Azure Function Keys

%3CLINGO-SUB%20id%3D%22lingo-sub-1833350%22%20slang%3D%22en-US%22%3EAzure%20Function%20Keys%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1833350%22%20slang%3D%22en-US%22%3E%3CP%3EPlanning%20to%20design%20a%20simple%20azure%20function%20for%20multiple%20clients.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eeach%20client%20will%20have%20a%20separate%20function%20key.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20Serverless%20Function%2C%20I%20want%20to%20write%20a%20custom%20security%20check%20(%20extra%20layer)%2C%20to%20ensure%20that%20key%20is%20passed%20from%20desired%20tenant%20or%20client%20only.%20Hence%20I%20want%20to%20check%2C%20Key%20name%20of%20the%20value%20being%20passed%20while%20calling%20the%20function.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EExample%3A%3C%2FP%3E%3CP%3EFunction%20Name%20%3A%20SecureFunction%3C%2FP%3E%3CP%3EAuthentication%20%3A%20Function%20level%20Security%3C%2FP%3E%3CP%3EKeys%3C%2FP%3E%3CP%3EClient1%20%3A%20Key1%3C%2FP%3E%3CP%3EClient2%20%3A%20Key2%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUser%20Calls%20SecureFunction%20with%20Key2%20(%20using%20x-functions-key%20header)%20%3A%20I%20want%20to%20derive%20the%20keyname%20of%20passd%20key%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EExpected%20output%20is%20Client2%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1833559%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Function%20Keys%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1833559%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F344845%22%20target%3D%22_blank%22%3E%40Bhargav1985%3C%2FA%3E%26nbsp%3BOne%20thing%20to%20think%20about%20is%20API%20management%20-%20it's%20designed%20to%20do%20exactly%20what%20you're%20outlining%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fapi-management%2Fapi-management-howto-create-subscriptions%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ECreate%20subscriptions%20in%20Azure%20API%20Management%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20have%20'subscriptions'%20created%20for%20each%20customer%20and%20you%20would%20know%20who%20the%20caller%20is%20and%20what%20they're%20allowed%20to%20do%20based%20on%20the%20passed%20in%20key.%26nbsp%3B%20I%20think%20it%20would%20be%20easier%20to%20have%20this%20managed%20by%20a%20product%20that%20performs%20these%20tasks%20versus%20needing%20to%20maintain%20this%20look-up%20table%20in%20code.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1856182%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Function%20Keys%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1856182%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F319411%22%20target%3D%22_blank%22%3E%40CloudyRyan%3C%2FA%3E%26nbsp%3B%3A%20I%20tried%20APIM%20Subscriptions.%20But%20concept%20is%20same%2C%20it%20passes%20the%20key%20in%20header%20as%20%3CSPAN%3EOcp-Apim-Subscription-Key.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20it's%20in%20header%2C%20I%20can%20just%20get%20the%20value.%20To%20identify%20the%20key%20Name%2C%20I%20need%20to%20have%20the%20lookup.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECorrect%20me%20if%26nbsp%3B%20I%20have%20misunderstood%20the%20concept.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20requirement%20is%20identify%20the%20product%20based%20on%20the%20key%20value.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1856835%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Function%20Keys%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1856835%22%20slang%3D%22en-US%22%3EHello%2C%3CBR%20%2F%3E%3CBR%20%2F%3EMy%20suggestion%20was%20to%20use%20api%20management%20instead%20of%20passing%20keys%20on%20the%20header.%20What%20you%20are%20proposing%20sounds%20overly%20complex%20and%20would%20be%20challenging%20to%20scale%20as%20more%20clients%20come%20aboard.%20Api%20management%20would%20simple%20be%20another%20key%20you%20could%20issue%20on%20the%20product%20and%20would%20never%20require%20code%20changes.%20You%20could%20even%20correlated%20the%20issued%20key%20to%20a%20customer%20by%20storing%20that%20in%20a%20table%20or%20dB.%20I%20wouldn't%20overly%20complex%20it%20with%20the%20header%20inspection%20and%20just%20use%20the%20passed%20in%20key%20to%20discern%20between%20authorized%20clients.%3C%2FLINGO-BODY%3E
New Contributor

Planning to design a simple azure function for multiple clients.

 

each client will have a separate function key.

 

In Serverless Function, I want to write a custom security check ( extra layer), to ensure that key is passed from desired tenant or client only. Hence I want to check, Key name of the value being passed while calling the function.

 

Example:

Function Name : SecureFunction

Authentication : Function level Security

Keys

Client1 : Key1

Client2 : Key2

 

User Calls SecureFunction with Key2 ( using x-functions-key header) : I want to derive the keyname of passd key

 

Expected output is Client2

 

 

 

3 Replies

@Bhargav1985 One thing to think about is API management - it's designed to do exactly what you're outlining: Create subscriptions in Azure API Management | Microsoft Docs

 

You can have 'subscriptions' created for each customer and you would know who the caller is and what they're allowed to do based on the passed in key.  I think it would be easier to have this managed by a product that performs these tasks versus needing to maintain this look-up table in code.

@CloudyRyan : I tried APIM Subscriptions. But concept is same, it passes the key in header as Ocp-Apim-Subscription-Key.

 

As it's in header, I can just get the value. To identify the key Name, I need to have the lookup.

 

Correct me if  I have misunderstood the concept. 

 

My requirement is identify the product based on the key value.

Hello,

My suggestion was to use api management instead of passing keys on the header. What you are proposing sounds overly complex and would be challenging to scale as more clients come aboard. Api management would simple be another key you could issue on the product and would never require code changes. You could even correlated the issued key to a customer by storing that in a table or dB. I wouldn't overly complex it with the header inspection and just use the passed in key to discern between authorized clients.