0

I have a Node.js Azure Function App with a User Assigned Managed Identity. The Function App is configured to use the App Service-provided authentication mechanism ("EasyAuth") to authenticate incoming connections using AAD. The "Restrict Access" setting is set to "Require Authentication", so only authenticated connections will reach my code. The Function App uses its User Assigned Managed Identity to do some calls to the Azure Resource Manager.

The above all works just fine. What I would like to do on top of this is to do some additional calls to the Azure Resource Manager, but this time using the identity of the caller to the Function App. If I understand everything correctly, this scenario would be a prime candidate for the OAuth 2.0 On-Behalf-Of flow. Unfortunately, according to that page "The OBO flow only works for user principals at this time." Since the callers to my Function App will primarily be Service Principals, the OBO flow doesn't seem to be a solution here. I don't know how else to approach this.

So, how can I access a protected API from my Function App with the identity of the authenticated user to the Function App, where that user is a Service Principal instead of a User Principal?

Jurjen
  • 149
  • 4
  • I'm _quite_ sure this is not possible. The authenticated service principal would need to do the authentication to ARM API and pass the token to your Function along with the normal authentication token. – juunas Sep 01 '22 at 08:39
  • Thanks, I was afraid this would be the case, but at least this will save me time looking in the wrong place... – Jurjen Sep 01 '22 at 09:43

1 Answers1

1

Unless there is a feature that I'm unaware of, a service principal cannot get an access token on behalf of another service principal.

The only way that I can think of that would work for this would be for the client application to send the ARM API token along with the request so your Function can use that.

juunas
  • 54,244
  • 13
  • 113
  • 149