Azure functions Authentication - possible without AD?

1
votes

I'm working on securing some Azure Functions endpoints. I tried with Certificate, but I hit a few walls

  1. In the FunctionsStartup (from which derives my startup) I could not find a way to connect my AddAuth and Auth methods/classes. (I tried to search, read more on this topic, but all the answers were either for web API other type of Authentications)
  2. I tried to check for the existence of a certificate at least, but that didn't worked either. I tried to get the certificate from request-context-connection-ClientCertificate or to read it from headers. Didn't worked locally or on deployed version. The certificates are always null.

I saw that there are some options to secure it with AD(also with facebook, google and so on), but first I'm curious if someone successfully implemented another Auth method, more like in a classic web api approach (JWT tokens, certificate, other similar stuff)

1
c#azureazure-functionsazure-authentication
have you considered adding Azure API Management (in consumption tier) in front of your Function? - silent
No, but I will read more and see what comes up. Thanks for the idea. - Iosif Bujor
I think it would be a cleaner solution as it would keep boiler-plate code such as for auth, out of your Function - silent

1 Answers

1
votes

Access restrictions enable you to define a priority ordered allow/deny list that controls network access to your app. The list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, there is then an implicit "deny all" that exists at the end of the list.

Also you can request a client certificate when the client request is over TLS/SSL and validate the certificate. This mechanism is called TLS mutual authentication or client certificate authentication.

First, your App Service plan must be in the Basic, Standard, Premium, or Isolated tier.

Secondly, enable client certificates:

az webapp update --set clientCertEnabled=true --name <app_name> --resource-group <group_name>

Finally, Access client certificate. App Service injects an X-ARR-ClientCert request header with the client certificate. Your app code is responsible for validating the client certificate.

For more details about how to configure TLS mutual authentication for Azure App Service, please refer to this article.