[英]Is it possible to enable Managed Identity between Azure function and Azure Web API?
I am currently using Basic
authentication between Azure Function
and Web API
.我目前在Azure Function
和Web API
之间使用Basic
身份验证This is not secure, hence I was searching for an alternative and found the managed identity
feature in Azure.这并不安全,因此我正在寻找替代方案,并在 Azure 中找到了managed identity
功能。 However, I do not see this feature can be enabled between Web API and Azure function.但是,我看不到可以在 Web API 和 Azure ZC1C425268E683794FCAB14 之间启用此功能
Note: We can enable between Azure Function
and KeyVault
but not between web API and azure function. Note: We can enable between Azure Function
and KeyVault
but not between web API and azure function.
Looking for a solution like below寻找如下解决方案
I have enabled Easy Auth for my app service:我为我的应用服务启用了 Easy Auth:
You can find its client ID in advanced blade:您可以在高级刀片中找到其客户端 ID:
So we need to get an access token for this resource to call APIs, just try the code below(I assume you have enabled Managed identity for your function):所以我们需要为这个资源获取一个访问令牌来调用 API,只需尝试下面的代码(我假设你已经为你的函数启用了托管身份):
#r "Newtonsoft.Json"
using System.Net;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Primitives;
using Newtonsoft.Json;
public static async Task<IActionResult> Run(HttpRequest req, ILogger log)
{
log.LogInformation("C# HTTP trigger function processed a request.");
var endpoint = Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT");
var identity_header = Environment.GetEnvironmentVariable("IDENTITY_HEADER");
//chnage your client ID value here.
var resource = "4df52c7e-3d6f-4865-a499-cebbb2f79d26";
var requestURL = endpoint + "?resource=" + resource + "&api-version=2019-08-01";
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Add("X-IDENTITY-HEADER", identity_header);
HttpResponseMessage response = await httpClient.GetAsync(requestURL);
response.EnsureSuccessStatusCode();
string responseBody = await response.Content.ReadAsStringAsync();
var access_token = JsonConvert.DeserializeObject<TokenResp>(responseBody).access_token;
//After get access token for app: 4df52c7e-3d6f-4865-a499-cebbb2f79d26, call the API that protected by it
//chnage your api url here.
var APIURL = "https://frankapp.azurewebsites.net";
HttpClient callAPI = new HttpClient();
callAPI.DefaultRequestHeaders.Add("Authorization","Bearer "+ access_token);
HttpResponseMessage APIResponse = await callAPI.GetAsync(APIURL);
//check the response code to see if called the API successfully.
return new OkObjectResult(APIResponse.StatusCode);
}
public class TokenResp {
public string access_token { get; set; }
public string expires_on { get; set; }
public string resource { get; set; }
public string token_type { get; set; }
public string client_id { get; set; }
}
Result:结果:
Hi i can see you asking exchange between of Azure Function
and Web API
, in theory, it should be your resource server(Apis) rather than managed identity. Hi i can see you asking exchange between of Azure Function
and Web API
, in theory, it should be your resource server(Apis) rather than managed identity. There are concept around on-behalf auth/client grant credential on top of Azure AD.在 Azure AD 之上有关于代表身份验证/客户端授予凭证的概念。 You may follow this learning tutorial Build Azure functions with Microsoft Graph , and start thinking how would you want your identity flow looks like - simple way is to using on-behalf to azure functions and web api, the access token assertion are implemented in common classes for both. You may follow this learning tutorial Build Azure functions with Microsoft Graph , and start thinking how would you want your identity flow looks like - simple way is to using on-behalf to azure functions and web api, the access token assertion are implemented in common classes对彼此而言。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.