Introduction
Azure Functions app provides Authorization Level (Anonymous/Function/Admin) options during Function App creation in your code. It is more on Authorization of your App or API but if you want to bring authentication to your function app, we have App Service Authentication feature.
App Service Authentication by default is Off on Azure Function App and users will not be promoted for Login. App service authentication provides below authentication providers
- Azure Active Directory
- Microsoft Account
- Facebook
- Google
- Twitter
Where to Find App Service Authentication in Portal
Open your Function App > Left menu > Settings > Configuration > Authentication / Authorization.
Fig 1 : Function App with App Service Authentication is Off by default
Create Function App
Refer step by step guide(http://www.dotnetmirror.com/articles/microsoft-azure/226/create-azure-function-app-using-visual-studio-step-by-step-guide) to create your first function app and deploy to Azure. Below screenshot shows we are able to access the function app without any Authentication in front of it.
Fig 2 : Function App with Authentication
In this post, let us look at how to Authenticate Azure function apps using Google as an authentication provider.
Configure Google App
- Login to Google API Console (https://console.developers.google.com/) with your Google account.
- Click on Project dropdown beside Google API's> Click on “Create New Project” (or select existing project)> Enter "Project Name" and NO Organization (just have the default values) > Click on Create
- Select Credentials tab from left menu > Click on CONFIGURE CONSENT SCREEN > Select External User Type > Click on Create > Provide Application name on OAuth consent screen > Click on Save
- Select Credentials tab from left menu > Click on CREATE CREDENTIALS > Select OAuth Client ID > Select Web application from Application type > ADD URI=<<your function app url>> [E.g: https://helloworldfunctionapp20200908214911.azurewebsites.net] in Authorised JavaScript origins > ADD URI=<<your function app url>>/.auth/login/google/callback [E.g: https://helloworldfunctionapp20200908214911.azurewebsites.net/.auth/login/google/callback] in Authorised redirect URIs > Click on Save
- Copy Client ID and Client Secret
Fig 3 : Google API Console - Configure Consent Screen
Fig 4 : Google API Console - OAuth user type
Fig 5 : Google API Console - OAuth consent screen configuration
Fig 6 : Configure Redirect and App URI
Fig 7 : Google App - OAuth APP Client ID and Secret
Configure Google Authentication Provider for Azure Function
- From Azure Portal > Open your Function App > select Authentication/Authorization left menu > Click On option from App Service Authentication and you can see authentication providers like Azure AD, Microsoft, Facebook, Google and Twitter.
- Select “Google” from Authentication Providers. It opens the Google Authentication Setting page. You can select the scopes based on your app need.
Fig 8 : Google Authentication Setting on Function App
- Provide Client ID and Client Secret from Fig 7.
- Click on OK.
- It takes back to “App Service Authentication” page
Fig 9 : Configure Google as Authentication Provider
- Select “Log in with Google” from “Action to take when request is not authenticated”
- Click on Save
Now if you try to access the Function App,
- It asks you login with your Google account.
- Provide your Google Email and password > Click on Sign In
Fig 10 : Google Authentication & Authorize 3rd Party App (your function app)
- Once you login successfully, it redirects back to our Function App.
Fig 11 : Successful Login - Function App is accessible
How to disable Authentication
If you want disable authentication, select Off from App Service Authentication. Click on Save.
Conclusion
We learnt how to configure Google authentication provider on Azure Function and added authentication to your app for additional security.
References