
Using the built-in App Service Authentication / Authorization to populate the ClaimsPrincipal when hosting functions in Azure works great and is pretty well documented.

However, trying to accomplish this with a containerized app in Kubernetes is a different story. I can't find any information on how to support authentication in a way that would mimic the behavior of hosting the functions in Azure. I hope this is possible because I would like to use the same functions both on-premises and in Azure.

Is there any information available on how this can be accomplished?

Eli Pulsifer

1 Answer


App Service Authentication / Authorization is a feature provided as part of the PaaS offering. The Azure Functions Host, which is open-source, inherits such features when running on Azure PaaS.

But when running on Kubernetes, the way Azure Functions works is different. For one, scaling is taken care of by Kubernetes (and Knative/Osiris/KEDA when set up). The same goes for any external authentication/authorization.

There are a couple of ways you could set this up:

  1. If you are using an ingress controller like nginx, you can pair it with oauth2_proxy for external OAuth authentication. Depending on the ingress controller you are using, it may have built-in support for authentication.

  2. If you are using a service mesh like Istio, you could make use of its end-user authentication policies. Note that this just checks if there is a valid JWT and doesn't redirect users.

    You would have to deploy an EnvoyFilter similar to this one. For an SSO scenario, you might need something like this.

PramodValavala
  • I can definitely use an external authentication service to deal with the actual authentication but what I want is some way to initialize the ClaimsPrincipal passed to the functions so that my existing authorization code in the functions continues to work. – Eli Pulsifer Dec 09 '19 at 17:52
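
Option 1 of the answer (nginx ingress paired with oauth2_proxy), sketched as an added example that is not part of the original answer. The namespace, host, service names and ports are assumptions, and the `X-Auth-Request-*` headers assume oauth2_proxy runs with `--set-xauthrequest`.

```yaml
# Added example; every name, host and port below is a placeholder.
# Ingress 1: the Functions container, gated by an nginx auth subrequest.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: functions
  namespace: functions
  annotations:
    # nginx calls this URL per request: 2xx lets it through, 401 blocks it
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    # on 401, send the browser into the OAuth sign-in flow
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    # copy identity headers from the auth response onto the upstream request
    nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [functions.example.com]
      secretName: functions-tls        # placeholder TLS secret
  rules:
    - host: functions.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: functions-app    # Service in front of the Functions pods
                port: { number: 80 }
---
# Ingress 2: /oauth2/* goes to oauth2_proxy itself and carries no auth
# annotations, otherwise the sign-in endpoints would require sign-in.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: functions
spec:
  ingressClassName: nginx
  rules:
    - host: functions.example.com
      http:
        paths:
          - path: /oauth2
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy
                port: { number: 4180 }
```

The forwarded headers are only trustworthy if the Functions pods cannot be reached except through this ingress (for example via a NetworkPolicy), since any other in-cluster client could set `X-Auth-Request-*` itself. This passes identity as plain request headers; it does not by itself populate the ClaimsPrincipal discussed in the comment.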