Identity and secure resource access in App Service and Azure Functions : Build 2018


>> Good afternoon. So I'm Matthew Henderson. I'm a program manager on the App Service and Azure Functions team. I specialize in features around identity and secure resource access, which is what we'll talk about today. So let's start by giving a brief overview. Identity is all about making sure you can control who has access to what. This is how you do fine-grained permissions control, how you make sure you know who is accessing what secrets from where. This is how you manage users: who is able to talk to the endpoints your application is exposing. So the way we'll do this is we'll go through and build a quick scenario out. We'll actually start using a user identity. We'll restrict access to an application we're building, and then we'll actually change the way we handle secrets in your application by leveraging an identity of the app itself. Along the way, we'll talk about some of the main issues that people run into, and how you can get around those in terms of main stumbling blocks and troubleshooting. I've got a few slides to go through, but we'll very quickly get straight into demos. That sound good? Cool. So this is an overview of OAuth. We have to keep in mind there's a client. A client is saying they're someone; they're providing an identity. So it's one thing for me to walk up and say, hi, I'm Matthew. I'm the client. The resource is what the client is trying to get to, and the resource has to trust: do you actually believe I'm Matthew? Did I just lie on those slides earlier? No, but the point being that you have two levels of configuration. There's one part where you're actually obtaining the identity and presenting it to the resource, and then checking it and deciding what rules you're enforcing. My application can actually fall into both of those roles. One, I can be a client. I can say, hey, my application needs to go and talk to some resource. More commonly you might see, I have users that need access to my application.
I need to know who they are, be able to work with my data, and make sure that flows through the entire application lifecycle. So we'll start with going with that actual scenario. A lot of these things I'll be walking through apply both to App Service and Azure Functions. So we'll start with Azure Active Directory. That's a pretty good model for doing both directions, and of course we work really well with it in the cloud. One of the nice things about Azure Active Directory is it works on-premises, so we get the hybrid mode. We can make it so our application can easily log users in, see which identity they are, leverage that, and we can also integrate with all sorts of other APIs. We saw things this morning, all sorts of great things coming out that are AAD backed. I promised I'd get into demos quickly. Let's go. So okay, so I'm in the Azure portal and I'm working against a Linux application. This is something we're announcing at Build: our authentication and authorization service is available for App Service. If I go into the portal I see an Authentication / Authorization section. Let me show you what this app is. I've deployed the default template, so this is just a simple app that should respond, so we have an app up and running, and we'll go in, and in Authentication / Authorization we'll turn it on. There are two pieces of config we have to provide. One is: how do I make sure the user is logged in? How do I make sure only logged-in users can get to the app? In this first dropdown we will say the user has to be logged in with Active Directory. If they're not, we'll reject them, and then we'll go into the Active Directory configuration and hit this Express thing. This is one of the easiest ways to get your app up and running with AAD. You can provide advanced configuration, but with Express, we just have a few clicks, so we'll hit OK, and don't forget to hit Save.
I see this all the time. What will happen is we'll go into Active Directory, create the app registration, provide the secrets, and my app will be good to go. So then, if I go ahead and grab the URL for my site, well, we're having portal issues today, folks. There we are. We'll open an InPrivate session so I don't get any SSO, and I'll log into my site. So I'm really going to navigate to the site itself. We protected it. We'll see it will immediately redirect me to the AAD login screen, so all of a sudden nobody can get to that site unless I know who they are. Now, you may not want to actually have it so they're always redirecting. You might have an explicit login button in your app. There's a mechanism for that. There's a set of endpoints once you provide authorization.

