Is it possible to enable Managed Identity between Azure function and Azure Web API?

Question

我目前在Azure Function和Web API之間使用Basic身份驗證這並不安全，因此我正在尋找替代方案，並在 Azure 中找到了managed identity功能。 但是，我看不到可以在 Web API 和 Azure ZC1C425268E683794FCAB14 之間啟用此功能

Note: We can enable between Azure Function and KeyVault but not between web API and azure function.

尋找如下解決方案

Answer 1

我為我的應用服務啟用了 Easy Auth：

您可以在高級刀片中找到其客戶端 ID：

所以我們需要為這個資源獲取一個訪問令牌來調用 API，只需嘗試下面的代碼（我假設你已經為你的函數啟用了托管身份）：

#r "Newtonsoft.Json"

using System.Net;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Primitives;
using Newtonsoft.Json;

public static async Task<IActionResult> Run(HttpRequest req, ILogger log)
{
    log.LogInformation("C# HTTP trigger function processed a request.");
    var endpoint = Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT");
    var identity_header = Environment.GetEnvironmentVariable("IDENTITY_HEADER");
    //chnage your client ID value here.
    var resource = "4df52c7e-3d6f-4865-a499-cebbb2f79d26";
    var requestURL = endpoint + "?resource=" + resource + "&api-version=2019-08-01";

    HttpClient httpClient = new HttpClient();
    httpClient.DefaultRequestHeaders.Add("X-IDENTITY-HEADER", identity_header);
    HttpResponseMessage response = await httpClient.GetAsync(requestURL);
    response.EnsureSuccessStatusCode();
    string responseBody = await response.Content.ReadAsStringAsync();
    var access_token = JsonConvert.DeserializeObject<TokenResp>(responseBody).access_token;

    //After get access token for app: 4df52c7e-3d6f-4865-a499-cebbb2f79d26, call the API that protected by it
    //chnage your api url here.
    var APIURL = "https://frankapp.azurewebsites.net";
    HttpClient callAPI = new HttpClient();
    callAPI.DefaultRequestHeaders.Add("Authorization","Bearer "+ access_token);
    HttpResponseMessage APIResponse = await callAPI.GetAsync(APIURL);
    //check the response code to see if called the API successfully.
    return new OkObjectResult(APIResponse.StatusCode);
}

public class TokenResp {
 public string access_token { get; set; }
 public string expires_on { get; set; }
 public string resource { get; set; }
 public string token_type { get; set; }
 public string client_id { get; set; }

}

結果：

Answer 2

Hi i can see you asking exchange between of Azure Function and Web API , in theory, it should be your resource server(Apis) rather than managed identity. 在 Azure AD 之上有關於代表身份驗證/客戶端授予憑證的概念。 You may follow this learning tutorial Build Azure functions with Microsoft Graph , and start thinking how would you want your identity flow looks like - simple way is to using on-behalf to azure functions and web api, the access token assertion are implemented in common classes對彼此而言。