I am using a HTTP Function App, I would like to authenticate it using client id and function keys (inside my function) using python.
I have a API Management setup for the current service but would like to authenticate on function app level.
Thanks
For this one of the workaround is that you can set its Authorization level to Function.
Note: Make sure you are providing function key as a URL query string parameter in code property (i.e., https://< Your Function App>.azurewebsites.net/api/< Your Function Name>?code=< Your Function Key>). Alternatively, If you are calling function from postman you can just add x-functions-key header and set function key to it.
You can find all the function keys from Trigger >> Function Keys
but from the Official Documention you can see that it is not a good practice to distribute shared secret in public apps.
If your function is being called from a public client, you may want to consider implementing another security mechanism
Alternatively, you can use AAD to authenticate your Function App (i.e., Through App registration).
For more information, you can refer Azure Function authentication using Azure Active Directory
Related
I implement this to login the user using WASM standalone app.
builder.Services.AddMsalAuthentication(options =>
{
builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);}
It works great. When I try to add the scope for the graph and my api. It does not allow the login.
builder.Services.AddMsalAuthentication(options =>
{
builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
options.ProviderOptions.DefaultAccessTokenScopes.Add("https://graph.microsoft.com/User.Read");
options.ProviderOptions.DefaultAccessTokenScopes.Add("https://xsc.com/xxEmployees.Read.All");
)
The error says AADSTS28000: Provided value for the input parameter scope is not valid because it contains more than one resource. How do I get this to work?
I looked at AcquireTokenSilent it uses a Microsoft.Identity.Client is this my only option. If it is my next question is how to I take my authenticated user AuthenticationStateprovider and create a IAccount for the AcquireTokenSilent method. Any ideas or other ways to try this would be greatly appreciated.
Msal is based on azure ad so that along the policy of azure ad, you can't generate an access token for two or more types of scopes at the same time.
This page also mentioned it, the only way seems to generate token seperately and call api for 2 times.
My front end is using ReactJS and when I was testing locally I was using axios to make the calls. e.g.
axios.defaults.baseURL = process.env.REACT_APP_API_URL;
axios.get('/me').then((resp) => {
this.setState({identity: resp.data});
}).catch(() => {
console.log('Failed to retrieve identity');
});
I have now moved my API behind Azure API Management which is set up to require a subscription to use.
Part of the APIM policy checks the Active Directory group to validate the user is in the right group.
Therefore, I need to add 2 parts to my javascript
authenticate against Active Directory
send the Ocp-Apim-Subscription-Key in the header
react-adal looks like it might handle the login.
However, I can't work out how to modify my existing code to use it and send the header.
Its also not clear whether it is a security risk to hard code the Ocp-Apim-Subscription-Key in the javascript or if it should be retrieved on the fly.
If it should be retrieved on the fly, where should I store it and how should I retrieve it securely?
After you handle the login with react-adal, you can also modify how you send the subscription key to APIM.
APIM lets you define how you want to send the subscription key - custom HTTP header or the query string:
Both fields are text fields with pre-defined values which you can freely change (well keep in mind these are either HTTP header name or query string variable names).
To the question weather you should keep that secret. Well, you subscription key is your secret. And it is not short lived like the access token. So you should keep that as secret as possible and do not just put it in your JS code.
However I am not really convinced that a SPA application should use APIM subscription key to invoke the API. APIM subscription keys are just a symmetric keys used to authentication/authorization. As such (being symmetric keys) using these in a SPA application be would like using your username and password for the database in your SPA app. It doesn't really matter in what stage you put that key in the browser. The moment you put APIM subscription key in the browser, you cannot longer trust that key. Users can modify it, completely remove it, or use another valid subscription key if they find one.
For SPA application I would just use the Azure AD Authentication and shape the authorizations based on the bearer token. I suppose you already perform JWT validation checks in your policy? You can extract any and all claims form the token and you can make authorization decisions based on claim values.
If the React app is hosted in Azure App Service, then you should be able to register the React app with managed identity and use Azure KeyVault to keep the secret.
https://learn.microsoft.com/en-us/azure/key-vault/tutorial-net-create-vault-azure-web-app
I'm using IdentityServer4 and have a scenario where I need to initiate a call to a secured API during a password reset process. IdentityServer4 does provide IdentityServerTools for the purpose of calling a secured resource from an extensibility point, however there is currently no documentation or examples for the indented usage.
How does one go about creating the necessary token using the provided methods in IdentityServerTools?
IdentityServerTools is available from DI. Simply inject it into your class and call the method to create a client token.
https://docs.identityserver.io/en/latest/topics/tools.html
according to Google cloud endpoint documentation, in #Api annotation (or #ApiMethod), we can use a "scope" parameter, that is:
If not supplied, the default is the email scope (https://www.googleapis.com/auth/userinfo.email), which is required for OAuth. You can override this to specify more OAuth 2.0 scopes if you wish. However, if you do define more than one scope, note that the scope check will pass if the token is minted for any of the specified scopes. To override the scopes specified here for a particular API method, specify different scopes in the #ApiMethod annotation.
Reading this docs seems that we can ask, for example, for drive scopes.
In fact, if we put here https://www.googleapis.com/auth/drive.file, the endpoint will ask the user for the drive auth.
But, how can I get the valid token to make a call to the google api? I mean, this scope parameter is intended only for login purpose, or I can use it to obtain Oauth2 tokens to call Google Apis?
I think is only for login purpose (just because I haven't found something about using endpoint to connect to google api) but I need a confirmation.
Thanks in advance
How does Google allow userService.getCurrentUser() to be called without having it passed HttpServletRequest request param? I am looking to extend UserService but it does not allow me to do that easily.
I have created my own authentication mechanism which overlaps UserService so that I can allow Google supported users and users who will login automatically. But I am interested in knowing how can I send the getCurrentUser when called from any function.
This is the current workflow
Request to secure resource -> Filter -> set current user somewhere but I am not sure WHERE so that I can call it from the rest of the application without passing httprequests..
in my code
GetCurrentUser() should return the user set in the filter. Note that I will not be passing the original HttpServletRequest
Thanks.
After few days of research, we can safely save the session info in the ThreadLocal. This is set in the servlet filter.
Static ThreadLocal variable in a WebApp - Are there any Security/Performance issues?
Since each servlet is executed in a single thread, we can safely call getCurrentUser from the code which then reads from the threadlocal.
Caveat though. Threads are recycled. So you can get a thread which has threadlocal set for a different user. You have to make sure that it is reset everytime.