0
votes

In my Xamarin Forms app I have the need to call some Azure Functions in a secure way.

What I have done

  1. All my functions have AuthorizationLevel=Function
  2. Get Function Key by making a call to a webApi that is stored on the server
  3. Function Key is passed in the header of the http call (all works!!)

I do not like the above and definitely I do not want to store the function key on the mobile app as an alternative

I have read about Authentication/Authorization but I cannot figure out if it fits my scenario

My Scenario

Ability to call an Azure function in a secure way. User should NOT be prompted to log in. It's a silent call.

  1. Is there some sort of accessToken I can use and retrieve safely from the Azure portal and use that in some way to access the function?

  2. How do you securely access an Azure function in a mobile app?

  3. Any samples? I have read the below and it did not help.

https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization

https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad

Edited

Tried the below but I get an error (connection string error) in the mobile app. Also not sure how it works when deployed, as in debug it uses the credential of the developer.

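    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.Services.AppAuthentication;

    // Token provider that authenticates with the ambient credential
    // (the developer's account when debugging).
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    var keyVaultClient =
        new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
    // Read the function key stored as a Key Vault secret.
    var secret = await keyVaultClient.GetSecretAsync("mysecretIdentifier").ConfigureAwait(false);
    var key = secret.Value;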
1
Does the function do anything that is specific to a mobile user or does it not matter? - CodeReaper
It does not matter, it just retrieves a JSON from a blob. - developer9969
@developer9969 are you already using Azure Active Directory authentication within your mobile app? - Houssem
@HoussemDbira I can use AAD no problem but it must be a silent call; a user should not be prompted to log in using those providers. Reading a value from the vault would be fine but I am not sure how it works in production, see edited question. - developer9969

1 Answer

0
votes

Recommended Approach

The best way to handle authentication for Azure Functions is to leverage the built-in Authentication and Authorization feature. This uses an existing auth provider to authenticate your users allowing you to avoid creating/storing/maintaining user ids & passwords.

Here's a walkthrough adding Azure AD B2C Authentication to Azure Functions: https://github.com/jimbobbennett/MobileAppsOfTomorrow-Lab/blob/master/Workshop/2-SetupAzureFunctions.md#4-setup-function-app-authentication

Alternative Approach

Since it sounds like you aren't using authentication and you want to have a secure API that only your app can access, we can use AuthorizationLevel=Function and inject the API key into our app using our Continuous Integration server at build-time.

I do this for my GitTrends app. Here's how:
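
The build-time injection described under "Alternative Approach" can be done by a CI step like the one below. This is an added example, not part of the original answer and not the GitTrends build script; the `__FUNCTION_KEY__` placeholder, the `FUNCTION_KEY` secret variable and the file path passed to the function are assumptions.

```shell
#!/usr/bin/env bash
# Added example: CI step that writes an Azure Functions key into a source file
# just before compilation. All names below are hypothetical.

PLACEHOLDER='__FUNCTION_KEY__'   # token committed to source control instead of the key

# inject_function_key FILE
# Replaces every PLACEHOLDER in FILE with the value of $FUNCTION_KEY, which the
# CI server supplies as a secret variable.
# Returns 1 if the secret is missing, 2 if FILE has no placeholder, 3 on I/O
# failure; FILE is left untouched in all three cases.
inject_function_key() {
    local file="$1"
    local key="${FUNCTION_KEY:-}"
    local tmp

    if [ -z "$key" ]; then
        echo "FUNCTION_KEY is not set; refusing to build with the placeholder" >&2
        return 1
    fi
    if ! grep -qF "$PLACEHOLDER" "$file"; then
        echo "placeholder not found in $file" >&2
        return 2
    fi

    tmp=$(mktemp) || return 3
    # The key reaches awk through its environment, not its argument list, so it
    # does not show up in the build agent's process table. index()/substr() do a
    # literal replacement, so '/', '&', '|' or '\' in the key need no escaping.
    FUNCTION_KEY="$key" awk -v ph="$PLACEHOLDER" '{
        line = $0; out = ""
        while ((i = index(line, ph)) > 0) {
            out = out substr(line, 1, i - 1) ENVIRON["FUNCTION_KEY"]
            line = substr(line, i + length(ph))
        }
        print out line
    }' "$file" > "$tmp" || { rm -f "$tmp"; return 3; }
    mv "$tmp" "$file" || return 3

    # Fail the build if any placeholder survived the substitution.
    ! grep -qF "$PLACEHOLDER" "$file"
}

# Pipeline usage (path is hypothetical): inject_function_key src/Constants.cs
```

A key injected this way stays out of source control, but it is still compiled into the app package and can be recovered from the binary. Using a key scoped to the single function and rotating it limits what a recovered key is worth.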