question

Karduan-4265 avatar image
0 Votes"
Karduan-4265 asked PramodValavala-MSFT commented

Azure Functions App with APIM using Managed Identity - Authentication and Authorization

Hi, I'm creating an application under Azure Functions using managed identity and importing in under APIM as API. Restricting it with managed identity, custom header and jwt-policy for token validation.

The users of my application will either come from mobile client or web client SPA. I don't want an Oauth2 consent screen for login or registration.

But under managed identity how I deal with request of reach user? Identity the unique token of each user's request and use it later to maintain the session life on Mobile App(s) or Web SPA.

I'm not sure what services I need to use to make this flow working. The thing which is clear is I want all users using my app(s) either mobile or web connected and calling my Function APP API's be going through APIM. And then, there is no user interaction involved in terms of consent or oauth flow etc.

Can somebody please guide me? For the right path what to use and when for this requirement. I have gone through many options. Azure B2C or B2b is not my option. It involves user consent.

Here is How it works right now:

On Previous Existing Infrastructure:
We are doing it with our own Symfony API's with JWT Authentication. Due to some business requirement we don't want the user to know if we have migrated from one Cloud to another. But also at the same time we are shifting from RESTful API's to Azure Functions for everything. That is why we want the user to be unaware of the changes we made and everything for them should work as is

In Azure Current I'm trying:
In Azure I have Configured Azure Functions under APIM with Managed Identity+ JWT-Validation. Which works fine. But rest of the confusion stays there. How do I have unique user tokens and sessions with that Azure setup etc.

Users will normally be supplying their Username/Password and then Hit the Request For Example Login. Then it hits the APIM, Which gets authenticated goes through Managed identity Policy and then it hits Functions Assigned Managed Identity. I get Token From Context Variable and pass it to JWT-Validation Policy and then. The next phase is confusing where to store token per User and how the next steps works?

Is this even possible to create such seamless experience while shifting the stack and underlying tech?

Thanks
Karduan

azure-functionsazure-api-managementazure-ad-authenticationazure-managed-identity
· 3
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@Karduan-4265 Just to confirm my understanding, you already have an authentication mechanism in place that takes username/password and returns a JWT Token. Correct? And you are looking for a way to leverage APIM and Functions to migrate your APIs to Azure right?

0 Votes 0 ·
Karduan-4265 avatar image Karduan-4265 PramodValavala-MSFT ·

Yes Exactly @PramodValavala-MSFT - Shifting from RESTFul APIs of the Symfony Framework with JWT to Azure Functions with APIM and JWT Authentication in Place.

But at the same time, we don't want users to notice any changes which is why I'm trying to figure out which way to use? I have tested the MSI with Token on APIM with validation but have not been to figure how can I control per/user sessions non interactively.

Kindly guide if you can.

0 Votes 0 ·
Karduan-4265 avatar image Karduan-4265 PramodValavala-MSFT ·

Hello @PramodValavala-MSFT any help please?

0 Votes 0 ·

1 Answer

PramodValavala-MSFT avatar image
0 Votes"
PramodValavala-MSFT answered PramodValavala-MSFT commented

@Karduan-4265 You don't have to change the authentication system and can pre-authorize requests at the APIM level using the same tokens.

As for the requests from APIM to Azure Functions, instead of MSI you could directly pass the requests as-is and setup IP Restrictions on your Azure Functions to prevent direct requests to them.


· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hello @PramodValavala-MSFT Thanks for providing more insights - I'm still checking these. But even during this stage, I'm not getting the unique token for each user. Because the tokens are being generated by APIM and its level which is using Managed Identity and also this then goes to Azure Functions which is also under MSI. I checked the MSAL Library for Python which is what I'm using the write the code for Azure Functions. Seems Like there is no support for MSI with MSAL in Azure Functions?

Confused on Next Steps.

0 Votes 0 ·

@Karduan-4265 Could you elaborate on how you are getting the token for users? MSI would get the token as a service making the call, not really a user. You would need to fetch the user specific token from the user facing app and pass that in requests to APIM.

0 Votes 0 ·