Accessing Azure Function App Protected By MS Entra Id From Another Client App using Client Credentials Flow
I am very new to working with Azure Entra Id.
I have an Azure Function app containing Http triggered functions. I need to protect the function app by Entra Id and access it from client app in non interactive mode (client credentials flow)
I have created an App registration in Entra Id and using it to enable the Function App Authentication. I have exposed an API from the registered app. I got all the details like ClientId, Client Secret, Object Id, Scopes, Auth endpoint, Token endpoint.
With all these I am easily able to get the access token using postman with Client Credentials Flow and access the Functions.
Now my doubt is, I have created only one app registration and in the Function app Authenticate, hooked that App registration. I have not created any separate App registration for the client app. But everywhere including MS documentation, I see we need to create two different App registration for client credentials flow, one for the function app and another for the client app. I am not understanding what is the reason to create two different app registration? What is the point I am missing out here?
Note that: If you want to protect the client application, then you must create two Azure AD applications. This ensures more security and helps to prevent unauthorized access to your resources.
- You can create one client application also to access Azure Function API.
- If you want to protect the client app from the user or not to keep it open, you can create two applications based on your requirement.
I created an Azure AD Function app like below:
In Azure AD application added API permissions (created only one app):
Generated access token via Postman:
Using the above access token, I am able to access function api:
GET https://testrukfunctapp1.azurewebsites.net/api/HttpTrigger1
x-functions-key : FunctionURLCodeValue
Content-Type : application/json
- If you want to create two applications, the Expose the API in Client application.
- Then grant the API permission in the other application not the actual client application.
- Maven repository with OAuth2 (or any other HTTP header authentification)
- How to validate an OAuth 2.0 access token for a resource server?
- How to integrate FitBit Api in IOS app using Swift
- What's the point of refresh token?
- Xero API Authentication - Building the Authentication App using C#, ASP.NET Core MVC
- Migrating from validate-jwt to validate-azure-ad-token policy
- What is the purpose of authorization code in OAuth
- JWT validation failure error in azure apim
- How to authenticate resource owner with JWT when sending request to /oauth2/authorize?
- Some scopres missing from Google Gmail API oAuth Consent Flow
- passport-oauth2 client how to use profile data received
- Microsoft as OAuth2 provider for personal accounts does not issue JWT access tokens
- How access Azure APIs
- Chrome identity launchWebAuthFlow only opens empty callback page
- Limiting the scopes of an OAuth 2.0 flow
- Is Endpoint Security Authentication in WSO2 APIM Done per API or per request?
- Why do i need to specify redirect_uri if i am authenticating from server side?
- Error 400: invalid_scope with Postman and Google OAuth2
- Issues Adding SMTP.Send Permission to Azure Application for Office 365 SMTP
- PHP - How to get OAuth 2.0 Token
- UPS Outh Rating API return Invalid Authentication Information
- How to store sensitive data in React Native or expo code ? ( with Keychain and Keystore )
- How to get Optum sandbox to authenticate with OAuth 2.0 using Java and okhttp
- Spring Boot redirection back to login page
- New Google place api using google OAuth, ask failed to refresh token
- Authentication Problems using Google's ARCore API
- Getting OAuth code challenge on loopback server
- How do I solve audience (aud) invalid claim error for downstream api service?
- oauth 2 parameters can only have a single value: scope
- #oauth2 security expressions on method level