• 0

Securing an Azure Function App with OAUTH

Asked by Dick Montage,

 Share

Question

Grand Master

Dick Montage

Posted
Posted

Hi, I'm looking at building an API in Azure - and that's an immovable, I am bound to Azure here for various reasons.

It seems the best way for me to achieve what I need is to use a Function App, so I've done this and created a very simple Hello World api.  Great... it works, pat on the back - I can follow a tutorial.

And to manage this very simple API, I am going to use an API Management Service - it can handle the traffic management and so on.  So yeah, got that set up too.

I'm a bit confused.  While the API Management Service exposes the API through a specific URL that applies all the benefits of the service, the "raw/native" url of the Function App still exists.  This seems a bit like... easily bypassed and any end user could just go to the original Function App url.  Am I missing something?

Anyhow yeah, so I have this all set up, but I want to secure it with OAUTH so that anyone calling this API has to authenticate and so on.  I believed that Azure API Management Service could do this for me, but I seem to be missing something.

Anyone here setup anything similar and able to guide me a little please?

I'm aware that this comes very close to consultation, so if that's the case, please do also feel free to discuss that via PM.

Thanks

4 answers to this question

Recommended Posts

  • 0
Grand Master

+virtorio MVC

Posted
  • MVC
Posted

You can secure your Functions by using (and rotating) the App and Function Keys (configured through the Azure Portal), and you can also configure the firewall (under Networking) to disallow the general public from accessing it.

If there's a more "official" way to do it, I don't know what it us.

  • Dick Montage
  • Like 1
  • 0
Grand Master

Dick Montage

Posted
  • Author
Posted
On 28/01/2023 at 01:30, virtorio said:

You can secure your Functions by using (and rotating) the App and Function Keys (configured through the Azure Portal), and you can also configure the firewall (under Networking) to disallow the general public from accessing it.

If there's a more "official" way to do it, I don't know what it us.

Thanks.  My query was more about how to implement OAUTH2 against the app?

  • 0
Collaborator

Software Dev Expert

Posted
Posted

Just done some googling.

Good idea to read up on Azure Active Directory: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis and 

 

Please see these links which relate to the use of OAUTH in AD:

 

https://scomnewbie.github.io/posts/authenticatedazfunc/

 

Hope this helps, and is what you're looking for? 

 

I'm afraid I don't have experience with Azure, however I'm a massive googler in my day-to-day job as a professional software developer! When I struggle to find the information I need via documentation, I've always found it helpful to watch youtube videos!

  • 0
Enthusiast

sao123

Posted
Posted

I think you may have a misconception about OAUTH...  OAUTH is an authorization method, not an authentication method.

In  a nutshell, if you have ever visited a site that you want to become a member of, and instead of creating your own userid and password, you click a button that says login with Amazon or Login with Facebook, or Login with Google... and you use a pre-established account from one of those services which has already done the authentication, and now you are only authorizing that account the privilege of now using an additional site/service.

This is exactly what OAUTH is.  This is usually applied to your front end...

 

It sounds to me what you want to do is make your back end api private and only usable with your front end... ("the "raw/native" url of the Function App still exists.  This seems a bit like... easily bypassed and any end user could just go to the original Function App url.  Am I missing something?")

There are usually only 2 ways to do this... you either make it available only on your internal network

OR

you need to require a security token as part of the API request paremeters and reject all calls that do not contain it and reject all calls with a submitted token which is invalid...

How you generate and validate those tokens is up to you... (Cryptography hashes?)

 

Also you need to properly implement CORS policies within your http headers to prevent false/fake front ends from using your API.

https://stackoverflow.com/questions/54369416/how-to-secure-own-backend-api-which-serves-only-my-frontend

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to question listing