[Question title]: How to call Azure API Management endpoint from Azure Function App
[Posted]: 2021-10-20 18:23:37
[Question]:

The scenario is as follows:

An Azure Function needs to call Azure API Management, which in turn calls an endpoint of a service hosted on-premises.

What are the authentication requirements for the Function App to call this API Management instance? Is a JWT token required?

[Comments]:

  • I used a certificate. Add the certificate to the TLS/SSL settings. I use that certificate to create an SSL context, together with the APIM subscription key.

Tags: azure azure-functions azure-api-management


[Answer 1]:

You can use the validate-jwt policy to perform token/claim validation at the API Management level, and then use authentication-managed-identity to allow API Management to access the Azure Function.

Policy statements

<validate-jwt
    header-name="name of http header containing the token (use query-parameter-name attribute if the token is passed in the URL)"
    failed-validation-httpcode="http status code to return on failure"
    failed-validation-error-message="error message to return on failure"
    token-value="expression returning JWT token as a string"
    require-expiration-time="true|false"
    require-scheme="scheme"
    require-signed-tokens="true|false"
    clock-skew="allowed clock skew in seconds"
    output-token-variable-name="name of a variable to receive a JWT object representing successfully validated token">
  <openid-config url="full URL of the configuration endpoint, e.g. https://login.contoso.com/openid-configuration" />
  <issuer-signing-keys>
    <key>base64 encoded signing key</key>
    <!-- if there are multiple keys, then add additional key elements -->
  </issuer-signing-keys>
  <decryption-keys>
    <key>base64 encoded signing key</key>
    <!-- if there are multiple keys, then add additional key elements -->
  </decryption-keys>
  <audiences>
    <audience>audience string</audience>
    <!-- if there are multiple possible audiences, then add additional audience elements -->
  </audiences>
  <issuers>
    <issuer>issuer string</issuer>
    <!-- if there are multiple possible issuers, then add additional issuer elements -->
  </issuers>
  <required-claims>
    <claim name="name of the claim as it appears in the token" match="all|any" separator="separator character in a multi-valued claim">
      <value>claim value as it is expected to appear in the token</value>
      <!-- if there is more than one allowed values, then add additional value elements -->
    </claim>
    <!-- if there are multiple possible allowed values, then add additional value elements -->
  </required-claims>
</validate-jwt>

<authentication-managed-identity resource="resource" client-id="clientid of user-assigned identity" output-token-variable-name="token-variable" ignore-error="true|false"/>

You can refer to these articles:

  • Integrate Azure API Management with Azure Functions using Managed Identity and Active Directory Authentication
  • Securing Azure Functions using Azure AD JWT Bearer Token Authentication for User Access Tokens
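The validate-jwt policy above is declarative, so it helps to see the checks it stands for spelled out. The following is an added example, not code from the question, the answer, or Azure: a standard-library-only Python model of the policy's elements (issuer-signing-keys, audiences, issuers, required-claims with match="all|any", require-expiration-time and clock-skew). It signs a token with HS256 purely so there is input to validate; real API Management validates the RS256 tokens Azure AD issues against the openid-config endpoint. The key, issuer and audience strings, and the `demo` scenario, are constructed placeholders.

```python
"""Stdlib-only model of the checks APIM's validate-jwt policy performs.

Added example (not from the post or from Azure). HS256 is used only so the
sample token can be produced and verified offline; the key, issuer and
audience values are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (not real tenant, audience or key material)
DEMO_KEY = b"constructed-demo-signing-key"
DEMO_ISSUER = "https://login.example.test/tenant-placeholder/v2.0"
DEMO_AUDIENCE = "api://apim-backend-placeholder"


class ValidationError(Exception):
    """Maps to the policy's failed-validation-httpcode / error-message."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a signed HS256 token so the validator has something to check."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_jwt(token, signing_keys, audiences, issuers, required_claims=(),
                 require_expiration_time=True, clock_skew=0, now=None):
    """Return the validated claims, or raise ValidationError.

    required_claims: iterable of (name, allowed_values, "all"|"any"); a string
    claim is split on a space, like the policy's separator attribute.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValidationError("token is not three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # this model only understands HS256
        raise ValidationError(f"unsupported alg {header.get('alg')!r}")
    # require-signed-tokens: the MAC must match one of the configured keys
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    given_sig = _b64url_decode(sig_b64)
    if not any(hmac.compare_digest(hmac.new(k, signing_input, hashlib.sha256).digest(),
                                   given_sig) for k in signing_keys):
        raise ValidationError("signature does not match any issuer-signing-key")
    claims = json.loads(_b64url_decode(payload_b64))
    # require-expiration-time and clock-skew
    if "exp" in claims:
        if claims["exp"] + clock_skew < now:
            raise ValidationError("token expired")
    elif require_expiration_time:
        raise ValidationError("token has no exp claim")
    if "nbf" in claims and claims["nbf"] - clock_skew > now:
        raise ValidationError("token not yet valid")
    # audiences / issuers
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if not any(a in audiences for a in aud_list):
        raise ValidationError("audience not accepted")
    if claims.get("iss") not in issuers:
        raise ValidationError("issuer not accepted")
    # required-claims with match="all" or match="any"
    for name, allowed, match in required_claims:
        present = claims.get(name)
        if present is None:
            raise ValidationError(f"required claim {name!r} missing")
        values = set(present.split(" ")) if isinstance(present, str) else set(present)
        ok = set(allowed) <= values if match == "all" else bool(set(allowed) & values)
        if not ok:
            raise ValidationError(f"claim {name!r} does not satisfy match={match}")
    return claims


def _rejected(**kwargs) -> bool:
    try:
        validate_jwt(**kwargs)
        return False
    except ValidationError:
        return True


def demo(now: int = 1_700_000_000) -> dict:
    """Exercise the policy model on constructed tokens; returns pass/fail flags."""
    base = dict(signing_keys=[DEMO_KEY], audiences=[DEMO_AUDIENCE], issuers=[DEMO_ISSUER], now=now)
    claims = {"iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "exp": now + 600, "nbf": now - 60, "scp": "read write"}
    token = make_hs256_jwt(claims, DEMO_KEY)
    results = {"valid": validate_jwt(token, required_claims=[("scp", ["read"], "all")], **base)["aud"] == DEMO_AUDIENCE}
    # Payload edited after signing: signature check must fail
    h, _, s = token.split(".")
    tampered = f"{h}.{_b64url_encode(json.dumps(dict(claims, aud='api://other')).encode())}.{s}"
    results["tampered_rejected"] = _rejected(token=tampered, **base)
    expired = make_hs256_jwt(dict(claims, exp=now - 10), DEMO_KEY)
    results["expired_rejected"] = _rejected(token=expired, **base)
    results["skew_tolerated"] = not _rejected(token=expired, clock_skew=30, **base)
    other_aud = make_hs256_jwt(dict(claims, aud="api://other"), DEMO_KEY)
    results["wrong_audience_rejected"] = _rejected(token=other_aud, **base)
    results["missing_scope_rejected"] = _rejected(token=token, required_claims=[("scp", ["admin"], "any")], **base)
    return results


if __name__ == "__main__":
    print(demo())
```

Each key in the result of `demo()` corresponds to one policy element: a forged payload fails at issuer-signing-keys, a stale token fails at require-expiration-time unless clock-skew covers it, a token minted for another API fails at audiences, and a token without the expected scope fails at required-claims. In the real deployment, the Function App obtains its access token from Azure AD (for example via its managed identity) and API Management performs these checks before forwarding the request to the on-premises backend.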

[Discussion]:
