How to secure Azure functions with OAuth for both humans and machines?
I have a functions app in azure that both a machine (client credential flow) and humans (authorization code flow) need to be able to authorize/authenticate against.
Initially I was using easy-auth, Azures out-of-the-box solution for securing functions apps. However according to this https://stackoverflow.com/a/57357226/7411328 it's not possible to use the client credentials flow with easy auth. Although I don't understand why this is. Why is it not possbile to use the same authority for two different flows with a single app registration?
Making the assumption (perhaps incorrectly) that the above is true and I have to implement JWT validation on my own.
Is there any reliable way to tell whether an API is being called by a machine or by a human?
Should I still do it with two seperate app registrations?
My understanding of these technologies might inadequate to properly ask the question, please let me know if I can do anything to clarify the question.
As far as I know, you can use client credentials flow to call an Azure function that protected by easy-auth(AAD as auth provider).Generally ,you can try the steps below :
- Register an Azure AD App
- Getting an access token from Azure AD by request below :
URL:
POST https://login.microsoftonline.com/<your tenant ID/name>/oauth2/token
Header:
Content-Type: application/x-www-form-urlencoded
Body:
client_id=<your new resistered app ID>&
client_secret=<your new resistered app secret>&
resource=<your Azure function app ID which configed at easy-auth>&
grant_type=client_credentials
Result:
Use this access token to call Azure function :
If you are using Azure AD b2c , pls provide me with more detailed infos , and I'll do some research for you .
- How to store sensitive data in React Native or expo code ? ( with Keychain and Keystore )
- Using basic oauth to send a tweet
- Spring Boot redirection back to login page
- Unsuccessful using OAuth 2 access token to send emails via Gmail
- Logging in users with API built in laravel
- LinkedIn API: The token used in the OAuth request has been revoked
- How to get LinkedIn access token in iOS to call API?
- OAuth Client Credential Flow - Refresh Tokens
- AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'
- ServiceStack JWT Refresh token uses Session identifier when used with OAuth AuthProvider
- EXPO AuthSession returns dismiss on Android device
- Threads Meta API/Auth Callback URLs
- Is storing an OAuth token in cookies bad practice?
- Firebase credentials as Python environment variables: Could not deserialize key data
- Azure Authenticatication Flow in a Desktop App (WinForms C#)
- Check OAuth Facebook token from iOS client on server/API
- Role based authorization using Keycloak and .NET core
- Amazon Cognito: How to stop getting "redirect_mismatch" error when redirecting from browser to Android app
- How to use SHA256-HMAC in python code?
- Facebook OAuth "The domain of this URL isn't included in the app's domain"
- How get config file values in other config file - Laravel 5
- Snowflake custom OAuth not working with invalid_client error
- How to Locate and Customize the OAuth Implicit Flow Redirect Screen?
- Keycloak - Assign a client scope to user with a specific role
- Implementing a dynamic OAuthBearerServerOptions AccessTokenExpireTimeSpan value from data store
- How to call an OAuth API once I have the access_token and refresh_token
- React App on Azure (Windows) Web App Not Reading Environment Variables for Auth0
- OAuth2 WebApi Token Expiration
- Origin is "not allowed" for given client ID when origin was added
- Angular CORS Error When Following Backend Redirect for OAuth2 Logout