How to secure Azure functions with OAuth for both humans and machines?
I have a functions app in azure that both a machine (client credential flow) and humans (authorization code flow) need to be able to authorize/authenticate against.
Initially I was using easy-auth, Azures out-of-the-box solution for securing functions apps. However according to this https://stackoverflow.com/a/57357226/7411328 it's not possible to use the client credentials flow with easy auth. Although I don't understand why this is. Why is it not possbile to use the same authority for two different flows with a single app registration?
Making the assumption (perhaps incorrectly) that the above is true and I have to implement JWT validation on my own.
Is there any reliable way to tell whether an API is being called by a machine or by a human?
Should I still do it with two seperate app registrations?
My understanding of these technologies might inadequate to properly ask the question, please let me know if I can do anything to clarify the question.
As far as I know, you can use client credentials flow to call an Azure function that protected by easy-auth(AAD as auth provider).Generally ,you can try the steps below :
- Register an Azure AD App
- Getting an access token from Azure AD by request below :
URL:
POST https://login.microsoftonline.com/<your tenant ID/name>/oauth2/token
Header:
Content-Type: application/x-www-form-urlencoded
Body:
client_id=<your new resistered app ID>&
client_secret=<your new resistered app secret>&
resource=<your Azure function app ID which configed at easy-auth>&
grant_type=client_credentials
Result:
Use this access token to call Azure function :
If you are using Azure AD b2c , pls provide me with more detailed infos , and I'll do some research for you .
- How to get the GitLab userid in a Python app that uses GitLab as an Oauth provider?
- Upload Video to Vimeo in Objective-C on iPhone
- What is the purpose of the "access_token=" parameter when downloading a file from Google Drive?
- portainer keycloak 20 oauth login "unauthorized" / "Unable to login via OAuth"
- oAuth style NSURLRequst with image
- Pinterest OAuth API not redirecting?
- Spring boot Jwt signed with RS256
- How to get refresh token for "Sign In With Google"
- Google OAuth HTTP API iOS
- Laravel Passport Password Grant - Client authentication failed
- How do I authorize a facebook application? PHP
- How do refresh tokens work in an OAuth flow?
- Tumblr reblog (TMTumblrSDK) return 401 error
- Facebook Graph API question
- How do you change the name of the GoogleOauth2 omniauth provider name?
- How can I download a single raw file from a private github repo using the command line?
- How to use OAuth signature_type in Apps Script?
- Understanding client_id and client_secret
- Role based authorization using Keycloak and .NET core
- How to protect Open xpage REST API using Azure OAuth or Azure API Gateway
- What is the difference between OAuth based and Token based authentication?
- Facebook login message: "URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings."
- Google OAuth (DRF + Djoser) "Invalid state has been provided." after POST request with state and code
- How to validate an OAuth 2.0 access token for a resource server?
- Firebase Auth with Google as an IdP expires ID token frequently and why?
- What's the point of refresh token?
- Electron Google Login: "This browser or app may not be secure"
- What is the purpose of authorization code in OAuth
- How to securely store access token and secret in Android?
- User.Identity.IsAuthenticated is false in a non-auth methods after successful login in asp.net core