Problem description
For a Standard Logic App, when an HTTP request is used to trigger a workflow, the default authentication is a fixed, unchanging SAS signature. Because it is passed along with the URL, it carries a risk of leakage.
Can a Bearer Token in the header be used for authentication instead?
Answer
Yes. Enable Easy Auth for the Standard Logic App.
Easy Auth makes it possible to authenticate workflow calls made through the trigger. Easy Auth can be used as a more secure authentication method: it uses access tokens that are required to expire, instead of shared access signature (SAS) tokens.
Basically, Easy Auth provides all the benefits available when authenticating with a managed identity. To set up an authorization policy, configure Auth Settings V2 through the REST API. This article describes how to enable and use Easy Auth in this way to authenticate calls sent to the Request trigger in a Standard Logic App workflow.
Step 1: call the authsettingsV2 API
PUT: https://management.chinacloudapi.cn/subscriptions/<Subscriptions ID>/resourceGroups/<Resource Group>/providers/Microsoft.Web/sites/<Logic App Name>/config/authsettingsV2?api-version=2023-01-01
Step 2: replace the placeholder values (such as ) with the actual values to use
"globalValidation": {
"requireAuthentication": true,
"unauthenticatedClientAction": "AllowAnonymous"
}
Keep the requireAuthentication value in the Body set to true. Change the other values as needed. The main values to change are:
- identityProviders.azureActiveDirectory.openIdIssuer: the Azure AD token issuer
- identityProviders.azureActiveDirectory.clientId: the ID of the AAD app registration. It is also added as an allowed audience.
- identityProviders.azureActiveDirectory.validation.allowedAudiences: an array of the audience values allowed in the token
- identityProviders.azureActiveDirectory.validation.defaultAuthorizationPolicy.allowedPrincipals.identities: an array of object IDs of Azure AD identities, such as users/groups
The full Body content is attached below
{
  "id": "/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Web/sites/{logicAppName}/config/authsettingsV2",
  "name": "authsettingsV2",
  "type": "Microsoft.Web/sites/config",
  "location": "{locationOfLogicApp}",
  "tags": {},
  "properties": {
    "platform": {
      "enabled": true,
      "runtimeVersion": "~1"
    },
    "globalValidation": {
      "requireAuthentication": true,
      "unauthenticatedClientAction": "AllowAnonymous"
    },
    "identityProviders": {
      "azureActiveDirectory": {
        "enabled": true,
        "registration": {
          "openIdIssuer": "{issuerId}",
          "clientId": "{clientId}"
        },
        "login": {
          "disableWWWAuthenticate": false
        },
        "validation": {
          "jwtClaimChecks": {},
          "allowedAudiences": [
            "{audience1}",
            "{audience2}"
          ],
          "defaultAuthorizationPolicy": {
            "allowedPrincipals": {
              "identities": [
                "{ObjectId of AAD app1}",
                "{ObjectId of AAD app2}"
              ]
            }
          }
        }
      },
      "facebook": {
        "enabled": false,
        "registration": {},
        "login": {}
      },
      "gitHub": {
        "enabled": false,
        "registration": {},
        "login": {}
      },
      "google": {
        "enabled": false,
        "registration": {},
        "login": {},
        "validation": {}
      },
      "twitter": {
        "enabled": false,
        "registration": {}
      },
      "legacyMicrosoftAccount": {
        "enabled": false,
        "registration": {},
        "login": {},
        "validation": {}
      },
      "apple": {
        "enabled": false,
        "registration": {},
        "login": {}
      }
    },
    "login": {
      "routes": {},
      "tokenStore": {
        "enabled": false,
        "tokenRefreshExtensionHours": 72.0,
        "fileSystem": {},
        "azureBlobStorage": {}
      },
      "preserveUrlFragmentsForLogins": false,
      "cookieExpiration": {
        "convention": "FixedTime",
        "timeToExpiration": "08:00:00"
      },
      "nonce": {
        "validateNonce": true,
        "nonceExpirationInterval": "00:05:00"
      }
    },
    "httpSettings": {
      "requireHttps": true,
      "routes": {
        "apiPrefix": "/.auth"
      },
      "forwardProxy": {
        "convention": "NoProxy"
      }
    }
  }
}
Step 3: send the PUT request. A 200 response means the Easy Auth configuration succeeded.
Step 4: finally, call the Request trigger with Azure AD OAuth
To call the Request trigger in a workflow with Azure AD OAuth, send the request to the callback or invoke URL using the following syntax: pass the Authorization header, and do not pass the SAS token in the query parameters:
POST / GET:
https://XXXXX.chinacloudsites.cn:443/api/XXXXX/triggers/When_a_HTTP_request_is_received/invoke?api-version=2022-05-01&sp=%2Ftriggers%2FWhen_a_HTTP_request_is_received%2Frun&sv=1.0
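As an added example that is not part of the original post, the following Python script prepares the two calls described above: the Step 2 body, trimmed to the fields the post says to change, and the Step 4 trigger call with the access token in the Authorization header and the SAS signature (sig) removed from the query string. The function names, the sample callback URL and the placeholder token are this example's own assumptions; obtaining the Azure AD access token is assumed to have happened already.

```python
import json
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample: a callback URL as copied from the Logic App, still carrying
# the SAS signature (sig=...). Placeholder values, not a real endpoint.
SAMPLE_CALLBACK_URL = ("https://XXXXX.chinacloudsites.cn:443/api/XXXXX/triggers/"
                       "When_a_HTTP_request_is_received/invoke?api-version=2022-05-01"
                       "&sp=%2Ftriggers%2FWhen_a_HTTP_request_is_received%2Frun&sv=1.0"
                       "&sig=PLACEHOLDER_SAS_SIGNATURE")

def build_authsettings_v2(issuer, client_id, audiences, identities):
    """Step 2 body trimmed to the fields the post highlights (hypothetical helper).
    requireAuthentication stays true; the clientId is also accepted as an audience."""
    return {
        "properties": {
            "platform": {"enabled": True, "runtimeVersion": "~1"},
            "globalValidation": {"requireAuthentication": True,
                                 "unauthenticatedClientAction": "AllowAnonymous"},
            "identityProviders": {"azureActiveDirectory": {
                "enabled": True,
                "registration": {"openIdIssuer": issuer, "clientId": client_id},
                "validation": {
                    "allowedAudiences": sorted({client_id, *audiences}),
                    "defaultAuthorizationPolicy": {
                        "allowedPrincipals": {"identities": list(identities)}}}}},
            "httpSettings": {"requireHttps": True}}}

def strip_sas(callback_url):
    """Drop the SAS signature from the query string; api-version, sp and sv are
    kept, matching the Step 4 URL shown in the post."""
    parts = urlsplit(callback_url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "sig"]
    return urlunsplit(parts._replace(query=urlencode(kept)))

def bearer_trigger_request(callback_url, access_token, payload):
    """Step 4 call: URL without sig, Azure AD access token in the Authorization header."""
    return {"method": "POST", "url": strip_sas(callback_url),
            "headers": {"Authorization": f"Bearer {access_token}",
                        "Content-Type": "application/json"},
            "body": json.dumps(payload)}

if __name__ == "__main__":
    body = build_authsettings_v2("{issuerId}", "{clientId}",
                                 ["{audience1}"], ["{ObjectId of AAD app1}"])
    print(json.dumps(body, indent=2))
    req = bearer_trigger_request(SAMPLE_CALLBACK_URL, "{access_token}", {"ping": 1})
    print(json.dumps(req, indent=2))
```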
References
Trigger workflows in Standard logic apps with Easy Auth : https://techcommunity.microsoft.com/t5/azure-integration-services-blog/trigger-workflows-in-standard-logic-apps-with-easy-auth/ba-p/3207378
Enable Microsoft Entra ID Open Authentication (Microsoft Entra ID OAuth) : https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app?tabs=azure-portal&ref=hybridbrothers.com#enable-microsoft-entra-id-open-authentication-microsoft-entra-id-oauth
When facing problems in a complex environment, the way of investigating things requires: let the turbid settle slowly until it clears, let the still move slowly until it comes alive. In the cloud, it is exactly so!