API Management bypasses Azure Function security

Question from AlexandreGiuseppe-1545:

Hey guys,

I have an azure function with Authorization Level set to Function.

When I access it through the API Management URL, it returns "Hello World". When I access it through the Azure Function url, it returns 401.

[screenshot: 184833-image.png]

How come API Management bypasses security? I have set no inbound policy to cause this behavior; I just imported the function into API Management.

[screenshot: 184874-image.png]


How do I disable such bypass?


Tags: azure-functions, azure-api-management

Answer from MughundhanRaveendran-MSFT:

@AlexandreGiuseppe-1545 ,

Thanks for reaching out to Q&A.

When the authorization scope is set to "Function", it uses one of the function keys (default, host) to authorize the requests. So for requests without the key, the function would return a 401 response. In your case, you have imported the function API into APIM. As soon as the HTTP function is integrated with APIM, a host key gets created in the function app (please refer to the screenshot below). APIM uses this key to communicate with the function app, so APIM does not bypass the function security. You can check the key creation in your function app.

[screenshot: 185132-image.png]

I hope this helps!

Please 'Accept as answer' and 'Upvote' if it helped so that it can help others in the community looking for help on similar topics.



Comment from AlexandreGiuseppe-1545:

Is it safe to delete this key?

Reply:

@AlexandreGiuseppe-1545, it might affect the APIM + function integration. If you delete the key, then it's better to import the function into APIM again.

Comment from nasreen-akter:

Hi @AlexandreGiuseppe-1545,

Please let me explain a little bit to clear up the confusion here. In the Function App there are two concepts: host-level authentication and function-level authentication. Now, when you explore the Function App while creating the API in APIM, it will create a key in the Function App for host-level authentication. With host-level authentication you can call any function inside that Function App. Each function has its own function key; with the function key you can only call that specific function.

Now, if you would like to keep function-level authentication (I mean, if you want the user to pass the function key while calling the API), then you can add a header to the API for the function key (i.e., code) and add a policy to append that key as a query parameter when calling the backend function (the same way you are calling the function now with the code in the URL).

Hope this helps! Thank you.

Useful Link:

https://docs.microsoft.com/en-us/azure/azure-functions/security-concepts?tabs=v4#authorization-scopes-function-level

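Added example, not code posted in this thread: an APIM inbound policy that implements the pass-through the comment above describes, so that the caller, and not the gateway, has to hold a function key. It assumes the function app is named myfuncapp and is reached at https://myfuncapp.azurewebsites.net/api; that name is an assumption and does not appear in the thread. Two deliberate deviations from the comment: the key is normalised into the x-functions-key header instead of the code query parameter (Azure Functions accepts either, and a header keeps the key out of gateway and proxy URL logs), and the backend is addressed by URL rather than by the backend entity the import generated, because that entity is what attaches the stored host key to every call.

```xml
<policies>
    <inbound>
        <base />
        <!-- Accept the caller's key from either place Azure Functions honours:
             the x-functions-key header or the code query parameter. -->
        <set-variable name="fnkey" value="@(context.Request.Headers.GetValueOrDefault("x-functions-key",
                            context.Request.Url.Query.GetValueOrDefault("code", "")))" />
        <!-- No key at all: fail closed at the gateway instead of letting the call reach the
             backend (where it would have been authorised by the host key the import stored). -->
        <choose>
            <when condition="@(string.IsNullOrEmpty((string)context.Variables["fnkey"]))">
                <return-response>
                    <set-status code="401" reason="Unauthorized" />
                    <set-header name="WWW-Authenticate" exists-action="override">
                        <value>x-functions-key</value>
                    </set-header>
                </return-response>
            </when>
        </choose>
        <!-- Move the key into the header and strip it from the URL so it is not logged. -->
        <set-header name="x-functions-key" exists-action="override">
            <value>@((string)context.Variables["fnkey"])</value>
        </set-header>
        <set-query-parameter name="code" exists-action="delete" />
        <!-- Assumed function app URL. Using base-url instead of the generated
             backend-id="myfuncapp" means APIM's host-key named value is never attached;
             the function app sees only the key the caller supplied, so a function-scoped
             key still grants access to that one function only. -->
        <set-backend-service base-url="https://myfuncapp.azurewebsites.net/api" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

With this in place the earlier PowerShell test behaves the same through APIM as it does against the function URL: no key gives 401 from the gateway, a wrong key gives 401 from the function app, and a valid key returns "Hello World". The host key and named value that the import created are still present in APIM and can be left alone, as the accepted answer advises.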
Answer from JamesLongworth:

When you import a function into API Management (APIM) you are, in effect, moving the point of authentication for the downstream consumer (in this case your PowerShell) to APIM. APIM acts as a facade (or proxy) for the functions behind it, and can apply authentication as well as many other policy-based elements to the traffic, in addition to acting as a central 'switchboard' for all the back-end services behind it.

An import of a function app sets up a host key in the function, a named value in APIM and appropriate policies, which means that it is APIM that is authenticating with your function, not the calling user or service. The default config and policy for an imported API may have no 'end-user' authentication configured. Thus, if you can reach the APIM API endpoint then your call will pass through to the backend function without the need to provide any function key in the 'client'.

Whilst you can configure an API to require a dedicated subscription key at the API level, APIM has the concept of Products and Subscriptions. A product is a collection of APIs, and a subscription provides access to one or more products (thus a collection of APIs). If you want to use a 'pre-shared key' method of authentication via APIM, then review this. However, using API Management you can enforce OAuth2, mutual certificate authentication and pretty much anything else (including bespoke authentication providers) using advanced policies.

You could always change the API config and policy to just 'pass through' the function key, but then I would be interested in your use case for APIM (if you have one of course - you could just be learning :))


Hope that helps.
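Added example, not from the answer above: the design it describes, where the gateway keeps the host key it stored at import and authenticates the end user itself. The set-backend-service line is the one the import generates (backend entity myfuncapp, whose credentials carry the host key from the named value); everything else is added. The tenant-id named value, the api://hello-world-api audience and the Hello.Invoke app role are assumed placeholders for a Microsoft Entra ID (Azure AD) app registration and do not appear in the thread. Requiring a subscription key, the pre-shared-key option the answer mentions, is the "Subscription required" setting on the API or product rather than a policy, so it is not shown here.

```xml
<policies>
    <inbound>
        <base />
        <!-- End-user authentication now happens at the gateway: the caller must present a
             bearer token issued by the assumed tenant for this API's app registration,
             carrying the assumed Hello.Invoke app role. Signing keys are fetched from the
             tenant's OpenID metadata, so no secret is stored for this step. -->
        <validate-jwt header-name="Authorization" require-scheme="Bearer"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Missing or invalid bearer token">
            <openid-config url="https://login.microsoftonline.com/{{tenant-id}}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience>api://hello-world-api</audience>
            </audiences>
            <issuers>
                <issuer>https://login.microsoftonline.com/{{tenant-id}}/v2.0</issuer>
            </issuers>
            <required-claims>
                <claim name="roles" match="any">
                    <value>Hello.Invoke</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- Make sure a caller cannot smuggle its own key past the gateway check: the only
             credential the backend should ever see is the one APIM attaches below. -->
        <set-header name="x-functions-key" exists-action="delete" />
        <set-query-parameter name="code" exists-action="delete" />
        <!-- Unchanged from the import. The backend entity adds the host key as an
             x-functions-key header from the generated named value, so the function app
             still receives an authorised call, but only after the user was authenticated. -->
        <set-backend-service id="apim-generated-policy" backend-id="myfuncapp" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Do not echo the backend's platform header back to the caller. -->
        <set-header name="X-Powered-By" exists-action="delete" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The check that matters after deploying this is the same one the question started with: a request to the APIM URL with no Authorization header must now return 401 from the gateway, while a direct request to the function URL without a key continues to return 401 from the function app. If the function app is reachable from the internet, the host key that APIM holds is still a valid credential for every function in the app; restricting the app's inbound access to the APIM gateway (for example with App Service access restrictions) is what makes the gateway the only path in.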