I don't know if folks can see that okay. We'll just zoom in on that. So if I go to this endpoint, that will trigger the exact same login flow. We're using the normal browser session, so what should happen is it will automatically log me in and present me with a consent prompt. After I log in with AAD it says this application wants this information, in this case just basic profile. If I did want to go ahead and provide additional things, first off note we have this explicit "login done" thing. So what's happening here is when you're using that direct API, we're basically assuming you're trying to do an API-style flow, so we'll give you a token. In the example earlier where we automatically redirected, I had a session cookie. That allows me to continue working with the site going on. In this case I'd use the token. If I wanted to change what those permissions are in that consent prompt, we have full access to the AAD registration, so we just did everything behind the scenes, but you can go see everything about AAD. We can go into Manage Application here, and we get the full experience you'd normally have as an admin. We can go into the permission set where you go ahead and define things. So if you wanted to add permissions to the Microsoft Graph you'd do it here. If you change the permissions you must re-log in your users, because the tokens will not be valid. You have to get them to go into the login flow. You saw I got navigated right away. We actually flow any parameters that you provide on the request back to AAD. So there's actually a flag in AAD for explicitly showing the consent prompt, and to do that I set a query string parameter: prompt equals consent. So if I run that, we'll get navigated back in through that login flow. It will ask me to sign in, picking an account that's already there; I didn't have to enter my password again, but here's the consent prompt. This is where any changes we made would show up.
So the next thing we want to talk about is: what do we actually do with that identity? So we logged in and secured; we've gotten permissions to do all sorts of fun things. First, there's an endpoint, again under the /.auth prefix. If I go to that endpoint I have to have a token or cookie or something, so that's how we were able to get this information, but this is basically a set of profile information that AAD gave us at initial login time. So we have basic profile information. If I wanted to do more I would need to leverage some tokens. We'll go ahead and grab this token, just for later. So this is the ID token from AAD. So you do not have to call this endpoint in order to get all the profile information. That's not something you want to do; you're doing an HTTP call every time. So we actually flow a lot of that information in as headers on the request. So those will all be prefixed with X-MS-CLIENT or X-MS-TOKEN, as we've got in the comments. The idea is that I can grab the ID token, and then I can go ahead and call AAD. This is using the Active Directory Authentication Library, and I need the token and the client ID and secret that were used for my app registration, but then with those I can say: hey, AAD, give me a token to the Graph on behalf of this user, and then I have permission to do anything the user consented to earlier in their context. So if I update a SharePoint file using this flow, it will show up in SharePoint as edited by this user. But of course they consented to do all that before. Those client ID and secret values are passed in as environment variables, so all the information about the incoming user comes in as headers; all the things that are properties of our application are environment variables. Does that make sense? So I promised we would show some debugging.
One of the biggest things that I see is confusion with audiences and things like that. Typically that happens when you're doing API-style applications, not so much if you're showing content of the web app. I'm going to use Postman, an API client. We'll take the token that I saw earlier, and we're going to pass it in in the Authorization header as a bearer token. This is the way that AAD tends to have tokens passed in, and our platform handles it as well. It's a general spec. I need to grab the URL of the site really quickly, and what we should see is the HTML that we were serving earlier come back in our client. That's coming back, so we're good there.

So now we want to break it. So first let's remove that token. So we're just making a request; we get a 401. That means they're not allowed to access it, so they need to log in somehow. But what if I send the wrong token? So let me show you a quick trick. This is really good if you're ever developing against the Azure Resource Manager: just steal a token from the portal. We're going to open our friendly F12 developer tools, and then I'm going to navigate somewhere that's going to cause an ARM call to be made. So let's say Deployment Options sounds good. So we'll go ahead and click Deployment Options, and what we should see is get SCM info here, and we have the token the portal is sending back to the Azure Resource Manager, so we'll copy that. This should not work, because that was a token meant for the Resource Manager. It was not meant for our application. There's an important part of how we validate tokens and things like that. Generally speaking you want to check the audience: that's who it's for. The issuer: did it actually come from my AAD tenant? The signature, which is basically how the key was signed. And the expiration: is this token still valid? In this case the audience will definitely be wrong even though everything else is probably correct. So we'll paste that in, and we should see again a 401. Right? So we have a good failure case here. The problem is, all we get is a 401, right? How do we know? What if I thought that token was good? How would I figure out what was going on? So you could do things where you go and crack open the token, figure out how it works, but you can also use a property of the authentication/authorization feature, which is we log everything for you, and so we can actually go see what was going on.
This is the first thing you should do if you start seeing an issue with authentication/authorization: just see what the logs are telling you. To do that we'll go into the Diagnostic Logs feature. It actually slightly overlaps with this session, but there's a session all about supportability that is going on this afternoon. So we'll choose the file system logging, verbose. And we'll go ahead and open the log stream. So then if I send a few bad requests we'll get some logs. So this log stream just shows things that are happening while the session is open, and so we've got a couple going here, and we see we received a request. We got that, but then we ended up giving it a 401, and there were some things where we did some login pieces, but we see right away: audience validation failed. The audience is the Azure Resource Manager, but that's not what we expected. The most common issue I see in terms of authentication for users is audience validation issues, so this is the first place to go check, and then you want to go see, when I was getting that token, did I pass in the right value? Things like that. That's user authentication. I want to jump back quickly and start talking about what happens when I want my app to have an identity. We'll talk about managed service identity. It's a new preview feature in Azure applying both to App Service and Functions. I will make the distinction that it is not available in App Service on Linux yet, only on the Windows offerings. We'll go through a Functions example. The idea is my application needs to talk to a bunch of resources, and a lot of the Azure resources can understand AAD identities. The problem is: how do I make sure my app actually has an identity and is able to provide it? If I don't talk to Key Vault, I'm getting secrets out of source control. We never want to check them in or end up in our code, but how do you talk to Key Vault? Do you need a secret to start with?
And then that secret isn't managed, and that sounds bad. That's what managed service identity solves, because the entire idea here is you don't see any credentials during this process. You just are able to start using the identity, getting a token automatically, and the way this works is AAD will go ahead and provision all the credentials for you. We will get them associated with your application and make them available to it, but you only interface with it through a token service we expose, a local endpoint, and when you call that endpoint we take care of all the interesting AAD bits and then give you that token to call the designated resource. So that's MSI in a nutshell. We'll walk through two different flows. One will be: how do I go about doing that in the raw requests? And I'll show you how to use some of the nice SDKs that Key Vault and a couple of others provide. We'll start by going to the function app. For those who aren't familiar, what we'll do is go into Platform Features. That's the same as the left-hand navigation we saw in App Service. I choose Managed Service Identity. We'll take a few clicks here. I'll say that I want it and hit Save. So this is us registering the client. Our application now has an identity, but we want to go talk to Key Vault.

