How to Setup Authentication for Azure Functions

Captions
Hey everyone, this video will cover Azure Functions authentication, and we're going to go through how you can set up authentication for your own functions. The diagram here shows a couple of different applications that are calling this Azure Function, and the Azure Function is calling another Azure Function as well as making a call to SQL. Now, these functions can be open, or anonymous, or they can be locked down, but basically the idea is that you wouldn't want to allow just anybody to be able to call your function; you want to have some control. There are basically two ways to do this. Actually there are three: up in the diagram over here I'm showing that the Azure Function can be configured with managed identity, but this is actually a special scenario of AD integration not covered in this video; I'll do another video on how to set up managed identity. For the purpose of this video we're basically talking about two things: token authentication or AD integration.

In token authentication there is a special token that you're going to manage, and you basically set up your calling application to use that token, and Azure Functions will only allow that call to succeed if the token is present. The token can either be provided in the URL as the code parameter, or it can be provided over the HTTP header. So let's take a look at the token authorization. How does that work? Each function itself can be set up to allow anonymous access, function-level access, or admin-level access, and what that means is which key, which token, the function is going to look at. So in this example I have four functions: hello world, get users, get products and update user. They each have their own token, and these are called function tokens. At the function app level there are actually two: there's a host token and an admin token. The idea is that if you set up your function to require admin authorization, you're going to need to use the admin token in order to use it. If it's set to function, then either the host or the function token can be used. So if, let's say, you set it up for get users, then the get users function token or its parent, the host, will work; similarly if you set it up for products, it'll be the products function token or the host token. At the bottom here it shows the wire protocol: the header is called x-functions-key, where you have to pass the token, and as I said earlier you would either send it in the URL or in this header. I like the header because sometimes that URL gets logged, and if it's getting logged then that token is in the log file, and that's not good. So I like the header because it's hidden from a lot of logs and scenarios.

Now let's see how this works. I'm going to show you a demo that, as I said, has these four functions defined: hello world is set up as anonymous, get users and get products are both set up as function, and update user is going to be set up as admin. But first let's go take a look at where you can find the keys. I'm going to go over to my Azure Function. This is the resource group where my function code has been deployed. If I go into my function, under the Functions blade there is an App keys section. If you go in here you will see the keys defined; there are going to be two keys here, master and default. master is actually the admin key and default is the host key. What I've done is I've actually copied these as environment variables in my script, which I'm going to show you a little bit later, so we're going to come back to that. The function-level keys are defined at the function, so if you go into the actual function, get products, and look at its Function keys, you can see it the same way (you have to click on Show values), but you can see it's defined, and similarly each of the other functions has its own function key defined. Okay, so that's where you find the keys.

In this demo what I'm going to show is: I'm going to call hello world, which is set up as anonymous, and I'm going to use it with no key, no authentication, or I'm going to use it with the get users key, the product key, the different function keys, and what we're going to see is that it's going to actually work; because the setup is anonymous, all of these are going to work. So let's go give that a shot. As I said earlier, what I've done is I've taken the keys and copied them in as environment variables: I have an app token, which is the host token; an admin token, which is the master; a product token from the product function; a user token from the get user function; and an update token from the update user function itself. They're basically copied in, and I've also copied in the URLs for each of the functions. The way you get that is if you go into the function itself there's this Get function URL and you can copy that. If you notice, in here there's this code parameter; basically, just for convenience, they embed the token in there for you, and as I said earlier I don't like to use that because it ends up in log files and I don't want to see that. So I've got these environment variables defined, and basically I'm going to call my functions to see that it works.

For this let's try hello world with no authentication. I'm going to use wget, so wget hello, and I want the output to just come to the screen, and I can see it here: I'm basically getting a 200 response, it says hello world, and these headers are output. Let's go take a look at how I've done that. Here's my code that was deployed: here's get products, get users, hello world, update user. In hello world what I'm doing is basically taking a look at the request header keys and I've turned that into a string separated by newlines, and that's how you're seeing it. The reason I'm doing that is because later, in the second half of this demo, when we actually do AD integration, you'll see that AD actually adds some additional headers, and we can inspect them to figure out whether that caller should have access or not. For now I've got my hello world; its function.json says it's anonymous. update user's function.json says it's set to admin, get users' function.json says it's function-level authentication, and get products' function.json says that it's set as function as well. I've already deployed this using the Azure tools; if you need to find out how to deploy this, you can go back to a different video in the channel. For now let's actually call it and see how this stuff works.

As I said earlier, I called hello world and I got to see hello world and all the headers in it. Let's actually call it with some header values: --header, x-functions-key, and we're going to call it with the admin token. Okay, that actually needs to be inside there. That works as well. Now let's try the app token: that works. Let's try user. All of them are working, and the reason is because it's set up for anonymous, so it doesn't really matter; I could actually just pass some garbage in here and it'll still work, because it's set to anonymous. All of these will work.

Now let's actually show update user, which is set up as admin, and the only one that's going to work is admin. Just as a reminder, our update function.json is set to authLevel admin. So let's check that out: my URL is the update URL, and if I use the admin token here, this works and it says update user. If I change that to, let's say, the app token, I get a 401 Unauthorized. If I use the function tokens like product, that fails. Let's try user. And it goes without saying that if all of these failed, anonymous should also fail.

So now let's actually look at get users and get products. Here we're going to use the app key, sorry, the host key, or the admin key; all four should work, and the reason is because get products is set up as function and similarly get users is also set up as function. Let's try the product URL, and we're going to use the app token: that worked, it's get products and I see the headers. Let's try the admin token: that also works. Let's change the URL from product to users. User with admin: that worked. And let's try app. So no surprise there, all four worked, and the reason they worked is because even though these are set up as function, they're responding to their own function token as well as the host token.

Now let's take a look at the anonymous scenario, where we're calling it without any tokens. Let's take out the header; that should fail. And let's look at product; that fails as well. And now we have this other scenario where we use the exact function key, which should work, and then if we use the function key for the other function's URL it should fail. Let's go here: we're going to call product and we're basically going to use the product key. This should work. That works. Now let's use the user token; it should fail, and it fails. Similarly, if we call user with the user token, this works; if we call it with the product token, that fails, and the reason is because it doesn't match. So we've actually done this in totality: we've called all the functions with all the possibilities and we've seen that.

Now this is great, except now you're going to have to manage those tokens. A lot of people do not like to do that; they don't want to have to maintain and manage all those tokens, not to mention that if the token gets out, anybody could call it, and the only thing you could probably do at that point is refresh that token, and then those tokens become invalidated. It's not the end of the world, but it's actually not a great scenario.

So now let's look at how AD is set up. In this scenario you have a client, a service principal, and you log in as the service principal; it's given access to call the function, and the function is similarly set up with authentication against AD. The first thing we're going to do is set up the Azure Function to have authentication with AD, and then AD is going to know about it. Then we'll advertise an app role, and then we'll assign that app role to the service principal for the caller, and then we'll see how all that works.

First thing, we're going to go to the browser, to the function itself. Let's go to the Azure Function here, and over here on the left under Settings you're going to see Authentication. We're going to go into Authentication and add an identity provider. There are a number of identity providers depending on how you want to authenticate yourself; for the purpose of this demo we're actually going to use Microsoft. I've set it up; it's going to create this app registration, and later on we're going to see this, it's the same as the name of the function, so that's actually very easy to identify. If you're not authorized, if you're not able to call it, we're setting it up so that we receive this 401 code. That's all I have to do; I click on Add and this will add an identity provider.

Now at this point my anonymous call should fail. Let's go check that out. If we look at our history we can see that there was this call that we did to hello world, so let's call that with !2112; this pulls up our command by that number. This is doing wget hello with output, and you see that it's not authorized. This worked before. If we looked at the output prior, we would have seen that this is all the history I've done in order to get these commands, this demo, working. Here we go; at some point I will get to that hello function with an anonymous call. So here it was: we called it with nothing, with no tokens, and we actually had seen a response before. At this point all we've done is we've set up authentication, and now that call fails.

In order to set this up further, we're going to add an app role. We click into the app registration for the function and we're going to create an app role. Let's give it a name, Function User; this is going to be for application level; just putting in some default values here, value function; and I'm going to apply that. So now that function app has an app role called Function User. The next thing we're going to do is go to App registrations and create a client; this is a service principal we're going to create. We're creating a new service principal, just call it AD client, single tenant, that's fine, and I register this. After I've registered it, I'm going to assign it some API permissions: I'm going to grant it the permission to call my API, and I'm going to give it that Function User, say Add permission. At this point it's not granted, so I'm just going to grant permission for that, and I see both of them. So Function User should now be callable. Now what I've got to do is log in as that user. In order for me to log in as the user I need to have this client secret first, so let's add a secret; we're going to call it sample secret and it's going to be valid for six months. We're going to copy its value and set that up as an environment variable, so my secret equals that value. I'm going to use it again. It doesn't like blank spaces, so let's get rid of that. So I've defined that variable.

At this point I'm going to log in as that service principal. In order for me to log in I need this ID, the application ID. I'm going to say az login --service-principal; -u is actually my application ID, -p is the password, the client secret, and I'm going to need a tenant, and my tenant ID is here; copy that, paste it. The only other thing: because this is a service principal, I don't have subscriptions, so I'm going to say --allow-no-subscriptions. If I did that correctly I'm going to get the output that it's logged in. At this point I should be able to make the call.

The reason I'm doing this is because az has a very nice way to get the token from AD and it packages it up as the bearer token in my call to the function. There's a mechanism in the az CLI that allows me to make REST API calls; if I look at help I can see the parameters. So this is what I'm going to use: --method get. Let's try that out. I'm going to say the method is get, and the URL I'm going to use is the hello URL, which earlier failed. The only other thing I need to provide is the resource. There is a resource ID that I need to specify so that Azure knows where to look things up; behind the scenes it has to know which directory to look things up in. So I'm going to go to API permissions and click on this function; this API is the URL, api/..., that I'm going to need as the value for --resource, and this allows az rest to look up the appropriate information. The only thing I need to do is lop that back part off, and I hit Enter.

At this point I'm going to see that the function call succeeded, and I see the response, and I have a few more headers here. If I look at it I have x-ms-client-principal, x-ms-client-principal-idp, request id, client principal id. I can inspect those to figure out some additional permissions at the function level that we might want. Now, I can probably use a combination of AD authentication as well as those tokens to have more control, but what this shows is how we are actually allowing this authenticated service principal to call the function, and the function is doing the validation behind the scenes. All right, thank you.
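As an added example (not code from the video or from the Azure App Modernization channel), the two authorization decisions the demo walks through, written as plain Python that runs offline: the function-key accept matrix (anonymous / function / admin against the master, host and per-function keys, with the key taken from the x-functions-key header or the ?code= parameter), plus decoding the x-ms-client-principal header that App Service authentication adds and checking for the app role. Every key value, URL and the claim value `function` below is a constructed stand-in; the header names and the ?code= parameter are the ones the video names. Restoring base64 padding before decoding the principal header is a defensive assumption about how the platform encodes it.

```python
"""Added example: key-based and AD-based authorization checks for an Azure Function,
modelled on the demo in the video. All values are constructed for the example."""
import base64
import json
from typing import Dict, Optional
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed stand-ins for the App keys in the portal (_master = admin, default = host).
MASTER_KEY = "master-KEY-constructed"
HOST_KEY = "default-KEY-constructed"
# Constructed stand-ins for each function's own Function key.
FUNCTION_KEYS = {
    "HelloWorld": "hello-KEY-constructed",
    "GetUsers": "users-KEY-constructed",
    "GetProducts": "products-KEY-constructed",
    "UpdateUser": "update-KEY-constructed",
}
# authLevel of each function, matching the function.json values in the demo.
AUTH_LEVELS = {
    "HelloWorld": "anonymous",
    "GetUsers": "function",
    "GetProducts": "function",
    "UpdateUser": "admin",
}


def header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def extract_key(url: str, headers: Dict[str, str]) -> Optional[str]:
    """Key from the x-functions-key header, else from the ?code= parameter of the URL."""
    key = header(headers, "x-functions-key")
    if key is not None:
        return key
    return parse_qs(urlsplit(url).query).get("code", [None])[0]


def key_authorizes(function: str, key: Optional[str]) -> bool:
    """The accept matrix the demo exercises: anonymous -> any call;
    function -> own key, host key or master key; admin -> master key only."""
    level = AUTH_LEVELS[function]
    if level == "anonymous":
        return True
    if key is None:
        return False
    if key == MASTER_KEY:
        return True
    if level == "admin":
        return False
    return key in (HOST_KEY, FUNCTION_KEYS[function])


def check_key_request(function: str, url: str, headers: Dict[str, str]) -> bool:
    """True if the call would pass the function-key check for `function`."""
    return key_authorizes(function, extract_key(url, headers))


def redact_code(url: str) -> str:
    """Mask the ?code= value before a URL is written to a log; the video prefers the
    header precisely because logged URLs leak the key."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "code" else v) for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def parse_client_principal(headers: Dict[str, str]) -> Optional[dict]:
    """Decode x-ms-client-principal: base64 JSON with a 'claims' list of {typ, val}.
    Padding is restored first (assumption: the platform may send it unpadded)."""
    raw = header(headers, "x-ms-client-principal")
    if raw is None:
        return None
    padded = raw + "=" * (-len(raw) % 4)
    return json.loads(base64.b64decode(padded))


def caller_has_role(headers: Dict[str, str], role: str) -> bool:
    """True if the authenticated caller carries app role `role` among its claims."""
    principal = parse_client_principal(headers)
    if principal is None:
        return False
    return any(c.get("typ") == "roles" and c.get("val") == role
               for c in principal.get("claims", []))


def constructed_principal_header(roles) -> str:
    """Build a constructed, unpadded x-ms-client-principal value for local testing."""
    claims = [{"typ": "roles", "val": r} for r in roles]
    body = json.dumps({"auth_typ": "aad", "claims": claims}).encode()
    return base64.b64encode(body).decode().rstrip("=")


if __name__ == "__main__":
    url = "https://example-func.azurewebsites.net/api/GetProducts"  # constructed
    print(check_key_request("GetProducts", url, {"x-functions-key": HOST_KEY}))  # True
    print(check_key_request("UpdateUser", url, {"x-functions-key": HOST_KEY}))   # False
    print(redact_code(url + "?code=" + FUNCTION_KEYS["GetProducts"]))
    principal = {"x-ms-client-principal": constructed_principal_header(["function"])}
    print(caller_has_role(principal, "function"))  # True
```

`key_authorizes` is the whole matrix the demo calls "in totality": anonymous accepts anything, function-level accepts its own key or either host-level key, admin-level accepts only the master key, and a key for a different function is rejected. `caller_has_role` is the check the video hints at for the second half, reading the role from the header the platform adds rather than from anything the client can set itself.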
Info
Channel: Azure App Modernization
Views: 27,333
Id: GWLACWQIzGs
Length: 20min 44sec (1244 seconds)
Published: Wed May 25 2022