堆栈内存溢出
  简体   繁体   English

How to call a protected API from an Azure Function App using the identity of the authenticated caller (Service Principal) to the Function App?

[英]How to call a protected API from an Azure Function App using the identity of the authenticated caller (Service Principal) to the Function App?

 原文  2022-09-01 08:35:23       azure/ oauth-2.0/ azure-functions/ easy-auth

问题描述

I have a Node.js Azure Function App with a User Assigned Managed Identity.我有一个 Node.js Azure Function 应用程序具有用户分配的托管标识。 The Function App is configured to use the App Service-provided authentication mechanism ("EasyAuth") to authenticate incoming connections using AAD. Function 应用程序配置为使用应用程序服务提供的身份验证机制(“EasyAuth”)使用 AAD 对传入连接进行身份验证。 The "Restrict Access" setting is set to "Require Authentication", so only authenticated connections will reach my code. “限制访问”设置设置为“需要身份验证”,因此只有经过身份验证的连接才能到达我的代码。 The Function App uses its User Assigned Managed Identity to do some calls to the Azure Resource Manager. Function 应用程序使用其用户分配的托管标识对 Azure 资源管理器进行一些调用。

The above all works just fine.以上所有工作都很好。 What I would like to do on top of this is to do some additional calls to the Azure Resource Manager, but this time using the identity of the caller to the Function App.除此之外,我想做的是对 Azure 资源管理器进行一些额外的调用,但这次使用 Function 应用程序的调用者身份。 If I understand everything correctly, this scenario would be a prime candidate for the OAuth 2.0 On-Behalf-Of flow .如果我正确理解了所有内容,那么这种情况将是OAuth 2.0 On-Behalf-Of flow的主要候选者。 Unfortunately, according to that page "The OBO flow only works for user principals at this time."不幸的是,根据该页面,“OBO 流程目前仅适用于用户主体。” Since the callers to my Function App will primarily be Service Principals, the OBO flow doesn't seem to be a solution here.由于我的 Function 应用程序的调用者主要是服务主体,因此 OBO 流程似乎不是这里的解决方案。 I don't know how else to approach this.我不知道还有什么方法可以解决这个问题。

So, how can I access a protected API from my Function App with the identity of the authenticated user to the Function App, where that user is a Service Principal instead of a User Principal?那么,如何从我的 Function 应用程序访问受保护的 API 并使用经过身份验证的用户的身份到 Function 应用程序,其中该用户是服务主体而不是用户?

1 个解决方案

解决方案1
 1 已采纳  2022-09-01 10:13:08

Unless there is a feature that I'm unaware of, a service principal cannot get an access token on behalf of another service principal.除非有我不知道的功能,否则服务主体无法代表另一个服务主体获取访问令牌。

The only way that I can think of that would work for this would be for the client application to send the ARM API token along with the request so your Function can use that.我能想到的唯一方法是让客户端应用程序发送 ARM API 令牌以及请求,以便您的 Function 可以使用它。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何从 Azure Function 调用受保护的 API - How to call an Protected API from Azure Function 使用服务主体对 Azure 函数应用进行身份验证的正确方法是什么? - What is the correct way to authenticate an Azure function app using a service principal? 使用托管身份验证 REST API 调用 Azure 服务总线 - Authenticated REST API call to Azure Service Bus using Managed Identity 如何使用 Service Principal/Managed Identity 访问 Azure App Configuration? - How to use Service Principal/Managed Identity to access Azure App Configuration? 从 PowerApp(或逻辑应用程序)调用受 AAD 保护的 Azure Function - Call AAD Protected Azure Function from PowerApp (or Logic App) Azure 应用服务能够使用托管身份(无应用角色)调用另一个受 AAD 保护的应用服务,为什么? - Azure App Service is able to use Managed Identity(no app roles) to call another AAD protected App service, Why? 使用托管标识从 Azure 应用服务调用图 - Call Graph from Azure App Service using Managed Identity 使用托管服务标识从Data Factory调用Azure函数 - Call Azure Function from Data Factory using Managed Service Identity 使用托管标识从 Azure 逻辑应用到 Azure Function 进行身份验证 - Authenticate from Azure Logic app to Azure Function using Managed Identity 如何从 .NET Core API 调用 Azure 门户中的函数应用程序 - How to call function App in Azure portal from .NET Core API
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM