Securing Azure Functions with OAuth2 Authentication
Serge Artishev
Posted on March 23, 2024
In this blog post, we will explore how to create an Azure Function with an HTTP trigger and OAuth2 authentication using Azure Active Directory (AAD). We will also create a sample client app that authenticates and executes the function. This solution will help you understand how to secure your Azure Functions using OAuth2 authentication.
1. Creating and Deploying an Azure Function using DevContainer in VSCode
Before we dive into the details of OAuth2 authentication, let's first create and deploy a simple Azure Function using a DevContainer in Visual Studio Code (VSCode).
Introduction
Azure Functions are a great way to build serverless applications that can scale on demand. In this section, we will create an Azure Function with an HTTP trigger and deploy it using a DevContainer in Visual Studio Code (VSCode).
Prerequisites
Before we get started, make sure you have the following prerequisites installed on your machine:
Installation
To create and run the Azure Function, follow these steps:
- Clone this GitHub repository.
- Open the repository in Visual Studio Code.
- Reopen the repository in the Dev Container.
- Run the following command to install the dependencies:
  npm install
- Start the Azure Function by running the following command:
  npm start
- Open your browser and navigate to http://localhost:7071/api/ping. You should see a standard "Hello, World!" message.
- Create the Azure Function resource in Azure by right-clicking on the "Function App" group in the Azure "Resources" view and selecting "Create Function App in Azure...". Follow the instructions to create the Function in your Azure subscription.
- After successful creation, you can deploy the Azure Function to Azure by clicking on the "Azure" tab in your VSCode and selecting the function logo in the "Workspace" view. Then click on "Deploy to Function App..." and follow the instructions to deploy the Function in your Azure subscription.
- After successful deployment, you can access the Azure Function in the Azure portal.
Make sure to test the Azure Function by navigating to the URL provided in the Azure portal. You should see the same "Hello, World!" message as before.
2. Configuring the Azure Function to use Azure Active Directory (AAD) OAuth2
Now that we have created and deployed the Azure Function, let's configure it to use Azure Active Directory (AAD) OAuth2 for authentication.
Introduction to AAD OAuth2
Azure Active Directory (AAD) OAuth2 is a secure way to authenticate users and authorize access to your applications. In this section, we will configure the Azure Function to use AAD OAuth2 for authentication.
Configuring AAD OAuth2 for the Azure Function
To configure AAD OAuth2 authentication for the Azure Function, follow these steps:
- Open the Azure portal.
- Navigate to the Azure Function App that you have created.
- In the "Settings" section, click on "Authentication" and then click on "Add identity provider".
- In the "Choose a tenant for your application and its users" section, select "Workforce configuration (current tenant)".
- In the "App registration" section, you can either create a new app registration or select an existing app registration. If you want to create a new app registration, you can specify the app "Name" and select the "Supported account types" as "Current tenant - Single tenant".
- In the "App Service authentication settings" section, make sure that "Restrict access" is set to "Require authentication".
- In the "Unauthenticated requests" section, select "HTTP 401 Unauthorized: recommended for APIs".
- Click "Next" and then click "Add".
Here's a screenshot of the AAD OAuth2 configuration in the Azure portal:
Testing AAD OAuth2 Authentication
After configuring AAD OAuth2 authentication, you can test the Azure Function by navigating to the URL provided in the Azure portal. Since we chose to return HTTP 401 for unauthenticated requests, you should see an HTTP 401 Unauthorized response when accessing the Function URL without authentication.
Now, to authenticate and access the Azure Function, follow these steps:
Open a browser, preferably in incognito/in-private mode. We now need to build a specific URL that calls the Microsoft identity platform and authenticates. The whole URL below belongs on one line; it has been broken over multiple lines so it is easier to read.
https://login.microsoftonline.com/<Tenant ID>/oauth2/v2.0/authorize
?client_id=<Client ID>
&response_type=code
&redirect_uri=https%3A%2F%2F<Function Name>.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback
&response_mode=fragment
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read
&state=12345
Once you have the URL, paste it into the browser and press Enter. You will be redirected to the Microsoft login page. Enter your credentials and sign in. You will then be redirected to the Azure Function.
After successful authentication, you will be able to execute the Azure Function.
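As an added example (not code from the original post), here is an application-level check a Function can apply on top of the platform authentication configured above: App Service authentication (Easy Auth) validates the bearer token and forwards the caller's claims in the X-MS-CLIENT-PRINCIPAL header as base64-encoded JSON, and this handler only serves callers from the expected tenant whose app ID is on an allow-list. The tenant ID, the allow-listed app ID, and the v4-style request object with `headers.get()` are assumptions.

```javascript
// Added example, not from the original post. Easy Auth has already validated the bearer
// token and injects the caller's claims into X-MS-CLIENT-PRINCIPAL (base64-encoded JSON);
// this handler adds a second, application-level check on those claims (defence in depth).
// Assumed values: the tenant ID and the allow-listed client (app) IDs below.
const EXPECTED_TENANT = '00000000-0000-0000-0000-000000000000';
const ALLOWED_CALLERS = new Set(['11111111-1111-1111-1111-111111111111']);

// Decode the header into { auth_typ, name_typ, role_typ, claims: [{ typ, val }, ...] }.
// Anything that does not decode to that shape is treated as "no principal".
function parseClientPrincipal(headerValue) {
  if (!headerValue) return null;
  try {
    const principal = JSON.parse(Buffer.from(headerValue, 'base64').toString('utf8'));
    return principal && Array.isArray(principal.claims) ? principal : null;
  } catch {
    return null;
  }
}

// Value of the first claim of the given type, or undefined.
function claim(principal, type) {
  const found = principal.claims.find((c) => c.typ === type);
  return found ? found.val : undefined;
}

// Authorization decision: the caller must belong to our tenant and be an allow-listed app.
// v2.0 tokens carry the calling app ID in "azp"; v1.0 tokens use "appid".
function authorize(headerValue) {
  const principal = parseClientPrincipal(headerValue);
  if (!principal) return { ok: false, status: 401, reason: 'missing or malformed client principal' };
  if (claim(principal, 'tid') !== EXPECTED_TENANT) return { ok: false, status: 403, reason: 'wrong tenant' };
  const caller = claim(principal, 'azp') || claim(principal, 'appid');
  if (!ALLOWED_CALLERS.has(caller)) return { ok: false, status: 403, reason: 'caller not allow-listed' };
  return { ok: true, status: 200, caller };
}

// HTTP handler in the style of the Node.js v4 programming model (request.headers.get()).
async function pingHandler(request) {
  const decision = authorize(request.headers.get('x-ms-client-principal'));
  if (!decision.ok) return { status: decision.status, body: decision.reason };
  return { status: 200, body: `Hello, World! Caller: ${decision.caller}` };
}

// Constructed sample header, shaped as Easy Auth would inject it for an allow-listed caller.
const SAMPLE_HEADER = Buffer.from(JSON.stringify({
  auth_typ: 'aad', name_typ: 'name', role_typ: 'roles',
  claims: [{ typ: 'tid', val: EXPECTED_TENANT }, { typ: 'azp', val: '11111111-1111-1111-1111-111111111111' }],
})).toString('base64');
console.log(authorize(SAMPLE_HEADER)); // ok: true
```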
3. Creating a Sample Client App that Authenticates and Executes the Function
Now that we have configured the Azure Function to use AAD OAuth2, let's create a sample client app that authenticates and executes the function.
Designing the Client App
The client app will be a simple Node.js application that authenticates with AAD OAuth2 and calls the Azure Function.
Implementing Authentication
To implement authentication in the client app, use the following code:
const axios = require('axios');

// Replace these placeholders with your own values.
const clientId = 'YOUR_CLIENT_ID';
const clientSecret = 'YOUR_CLIENT_SECRET';
const tenantId = 'YOUR_TENANT_ID';
const functionUrl = 'YOUR_FUNCTION_URL';

// Obtain an access token with the OAuth2 client credentials grant.
// The token endpoint expects an application/x-www-form-urlencoded body,
// so the parameters are sent as URLSearchParams rather than as a JSON object.
const getToken = async () => {
  const tokenEndpoint = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
  const params = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret,
    // Default scope of the app registration that protects the Function.
    scope: `api://${clientId}/.default`,
  });
  const response = await axios.post(tokenEndpoint, params);
  return response.data.access_token;
};

// Call the Function, presenting the access token as a bearer token.
const callFunction = async () => {
  const token = await getToken();
  const response = await axios.get(functionUrl, {
    headers: {
      Authorization: `Bearer ${token}`,
    },
  });
  console.log(response.data);
};

callFunction().catch((err) => {
  // Show the HTTP status and body (e.g. a 401 from the Function or a token error).
  console.error(err.response ? `${err.response.status}: ${JSON.stringify(err.response.data)}` : err.message);
  process.exitCode = 1;
});
Replace the placeholders YOUR_CLIENT_ID, YOUR_CLIENT_SECRET, YOUR_TENANT_ID, YOUR_RESOURCE_NAME, and YOUR_FUNCTION_URL with your actual values.
In this code snippet, we are using the axios library to make HTTP requests to authenticate with AAD OAuth2 and call the Azure Function.
Conclusion
In this blog post, we explored how to create an Azure Function with OAuth2 authentication using Azure Active Directory (AAD). We also created a sample client app that authenticates and executes the function. This solution will help you secure your Azure Functions and build secure serverless applications. For more details, you can refer to the GitHub repository.