
Use managed identity for authentication among Azure App Service/Functions


Presentation slides used in JDConf 2022.

Akihiro Nishikawa

May 16, 2023


Transcript

  1. Type
     System assigned
     • Created as part of an Azure resource (for example, Azure Virtual Machines or Azure App Service).
     • Shares its life cycle with the Azure resource that the managed identity is created with.
     User assigned
     • Created as a stand-alone Azure resource.
     • Independent life cycle. Must be explicitly deleted.
  2. Benefits of managed identities
     • No credential management.
     • Credentials aren't even accessible to you.
     • Managed identities can be used to authenticate to any resource that supports Azure AD authentication, including your own applications.
     • No additional cost.
  4. Prerequisites
     [Caller] A managed identity is enabled for each calling application.
     [Callee] Azure AD authentication is enabled on each called application.
  5. Caller
     In the case of C#, you can obtain a bearer token like this (C#):

         using System.Net.Http;
         using System.Net.Http.Headers;
         using Microsoft.Azure.Services.AppAuthentication;

         // audienceId: Application ID of the Function/App Service to be called.
         string audienceId = "<Application ID>";
         // AzureServiceTokenProvider uses the managed identity when running in Azure.
         string accessToken = await new AzureServiceTokenProvider()
             .GetAccessTokenAsync(audienceId);
         // Attach the token to outgoing requests as an OAuth 2.0 bearer token.
         var httpClient = new HttpClient();
         httpClient.DefaultRequestHeaders.Authorization =
             new AuthenticationHeaderValue("Bearer", accessToken);
  6. Caller
     In the case of Java, we can obtain a bearer token like this (Java):

         import com.azure.core.credential.AccessToken;
         import com.azure.core.credential.TokenRequestContext;
         import com.azure.identity.DefaultAzureCredential;
         import com.azure.identity.DefaultAzureCredentialBuilder;

         // Scope: api://{Application ID}/{scope string}
         // Application ID: Application ID of the Function/App Service to be called.
         TokenRequestContext tokenRequestContext =
             new TokenRequestContext().addScopes("api://<Application ID>/<scope>");
         // Use DefaultAzureCredential so the same code works for local tests as well as in Azure.
         DefaultAzureCredential defaultAzureCredential = new DefaultAzureCredentialBuilder().build();
         String accessToken = defaultAzureCredential.getToken(tokenRequestContext)
             .map(AccessToken::getToken)
             .block();
  7. Caller
     We can also use ManagedIdentityCredential (Java):

         import com.azure.core.credential.AccessToken;
         import com.azure.core.credential.TokenRequestContext;
         import com.azure.identity.DefaultAzureCredential;
         import com.azure.identity.DefaultAzureCredentialBuilder;
         import com.azure.identity.ManagedIdentityCredential;
         import com.azure.identity.ManagedIdentityCredentialBuilder;

         // Scope: api://{Application ID}/{scope string}
         // Application ID: Application ID of the Function/App Service to be called.
         TokenRequestContext tokenRequestContext =
             new TokenRequestContext().addScopes("api://<Application ID>/<scope>");
         // Use DefaultAzureCredential so the same code works for local tests as well as in Azure.
         DefaultAzureCredential defaultAzureCredential = new DefaultAzureCredentialBuilder().build();
         String accessToken = defaultAzureCredential.getToken(tokenRequestContext)
             .map(AccessToken::getToken)
             .block();
         // ManagedIdentityCredential is also applicable: only the managed identity is used,
         // with no fallback to other credential sources.
         ManagedIdentityCredential managedIdentityCredential = new ManagedIdentityCredentialBuilder().build();
         String miAccessToken = managedIdentityCredential.getToken(tokenRequestContext)
             .map(AccessToken::getToken)
             .block();
  8. Callee
     • Authentication
     • JWT token verification
     <Note> In the case of Java, HTTP header keys are all in lowercase letters (no uppercase letter is contained).
  9. Benefits
     Not only
     • Password-less authentication
     • Caller applications can be implemented like typical OAuth 2.0 client applications
     But also
     • Callee applications can delegate authentication to Azure AD and don't have to implement the authenticator themselves.
     • As access tokens contain caller information, JWT verification allows us to filter out requests from unexpected callers.
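Slides 8 and 9 describe the callee side: verify the JWT and use the caller information it carries to reject requests from unexpected callers, remembering that the Java worker hands over header keys in lowercase. The following is an added example (not code from the slides or from the Azure SDK) that shows that check in Python: a case-insensitive Authorization header lookup, signature and issuer/audience/validity checks, and an allow-list on the caller's application ID (`azp` in v2 tokens, `appid` in v1 tokens). The audience, issuer, allowed caller IDs and the signing secret are constructed placeholders; the token is built with HMAC-SHA256 only so the signature step runs offline, whereas real Azure AD tokens are RS256-signed and must be verified against the tenant's JWKS (or left to App Service authentication, which forwards the validated claims).

```python
"""Callee-side bearer token check (added example; constructed inputs)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed placeholders (assumptions for this example): the callee's own
# Application ID URI, the tenant's token issuer, and the Application IDs of
# the callers that are allowed to invoke this app.
AUDIENCE = "api://00000000-0000-0000-0000-00000000aaaa"
ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"
ALLOWED_CALLERS = {"11111111-1111-1111-1111-111111111111"}
# Stand-in for the RS256 key: the example signs its constructed token with
# HMAC-SHA256 so the signature check can run offline.
TEST_SECRET = b"example-only-shared-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_test_token(claims: dict, secret: bytes = TEST_SECRET) -> str:
    """Build a constructed HS256 JWT for the example (not an Azure AD token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; the Java worker delivers keys in lowercase."""
    lowered = {key.lower(): value for key, value in headers.items()}
    return lowered.get(name.lower())


def verify_request(headers: Dict[str, str], now: Optional[float] = None,
                   secret: bytes = TEST_SECRET) -> Tuple[bool, str]:
    """Return (accepted, reason) for an incoming request's headers."""
    now = time.time() if now is None else now
    auth = get_header(headers, "Authorization")
    if not auth or not auth.startswith("Bearer "):
        return False, "missing bearer token"
    token = auth[len("Bearer "):]
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return False, "malformed token"
    # Pin the algorithm; in production expect RS256 and fetch the key from JWKS.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if claims.get("aud") != AUDIENCE:
        return False, "wrong audience"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "token not valid at this time"
    # The caller's application ID: "azp" in v2 tokens, "appid" in v1 tokens.
    caller = claims.get("azp") or claims.get("appid")
    if caller not in ALLOWED_CALLERS:
        return False, f"unexpected caller {caller}"
    return True, f"caller {caller} accepted"


if __name__ == "__main__":
    now = time.time()
    token = make_test_token({"iss": ISSUER, "aud": AUDIENCE, "nbf": now - 60,
                             "exp": now + 3600, "azp": next(iter(ALLOWED_CALLERS))})
    # Header key in lowercase, as the Java worker would present it.
    print(verify_request({"authorization": "Bearer " + token}))
```

The allow-list check is what turns "any token from our tenant" into "only the Functions and App Services we expect", which is the filtering slide 9 refers to; everything before it is the standard JWT validation that App Service authentication performs for you when it is enabled.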
  10. Key takeaways
      • Managed identities can be used not only for RBAC but also for authentication.
      • A password-less authentication scheme frees us from credential management.
      • When using a managed identity in Functions/App Services, we can add the bearer token obtained through the managed identity to the Authorization header, like an OAuth 2.0 and OIDC client.