Sunday, July 3, 2022

OAuth2.0 Security Function APP with Azure AD

 

When we create function app and put it on Azure cloud, they need to be secure. When it comes to security of Function Apps, there are few options like Azure AD, Function Level, put them in VNET, secure them through API Manager etc. In this blog we will see how we can secure our function using Azure AD OAuth 2.0.



We will be creating Azure App registration and Function App separately then will enable our function app to use Azure AD as an Identity provider.

 

Azure AD App Registration:

Open azure portal and click on Azure Active Directory, you should be able to see below screen.

 


Click on New Registration button as highlighted.


 

Register an app by providing a Name and supported account type. In my case I have given oauth-demo-fun-app name and chosen “Single Tenant



Click on register to create app registration. An Application (Client) id will be generated.

 



Copy the Application ID and Click on “Expose as API” to add a scope. Use “api://<Application Id>” that you copied. Click on save and continue.



Give scope name as “user_impersonation”, choose “Admin and users”, provide description and display name as per below screenshot.

Click on Add Scope

 


 If scope added successfully, similar below screen will be appeared


Now let create a new client secret for the API. This credential will be used to call token API. Secret will be appeared only once so make sure you copy it once created otherwise create a new one.


Click on “New Client Secret” and provide description and choose expiry duration.

Note* - From portal you can choose up to 24 months only, if you want to create for longer period or never expired, use PowerShell or terraform code etc.

 




 Once secret is generated copy it somewhere secured.

 



To verify if your Token API is working and generating the token properly, click on Overview and click on the endpoint as per below screenshot

 

Copy the OAuth 2.0 token endpoint to test it in postman. As per below

Postman Request:

Method POST

URL: Token API 2.0 (copy it from endpoint)

Body: x-www-form-urlencoded

            Grant_type:       client_credentails

            Client_secret: (use the secret that we created in above step)

            Client_id: Application (Client) ID of the app registration

Scope: api://<application id>

Hit the URL you should be getting a valid JWT token



 Create a Function App:

This is the 2nd phase where are going to create a function app in the portal. I’ll be using dotnet runtime, windows based with consumption-based plan.

 I have given my function app name auth2-demo

 


 To choose Azure Ad as an Identity provider, click on “Authentication” link and click on Add an Identity Provider

 



 Choose Microsoft from the Identity Provider dropdown like below screenshot

 



Now there are two options when it comes to selecting Microsoft as an Identity provider. You can create one from here or choose an existing one. Since we have created App registration at the beginning of the blog so we will use that option (which is existing one).

 You can select your app registration from the dropdown and use Require Authentication as restricted access and HTTP 401 Unauthorized recommended for API option. You can choose to click Token store.

 Click on Add button.


You should be able to see below screen



 Now click on Edit option again to choose Audience (I am not sure why it is not visible when we choose the ID provider)

 



 Provide the Allowed token audiences

Value will be: api://<Application (Client) Id>

 

You can again copy this value from App registration overview page.

 


 

Create a Function app using C# code from Visual Studio

 

 This is the last phase of our blog where are will be creating C# function app with “Anonymous” access. This will a http trigger-based function app like below screen shot

 

Note* - Anonymous Access is required if you want to use Azure AD as an ID Provider.


This is going to be very simple function app which is generated by default.

 



Let’s publish this function App in our subscription where we created consumption-based function app.

 



 Choose the function app and click on publish

 



Once the function app is published let’s try to call it from the postman. Below request is failed as we know it needs a “Authorization” token. It gives me 401 unauthorized access.

 



Let’s get the token from the token API. Use the previous token API to get the token. Copy the token once generated.

 



 Pass this token in “Authorization” header in Function APP URL. You should be able to see the 200 OK response.

 


 

OAuth 2.0 is widely used and accepted protocol. You can restrict function App with some other security pattern as per your requirement.