---
languages:
page_type: sample
name: Python Azure Function that protects an HTTP trigger function with Easy Auth and access token scope validation.
description: This Python Azure Function protects its own HTTP Trigger function with Easy Auth and access token scope validation. The code in this sample is used by one or more articles on learn.microsoft.com.
products:
urlFragment: ms-identity-docs-code-functions-python
---
This Python Azure Function protects its own API (HTTP trigger) with the combination of the built-in authentication & authorization feature of Azure Functions (commonly known as "Easy Auth") and JWT access token scope validation.
```console
$ curl https://<your-function>.azurewebsites.net/api/greeting -H "Authorization: Bearer <valid-access-token>"
Hello, world. You were able to access this because you provided a valid access token with the Greeting.Read scope as a claim.
```

📃 This sample application backs one or more technical articles on docs.microsoft.com.
- A Microsoft Entra tenant and the permissions or role required for managing app registrations in the tenant.
- Python 3.8+
- Azure Functions Core Tools
- An empty, Python 3.8 Function app (v4) deployed to Azure and the permissions or role required to modify its settings
First, complete the steps in Register an API application with the Microsoft identity platform to register the sample app.
Use these settings in your app registration.
| App registration setting | Value for this sample app | Notes |
|---|---|---|
| **Name** | `python-azure-function-api` | Suggested value for this sample. You can change the app name at any time. |
| **Supported account types** | **Accounts in this organizational directory only (Single tenant)** | Suggested value for this sample. |
| **Platform type** | None | No redirect URI required; don't select a platform. |
| **Scopes defined by this API** | **Scope name**: `Greeting.Read`<br>**Who can consent?**: **Admins and users**<br>**Admin consent display name**: `Read API Greetings`<br>**Admin consent description**: `Allows the user to see greetings from the API.`<br>**User consent display name**: `Read API Greetings`<br>**User consent description**: `Allows you to see greetings from the API.`<br>**State**: **Enabled** | Required scope for this sample. |
ℹ️ **Bold text** in the table matches (or is similar to) a UI element in the Microsoft Entra admin center, while `code formatting` indicates a value you enter into a text box in the Microsoft Entra admin center.
Next, complete the steps in Configure your App Service or Azure Functions app to use Microsoft Entra sign-in to add Microsoft Entra ID as an identity provider for your API.
Use these settings in your identity provider configuration.
ℹ️ **Bold text** in the table matches (or is similar to) a UI element in the Microsoft Entra admin center, while `code formatting` indicates a value you enter into a text box in the Microsoft Entra admin center.
```console
func azure functionapp publish <your-Function-App-name>
```

Using Postman, curl, or a similar application, issue an HTTP GET request to `https://<your-function-app-name>.azurewebsites.net/api/greeting` with an `Authorization` header of `Bearer {VALID-ACCESS-TOKEN}`.
For example, if you use curl and everything worked, you should receive a response from the Azure Function similar to this.
```console
$ curl https://<your-function>.azurewebsites.net/api/greeting -H "Authorization: Bearer <VALID-ACCESS-TOKEN>"
Hello, world. You were able to access this because you provided a valid access token with the Greeting.Read scope as a claim.
```

This Azure Function is an anonymous HTTP trigger written in Python and uses the built-in Authentication and authorization in Azure Functions feature to offload fundamental JWT access token validation. Requests that make it through the built-in authentication feature of Azure Functions are then routed to the Python code, which applies additional access token validation checking for a specific scope.
- A missing or invalid (expired, wrong audience, etc.) token will result in a `401` response. (Handled by Azure Functions authentication.)
- An otherwise valid token without the proper scope will result in a `403` response.
- A valid token with the proper scope of `Greeting.Read` will result in the "Hello, world" message.
At the time of this writing, Function app authentication does not support a local development experience that has parity with the on-Azure runtime. You can still execute this locally with func start but the authentication functionality provided by the Function app service on Azure will not be invoked; all JWT token validation for authorization (signature, iss, exp, aud) will be skipped.
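The following is an added example, not the sample's own code, showing how the scope check described above can be written so that the three outcomes (401, 403, "Hello, world") fall out of one `authorize` function. It assumes a v1 programming-model entry point named `main` bound by a `function.json` (not shown) with `"authLevel": "anonymous"` and route `greeting`; the `make_unsigned_token` helper and every token it builds are constructed test fixtures. Consistent with the caveat above, the code reads the `scp` claim but performs no signature, issuer, audience or expiry validation, because on Azure that is Easy Auth's job and locally nothing performs it.

```python
"""Scope check behind Easy Auth for the /api/greeting trigger (added example)."""
import base64
import binascii
import json
from typing import Optional, Set, Tuple

REQUIRED_SCOPE = "Greeting.Read"  # the scope exposed by the app registration above


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def bearer_token(authorization_header: Optional[str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def token_scopes(token: str) -> Set[str]:
    """Return the scopes listed in the token's space-separated 'scp' claim.

    Signature, issuer, audience and expiry are deliberately NOT checked here: on
    Azure, Easy Auth has already rejected (401) any token that fails those checks
    before the request reaches this code. Under `func start` nothing performs that
    validation, so this function must never be treated as a token validator.
    """
    try:
        _header, payload, _signature = token.split(".")
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return set()
    scp = claims.get("scp", "") if isinstance(claims, dict) else ""
    # Exact-match on whole scope names; "Greeting.ReadWrite" must not satisfy "Greeting.Read".
    return set(scp.split()) if isinstance(scp, str) else set()


def authorize(authorization_header: Optional[str],
              required_scope: str = REQUIRED_SCOPE) -> Tuple[int, str]:
    """Map a request's Authorization header to the (status, body) the README describes."""
    token = bearer_token(authorization_header)
    if token is None:
        return 401, "Missing or malformed bearer token."
    if required_scope not in token_scopes(token):
        return 403, f"The access token does not contain the {required_scope} scope."
    return 200, ("Hello, world. You were able to access this because you provided a "
                 f"valid access token with the {required_scope} scope as a claim.")


def make_unsigned_token(claims: dict) -> str:
    """CONSTRUCTED test fixture: a JWT-shaped string whose signature segment is a
    placeholder. Easy Auth on Azure would reject it; it only exercises the scope
    check above when running locally."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


try:
    # Present in a deployed Function app. The entry point below is the assumed v1
    # programming-model HTTP trigger; its function.json (not shown) would set
    # "authLevel": "anonymous" and "route": "greeting".
    import azure.functions as func

    def main(req: "func.HttpRequest") -> "func.HttpResponse":
        status, body = authorize(req.headers.get("Authorization"))
        return func.HttpResponse(body, status_code=status)
except ImportError:  # running outside a Function app, e.g. plain `python`
    pass


if __name__ == "__main__":
    for header in (None,
                   "Bearer " + make_unsigned_token({"scp": "User.Read"}),
                   "Bearer " + make_unsigned_token({"scp": "Greeting.Read"})):
        print(authorize(header))
```

Note that the 401 branch in `authorize` is only reachable on Azure if Easy Auth is misconfigured to let unauthenticated requests through; with the identity provider configured as described above, Easy Auth answers 401 before the function runs, and the function's own decision is 403 versus 200.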
In Python, it is common to use a web framework, such as Django or Flask, to handle APIs. While this sample doesn't show it, Azure Functions for Python does support WSGI integration, allowing you to use the web framework as your HTTP request pipeline. Introducing WSGI into this scenario is out of scope for this introduction, but doing so would allow you to use framework-specific authentication mechanisms that might feel more native for your Python API.
If you can't get the sample working, you've checked Stack Overflow, and you've already searched the issues in this sample's repository, open an issue to report the problem.
- Search the GitHub issues in the repository - your problem might already have been reported or have an answer.
- Nothing similar? Open an issue that clearly explains the problem you're having running the sample app.
⚠️ WARNING: Any issue in this repository not limited to running one of its sample apps will be closed without being addressed.
For all other requests, see Support and help options for developers.
If you'd like to contribute to this sample, see CONTRIBUTING.MD.
This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
