shantanu ghosh

Reputation: 91

Accessing Azure Function App Protected By MS Entra Id From Another Client App using Client Credentials Flow

I am very new to working with Azure Entra Id.

I have an Azure Function app containing HTTP-triggered functions. I need to protect the function app with Entra Id and access it from a client app in non-interactive mode (client credentials flow).

I have created an App registration in Entra Id and am using it to enable the Function App Authentication. I have exposed an API from the registered app. I got all the details like ClientId, Client Secret, Object Id, Scopes, Auth endpoint, Token endpoint.

With all these I am easily able to get the access token using postman with Client Credentials Flow and access the Functions.

Now my doubt is: I have created only one app registration and, in the Function app Authentication, hooked up that App registration. I have not created any separate App registration for the client app. But everywhere, including the MS documentation, I see we need to create two different App registrations for the client credentials flow, one for the function app and another for the client app. I do not understand what the reason is to create two different App registrations. What is the point I am missing here?

Upvotes: 2

Views: 1849

Answers (1)

Rukmini

Reputation: 15444

Note that if you want to protect the client application, then you must create two Azure AD applications. This ensures more security and helps to prevent unauthorized access to your resources.

  • You can also create just one client application to access the Azure Function API.
  • If you want to protect the client app from the user, or not keep it open, you can create two applications based on your requirement.

I created an Azure AD Function app like below:


In Azure AD application added API permissions (created only one app):


Generated access token via Postman:


Using the above access token, I am able to access function api:

GET https://testrukfunctapp1.azurewebsites.net/api/HttpTrigger1

x-functions-key : FunctionURLCodeValue
Content-Type : application/json


  • If you want to create two applications, then Expose the API in the API (server) application.
  • Then grant the API permission in the other application, not in the actual API application.

Upvotes: 1
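Added worked example (not part of either post above): a Python sketch of the flow the question and answer describe, with the client side building the v2.0 client-credentials token request against the API registration's App ID URI, and the resource side checking the `aud` and `azp` claims, which is what separating the Function app's registration from the client's registration buys you: the API can tell which client called it. Tenant and app IDs are placeholders, the sample token is constructed and unsigned, and signature verification is assumed to be done by App Service authentication or a JWT library, not by this code.

```python
import base64
import json
import time
from urllib.parse import urlencode


def build_token_request(tenant_id, client_id, client_secret, api_app_id):
    """Return (URL, form body) for the v2.0 client-credentials grant.

    The scope is the API registration's App ID URI plus /.default, so the
    issued token's audience is the Function app's registration, not the caller's.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,          # the client app registration
        "client_secret": client_secret,
        "scope": f"api://{api_app_id}/.default",
    })
    return url, body


def decode_claims(token):
    """Decode the JWT payload only; no signature verification happens here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_caller(claims, api_app_id, allowed_clients, now=None):
    """Resource-side claim checks, run after the platform has verified the signature.

    aud must be this API's registration; azp (or appid in v1 tokens) names the
    calling client registration, which is only meaningful when it is separate.
    """
    now = time.time() if now is None else now
    if claims.get("aud") not in (api_app_id, f"api://{api_app_id}"):
        return False, "audience mismatch"
    caller = claims.get("azp") or claims.get("appid")
    if caller not in allowed_clients:
        return False, "caller not allowed"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, caller


def make_sample_token(claims):
    """Constructed, unsigned JWT-shaped string for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."
```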
