ms-identity-docs-code-python/protect-function-app at main · TREKK-Design-Group/ms-identity-docs-code-python · GitHub
---
languages:
- python
page_type: sample
name: Python Azure Function that protects an HTTP trigger function with Easy Auth and access token scope validation.
description: This Python Azure Function protects its own HTTP Trigger function with Easy Auth and access token scope validation. The code in this sample is used by one or more articles on learn.microsoft.com.
products:
- azure
- azure-active-directory
- azure-functions
urlFragment: ms-identity-docs-code-functions-python
---

Python | Azure Function | protect an API | Microsoft identity platform

This Python Azure Function protects its own API (HTTP trigger) with the combination of the built-in authentication & authorization feature of Azure Functions (commonly known as "Easy Auth") and JWT access token scope validation.

$ curl https://<your-function>.azurewebsites.net/api/greeting -H "Authorization: Bearer <valid-access-token>"
Hello, world. You were able to access this because you provided a valid access token with the Greeting.Read scope as a claim.

📃 This sample application backs one or more technical articles on learn.microsoft.com.

Prerequisites

Setup

1. Register the app

First, complete the steps in Register an API application with the Microsoft identity platform to register the sample app.

Use these settings in your app registration.

| App registration setting | Value for this sample app | Notes |
|---|---|---|
| **Name** | `python-azure-function-api` | Suggested value for this sample. You can change the app name at any time. |
| **Supported account types** | **Accounts in this organizational directory only (Single tenant)** | Suggested value for this sample. |
| **Platform type** | _None_ | No redirect URI required; don't select a platform. |
| **Scopes defined by this API** | **Scope name**: `Greeting.Read`<br>**Who can consent?**: **Admins and users**<br>**Admin consent display name**: `Read API Greetings`<br>**Admin consent description**: `Allows the user to see greetings from the API.`<br>**User consent display name**: `Read API Greetings`<br>**User consent description**: `Allows you to see greetings from the API.`<br>**State**: **Enabled** | Required scope for this sample. |

ℹ️ Bold text in the table matches (or is similar to) a UI element in the Microsoft Entra admin center, while code formatting indicates a value you enter into a text box in the Microsoft Entra admin center.

2. Enable Function app authentication

Next, complete the steps in Configure your App Service or Azure Functions app to use Microsoft Entra sign-in to add Microsoft Entra ID as an identity provider for your API.

Use these settings in your identity provider configuration.

| Identity provider setting | Value for this sample app | Notes |
|---|---|---|
| **Identity provider** | **Microsoft** | Required value for this sample. |
| **App registration type** | **Provide the details of an existing app registration** | Required value for this sample. |
| **Application (client) ID** | `<client-id>` | Required value for this sample. 'Application (client) ID' of the API's app registration in the Microsoft Entra admin center - this value is a GUID. |
| **Client secret (recommended)** | _None_ | Suggested value for this sample. This sample doesn't require this feature. |
| **Issuer URL** | `https://login.microsoftonline.com/<tenant-id>/v2.0` | Required value for this sample. Update to include the 'Tenant ID' of your Microsoft Entra instance - this value is a GUID. |
| **Allowed token audiences** | `api://<client-id>` | Required value for this sample. 'Application ID URI' of the app registration in the Microsoft Entra admin center - this value typically starts with api://. |
| **Restrict access** | **Require authentication** | Required value for this sample. |
| **Unauthenticated requests** | **HTTP 401 Unauthorized: recommended for APIs** | Suggested value for this sample. |
| **Token store** | Unselected | Suggested value for this sample. |

ℹ️ Bold text in the table matches (or is similar to) a UI element in the Microsoft Entra admin center, while code formatting indicates a value you enter into a text box in the Microsoft Entra admin center.

3. Deploy the Function app

func azure functionapp publish <your-Function-App-name>

Access the API

Using Postman, curl, or a similar application, issue an HTTP GET request to https://<your-function-app-name>.azurewebsites.net/api/greeting with an Authorization header of Bearer <VALID-ACCESS-TOKEN>. The token must have been issued for this API (its audience must match an entry in Allowed token audiences) and must include the Greeting.Read scope; a token for a different API, or one without the scope, will be rejected.

For example, if you use curl and everything worked, you should receive a response from the Azure Function similar to this.

$ curl https://<your-function>.azurewebsites.net/api/greeting -H "Authorization: Bearer <VALID-ACCESS-TOKEN>"
Hello, world. You were able to access this because you provided a valid access token with the Greeting.Read scope as a claim.

About the code

This Azure Function is an HTTP trigger written in Python whose authorization level is anonymous (no function key is required), and it uses the built-in Authentication and authorization feature of Azure Functions to offload fundamental JWT access token validation. Only requests that pass the built-in authentication feature of Azure Functions are routed to the Python code, which applies an additional access token check for a specific scope.

  • A missing or invalid (expired, bad signature, wrong issuer or audience, etc.) token results in a 401 response. (Handled by Azure Functions authentication.)
  • An otherwise valid token without the proper scope results in a 403 response. (Handled by the Python code.)
  • A valid token with the proper scope of Greeting.Read results in the "Hello, world" message.

Running locally

At the time of this writing, Function app authentication does not support a local development experience that has parity with the on-Azure runtime. You can still run the function locally with func start, but the authentication functionality provided by the Function app service on Azure will not be invoked: all JWT token validation for authorization (signature, iss, exp, aud) is skipped, and only the scope check in the Python code runs. In that state any client can hand-craft a token whose scp claim contains Greeting.Read and be served, so treat a locally running instance as unauthenticated and do not expose it beyond your machine.
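The following is an added example, not the sample's own function code, showing the second layer described under "About the code" and why it is not enough on its own when running locally. It models the request as a plain dict of headers and returns the (status, body) pair the sample's trigger would produce: 401 for no or malformed bearer token, 403 when the `scp` claim lacks `Greeting.Read`, 200 otherwise. The payload is decoded without signature verification, exactly as is acceptable only behind Easy Auth. The `make_unsigned_token` helper and every token it produces are constructed for the demonstration; on Azure, Easy Auth would reject such a token before this code ever ran, but under `func start` it passes the scope check, which is the "Running locally" caveat in concrete form.

```python
import base64
import json
from typing import Dict, Optional, Tuple

# Scope the sample requires; the app registration in step 1 exposes it.
REQUIRED_SCOPE = "Greeting.Read"


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    """Inverse of _b64url_decode for building the constructed test tokens below."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Pull the raw JWT out of 'Authorization: Bearer <jwt>'.

    Header names are matched case-insensitively; any other scheme counts as no token.
    """
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            token = token.strip()
            return token if scheme.lower() == "bearer" and token else None
    return None


def jwt_claims(token: str) -> Optional[dict]:
    """Decode the JWT payload WITHOUT checking the signature.

    Acceptable only because Easy Auth has already verified signature, iss,
    exp and aud before the request reached the function. Off Azure (func
    start) nothing in front of this code does that, so any client can
    hand-craft a payload that satisfies the scope check below.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):  # bad base64 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None


def has_scope(claims: dict, required: str) -> bool:
    """Delegated (user) tokens carry scopes as a space-delimited 'scp' string.

    Split on whitespace so 'Greeting.ReadWrite' does not satisfy 'Greeting.Read'.
    App-only tokens carry 'roles' instead; the sample does not accept those,
    so a token with only 'roles' is rejected here too.
    """
    scp = claims.get("scp")
    return isinstance(scp, str) and required in scp.split()


def greeting(headers: Dict[str, str]) -> Tuple[int, str]:
    """Status code and body the sample's HTTP trigger would return."""
    token = bearer_token(headers)
    if token is None:
        return 401, "Unauthorized: missing bearer token"
    claims = jwt_claims(token)
    if claims is None:
        return 401, "Unauthorized: malformed token"
    if not has_scope(claims, REQUIRED_SCOPE):
        return 403, f"Forbidden: token lacks the {REQUIRED_SCOPE} scope"
    return 200, (
        "Hello, world. You were able to access this because you provided a "
        f"valid access token with the {REQUIRED_SCOPE} scope as a claim."
    )


def make_unsigned_token(claims: dict) -> str:
    """CONSTRUCTED test token: header {'alg':'none'} and an empty signature.

    Easy Auth on Azure rejects it outright (no valid signature); it exists
    only to show what the scope check sees once that layer is gone.
    """
    header = _b64url_encode({"alg": "none", "typ": "JWT"})
    return f"{header}.{_b64url_encode(claims)}."


if __name__ == "__main__":
    forged = make_unsigned_token({"scp": "Greeting.Read", "aud": "api://anything"})
    print(greeting({}))                                                # 401
    print(greeting({"Authorization": "Bearer " + make_unsigned_token({"scp": "User.Read"})}))  # 403
    print(greeting({"Authorization": "Bearer " + forged}))             # 200: nothing verified the signature
```

Running the block as a script prints the three outcomes in order; the last one succeeds purely because no signature, issuer or audience check ran, which is what makes the local mode unsafe to expose.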

Web server gateway interface (WSGI) alternative

In Python, it is common to use a web framework, such as Django or Flask, to handle APIs. While this sample doesn't show it, Azure Functions for Python does support WSGI integration, allowing you to use the web framework as your HTTP request pipeline. Introducing WSGI into this scenario is out of scope for this introduction, but doing so would allow you to use framework-specific authentication mechanisms that might feel more native for your Python API.

Reporting problems

Sample app not working?

If you can't get the sample working, you've checked Stack Overflow, and you've already searched the issues in this sample's repository, open an issue to report the problem.

  1. Search the GitHub issues in the repository - your problem might already have been reported or have an answer.
  2. Nothing similar? Open an issue that clearly explains the problem you're having running the sample app.

All other issues

⚠️ WARNING: Any issue in this repository not limited to running one of its sample apps will be closed without being addressed.

For all other requests, see Support and help options for developers.

Contributing

If you'd like to contribute to this sample, see CONTRIBUTING.MD.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.