

Use managed identity for authentication among Azure App Service/Functions

Presentation slides used in JDConf 2022.


Akihiro Nishikawa

May 16, 2023


Transcript

  1. Types
     System assigned
     • Created as part of an Azure resource (for example, Azure Virtual Machines or Azure App Service).
     • Shared life cycle with the Azure resource that the managed identity is created with.
     User assigned
     • Created as a stand-alone Azure resource.
     • Independent life cycle. Must be explicitly deleted.
  2. Benefits of managed identities
     • No credential management.
     • Credentials aren’t even accessible to you.
     • Managed identities can be used to authenticate to any resource that supports Azure AD authentication, including your own applications.
     • No additional cost.
  4. Prerequisites
     [Caller] A managed identity is enabled for each application.
     [Callee] Azure AD authentication is enabled on each application.
  5. Caller
     In C#, you can obtain a bearer token like this:

```csharp
using System.Net.Http;
using Microsoft.Azure.Services.AppAuthentication;

// audienceId: Function/App Service’s Application ID to be called.
string audienceId = "<Application ID>";
string accessToken = await new AzureServiceTokenProvider()
    .GetAccessTokenAsync(audienceId);

// Attach the token to outgoing requests as an OAuth 2.0 bearer token.
var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization =
    new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", accessToken);
```
  6. Caller
     In Java, we can obtain a bearer token like this:

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;

// Scope: api://{Application ID}/{scope string}
// Application ID: Function/App Service’s Application ID to be called.
TokenRequestContext tokenRequestContext =
    new TokenRequestContext().addScopes("api://<Application ID>/<scope>");

// Use DefaultAzureCredential if doing tests in a local environment as well as on Azure.
DefaultAzureCredential defaultAzureCredential = new DefaultAzureCredentialBuilder().build();
String accessToken = defaultAzureCredential.getToken(tokenRequestContext)
    .map(AccessToken::getToken).block();
```
  7. Caller
     We can also use ManagedIdentityCredential.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.identity.ManagedIdentityCredential;
import com.azure.identity.ManagedIdentityCredentialBuilder;

// Scope: api://{Application ID}/{scope string}
// Application ID: Function/App Service’s Application ID to be called.
TokenRequestContext tokenRequestContext =
    new TokenRequestContext().addScopes("api://<Application ID>/<scope>");

// Use DefaultAzureCredential if doing tests in a local environment as well as on Azure.
DefaultAzureCredential defaultAzureCredential = new DefaultAzureCredentialBuilder().build();
String accessToken = defaultAzureCredential.getToken(tokenRequestContext)
    .map(AccessToken::getToken).block();

// ManagedIdentityCredential is also applicable (only works when running on Azure).
ManagedIdentityCredential managedIdentityCredential = new ManagedIdentityCredentialBuilder().build();
String miAccessToken = managedIdentityCredential.getToken(tokenRequestContext)
    .map(AccessToken::getToken).block();
```
  8. Callee
     • Authentication
     • JWT token verification
     <Note> In Java, HTTP header keys are all lowercase letters (no uppercase letter is contained).
  9. Benefits
     Not only
     • Password-less authentication
     • Caller applications can be implemented like typical OAuth 2.0 client applications
     But also
     • Callee applications can delegate authentication to Azure AD and don’t have to implement the authenticator.
     • As access tokens contain caller information, JWT verification allows us to filter out requests from unexpected callers.
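The following is an added example (not from the slides) of the callee side of slides 8 and 9: reading the bearer token from a lowercase `authorization` header, verifying the JWT, and then filtering on the caller identity carried in the token. It assumes the Nimbus JOSE+JWT library is on the classpath; the issuer, audience and application IDs are placeholders, and the signing key is generated locally as a stand-in for Azure AD so the program runs offline (in a deployed app the `JWKSource` would point at the tenant's published signing keys instead).

```java
import java.util.Date;
import java.util.Map;
import java.util.Set;

import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

public class CalleeTokenCheck {

    // Placeholders (constructed for this example, not real tenant or application IDs).
    static final String ISSUER = "https://sts.windows.net/<tenant-id>/";
    static final String AUDIENCE = "api://<callee-application-id>";
    // Allow-list of caller managed identities / app registrations permitted to call us.
    static final Set<String> ALLOWED_CALLERS = Set.of("<caller-app-id-1>");

    /** Header names arrive in lowercase (see slide 8), so look up "authorization". */
    static String bearerFrom(Map<String, String> headers) {
        String value = headers.get("authorization");
        if (value == null || !value.regionMatches(true, 0, "Bearer ", 0, 7)) {
            throw new SecurityException("missing bearer token");
        }
        return value.substring(7).trim();
    }

    /** Verifies signature, issuer, audience and expiry, then the caller allow-list. */
    static JWTClaimsSet verify(String token, JWKSource<SecurityContext> keys) throws Exception {
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keys));
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                AUDIENCE,                                           // required "aud"
                new JWTClaimsSet.Builder().issuer(ISSUER).build(),  // exact-match "iss"
                Set.of("exp")));                                    // "exp" must be present (and not past)
        JWTClaimsSet claims = processor.process(token, null);

        // v1 tokens carry the caller's application ID in "appid", v2 tokens in "azp".
        String caller = claims.getStringClaim("appid");
        if (caller == null) caller = claims.getStringClaim("azp");
        if (caller == null || !ALLOWED_CALLERS.contains(caller)) {
            throw new SecurityException("unexpected caller: " + caller);
        }
        return claims;
    }

    // --- Demo scaffolding: a locally generated key stands in for Azure AD's signing key. ---

    static String sign(RSAKey key, String appid, String audience) throws Exception {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer(ISSUER).audience(audience).claim("appid", appid)
                .expirationTime(new Date(System.currentTimeMillis() + 600_000))
                .build();
        SignedJWT jwt = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS256)
                .keyID(key.getKeyID()).type(JOSEObjectType.JWT).build(), claims);
        jwt.sign(new RSASSASigner(key));
        return jwt.serialize();
    }

    public static void main(String[] args) throws Exception {
        RSAKey key = new RSAKeyGenerator(2048).keyID("demo-kid").generate();
        JWKSource<SecurityContext> jwks = new ImmutableJWKSet<>(new JWKSet(key.toPublicJWK()));

        // Request from an allow-listed caller: accepted.
        Map<String, String> headers = Map.of("authorization", "Bearer " + sign(key, "<caller-app-id-1>", AUDIENCE));
        System.out.println("accepted caller: " + verify(bearerFrom(headers), jwks).getStringClaim("appid"));

        // Valid signature but unexpected caller, and a token minted for a different audience: both rejected.
        String[] rejected = { sign(key, "<some-other-app-id>", AUDIENCE), sign(key, "<caller-app-id-1>", "api://<other-api>") };
        for (String t : rejected) {
            try {
                verify(t, jwks);
                System.out.println("UNEXPECTED: token accepted");
            } catch (BadJOSEException | SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

When Azure AD authentication is enabled on the callee (the prerequisite on slide 4), the platform already performs the signature, issuer and audience checks before the request reaches the app; the caller allow-list in `verify` is the part the application itself adds to turn "authenticated by Azure AD" into "authorized for this API".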
  10. Key takeaways
     • Managed identities can be used not only for RBAC but also for authentication.
     • A password-less authentication scheme frees us from credential management.
     • When using a managed identity in Functions/App Service, we can add the bearer token obtained from the managed identity to the Authorization header, like an OAuth 2.0 or OIDC client.