
Securing an Azure Function App with OAUTH


Question

Hi, I'm looking at building an API in Azure - and that's an immovable, I am bound to Azure here for various reasons.

It seems the best way for me to achieve what I need is to use a Function App, so I've done this and created a very simple Hello World api.  Great... it works, pat on the back - I can follow a tutorial.

And to manage this very simple API, I am going to use an API Management Service - it can handle the traffic management and so on.  So yeah, got that set up too.

I'm a bit confused.  While the API Management Service exposes the API through a specific URL that applies all the benefits of the service, the "raw/native" url of the Function App still exists.  This seems a bit like... easily bypassed and any end user could just go to the original Function App url.  Am I missing something?

Anyhow yeah, so I have this all set up, but I want to secure it with OAUTH so that anyone calling this API has to authenticate and so on.  I believed that Azure API Management Service could do this for me, but I seem to be missing something.

Anyone here setup anything similar and able to guide me a little please?

I'm aware that this comes very close to consultation, so if that's the case, please do also feel free to discuss that via PM.

Thanks

4 answers to this question


You can secure your Functions by using (and rotating) the App and Function Keys (configured through the Azure Portal), and you can also configure the firewall (under Networking) to disallow the general public from accessing it.

If there's a more "official" way to do it, I don't know what it is.

  On 28/01/2023 at 01:30, virtorio said:

You can secure your Functions by using (and rotating) the App and Function Keys (configured through the Azure Portal), and you can also configure the firewall (under Networking) to disallow the general public from accessing it.

If there's a more "official" way to do it, I don't know what it is.

Thanks.  My query was more about how to implement OAUTH2 against the app?


Just done some googling.

Good idea to read up on Azure Active Directory: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis and

Please see these links which relate to the use of OAUTH in AD:

https://scomnewbie.github.io/posts/authenticatedazfunc/

Hope this helps, and is what you're looking for?

I'm afraid I don't have experience with Azure, however I'm a massive googler in my day-to-day job as a professional software developer! When I struggle to find the information I need via documentation, I've always found it helpful to watch YouTube videos!


I think you may have a misconception about OAUTH...  OAUTH is an authorization method, not an authentication method.

In a nutshell, if you have ever visited a site that you want to become a member of, and instead of creating your own userid and password, you click a button that says Login with Amazon or Login with Facebook, or Login with Google... you use a pre-established account from one of those services which has already done the authentication, and now you are only authorizing that account the privilege of using an additional site/service.

This is exactly what OAUTH is.  This is usually applied to your front end...

It sounds to me what you want to do is make your back end API private and only usable with your front end... ("the "raw/native" url of the Function App still exists.  This seems a bit like... easily bypassed and any end user could just go to the original Function App url.  Am I missing something?")

There are usually only 2 ways to do this... you either make it available only on your internal network

OR

you need to require a security token as part of the API request parameters and reject all calls that do not contain it and reject all calls with a submitted token which is invalid...

How you generate and validate those tokens is up to you... (Cryptography hashes?)

Also you need to properly implement CORS policies within your http headers to prevent false/fake front ends from using your API.

https://stackoverflow.com/questions/54369416/how-to-secure-own-backend-api-which-serves-only-my-frontend
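The "require a token and reject everything else" approach from the answer above, as an added example that is not part of the original thread: a small Python issuer/validator for HMAC-signed (HS256) bearer tokens with audience and expiry checks, plus a simulated HTTP-triggered function that returns 401 for missing, tampered or expired tokens. The secret, the audience name `hello-world-api` and the function names are constructed for the demo; a real Function App would load the secret from an app setting or Key Vault.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; a real Function App would load it from an app setting / Key Vault.
SECRET = b"constructed-demo-secret-do-not-reuse"
AUDIENCE = "hello-world-api"  # assumed audience claim for this API

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(subject: str, ttl_seconds: int = 3600, now=None) -> str:
    """Issue a compact HS256 (HMAC-SHA256) token: header.payload.signature."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "aud": AUDIENCE, "iat": now, "exp": now + ttl_seconds}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_token(token: str, now=None):
    """Return the claims if the token is authentic, unexpired and meant for this API, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # only the algorithm we issue; never let the token pick it
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
            return None  # wrong audience or expired
    except (ValueError, TypeError, AttributeError):
        return None  # malformed encoding, JSON or claim types: treat as invalid
    return claims

def handle_request(headers: dict, now=None):
    """Simulated HTTP-triggered function: reject any call without a valid bearer token."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = validate_token(auth[len("Bearer "):], now)
    if claims is None:
        return 401, "invalid or expired token"
    return 200, f"Hello, {claims['sub']}"
```

Function keys and IP restrictions (the first answer) still apply on top of this: the token check only decides who may call, not whether the native URL is reachable at all.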
