How can I authenticate/authorize an Azure functions app with an app service?

I have an Azure app service as well as a functions app (I am currently learning Azure and if there is another way to achieve what I want I am open to suggestions). The app service contains an easy table I'd like to sync with an app (which is already working) and I'd like to implement a function with a blob storage input binding or timer trigger that fills the easy table.

Since there does not seem to be an output binding for easy tables I followed this answer and implemented the access with a MobileServiceClient.

MobileServiceClient client = new MobileServiceClient("https://my-app.azurewebsites.net");
var table = client.GetTable<MyTableClass>();
await table.InsertAsync(myObject);

This works as long as the table is publicly writeable, but of course it does not work when it is readable anonymously, but writeable only for authenticated users. To authenticate my function I've created an Azure Active Directory and created an API key for the app within that AD, then I tried to authenticate the MobileServiceClient via

await client.LoginAsync(MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory, 
                        new JObject {{"access_token", "<my API key>"}});

but this did not work out. I am always getting an error

The request could not be completed. (Unauthorized).

Obviously this does not work out (using the API key that way was really just a shot in the dark), but I am not sure how to accomplish authentication from my function app. I know that when I'm using the MobileServiceClient from within an app, I can redirect the user to login, but this (obviously) does not work with a function.

How can I authenticate my function with an existing app service in order to write to a table that is not writeable anonymously?

Simple access via API key is not possible with app service, but a full authentication via Active Directory is necessary to access the app service. To achieve this, the ADAL (Active Directory Access Library) can be used.

The AuthenticationContext

The ADAL defines the AuthenticationContext class which is a helper to authenticate with an Active Directory. First create a new AuthenticationContext

var authenticationContext = new AuthenticationContext("https://login.microsoftonline.com/<Directory ID>");

You can find the Directory ID by visiting Azure Active Directory in the Azure portal and then opening Properties from the Azure Active Directory menu. In the Properties menu there is a text box containing the Directory ID.

Authenticate with Azure Active Directory

You can now authenticate with

var authenticationResult = await authenticationContext.AcquireTokenAsync(
      "https://batch.core.windows.net/", 
      new ClientCredential("<app ID>", "<app secret>"));

I'm assuming that there already is a registered app. To obtain the app ID visit Azure Active Directory → App registrations → <Your app>, there you can find the Application ID (also under Properties).

Next you'll have to create the secret key for the app. Therefore visit Azure Active Directory → App registrations → <Your app> → Keys. There you can create a key, just enter a key name and an expiry and click save. The key will be shown after saving. (Watch out: the key can't be restored afterwards. Save it somewhere.)

The MobileServiceClient

The last step is to create the MobileServiceClient. Since the UI login is not available we'll have to create the logged in user manually (see here).

MobileServiceClient client = new MobileServiceClient("https://my-app.azurewebsites.net");
client.CurrentUser = new MobileServiceUser("Foo:123456789");
client.CurrentUser.MobileServiceAuthenticationToken = authenticationResult.AccessToken;

Now the MobileServiceClient is authenticated and ready to be used.

Further reading

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios#web-application-to-web-api

https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.clients.activedirectory.authenticationcontext?view=azure-dotnet

https://docs.microsoft.com/en-us/azure/batch/batch-aad-auth
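The steps of the answer above, combined into one helper as an added example (not code from the original answer). It keeps the tenant ID, client ID, client secret, resource identifier and Mobile App URL out of the source by reading them from Function App application settings; the setting names `AAD_TENANT_ID`, `AAD_CLIENT_ID`, `AAD_CLIENT_SECRET`, `AAD_RESOURCE` and `MOBILE_APP_URL` are assumptions. It also refreshes the token shortly before it expires instead of acquiring a new one on every invocation; which resource identifier the App Service accepts depends on its Authentication / Authorization settings, so that value is left to configuration.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.WindowsAzure.MobileServices;

// Added example: builds a MobileServiceClient for an Azure Function using an
// AAD client-credential token (no interactive login is possible in a Function).
public static class EasyTableClientFactory
{
    // Static so the context (and its token cache) survives across invocations
    // of a warm Function host; setting names below are assumptions.
    private static readonly AuthenticationContext AuthContext =
        new AuthenticationContext("https://login.microsoftonline.com/" + Setting("AAD_TENANT_ID"));

    private static AuthenticationResult _token;

    public static async Task<MobileServiceClient> CreateAsync()
    {
        // Re-use the token until five minutes before expiry, then acquire a new one;
        // the client secret is read from configuration, never hard-coded.
        if (_token == null || _token.ExpiresOn <= DateTimeOffset.UtcNow.AddMinutes(5))
        {
            var credential = new ClientCredential(Setting("AAD_CLIENT_ID"), Setting("AAD_CLIENT_SECRET"));
            _token = await AuthContext.AcquireTokenAsync(Setting("AAD_RESOURCE"), credential);
        }

        var client = new MobileServiceClient(Setting("MOBILE_APP_URL"));
        // The user id is only a client-side label; the access token is what the
        // App Service validates on each request.
        client.CurrentUser = new MobileServiceUser("aad:function-app")
        {
            MobileServiceAuthenticationToken = _token.AccessToken
        };
        return client;
    }

    // Inserts one row into the easy table backing T (the table name is T's class name).
    public static async Task InsertAsync<T>(T row)
    {
        var client = await CreateAsync();
        await client.GetTable<T>().InsertAsync(row);
    }

    private static string Setting(string name)
    {
        var value = Environment.GetEnvironmentVariable(name);
        if (string.IsNullOrEmpty(value))
            throw new InvalidOperationException($"Missing application setting '{name}'.");
        return value;
    }
}
```

A function body then only calls `await EasyTableClientFactory.InsertAsync(myObject);`; if the App Service still answers Unauthorized, compare the token's audience with the client ID or App ID URI configured in the App Service's AAD authentication settings.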

You can use managed service identity to authenticate your function to the app service.

Your application can communicate with other Azure services as itself using a managed Azure Active Directory identity.

You can see how to enable and work with managed identity here:

https://docs.microsoft.com/en-us/azure/app-service/app-service-managed-service-identity

Hope this helps!
