How to create an Identity Provider using an ARM template for an Azure Function app?
How to create an Azure identity provider in the Azure portal using an ARM template for an Azure Function.
I have an ARM template for deploying Azure resources. I am able to create the Azure Function, but I also need to create Authentication -> Identity provider (Microsoft) dynamically.
We have tried creating an Azure Function with Azure AD authentication and an identity provider (Microsoft) in our environment using the following template:
Prerequisites:
- Register an application in Azure AD (Azure AD > App registrations).
- Enable ID tokens (used for implicit and hybrid flows).
ARM template:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "siteName": {
      "type": "string",
      "defaultValue": "[concat('FuncApp-', uniqueString(resourceGroup().id))]",
      "metadata": {
        "description": "The name of your Web Site."
      }
    },
    "storageAccountName": {
      "type": "String",
      "defaultValue": "[concat('store', uniqueString(resourceGroup().id))]"
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    },
    "clientId": {
      "type": "string",
      "metadata": {
        "description": "ClientId of the APP registration to be used by the Function APP authentication"
      }
    }
  },
  "variables": {
    "hostingPlanName": "[concat('hpn-', resourceGroup().name)]",
    "storageAccountid": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2021-02-01",
      "name": "[parameters('siteName')]",
      "kind": "functionapp,linux",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
        "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
      ],
      "properties": {
        "name": "[parameters('siteName')]",
        "adminEnabled": true,
        "enabledHostNames": [
          "[concat(parameters('siteName'),'.azurewebsites.net')]",
          "[concat(parameters('siteName'),'.scm.azurewebsites.net')]"
        ],
        "hostNameSslStates": [
          {
            "name": "[concat(parameters('siteName'),'.azurewebsites.net')]",
            "sslState": "Disabled",
            "ipBasedSslState": "NotConfigured",
            "hostType": "Standard"
          },
          {
            "name": "[concat(parameters('siteName'),'.scm.azurewebsites.net')]",
            "sslState": "Disabled",
            "ipBasedSslState": "NotConfigured",
            "hostType": "Repository"
          }
        ],
        "siteConfig": {
          "appSettings": [
            {
              "name": "FUNCTIONS_WORKER_RUNTIME",
              "value": "python"
            },
            {
              "name": "FUNCTIONS_EXTENSION_VERSION",
              "value": "~2"
            },
            {
              "name": "AzureWebJobsStorage",
              "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]"
            }
          ]
        },
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
        "clientAffinityEnabled": false
      }
    },
    {
      "type": "Microsoft.Web/serverfarms",
      "apiVersion": "2021-02-01",
      "name": "[variables('hostingPlanName')]",
      "location": "[parameters('location')]",
      "kind": "linux",
      "properties": {
        "reserved": true
      },
      "sku": {
        "Tier": "Standard",
        "Name": "S1"
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[parameters('storageAccountName')]",
      "apiVersion": "2019-06-01",
      "location": "[parameters('location')]",
      "kind": "StorageV2",
      "sku": {
        "name": "Standard_LRS"
      }
    },
    {
      "name": "[concat(parameters('siteName'), '/authsettingsV2')]",
      "type": "Microsoft.Web/sites/config",
      "apiVersion": "2021-02-01",
      "location": "[parameters('location')]",
      "properties": {
        "platform": {
          "enabled": true,
          "runtimeVersion": "~1"
        },
        "globalValidation": {
          "requireAuthentication": true,
          "unauthenticatedClientAction": "RedirectToLoginPage",
          "redirectToProvider": "azureactivedirectory"
        },
        "identityProviders": {
          "azureActiveDirectory": {
            "enabled": true,
            "registration": {
              "openIdIssuer": "[concat('https://sts.windows.net/',tenant().tenantId,'/v2.0')]",
              "clientId": "[parameters('clientId')]",
              "clientSecretSettingName": "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"
            },
            "login": {
              "disableWWWAuthenticate": false
            },
            "validation": {
              "jwtClaimChecks": {},
              "allowedAudiences": [],
              "defaultAuthorizationPolicy": {
                "allowedPrincipals": {}
              }
            }
          },
          "facebook": {
            "enabled": true,
            "registration": {},
            "login": {}
          },
          "gitHub": {
            "enabled": true,
            "registration": {},
            "login": {}
          },
          "google": {
            "enabled": true,
            "registration": {},
            "login": {},
            "validation": {}
          },
          "twitter": {
            "enabled": true,
            "registration": {}
          },
          "legacyMicrosoftAccount": {
            "enabled": true,
            "registration": {},
            "login": {},
            "validation": {}
          },
          "apple": {
            "enabled": true,
            "registration": {},
            "login": {}
          }
        },
        "login": {
          "routes": {},
          "tokenStore": {
            "enabled": true,
            "tokenRefreshExtensionHours": 72,
            "fileSystem": {},
            "azureBlobStorage": {}
          },
          "preserveUrlFragmentsForLogins": false,
          "cookieExpiration": {
            "convention": "FixedTime",
            "timeToExpiration": "08:00:00"
          },
          "nonce": {
            "validateNonce": true,
            "nonceExpirationInterval": "00:05:00"
          }
        },
        "httpSettings": {
          "requireHttps": true,
          "routes": {
            "apiPrefix": "/.auth"
          },
          "forwardProxy": {
            "convention": "NoProxy"
          }
        }
      }
    }
  ]
}
Note: pass the Application ID of the app registration you created earlier as the clientId parameter.
Output:
Deploy using:
az deployment group create -n TestDeployment -g <resourcegroupname> --template-file "C:\Path\to\template.json"
Note: in the app registration we must add the reply URI https://yourfunctionappname.azurewebsites.net/.auth/login/aad/callback using the Azure CLI command:
az ad app update --id <objectid> --reply-urls https://funcapp-xxxxxxx.azurewebsites.net/.auth/login/aad/callback
Test function app output:
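Before deploying a template like the one above, it is worth checking the authsettingsV2 resource for settings that leave the function reachable without a login or that enable identity providers with nothing registered behind them (the template above enables Facebook, GitHub, Google, Twitter, Microsoft account and Apple with empty registrations). The following linter is an added example, not code from the question or the answer; it works on the template text offline, uses a constructed, trimmed-down template with the same authsettingsV2 shape as sample input, and leaves ARM expressions such as `[parameters('clientId')]` unevaluated. The severity labels and the `harden_auth_settings` helper are this example's own choices.

```python
"""Lint and harden the authsettingsV2 resource of an ARM template (added example)."""
import json

# Constructed sample input: a trimmed-down template with the same authsettingsV2
# shape as the answer's template. Only fields the linter reads are included.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": "Microsoft.Web/sites", "name": "[parameters('siteName')]"},
        {
            "type": "Microsoft.Web/sites/config",
            "name": "[concat(parameters('siteName'), '/authsettingsV2')]",
            "properties": {
                "platform": {"enabled": True, "runtimeVersion": "~1"},
                "globalValidation": {
                    "requireAuthentication": True,
                    "unauthenticatedClientAction": "RedirectToLoginPage",
                    "redirectToProvider": "azureactivedirectory",
                },
                "identityProviders": {
                    "azureActiveDirectory": {
                        "enabled": True,
                        "registration": {
                            "openIdIssuer": "[concat('https://sts.windows.net/',tenant().tenantId,'/v2.0')]",
                            "clientId": "[parameters('clientId')]",
                        },
                    },
                    # Enabled providers with nothing registered, as in the answer.
                    "facebook": {"enabled": True, "registration": {}, "login": {}},
                    "google": {"enabled": True, "registration": {}, "login": {}},
                },
                "httpSettings": {"requireHttps": True},
            },
        },
    ]
})


def find_auth_settings(template):
    """Return the properties of the first authsettingsV2 resource, or None."""
    for res in template.get("resources", []):
        if (res.get("type") == "Microsoft.Web/sites/config"
                and "authsettingsv2" in res.get("name", "").lower()):
            return res.get("properties", {})
    return None


def lint_auth_settings(template_json):
    """Return (severity, message) findings for the template text."""
    template = json.loads(template_json)
    props = find_auth_settings(template)
    if props is None:
        return [("high", "no authsettingsV2 resource: the site deploys without Easy Auth")]

    findings = []
    if not props.get("platform", {}).get("enabled"):
        findings.append(("high", "platform.enabled is not true: authentication is switched off"))

    gv = props.get("globalValidation", {})
    if not gv.get("requireAuthentication"):
        findings.append(("high", "globalValidation.requireAuthentication is not true: "
                                 "anonymous requests reach the function code"))
    if gv.get("unauthenticatedClientAction") == "RedirectToLoginPage":
        findings.append(("info", "unauthenticatedClientAction is RedirectToLoginPage: "
                                 "suits browser clients; API clients usually expect Return401"))

    if not props.get("httpSettings", {}).get("requireHttps"):
        findings.append(("high", "httpSettings.requireHttps is not true: "
                                 "session cookies may be sent over plain HTTP"))

    # An enabled provider with an empty registration exposes a login route that
    # cannot complete; it should be disabled or given a real registration.
    for name, cfg in props.get("identityProviders", {}).items():
        if cfg.get("enabled") and not cfg.get("registration"):
            findings.append(("medium", f"identityProviders.{name} is enabled with an empty "
                                       "registration: disable it or supply a registration"))
    return findings


def harden_auth_settings(template_json):
    """Return template text with every unregistered identity provider disabled.

    Findings that need a design decision (missing resource, auth disabled,
    HTTPS off, redirect vs. 401) are only reported, not changed.
    """
    template = json.loads(template_json)
    props = find_auth_settings(template)
    if props is not None:
        for cfg in props.get("identityProviders", {}).values():
            if cfg.get("enabled") and not cfg.get("registration"):
                cfg["enabled"] = False
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    for severity, message in lint_auth_settings(SAMPLE_TEMPLATE):
        print(f"[{severity}] {message}")
    print(harden_auth_settings(SAMPLE_TEMPLATE))
```

Run against the answer's full template, the linter reports the six enabled-but-unregistered providers at medium severity and the redirect setting as informational; `harden_auth_settings` writes back a copy with those providers set to `"enabled": false` while leaving the Azure AD provider untouched.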