to is configured to receive auth tokens. You can check the allowed external redirect URLs in your Google Identity Provider configuration to make sure that the domain you are sending the token to is listed there.

    To test your function in the Azure portal, you can use the Code + Test feature. You can supply the query parameter and header with the authorization token from Postman. To test using Postman, you need to make sure that you are sending the token to the correct domain.

    You can also check the allowed external redirect URLs in your Google Identity Provider configuration to make sure that the domain you are sending the token to is listed there.

    I hope this helps
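
Added example (not part of the question or the answer above, and not Microsoft sample code): one way for function code to confirm that a request was signed in through the Google provider and belongs to a permitted account, using the `X-MS-CLIENT-PRINCIPAL-IDP` and `X-MS-CLIENT-PRINCIPAL-NAME` headers that App Service Authentication adds to authenticated requests. It assumes App Service Authentication is enabled on the app and that the name header carries the Google account e-mail; the class `EasyAuthGate`, the method `check` and the allow-list are hypothetical names, and the header sets are constructed samples.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

public class EasyAuthGate {
    // Headers set by App Service Authentication on authenticated requests.
    static final String IDP_HEADER = "X-MS-CLIENT-PRINCIPAL-IDP";
    static final String NAME_HEADER = "X-MS-CLIENT-PRINCIPAL-NAME";

    /** Returns the HTTP status the function should answer with: 200, 401 or 403. */
    static int check(Map<String, String> headers, Set<String> allowedUsers) {
        // HTTP header names are case-insensitive; normalise before lookup.
        Map<String, String> h = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        h.putAll(headers);
        String idp = h.get(IDP_HEADER);
        String name = h.get(NAME_HEADER);
        // No platform-set principal: the caller was not signed in.
        if (idp == null || name == null || name.isBlank()) return 401;
        // Signed in, but not through the provider this app expects.
        if (!"google".equalsIgnoreCase(idp)) return 403;
        // Any Google account can sign in, so authorisation is the app's job.
        // Assumption: the name header holds the account e-mail address.
        return allowedUsers.contains(name.toLowerCase(Locale.ROOT)) ? 200 : 403;
    }

    public static void main(String[] args) {
        Set<String> allowed = Set.of("alice@example.com"); // constructed allow-list
        // Constructed header sets, not captured traffic.
        Map<String, String> anonymous = Map.of("Accept", "*/*");
        Map<String, String> permitted = Map.of(
                "x-ms-client-principal-idp", "google",
                "x-ms-client-principal-name", "Alice@example.com");
        Map<String, String> stranger = Map.of(
                "X-MS-CLIENT-PRINCIPAL-IDP", "google",
                "X-MS-CLIENT-PRINCIPAL-NAME", "mallory@example.net");
        System.out.println("no principal headers: " + check(anonymous, allowed));
        System.out.println("permitted Google user: " + check(permitted, allowed));
        System.out.println("other Google user:     " + check(stranger, allowed));
    }
}
```

Inside `HttpExample`, the same check can be fed from `request.getHeaders()`, with the result mapped to `request.createResponseBuilder(HttpStatus.UNAUTHORIZED)` or `HttpStatus.FORBIDDEN` before the function does any work.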

