Azure Functions support for authentication with HTTP trigger running in Kubernetes

12/5/2019

Using the built-in App Service Authentication / Authorization to populate the ClaimsPrincipal when hosting functions in Azure works great and is pretty well documented.

However, trying to accomplish this with a containerized app in Kubernetes is a different story. I can't find any information on how to support authentication in a way that would mimic the behavior of hosting the functions in Azure. I hope this is possible because I would like to use the same functions both on-premises and in Azure.

Is there any information available on how this can be accomplished?

-- Eli Pulsifer
azure-function-app
azure-functions
azure-functions-runtime
kubernetes

1 Answer

12/9/2019

App Service Authentication / Authorization is a feature provided as part of the PaaS offering. The Azure Functions Host, which is open-source, inherits such features when running on Azure PaaS.

But when running on Kubernetes, the way Azure Functions works is different. For one, scaling is taken care of by Kubernetes (and Knative/Osiris/KEDA when set up). The same goes for any external authentication/authorization.

There are a couple of ways you could set this up:

  1. If you are using an ingress controller like nginx, you can pair it with oauth2_proxy for external OAuth authentication. Depending on the ingress controller you are using, it may have built-in support for authentication.

  2. If you are using a service mesh like Istio, you could make use of its end-user authentication policies. Note that this just checks if there is a valid JWT and doesn't redirect users.

    You would have to deploy an EnvoyFilter similar to this one. For an SSO scenario, you might need something like this.

-- PramodValavala-MSFT
Source: StackOverflow