How to call an Azure API Management endpoint from an Azure Function App

Problem description

The scenario is as follows:

An Azure Function needs to call Azure API Management, which in turn calls an endpoint of a service hosted on-premises.

What are the authentication requirements for the Function App to call this API Management instance? Does it need a JWT token?

Tags: azure, azure-functions, azure-api-management

Solution

You can perform token/claim validation at the API Management level with the validate-jwt policy, and then use authentication-managed-identity to allow API Management to access the Azure Function.

Policy statement

<validate-jwt
    header-name="name of http header containing the token (use query-parameter-name attribute if the token is passed in the URL)"
    failed-validation-httpcode="http status code to return on failure"
    failed-validation-error-message="error message to return on failure"
    token-value="expression returning JWT token as a string"
    require-expiration-time="true|false"
    require-scheme="scheme"
    require-signed-tokens="true|false"
    clock-skew="allowed clock skew in seconds"
    output-token-variable-name="name of a variable to receive a JWT object representing successfully validated token">
  <openid-config url="full URL of the configuration endpoint, e.g. https://login.constoso.com/openid-configuration" />
  <issuer-signing-keys>
    <key>base64 encoded signing key</key>
    <!-- if there are multiple keys, then add additional key elements -->
  </issuer-signing-keys>
  <decryption-keys>
    <key>base64 encoded decryption key</key>
    <!-- if there are multiple keys, then add additional key elements -->
  </decryption-keys>
  <audiences>
    <audience>audience string</audience>
    <!-- if there are multiple possible audiences, then add additional audience elements -->
  </audiences>
  <issuers>
    <issuer>issuer string</issuer>
    <!-- if there are multiple possible issuers, then add additional issuer elements -->
  </issuers>
  <required-claims>
    <claim name="name of the claim as it appears in the token" match="all|any" separator="separator character in a multi-valued claim">
      <value>claim value as it is expected to appear in the token</value>
      <!-- if there is more than one allowed values, then add additional value elements -->
    </claim>
    <!-- if there are multiple required claims, then add additional claim elements -->
  </required-claims>
</validate-jwt>

<authentication-managed-identity resource="resource" client-id="clientid of user-assigned identity" output-token-variable-name="token-variable" ignore-error="true|false"/>

You can refer to Integrate Azure API Management with Azure Functions using Managed Identity and Active Directory authentication and to Securing Azure Functions using Azure AD JWT Bearer token authentication for user access tokens.
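A concrete inbound policy that puts the two statements from the answer together, added here as an illustration; it is not part of the original answer or of Microsoft's documentation. It assumes an Azure AD tenant, an App ID URI `api://my-apim-api` registered for the API that API Management exposes, an app role `Orders.Read` assigned to the Function App's identity, and the client ID of the backend Function App's Azure AD app registration. The tenant ID and backend client ID are read from API Management named values (`{{tenant-id}}`, `{{backend-app-id}}`); all of these names are placeholders.

```xml
<policies>
  <inbound>
    <base />
    <!-- 1. Only accept callers that present a signed, unexpired Azure AD token
         issued by our tenant, for our audience, carrying the Orders.Read role.
         {{tenant-id}} is an assumed API Management named value. -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                  require-expiration-time="true"
                  require-scheme="Bearer"
                  require-signed-tokens="true"
                  clock-skew="60"
                  output-token-variable-name="caller-jwt">
      <openid-config url="https://login.microsoftonline.com/{{tenant-id}}/v2.0/.well-known/openid-configuration" />
      <audiences>
        <!-- App ID URI of the app registration that represents this API (assumed) -->
        <audience>api://my-apim-api</audience>
      </audiences>
      <issuers>
        <issuer>https://login.microsoftonline.com/{{tenant-id}}/v2.0</issuer>
      </issuers>
      <required-claims>
        <!-- match="any": at least one listed role must appear in the token -->
        <claim name="roles" match="any">
          <value>Orders.Read</value>
        </claim>
      </required-claims>
    </validate-jwt>
    <!-- 2. Obtain a token for the backend using API Management's own managed identity.
         resource is the client ID (or App ID URI) of the backend Function App's
         Azure AD app registration; {{backend-app-id}} is an assumed named value.
         ignore-error="false" fails the request if no token can be acquired. -->
    <authentication-managed-identity resource="{{backend-app-id}}"
                                     output-token-variable-name="msi-access-token"
                                     ignore-error="false" />
    <!-- 3. Replace the caller's Authorization header so the backend receives the
         managed-identity token, not the caller's token. -->
    <set-header name="Authorization" exists-action="override">
      <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
    </set-header>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Two checks before relying on this: the authentication-managed-identity statement only works if the API Management instance has a system-assigned or user-assigned managed identity enabled (add client-id for a user-assigned one), and the backend Function App must have Azure AD authentication configured to accept tokens for that identity, otherwise the token is issued but rejected. On the calling side, the Function App obtains its token for the scope `api://my-apim-api/.default` with its own managed identity and sends it in the Authorization header; the subscription key, if the API requires one, is a separate header and does not replace the JWT.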