Key Vault doesn't trust that. We need to make sure it knows it's okay for this app to get secrets. To do that, we'll wait for this to save real quick. So again going through all the motions of getting those AAD credentials, putting them in the right place, and so on. Actually it shouldn't matter if we exit delayed, because the action will have completed anyway. We'll go to our friendly Key Vault. You'll note I've actually provisioned this with a secret, but if I look at Secrets I get an error. It's because I haven't given myself permission to see these secrets. You can set it up so your automation generates the secrets but no human has to interact with them unless they're debugging your application with breakpoint debugging. In order to let somebody read the secrets I need to set an access policy. Now we're getting the resource ready to understand our client. So if I go create a new access policy, I'll select the principal; that will be the application I created, so we'll look for the application name and we'll see two entries. One is the actual Linux application we set up earlier; it was a managed service identity. This is the function app we just registered. We'll select that and give it permission to get secrets. Okay? This is another place where I see the portal failing people. You still need to click Save after you've hit that OK button. Otherwise Key Vault won't understand what's going on and it will reject the request. A common error is making sure you have the access policies on the resource set up properly. That will be good to go now. Let's jump over to our function again, and we'll wait for the portal to load here. I'll show you quickly the way that all those calls get put together. At the end of the day it comes down to getting a token (sorry, I know you can't see that in the back), getting a token, then getting a secret and returning that secret. So getting a token is the MSI part. Getting a secret is the Key Vault part. The Key Vault part is straightforward.
We'll make an API call to a Key Vault URL, something I set up with an environment variable. Keep your Key Vaults separate with your environments: for a development environment you have a development Key Vault; for production, you have a production Key Vault. We just give it a secret name as part of the path and then an API version that Key Vault knows, and parse out the result. But we have to attach a token as a bearer token, as we did earlier in Postman. To get that token we actually use two environment variables that MSI provides. We get an endpoint, where locally we should go to request that token, and then a secret, which is used as a header for forgery mitigation, a security practice on our side. If you send that request, specifying a resource, in this case Key Vault, and an API version, which is well known, then you'll get a token back. And at the end of the day all this function does is it takes the input from the request and uses that as the name of the secret in Key Vault. So like I said, I already created a secret in Key Vault. Let's try this out to see if we can fetch that secret. Now, this is a scary key name, because I know some of you are very concerned about Infinity War spoilers, and that happens to be the secret we'll share right now. I'm not actually ruining the movie. In fact all I'm telling you is if it works, and we see the output here. We got an exception. Hey, folks, we get to debug right now. So what could have gone wrong here? We see "one or more errors occurred", "status code not indicating success", "not found". That points to a Functions issue probably, unless I've named the secret wrong, which is very possible. In fact, there we go. So it couldn't find the secret because I spelled it wrong. So we'll try that real quick again.
And we get my opinion that it's a good movie. So we were able to pull a secret from Key Vault, and at no point did we ever see any secrets ourselves. We didn't actually have to; we don't have to rotate anything. Azure takes care of keeping everything rotated and up to date. There are no certificates to manage. This is very, very powerful. That was a little more code than we generally like to see, right? So very quickly I'll show you that there are a couple of SDKs that are very important. There's the Key Vault client, which actually makes it much easier to pull secrets out, and it integrates very well with another library called the Azure Service Token Provider. What's nice about that is it is an abstraction. It uses MSI when in the cloud, but if you're developing locally, it will fall back to using your identity that's logged into Visual Studio, or the Azure CLI, or Windows integrated authentication. That means when you're doing development, we want separate Key Vaults. My development Key Vault, I can have access to it, and so that makes it much, much easier, so I strongly recommend, if you're using .NET, the Azure Service Token Provider; that library is a must-have.

Running short on time. I'm about to run over a little bit. Really quickly let's just see what have we done here. So we learned about authentication just in general, how we can use the App Service authentication feature and how we can leverage the user identity. We had headers available and we can do things on behalf of the user if they want to talk to something like Graph. If something goes wrong, diagnostic logs are probably our best friend there. For managed service identity we got rid of some secrets, and what's nice is we don't have to use Key Vault. That's just one example. Things like SQL know how to deal with Azure AD directly, same with Event Hubs, and a bunch of other resources in Azure will get that over time so you can get rid of secrets entirely. Then of course, use those libraries that I mentioned; that's a huge savings. And when you're dealing with debugging, validate both client and resource. We saw when my demo broke, the fact that okay, there was an error that was coming back, but it was coming from Key Vault because I spelled the key name wrong. So you always want to check both ends, and of course, definitely make sure the access policies are good. So we of course want plenty of evaluations. Please let me know if this is valuable. Catch me afterwards. I'll head over to the Azure Functions booth immediately after that, so I'm glad to take questions there. There are lots of other great sessions in the serverless and app identity space you should check out. Thanks very much for your time, and I really appreciate it, folks. Thanks. [ Applause ]