0
votes

I'm creating an application under Azure Functions using managed identity and importing it into APIM as an API. I'm restricting it with managed identity, a custom header and a JWT policy for token validation.

The users of my application will come from either a mobile client or a web client SPA. I don't want an OAuth2 consent screen for login or registration.

But under managed identity, how do I deal with each user's request? Identify the unique token of each user's request and use it later to maintain the session life on the mobile app(s) or web SPA.

I'm not sure what services I need to use to make this flow work. What is clear is that I want all users of my app(s), mobile or web, to be connected and calling my Function App APIs through APIM, and that there is no user interaction involved in terms of consent or an OAuth flow, etc.

Can somebody please guide me on the right path, what to use and when, for this requirement? I have gone through many options. Azure B2C or B2B is not an option for me; it involves user consent.

Update: here is how it works right now:

On the previous existing infrastructure:

We are doing it with our own Symfony APIs with JWT authentication. Due to a business requirement we don't want the user to know that we have migrated from one cloud to another, but at the same time we are shifting from RESTful APIs to Azure Functions for everything. That is why we want the user to be unaware of the changes we made; everything should work for them as is.

In Azure, what I'm currently trying:

In Azure I have configured Azure Functions under APIM with managed identity + JWT validation, which works fine. But the rest of the confusion remains: how do I have unique user tokens and sessions with that Azure setup, etc.?

Users will normally supply their username/password and then hit a request, for example Login. It hits APIM, gets authenticated, goes through the managed identity policy and then hits the Function's assigned managed identity. I get the token from a context variable and pass it to the JWT validation policy, and then... The next phase is confusing: where do I store the token per user, and how do the next steps work?

Is it even possible to create such a seamless experience while shifting the stack and underlying tech?

Thanks

1
Using Azure AD B2C or B2B, an administrator can grant consent for all users so users don't have to grant consent. Also, what is the reason behind not asking for consent? It is just a one-time consent. - Thomas
@Thomas Actually the application model is different. Due to a business requirement we don't want the user to know that we have migrated from one cloud to another, but at the same time we are shifting from RESTful APIs to Azure Functions for everything. That is why we want the user to be unaware of the changes we made; everything should work for them as is. - kamiko
At the moment, how do you authenticate the users? - Thomas
@Thomas We are doing it with our own Symfony APIs with JWT authentication. In Azure I have configured Azure Functions under APIM with managed identity + JWT validation, which works fine. But the rest of the confusion remains: how do I have unique user tokens and sessions with that Azure setup, etc.? - kamiko
You mean APIM is using a managed identity to authenticate to the Function App? - Thomas

1 Answer

0
votes

HTTP-triggered Azure Functions are exposed to the public internet via APIM. So, if we want to use them as part of our application, we need to secure those functions from attacks.

APIs are created using App Services like Function Apps and set as the backend for APIM using APIM policies. APIM also uses a managed identity, which is tied to Azure Active Directory.

The way to solve the problem is by using JSON Web Tokens (JWT). If you decide to authenticate your API with JWT tokens, the "validate-jwt" policy should come before the "authentication-managed-identity" policy. Otherwise the "Authorization" header will be replaced before it has a chance to be validated.

Check the following documents for more information.

Azure AD authentication based on JWT token.

Authenticate and Authorize Azure Function with Azure Web App Using MSI.
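As an added example (not part of the original answer or the linked documents), this is what the ordering the answer describes looks like in an APIM inbound policy section. The tenant ID, audience, backend app ID URI, the named value `jwt-signing-key` and the `X-User-Id` header are placeholders assumed for illustration; the policy element names and attributes are the documented APIM ones.

```xml
<policies>
    <inbound>
        <base />

        <!-- Step 1: validate the CALLER's token first, while the Authorization header still carries it.
             The validated token is also captured in a context variable so its claims survive step 2.
             Placeholders assumed for this example: {tenant-id}, api://my-function-api -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      require-expiration-time="true"
                      require-signed-tokens="true"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized"
                      output-token-variable-name="user-jwt">
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience>api://my-function-api</audience>
            </audiences>
            <issuers>
                <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
            </issuers>
            <!-- For a JWT issued by your own service instead of Azure AD, replace <openid-config>
                 with <issuer-signing-keys><key>{{jwt-signing-key}}</key></issuer-signing-keys>,
                 where jwt-signing-key is an APIM named value holding the base64-encoded key. -->
        </validate-jwt>

        <!-- Forward the authenticated user's identity to the backend in a separate header,
             because the original Authorization header will not reach the function. -->
        <set-header name="X-User-Id" exists-action="override">
            <value>@(((Jwt)context.Variables["user-jwt"]).Subject)</value>
        </set-header>

        <!-- Step 2: only now let APIM obtain its own token. This policy replaces the Authorization
             header with a Bearer token for the backend, so anything that still needs the user's
             token must run before it. Placeholder resource assumed: api://my-function-app-backend -->
        <authentication-managed-identity resource="api://my-function-app-backend" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

If the two policies were swapped, `validate-jwt` would be inspecting the managed-identity token APIM just minted for itself (wrong audience and issuer, so every request would fail with 401), and the user's token would never be checked at all. Capturing the validated token with `output-token-variable-name` is what lets the function see who the user is even though the header it receives belongs to APIM.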