I have an Azure function App which I have authenticated from Azure AD. Now every function of my function app require credentials to execute. However, for few functions I want to execute without authentication or providing credentials.
Is there any way by which I can enable authentication for few Azure functions in an App and for others no authentication is required?
In FunctionApps, authentication is done at the AppService level, so it applies to every function within your FunctionApp.
If you want some of your functions to require AAD (Azure Active Directory) authentication, and others not, you can either split the functions that do not require authentication into their own functionapp without AAD (turned off), and leave the others as is.
Otherwise, you can implement authentication yourself via code using the libraries available from Microsoft.
Documentation. If you're using Javascript, here the SDKs:
MSAL for Javascript
ADAL for Javascript
Now, I usually recommend for all API requests to be authenticated for production environments, so keep that in mind.
Related
I'm new to Protractor and am wanting to write C# tests that run against an Angular 8 application. The problem is, the application uses Azure AD for authentication and I don't know the correct approach to authenticate automatically when running the test. If I navigate to the application URL it redirects to the Microsoft login page for authentication but I can't seem to access this.
You can use the libraries given by Microsoft to implement applications for authenticating to Azure.MSAL is one of the libreary whiich is best to use. If you want to use MSAL to acquire a token, you need to:
Register an application in Azure AD.
Add target API, and grant consent to select permissions.
Generate a secret key.
Then you can get a token as Acquire a token and call Microsoft Graph API.
However, I think what you really want is to integrate AAD. You can easily enable AAD authentication for your .NET web application. It uses OWIN middleware.
I'm investigating options for adding AzureAD authentication to Angular SPA application with .NET core backend. I'm using VS 2019 MVC project with Angular (same as dotnet new Angular is producing). It's using .NET Core 3.1 and Angular 8.
From what I learned so far I have 3 options:
Built in Azure App Service Authentication
Adal.js - looks like the older brother of,
MSAL.js - which after making it work locally with Azure AD I learned on this page that "At this time, AAD V2 (including MSAL) is not supported for Azure App Services and Azure Functions. Please check back for updates." I couldn't make it work on Azure today so maybe this Note is for a good reason.
EDIT: Interestingly now point 3 works for me on Azure App Service so I'm not sure what this note means.
My requirements so far are that no screen is accessible to users unless they log in and that I will be able to read information about them from Azure AD - Roles, groups.
I never worked with Angular and I don't have any experience with Azure AD and I need someone that implemented it already to at least tell me which option I should choose and I can go from there.
My requirements so far are that no screen is accessible to users unless they log in and that I will be able to read information about them from Azure AD - Roles, groups.
I think the option 1 could meet your requirement, the configuration of Azure AD in Authentication / Authorization is higher than your code, the user could not access the app unless they log in.
To read the information about the roles, groups, you could check this good blog.
Here you have an angular E2E auth scenario using App Service built in authentication:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-auth-aad
I believe the part you are interested in is this one:
Enable authentication and authorization for front-end app
This way app service is the one redirecting you to AAD and getting a valid token that you can just pass in to your APIs afterwards. If the APIs are hosted in App Service as well, then APP service will be the one validating the token for you, so your backend code does not need to worry about authentication (you still need to handle authorization)
I've got a single page application that currently uses Azure AD B2C authentication to allow users to sign in, and then use the auth cookies to talk directly to internal services. There is now a requirement that we use two factor auth on top of the existing AD auth. We've already rolled our own 'second factor' auth, and we need to be able to integrate with that (I'd much rather use the built in MFA that Azure provides, but for this question assume that isn't an option).
Our issue is that we don't want to call our MFA service until the user has authenticated succesfully with AD - but of course, once they have, they are already authenticated, and it's too late.
When Azure AD hands back to us via the call back (we are using CookieAuthenticationEvents), is there any way to defer the access token being available until our own second factor auth step succeeds?
Just as juunas suggested, try to use custom polices which are designed primarily to address complex scenarios.
Reference:
Custom policies in Azure Active Directory B2C
I'm tried to build a new rich application and i'm having some problems designing the authentication process.
I've only two requirements :
An API needs to be available
An ADFS needs to be used to authentication
My first thoughts was to build the API and to use Angular.js for the frontend. However, I can't see how the authentication should work.
My API needs to be available though scripts. As far as I saw, the ADFS authentication always display t the webpage for the authentication process.
API are usually secured with OAuth2. We used an client id and a client secret to generate a token. But I can't have this behavior with an ADFS.
The only solution I see is to provide two authentications behavior with my application. One with the ADFS for the web access and in the web interface, add a possibility to generate a client id and a client secret associated with an user account that could be used for the API to the headless authentication.
Someone has already faced this kind of scenario?
Thanks a lot!
I assume the 'ADFS needs to be used for authentication' really means 'users should be able to use their Active Directory domain credentials to authenticate'.
If that is the case, you should take a look at Thinktecture IdentityServer. It's an OAuth2 authorization server that you can use with a Active Directory identity provider.
P.S. ADFS 3.0 that comes with Windows 2012R2 only supports the authorization code grant, which is not suitable for JavaScript apps.
I am using UserService to allow my users to register and login.
We find that users for some reason would like to create a login on our own site without using their existing credentials.
I know UserService supports Google Friend Authentication and we can use Yahoo & other openids. However, I would like to know if we can add our authentication mechanism without becoming implementing as an open-id provider/producer.
If becoming a openid provider is only viable option, are there any recommended libraries for AppEngine.
Thanks.
How you do this depends entirely on how you've built your authorization system. Using the Users API directly, your only options are to use OpenID or Google Accounts (and only one per app, at any one time, not both). If you want more flexibility, you will need to build your own authorization subsystem, or use an existing one, which abstracts away different auth providers. See, for instance, webapp2's auth module.