azureoauth-2.0azure-functionseasy-auth

How to call a protected API from an Azure Function App using the identity of the authenticated caller (Service Principal) to the Function App?


I have a Node.js Azure Function App with a User Assigned Managed Identity. The Function App is configured to use the App Service-provided authentication mechanism ("EasyAuth") to authenticate incoming connections using AAD. The "Restrict Access" setting is set to "Require Authentication", so only authenticated connections will reach my code. The Function App uses its User Assigned Managed Identity to do some calls to the Azure Resource Manager.

The above all works just fine. What I would like to do on top of this is to do some additional calls to the Azure Resource Manager, but this time using the identity of the caller to the Function App. If I understand everything correctly, this scenario would be a prime candidate for the OAuth 2.0 On-Behalf-Of flow. Unfortunately, according to that page "The OBO flow only works for user principals at this time." Since the callers to my Function App will primarily be Service Principals, the OBO flow doesn't seem to be a solution here. I don't know how else to approach this.

So, how can I access a protected API from my Function App with the identity of the authenticated user to the Function App, where that user is a Service Principal instead of a User Principal?


Solution

  • Unless there is a feature that I'm unaware of, a service principal cannot get an access token on behalf of another service principal.

    The only way that I can think of that would work for this would be for the client application to send the ARM API token along with the request so your Function can use that.