muralidharand/AzureFunctionsSecurity

Azure Functions Security

Azure Functions Security

Blogs

• Securing Azure Functions using API Keys
• Securing Azure Functions using Certificate authentication
• Securing Azure Functions using an Azure Virtual Network
• Securing Azure Key Vault inside a VNET and using from an Azure Function
• Securing Azure Functions using Azure AD JWT Bearer token authentication for user access tokens

History

2021-03-07 Update packages and using DefaultAzureCredential for Azure Key vault access, Microsoft.Identity.Web to 1.7.0

2020-10-25 Updated Microsoft.Identity.Web to 1.2.0, Updated Nuget packages

2020-09-30 Updated Microsoft.Identity.Web to 1.0.0

2020-09-19 Updated Azure Functions configurations to recommended way

2020-09-19 Added Azure Function oauth security example user access tokens

2020-09-10 Added Azure Function network security example

2020-09-01 Added Certificate authentication for Azure Functions

Testing

Azure Functions API keys , AuthorizationLevel.Anonymous

Azure

https://functionssecurity.azurewebsites.net/api/RandomStringAuthLevelAdmin

https://functionssecurity.azurewebsites.net/api/RandomStringAuthLevelAnonymous

https://functionssecurity.azurewebsites.net/api/RandomStringAuthLevelFunc

Local

http://localhost:7071/api/RandomStringAuthLevelAdmin

http://localhost:7071/api/RandomStringAuthLevelAnonymous

http://localhost:7071/api/RandomStringAuthLevelFunc

Functions Certificate

Azure

https://functioncertificate20200829215001.azurewebsites.net/api/randomString

Links

https://docs.microsoft.com/en-us/azure/azure-functions/security-concepts

https://docs.microsoft.com/en-us/aspnet/core/security/authentication/certauth

https://damienbod.com/2019/06/13/certificate-authentication-in-asp-net-core-3-0/

https://damienbod.com/2019/09/07/using-certificate-authentication-with-ihttpclientfactory-and-httpclient/

https://github.com/dotnet/aspnetcore/blob/master/src/Security/Authentication/Certificate/src/CertificateAuthenticationHandler.cs

https://stackoverflow.com/questions/27307322/verify-server-certificate-against-self-signed-certificate-authority

https://stackoverflow.com/questions/24107374/ssl-certificate-not-in-x509store-when-uploaded-to-azure-website#34719216

https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth#access-client-certificate

Links Azure Networking / Application Gateway

https://docs.microsoft.com/en-us/azure/virtual-network/

https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-restrict-network-access-to-resources

https://docs.microsoft.com/en-us/azure/virtual-network/quickstart-create-nat-gateway-portal

http://www.subnet-calculator.com/

https://www.youtube.com/watch?v=8Wh6ZXf8LK8

OpenID Connect Azure AD

https://cmatskas.com/create-an-azure-ad-protected-api-that-calls-into-cosmosdb-with-azure-functions-and-net-core-3-1/

https://anthonychu.ca/post/azure-functions-app-service-openid-connect-auth0/

https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-openid-connect

Azure/azure-functions-vs-build-sdk#397

https://blog.wille-zone.de/post/secure-azure-functions-with-jwt-token/#secure-azure-functions-with-jwt-access-tokens

https://github.com/AzureAD/microsoft-identity-web

https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2

https://jwt.io/