通过 Azure 门户中的“身份验证”刀片与 Startup.cs 中的手动保护 Function 应用程序

Question

I secured my ASP.NET Core Azure Function App by modifying the configuration in Startup.cs and calling the Microsoft.Identity.Web's AddAuthentiction and AddMicrosoftIdentityWebApi extension methods on the services collection object (similar to the approach used in the AzureFunctions example in the Tests directory of the GitHub repo of Microsoft.Identity.Web). This allows me to securely call the Azure Function API from my Blazor Server app using Microsoft Identity Platform. The Azure Functions API does not call any downstream api.

This approach works perfectly fine without the need to enable the Authentication option under Function App - Setting in Azure Portal and specifying an identity provider there and linking it to an Azure AD app registration.

Does somebody know what does enabling authentication and adding an identity provider under settings of the Function App in the Azure Portal do compared to the manual configuration in Startup.cs? If I understand correctly, it does the same thing but implicitly instead of explicitly in the Startup.cs.

Answer 1

That option, sometimes referred as "Easy Auth" enables an additional container (or program) that will validate the token, so you don't have to. Request will first go to that middleware application and then, if validation passes, will go to your app.

For details see the docs page: https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization

That option is common to the webapps and function apps. The code runs separately, so it's not part of your application middleware chain.