This post is part of an Azure Function Proxies blog series:
- Part 1: Represent heterogenous service operations into a single API
- Part 2: Easily enable hybrid integration
- Part 3: Secure your API
- Part 4: A very light-weight API management
You can leverage the default App Service authentication feature, that forces clients to get authenticated against one of these providers: Azure Active Directory, Facebook, Google, Twitter & Microsoft. This can be done without any code changes. This only covers authentication. When authorization is required, some minimal code changes are needed.
Suggestions for product team
- Common security measures like IP restrictions and configurable rate limits to protect against DoS attacks would be great. There is already a feature request on UserVoice.
- Leveraging the standard Azure Function keys or host keys would be also a simple way to authorize the API endpoint. You can easily setup rotating keys to improve security. Apparently this is on the radar, but no ETA defined yet!