azure - How to call an Azure API Management endpoint from an Azure Function App
Question
The scenario is as follows:
An Azure Function needs to call Azure API Management, which in turn calls an endpoint of a service hosted on-premises.
What are the authentication requirements for the Function App to call this API Management instance? Does it need a JWT token?
Answer
You can use the validate-jwt policy to perform token/claim validation at the API Management level, and then use authentication-managed-identity to allow API Management to access the Azure Function.
Policy statement
<validate-jwt
    header-name="name of http header containing the token (use query-parameter-name attribute if the token is passed in the URL)"
    failed-validation-httpcode="http status code to return on failure"
    failed-validation-error-message="error message to return on failure"
    token-value="expression returning JWT token as a string"
    require-expiration-time="true|false"
    require-scheme="scheme"
    require-signed-tokens="true|false"
    clock-skew="allowed clock skew in seconds"
    output-token-variable-name="name of a variable to receive a JWT object representing successfully validated token">
  <openid-config url="full URL of the configuration endpoint, e.g. https://login.constoso.com/openid-configuration" />
  <issuer-signing-keys>
    <key>base64 encoded signing key</key>
    <!-- if there are multiple keys, then add additional key elements -->
  </issuer-signing-keys>
  <decryption-keys>
    <key>base64 encoded signing key</key>
    <!-- if there are multiple keys, then add additional key elements -->
  </decryption-keys>
  <audiences>
    <audience>audience string</audience>
    <!-- if there are multiple possible audiences, then add additional audience elements -->
  </audiences>
  <issuers>
    <issuer>issuer string</issuer>
    <!-- if there are multiple possible issuers, then add additional issuer elements -->
  </issuers>
  <required-claims>
    <claim name="name of the claim as it appears in the token" match="all|any" separator="separator character in a multi-valued claim">
      <value>claim value as it is expected to appear in the token</value>
      <!-- if there is more than one allowed values, then add additional value elements -->
    </claim>
    <!-- if there are multiple possible allowed values, then add additional value elements -->
  </required-claims>
</validate-jwt>

<authentication-managed-identity resource="resource" client-id="clientid of user-assigned identity" output-token-variable-name="token-variable" ignore-error="true|false"/>
You can refer to Integrating Azure API Management with Azure Functions using Managed Identities and Active Directory Authentication, and Securing Azure Functions using Azure AD JWT Bearer Token Authentication for User Access Tokens.
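The following is an added example of how the two policy statements above fit together in one inbound policy section; it is not from the original answer or from Microsoft's documentation. It assumes an Azure AD (Microsoft Entra ID) tenant, and uses placeholders for the tenant ID, the Application ID URI that API Management itself exposes to callers (the audience the Function App's token must carry), the Application ID URI of the backend Azure Function, and an app role name "Functions.Caller" that is purely illustrative. The caller's token is validated and then replaced by a token minted for API Management's own managed identity before the request goes to the backend.

```xml
<policies>
  <inbound>
    <base />
    <!-- Added example, not the original answer's code.
         Placeholders: TENANT_ID, APIM_APP_ID_URI, BACKEND_APP_ID_URI, Functions.Caller (hypothetical app role). -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                  require-scheme="Bearer"
                  require-expiration-time="true"
                  require-signed-tokens="true"
                  clock-skew="60"
                  output-token-variable-name="jwt">
      <!-- Signing keys are fetched from the tenant's OpenID Connect metadata, so no key material is embedded here -->
      <openid-config url="https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration" />
      <!-- Reject tokens issued for any other API, even if they come from the same tenant -->
      <audiences>
        <audience>api://APIM_APP_ID_URI</audience>
      </audiences>
      <issuers>
        <issuer>https://login.microsoftonline.com/TENANT_ID/v2.0</issuer>
      </issuers>
      <!-- Require an app role so that only identities explicitly assigned the role can call the API -->
      <required-claims>
        <claim name="roles" match="any">
          <value>Functions.Caller</value>
        </claim>
      </required-claims>
    </validate-jwt>
    <!-- Acquire a token for the backend using API Management's system-assigned managed identity;
         ignore-error="false" makes a token-acquisition failure fail the request instead of forwarding it unauthenticated -->
    <authentication-managed-identity resource="api://BACKEND_APP_ID_URI"
                                     output-token-variable-name="msi-token"
                                     ignore-error="false" />
    <!-- Overwrite the caller's Authorization header so the backend only ever sees APIM's identity -->
    <set-header name="Authorization" exists-action="override">
      <value>@("Bearer " + (string)context.Variables["msi-token"])</value>
    </set-header>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Two design points worth checking in a real deployment: the audience and issuer values must match exactly what Azure AD puts in the token (v1.0 and v2.0 endpoints produce different issuer strings and, for v1.0, the audience may be the Application ID URI rather than the client ID), and the backend Function should itself verify the token it receives rather than trusting that it can only be reached through API Management.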