How can I authenticate/authorize an Azure Functions app with an App Service?
I have an Azure App Service as well as a Functions app (I am currently learning Azure, and if there is another way to achieve what I want I am open to suggestions). The App Service contains an Easy Table I'd like to sync with an app (which is already working), and I'd like to implement a function with a blob storage input binding or timer trigger that fills the Easy Table.
Since there does not seem to be an output binding for Easy Tables, I followed this answer and implemented the access with a MobileServiceClient.
MobileServiceClient client = new MobileServiceClient("https://my-app.azurewebsites.net");
var table = client.GetTable<MyTableClass>();
await table.InsertAsync(myObject);
This works as long as the table is publicly writeable, but of course it does not work when it is readable anonymously but writeable only for authenticated users. To authenticate my function I've created an Azure Active Directory and created an API key for the app within that AD, then I tried to authenticate the MobileServiceClient via
await client.LoginAsync(MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory,
new JObject {{"access_token", "<my API key>"}});
but this did not work out. I am always getting an error:
The request could not be completed. (Unauthorized).
Obviously this does not work out (using the API key that way was really just a shot in the dark), but I am not sure how to accomplish authentication from my function app. I know that when I'm using the MobileServiceClient from within an app I can redirect the user to login, but this (obviously) does not work with a function.
How can I authenticate my function with an existing App Service in order to write to a table that is not writeable anonymously?
Simple access via API key is not possible with App Service; a full authentication via Active Directory is necessary to access the App Service. To achieve this, the ADAL (Active Directory Access Library) can be used.
AuthenticationContext
The ADAL defines the AuthenticationContext class, which is a helper to authenticate with an Active Directory. First create a new AuthenticationContext:
var authenticationContext = new AuthenticationContext("https://login.microsoftonline.com/<Directory ID>");
You can find the Directory ID by visiting Azure Active Directory in the Azure portal and then opening Properties from the Azure Active Directory menu. In the Properties menu there is a text box containing the Directory ID.
You can now authenticate with
var authenticationResult = await authenticationContext.AcquireTokenAsync(
"https://batch.core.windows.net/",
new ClientCredential("<app ID>", "<app secret>"));
I'm assuming that there already is a registered app. To obtain the app ID visit Azure Active Directory → App registrations → <Your app>; there you can find the Application ID (also under Properties).
Next you'll have to create the secret key for the app. Therefore visit Azure Active Directory → App registrations → <Your app> → Keys. There you can create a key: just enter a key name and an expiry and click save. The key will be shown after saving. (Watch out: the key can't be restored afterwards. Save it somewhere.)
MobileServiceClient
The last step is to create the MobileServiceClient. Since the UI login is not available, we'll have to create the logged-in user manually (see here).
MobileServiceClient client = new MobileServiceClient("https://my-app.azurewebsites.net");
client.CurrentUser = new MobileServiceUser("Foo:123456789");
client.CurrentUser.MobileServiceAuthenticationToken = authenticationResult.AccessToken;
Now the MobileServiceClient is authenticated and ready to be used.
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios#web-application-to-web-api
https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.clients.activedirectory.authenticationcontext?view=azure-dotnet
https://docs.microsoft.com/en-us/azure/batch/batch-aad-auth
You can use managed service identity to authenticate your function to the app service.
Your application can communicate with other Azure services as itself using a managed Azure Active Directory identity.
You can see how to enable and work with managed identity here:
https://docs.microsoft.com/en-us/azure/app-service/app-service-managed-service-identity
Hope this helps! 希望这可以帮助!
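The two answers above describe two ways of obtaining a token for the App Service (ADAL client credentials, and managed service identity) and one way of handing it to the MobileServiceClient. The following is an added example, written for this page and not taken from either answer, that puts both token sources behind one helper so the function never carries the app secret in source. The setting names AAD_TENANT_ID (the Directory ID), AAD_CLIENT_ID, AAD_CLIENT_SECRET, APP_SERVICE_URL and APP_SERVICE_RESOURCE (the App ID URI of the AAD app registered for the App Service), and the class and method names, are assumptions for the example.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.WindowsAzure.MobileServices;

// Added example. All setting names below are assumed Function App settings, not values from the page.
public static class EasyTableWriter
{
    private static readonly string Resource = Environment.GetEnvironmentVariable("APP_SERVICE_RESOURCE");
    private static readonly MobileServiceClient Client =
        new MobileServiceClient(Environment.GetEnvironmentVariable("APP_SERVICE_URL"));

    // Option 1 (first answer): client credentials via ADAL. The secret is read from app settings.
    private static readonly AuthenticationContext Auth = new AuthenticationContext(
        "https://login.microsoftonline.com/" + Environment.GetEnvironmentVariable("AAD_TENANT_ID"));
    private static AuthenticationResult _cached;

    public static async Task<string> ClientCredentialTokenAsync()
    {
        // ADAL caches in-process; re-acquire a few minutes before expiry so a request never carries a stale token.
        if (_cached == null || _cached.ExpiresOn <= DateTimeOffset.UtcNow.AddMinutes(5))
        {
            var credential = new ClientCredential(
                Environment.GetEnvironmentVariable("AAD_CLIENT_ID"),
                Environment.GetEnvironmentVariable("AAD_CLIENT_SECRET"));
            _cached = await Auth.AcquireTokenAsync(Resource, credential);
        }
        return _cached.AccessToken;
    }

    // Option 2 (second answer): managed service identity, so there is no secret to store or rotate.
    // AzureServiceTokenProvider uses the identity of the Function App when running in Azure.
    public static Task<string> ManagedIdentityTokenAsync()
    {
        return new AzureServiceTokenProvider().GetAccessTokenAsync(Resource);
    }

    public static async Task InsertAsync<T>(T item, Func<Task<string>> tokenSource)
    {
        string token = await tokenSource();
        // No interactive login is possible in a function, so the signed-in user is set by hand,
        // as in the first answer. The user id is a constructed placeholder; the token is what counts.
        Client.CurrentUser = new MobileServiceUser("function:" + Environment.GetEnvironmentVariable("AAD_CLIENT_ID"))
        {
            MobileServiceAuthenticationToken = token
        };
        await Client.GetTable<T>().InsertAsync(item);
    }
}
```

From a timer- or blob-triggered function, call `await EasyTableWriter.InsertAsync(myObject, EasyTableWriter.ManagedIdentityTokenAsync);` (or pass `ClientCredentialTokenAsync` when a managed identity is not available).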