Securing an Azure Function App with OAUTH


Question

Hi, I'm looking at building an API in Azure - and that's an immovable, I am bound to Azure here for various reasons.

It seems the best way for me to achieve what I need is to use a Function App, so I've done this and created a very simple Hello World api.  Great... it works, pat on the back - I can follow a tutorial.

And to manage this very simple API, I am going to use an API Management Service - it can handle the traffic management and so on.  So yeah, got that set up too.

I'm a bit confused.  While the API Management Service exposes the API through a specific URL that applies all the benefits of the service, the "raw/native" url of the Function App still exists.  This seems a bit like... easily bypassed and any end user could just go to the original Function App url.  Am I missing something?

Anyhow yeah, so I have this all set up, but I want to secure it with OAUTH so that anyone calling this API has to authenticate and so on.  I believed that Azure API Management Service could do this for me, but I seem to be missing something.

Anyone here setup anything similar and able to guide me a little please?

I'm aware that this comes very close to consultation, so if that's the case, please do also feel free to discuss that via PM.

Thanks


4 answers to this question

Recommended Posts

You can secure your Functions by using (and rotating) the App and Function Keys (configured through the Azure Portal), and you can also configure the firewall (under Networking) to disallow the general public from accessing it.

If there's a more "official" way to do it, I don't know what it is.


On 28/01/2023 at 01:30, virtorio said:

You can secure your Functions by using (and rotating) the App and Function Keys (configured through the Azure Portal), and you can also configure the firewall (under Networking) to disallow the general public from accessing it.

If there's a more "official" way to do it, I don't know what it is.

Thanks.  My query was more about how to implement OAUTH2 against the app?


Just done some googling.

Good idea to read up on Azure Active Directory: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis and

Please see these links which relate to the use of OAUTH in AD:

https://scomnewbie.github.io/posts/authenticatedazfunc/

Hope this helps, and is what you're looking for?

I'm afraid I don't have experience with Azure, however I'm a massive googler in my day-to-day job as a professional software developer! When I struggle to find the information I need via documentation, I've always found it helpful to watch youtube videos!


I think you may have a misconception about OAUTH...  OAUTH is an authorization method, not an authentication method.

In a nutshell: if you have ever visited a site that you want to become a member of and, instead of creating your own user ID and password, you click a button that says "Login with Amazon", "Login with Facebook" or "Login with Google", you use a pre-established account from one of those services, which has already done the authentication; now you are only authorizing that account the privilege of using an additional site/service.

This is exactly what OAUTH is.  This is usually applied to your front end...

 

It sounds to me like what you want to do is make your back end API private and only usable with your front end... ("the "raw/native" url of the Function App still exists.  This seems a bit like... easily bypassed and any end user could just go to the original Function App url.  Am I missing something?")

There are usually only 2 ways to do this... you either make it available only on your internal network

OR

you need to require a security token as part of the API request parameters and reject all calls that do not contain it, and reject all calls with a submitted token which is invalid...

How you generate and validate those tokens is up to you... (Cryptography hashes?)

 

Also you need to properly implement CORS policies within your http headers to prevent false/fake front ends from using your API.

https://stackoverflow.com/questions/54369416/how-to-secure-own-backend-api-which-serves-only-my-frontend

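Added example (not code from any post in this thread): the "require a token on every request and reject anything missing or invalid" idea from the answer above, written the way an OAuth 2.0 resource server does it, i.e. the function checks an `Authorization: Bearer <JWT>` header for signature, issuer, audience, expiry and a required scope before it serves the Hello World response. Everything in it is a stand-in: the issuer, audience and scope strings are hypothetical, and the token is signed with an HS256 shared secret purely so the code runs offline. Tokens issued by Microsoft Entra ID are RS256-signed with keys published at the tenant's JWKS endpoint, so a real function would verify against those (or let APIM's `validate-jwt` policy do it) rather than against a shared secret.

```python
"""Bearer-token check for an HTTP-triggered Azure Function (added example, stdlib only)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed values for this example. In a real deployment the issuer, audience and
# scope come from the app registration in Microsoft Entra ID, and the signing key would
# be the tenant's published RS256 key, not a shared secret.
SHARED_SECRET = b"example-shared-secret-not-for-production"       # hypothetical
EXPECTED_ISSUER = "https://login.example.invalid/tenant-id/v2.0"  # hypothetical
EXPECTED_AUDIENCE = "api://hello-world-function"                   # hypothetical
REQUIRED_SCOPE = "Hello.Read"                                      # hypothetical


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Helper so the validator can be exercised offline: build an HS256-signed JWT."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def validate_token(token: str, now: Optional[float] = None) -> dict:
    """Return the claims of an acceptable token; raise ValueError with the rejection reason."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        raise ValueError("undecodable token")
    # Pin the algorithm server-side; never let the token's own header choose it
    # (blocks alg=none and key-confusion downgrades).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    # Claims are only trustworthy once the signature has been verified.
    if not isinstance(claims, dict) or claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and nbf > now:
        raise ValueError("not yet valid")
    # Entra ID carries delegated scopes in a space-separated "scp" claim.
    if REQUIRED_SCOPE not in str(claims.get("scp", "")).split():
        raise ValueError("missing scope")
    return claims


def handle_request(headers: dict, now: Optional[float] = None) -> Tuple[int, dict]:
    """Body of the HTTP trigger: (status, json body) for a request carrying these headers."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, {"error": "missing bearer token"}
    try:
        claims = validate_token(token.strip(), now)
    except ValueError as err:
        return 401, {"error": str(err)}
    return 200, {"message": f"Hello, {claims.get('sub', 'anonymous')}"}


if __name__ == "__main__":
    demo = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice",
                       "exp": int(time.time()) + 600, "scp": "Hello.Read"})
    print(handle_request({"Authorization": f"Bearer {demo}"}))  # 200
    print(handle_request({}))                                    # 401, no token
```

Two things worth noting. The algorithm is pinned in code and the signature is checked before any claim is read, which is the order that stops the classic JWT mistakes (accepting `alg: none`, or trusting `exp`/`aud` from an unsigned body). And token validation on its own does not answer the bypass worry in the original question: if the Function App's native URL stays public, a caller who has a valid token can still skip APIM. The function also needs to be reachable only by APIM, e.g. APIM holding the function key as a named value, an IP restriction to the APIM instance, or a private endpoint, so that APIM policies (rate limiting, `validate-jwt`) cannot be walked around.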
