Slide 1

Slide 1 text

Use managed identity for authentication among Azure App Service/Functions

Akihiro Nishikawa

Slide 2

Slide 2 text

Managed identity https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview

Slide 3

Slide 3 text

Type

System assigned
• Created as part of an Azure resource (for example, Azure Virtual Machines or Azure App Service).
• Shares its life cycle with the Azure resource that the managed identity is created with.

User assigned
• Created as a stand-alone Azure resource.
• Independent life cycle. Must be explicitly deleted.

Slide 4

Slide 4 text

Benefits of managed identities
• No credential management.
• Credentials aren’t even accessible to you.
• Managed identities can be used to authenticate to any resource that supports Azure AD authentication, including your own applications.
• No additional cost.


Slide 6

Slide 6 text

🤔

Slide 7

Slide 7 text

Just do it!

Slide 8

Slide 8 text

Prerequisites

[Caller] A managed identity is enabled for each calling application.
[Callee] Azure AD authentication is enabled on each called application.

Slide 9

Slide 9 text

Caller

In case of C#, you can obtain a bearer token like this (the legacy Microsoft.Azure.Services.AppAuthentication library is used, as on the original slide).

using System.Net.Http;
using Microsoft.Azure.Services.AppAuthentication;

// audienceId: Function/App Service’s Application ID to be called.
string audienceId = "<Application ID of the callee>";
string accessToken = await new AzureServiceTokenProvider()
    .GetAccessTokenAsync(audienceId);
// Attach the token to the Authorization header of the HttpClient instance used for the call.
var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization =
    new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", accessToken);

Slide 10

Slide 10 text

Caller

In case of Java, we can obtain a bearer token like this (azure-identity and azure-core).

import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;

// Scope: api://{Application ID}/{scope string}
// Application ID: Function/App Service’s Application ID to be called.
TokenRequestContext tokenRequestContext =
    new TokenRequestContext().addScopes("api://{Application ID}/{scope string}");
// Use DefaultAzureCredential if doing tests in a local environment as well as in Azure.
DefaultAzureCredential defaultAzureCredential = new DefaultAzureCredentialBuilder().build();
String accessToken = defaultAzureCredential.getToken(tokenRequestContext)
    .map(AccessToken::getToken).block();

Slide 11

Slide 11 text

Caller

We can also use ManagedIdentityCredential.

import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.identity.ManagedIdentityCredential;
import com.azure.identity.ManagedIdentityCredentialBuilder;

// Scope: api://{Application ID}/{scope string}
// Application ID: Function/App Service’s Application ID to be called.
TokenRequestContext tokenRequestContext =
    new TokenRequestContext().addScopes("api://{Application ID}/{scope string}");
// Use DefaultAzureCredential if doing tests in a local environment as well as in Azure.
DefaultAzureCredential defaultAzureCredential = new DefaultAzureCredentialBuilder().build();
String accessToken = defaultAzureCredential.getToken(tokenRequestContext)
    .map(AccessToken::getToken).block();

// ManagedIdentityCredential is also applicable (managed identity only, no local fallback).
ManagedIdentityCredential managedIdentityCredential = new ManagedIdentityCredentialBuilder().build();
String accessTokenFromManagedIdentity = managedIdentityCredential.getToken(tokenRequestContext)
    .map(AccessToken::getToken).block();

Slide 12

Slide 12 text

Callee
• Authentication
• JWT token verification

In case of Java, HTTP header keys are all lowercase letters. (No uppercase letter is contained.)

Slide 13

Slide 13 text

Demo

Slide 14

Slide 14 text

😎

Slide 15

Slide 15 text

Benefits

Not only
• Password-less authentication
• Caller applications can be implemented like typical OAuth 2.0 client applications

But also
• Callee applications can delegate authentication to Azure AD and don’t have to implement the authenticator.
• As access tokens contain caller information, JWT verification allows us to filter requests from unexpected callers.
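The callee-side checks from slide 12 (JWT token verification, lowercase header keys on the Java worker) and the caller filtering described just above are shown together in the following example. It is an added example, not code from the deck or from Microsoft's libraries: the class and method names (CalleeTokenValidator, bearerTokenFrom, validate, rsaKeyFromJwk) are hypothetical, Jackson and the Azure Functions Java library are assumed to be on the classpath, and the RSA signing key is assumed to have already been fetched from the tenant's JWKS endpoint and selected by the token's "kid" header (that lookup is outside the block). The expected audience is the callee's Application ID as on slide 9; the expected issuer and the allowed caller IDs are values the deployer supplies.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.microsoft.azure.functions.HttpRequestMessage;

import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.RSAPublicKeySpec;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Set;

// Added example (hypothetical names), not code from the deck: callee-side check of the
// bearer token a caller obtained from its managed identity, run before the function does work.
public final class CalleeTokenValidator {
    private static final ObjectMapper MAPPER = new ObjectMapper();
    private static final long CLOCK_SKEW_SECONDS = 60; // tolerance for clock drift (our choice)

    private final String expectedAudience;         // callee's Application ID: the "aud" claim
    private final String expectedIssuer;           // tenant issuer URL: the "iss" claim (assumed supplied)
    private final Set<String> allowedCallerAppIds; // caller managed identities we accept
    private final PublicKey signingKey;            // RSA key from the tenant JWKS, selected by "kid" (assumed supplied)

    public CalleeTokenValidator(String expectedAudience, String expectedIssuer,
                                Set<String> allowedCallerAppIds, PublicKey signingKey) {
        this.expectedAudience = expectedAudience;
        this.expectedIssuer = expectedIssuer;
        this.allowedCallerAppIds = allowedCallerAppIds;
        this.signingKey = signingKey;
    }

    // Slide 12: on the Java worker the header map keys are all lowercase,
    // so look up "authorization", not "Authorization".
    public static String bearerTokenFrom(HttpRequestMessage<?> request) {
        return bearerTokenFrom(request.getHeaders());
    }

    static String bearerTokenFrom(Map<String, String> headers) {
        String value = headers.get("authorization");
        if (value == null || !value.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return null;
        }
        return value.substring(7).trim();
    }

    /** Returns the caller's application ID if the token is acceptable; throws otherwise. */
    public String validate(String jwt) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            throw new SecurityException("token is not a compact JWS");
        }
        Base64.Decoder b64 = Base64.getUrlDecoder();
        JsonNode header = MAPPER.readTree(b64.decode(parts[0]));
        JsonNode claims = MAPPER.readTree(b64.decode(parts[1]));

        // 1. Signature: pin the algorithm instead of trusting the token's "alg" as-is.
        if (!"RS256".equals(header.path("alg").asText())) {
            throw new SecurityException("unexpected alg: " + header.path("alg").asText());
        }
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(signingKey);
        verifier.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!verifier.verify(b64.decode(parts[2]))) {
            throw new SecurityException("signature verification failed");
        }

        // 2. Audience: the token must have been issued for this callee, not another API.
        boolean audienceMatches = false;
        JsonNode aud = claims.path("aud");
        if (aud.isArray()) {
            for (JsonNode a : aud) audienceMatches |= expectedAudience.equals(a.asText());
        } else {
            audienceMatches = expectedAudience.equals(aud.asText());
        }
        if (!audienceMatches) throw new SecurityException("audience mismatch");

        // 3. Issuer and validity window.
        if (!expectedIssuer.equals(claims.path("iss").asText())) {
            throw new SecurityException("issuer mismatch");
        }
        long now = Instant.now().getEpochSecond();
        if (claims.path("exp").asLong(0) + CLOCK_SKEW_SECONDS < now) {
            throw new SecurityException("token expired");
        }
        if (claims.hasNonNull("nbf") && claims.get("nbf").asLong() > now + CLOCK_SKEW_SECONDS) {
            throw new SecurityException("token not yet valid");
        }

        // 4. Caller filtering (slide 15): v2 tokens carry the caller in "azp", v1 tokens in "appid".
        String callerAppId = claims.hasNonNull("azp")
                ? claims.get("azp").asText() : claims.path("appid").asText(null);
        if (callerAppId == null || !allowedCallerAppIds.contains(callerAppId)) {
            throw new SecurityException("caller not allowed: " + callerAppId);
        }
        return callerAppId;
    }

    // Builds the RSA public key from one JWKS entry's "n" and "e" (base64url) parameters.
    public static PublicKey rsaKeyFromJwk(String modulusB64Url, String exponentB64Url) throws Exception {
        Base64.Decoder b64 = Base64.getUrlDecoder();
        BigInteger n = new BigInteger(1, b64.decode(modulusB64Url));
        BigInteger e = new BigInteger(1, b64.decode(exponentB64Url));
        return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(n, e));
    }
}
```

In the HTTP-triggered function, call `validate(bearerTokenFrom(request))` first and answer 401 on a SecurityException, so that the order of checks is always signature, audience, issuer, time window, then the caller allow-list; a request from a managed identity that is valid in the tenant but not on the list is rejected at the last step, which is the filtering of unexpected callers the slide refers to.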

Slide 16

Slide 16 text

Summary

Slide 17

Slide 17 text

Key takeaways
• Managed identities can be used not only for RBAC but also for authentication.
• A password-less authentication scheme frees us from credential management.
• When using a managed identity in Functions/App Service, we can add the bearer token obtained through the managed identity to the Authorization header, like an OAuth 2.0 / OIDC client.

Slide 18

Slide 18 text

Thank you!