我有一个使用Oauth2(Google)身份验证设置的Azure功能应用代理,它将请求代理到blob存储帐户。我的想法是使用代理作为存储在blob存储中的静态HTML站点的身份验证/授权层。
好的,所以身份验证有效,但现在任何拥有Google帐户的人都可以看到该内容。如何控制访问权限,例如对可配置帐户集的限制?
答案 0 :(得分:0)
好吧,我没有找到一个快速的方法来使用功能应用程序代理,而API管理似乎只是让事情变得复杂(授权服务器?我需要多少台服务器来支持一个小团队静态站点 - 我们做什么的发布统计数据?),所以我选择了代理功能应用程序,这里是:
using System.Net;
public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, TraceWriter log)
{
var authURI = new Uri(req.RequestUri.GetLeftPart(UriPartial.Authority));
var path = authURI.MakeRelativeUri(req.RequestUri);
var prefix = "api/myfunction";
var fileName = path.ToString().Remove(0,prefix.Length);
// Get request body
dynamic data = await req.Content.ReadAsAsync<object>();
// Authorization - allow only @myorg.com users
IEnumerable<string> headerValues = req.Headers.GetValues("X-MS-CLIENT-PRINCIPAL-NAME");
var user = headerValues.FirstOrDefault();
if (!user.EndsWith("@myorg.com", true, null))
{
return req.CreateResponse(HttpStatusCode.Forbidden, "Unauthorized");
}
var blobStorageURI = System.Configuration.ConfigurationManager
.ConnectionStrings["BLOB_SERVICE_ENDPOINT"].ConnectionString;
var container = System.Configuration.ConfigurationManager
.ConnectionStrings["BLOB_CONTAINER"].ConnectionString;
var authKey = System.Configuration.ConfigurationManager
.ConnectionStrings["BLOB_ACCESS_STRING"].ConnectionString;
using(var client = new HttpClient())
{
client.BaseAddress = new Uri(blobStorageURI);
var storagePath = "/" + container + fileName + authKey;
return await client.GetAsync(storagePath);
}
}
这里是function.json:
{
"bindings": [
{
"authLevel": "anonymous",
"name": "req",
"type": "httpTrigger",
"direction": "in",
"route": "myfunction/{*path}",
"methods": [
"get",
"head"
]
},
{
"name": "$return",
"type": "http",
"direction": "out"
}
],
"disabled": false
}