1 vote

I have a number of Azure Function Apps that are chained as part of a business process and I want to implement proper Authorisation on each Function App.


I understand that I can set the Function App Authorisation Level to Function and provide the key via the code query string or the x-functions-key header.

What I was wondering was if it's possible to use the Managed Identity of each of the Function Apps to provide authorisation for the subsequent calls? Not sure if this can be done via User Assigned Identities

1 Answer

1 vote

This is possible. If you just want to get a token from the user assigned identity to pass to other functions then this is answered here.

If you want to pass through the user identity all the way down it is a bit more tricky. Apologies for the link-heavy answer; this is a big topic and involves a number of steps to put in place. Hopefully this gives you all the keywords (on-behalf-of flow, server-to-server authentication and grant consent to applications) to find some good blog articles to walk you through it.

You need to break the problem down into pieces.

  1. Use Active Directory authentication for the first call. You either need to add the configuration into your deployment scripts or manually configure the Azure Active Directory setup using the wizard/tools in the Azure Portal.
  2. Implement the "On behalf of" authentication flow to run the downstream functions using the context of the user that was authenticated in the first call. This requires you to set up service-to-service authentication. A sticking point is often the "Grant Consent" that needs to be set up.

Picture from the docs (image not reproduced here)

Grant Consent (image not reproduced here)
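The two patterns the answer names, as an added example that is not part of the original question or answer: a managed-identity token request for plain service-to-service calls (the "just get a token from the user assigned identity" case) and the on-behalf-of (OBO) exchange that carries the authenticated user's identity into the downstream function. It uses only the Python standard library and builds the HTTP calls as urllib Request objects so they can be inspected offline. The tenant ID, client ID, secret, scope names, URLs and the fake_opener/demo_jwt helpers are assumptions for the demo; the endpoint shapes (the IDENTITY_ENDPOINT/IDENTITY_HEADER variables the Functions host injects, and the v2.0 token endpoint with grant_type jwt-bearer and requested_token_use=on_behalf_of) are the documented ones.

```python
"""Token plumbing for a chain of Azure Functions: managed-identity tokens for
service-to-service calls and the OAuth 2.0 on-behalf-of exchange for passing the
caller's identity downstream. Added example; all IDs, secrets and URLs are placeholders."""
import base64
import io
import json
import os
from urllib.parse import urlencode
from urllib.request import Request, urlopen

AAD_AUTHORITY = "https://login.microsoftonline.com"
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def bearer_from_headers(headers):
    """Extract the caller's access token from the incoming Authorization header.
    With App Service Authentication (AAD) enabled on the function app (step 1 of the
    answer) the platform has already validated this token before the function code runs."""
    value = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("missing or non-Bearer Authorization header")
    return token.strip()


def managed_identity_token_request(resource, client_id=None, endpoint=None, header=None):
    """Build the request to the Functions host's managed identity endpoint.
    IDENTITY_ENDPOINT / IDENTITY_HEADER are injected by the platform at runtime;
    pass client_id to select a user-assigned identity, omit it for the system-assigned one."""
    endpoint = endpoint or os.environ["IDENTITY_ENDPOINT"]
    header = header or os.environ["IDENTITY_HEADER"]
    params = {"api-version": "2019-08-01", "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return Request(f"{endpoint}?{urlencode(params)}", headers={"X-IDENTITY-HEADER": header})


def obo_token_request(tenant_id, client_id, client_secret, incoming_token, scope):
    """Build the on-behalf-of exchange: this function's own app registration presents the
    caller's token as the assertion and asks for a token scoped to the next function.
    The exchange only succeeds once consent has been granted for that scope."""
    body = {
        "grant_type": OBO_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": incoming_token,
        "scope": scope,
        "requested_token_use": "on_behalf_of",
    }
    return Request(
        f"{AAD_AUTHORITY}/{tenant_id}/oauth2/v2.0/token",
        data=urlencode(body).encode(),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def access_token_from_response(body):
    """Pull access_token out of a token-endpoint JSON response, surfacing AAD's error text."""
    payload = json.loads(body)
    if "access_token" not in payload:
        raise RuntimeError(f"token request failed: {payload.get('error_description', payload)}")
    return payload["access_token"]


def jwt_claims_unverified(token):
    """Decode the JWT payload for logging/diagnostics only. This does NOT check the
    signature; trust claims only after the platform or a JWT library has validated them."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def downstream_request(url, token):
    """Call the next function with a bearer token instead of a shared x-functions-key."""
    return Request(url, headers={"Authorization": f"Bearer {token}"})


def fetch(request, opener=urlopen):
    """Send a Request and return the response body; opener is injectable for offline use."""
    with opener(request) as resp:
        return resp.read()


def forward_on_behalf_of(incoming_headers, downstream_url, tenant_id, client_id,
                         client_secret, scope, opener=urlopen):
    """End to end: take the caller's token, exchange it via OBO, call the downstream function."""
    incoming = bearer_from_headers(incoming_headers)
    exchanged = access_token_from_response(
        fetch(obo_token_request(tenant_id, client_id, client_secret, incoming, scope), opener))
    return fetch(downstream_request(downstream_url, exchanged), opener)


def fake_opener(*bodies):
    """Offline stand-in for urlopen (assumption, test scaffolding only): answers each
    request with the next canned body."""
    queue = iter(bodies)
    return lambda request: io.BytesIO(next(queue))


def demo_jwt(claims):
    """Constructs an UNSIGNED token so the decoding path can be exercised offline.
    Real Azure AD tokens are signed; never accept a token built like this."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"
```

In a deployed function the managed-identity path is `access_token_from_response(fetch(managed_identity_token_request("api://<downstream-app-id>", client_id="<user-assigned-id>")))`, with no secret stored in the app at all; the OBO path needs the function's own app registration (client ID and secret, or a certificate) and consent granted for the downstream scope, which is the step the answer flags as the sticking point.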