Securing local host using available providers #455

Open
kamil-mrzyglod opened this Issue May 2, 2018 · 5 comments

@kamil-mrzyglod
Contributor

kamil-mrzyglod commented May 2, 2018

Hi,

Before I start, sorry if I duplicated this issue/idea, just couldn't find it within this repo.

Are there any plans to integrate authentication using available providers (like Azure AD, Facebook etc.), so it is possible to secure the host locally? I found it both a little tricky and cumbersome to differentiate local development from the deployed one.

I think it could be a great addition to the toolset, especially as many people are a bit confused when it comes to developing functions locally when authentication is required.

I believe it could be a bit problematic (since, as I understand, security features regarding authentication are underlying App Service responsibilities), but maybe there's a way to ease mocking?

I'd love to see e.g. the following functionality, where we can enable security in local.settings.json:

```json
{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "AzureWebJobsDashboard": "UseDevelopmentStorage=true"
  },
  "Host": {
    "CORS": "*"
  },
  "Security": {
    "Enabled": true
  }
}
```

And then provide a handler by convention using e.g. an interface:

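```csharp
using System.Net.Http;

public interface ISecurityProvider
{
    // Returns true when the incoming HTTP request is authenticated.
    bool IsAuthenticated(HttpRequestMessage request);
}
```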

Which could be applied each time a function is triggered using HttpTrigger.

Regards,
Kamil

EDIT: The idea is described here
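
One possible implementation of the interface proposed in the comment above, as an added example (not code from the issue or from the Functions tooling). The class name, the `LOCAL_DEV_BEARER_TOKEN` variable, the sample token and the localhost URL are assumptions made for illustration.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;

// Interface as proposed in the issue.
public interface ISecurityProvider
{
    bool IsAuthenticated(HttpRequestMessage request);
}

// Hypothetical local-only provider: accepts a bearer token that matches a
// secret read from an environment variable (variable name is an assumption).
public sealed class LocalBearerSecurityProvider : ISecurityProvider
{
    private readonly byte[] _expected;

    public LocalBearerSecurityProvider(string envVar = "LOCAL_DEV_BEARER_TOKEN")
    {
        var secret = Environment.GetEnvironmentVariable(envVar);
        // Fail closed: with no secret configured, no request authenticates.
        _expected = string.IsNullOrEmpty(secret) ? null : Encoding.UTF8.GetBytes(secret);
    }

    public bool IsAuthenticated(HttpRequestMessage request)
    {
        var auth = request?.Headers.Authorization;
        if (_expected == null || auth?.Parameter == null) return false;
        if (!string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase)) return false;

        // Constant-time comparison so timing does not reveal how much of the token matched.
        return CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(auth.Parameter), _expected);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values; a real secret would come from the developer's environment.
        Environment.SetEnvironmentVariable("LOCAL_DEV_BEARER_TOKEN", "constructed-sample-token");
        ISecurityProvider provider = new LocalBearerSecurityProvider();
        var ok = new HttpRequestMessage(HttpMethod.Get, "http://localhost:7071/api/hello");
        ok.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "constructed-sample-token");
        var anonymous = new HttpRequestMessage(HttpMethod.Get, "http://localhost:7071/api/hello");
        Console.WriteLine($"with token: {provider.IsAuthenticated(ok)}");
        Console.WriteLine($"anonymous:  {provider.IsAuthenticated(anonymous)}");
    }
}
```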

@ahmelsayed

Contributor

ahmelsayed commented May 8, 2018

Hi @kamil-mrzyglod, you're correct about Authentication/Authorization being a platform feature provided to function apps just by running on the App Service platform on Azure.

The idea described in the blog post is interesting though. My only concern is that this would have to be a local-development-only feature, as on Azure things would work differently. I'd like to see what others think of this.

/cc @paulbatum @fabiocav @davidebbo @cgillum

@kamil-mrzyglod

Contributor

kamil-mrzyglod commented May 9, 2018

@ahmelsayed Thank you for your response. My idea is to implement it locally only (using e.g. host.json or just passing a flag like other options currently work, for instance local port or HTTPS only).

The main purpose of such a feature is to enable authentication locally using a custom provider, so I don't have to use constructs like #if DEBUG# to differentiate local and cloud development.

@cgillum

cgillum commented May 10, 2018

Regarding this:

> Are there any plans to integrate authentication using available providers(like Azure AD, Facebook etc.), so it is possible to secure host locally?

Yes, this is something we're currently planning. We don't have a concrete timeline for when we'd be able to do it though. The basic idea is that the Functions CLI would host a version of the authentication module that we use in Azure so that you can test and develop locally with auth enabled.

FYI @mattchenderson @ConnorMcMahon

@kamil-mrzyglod

Contributor

kamil-mrzyglod commented May 10, 2018

@cgillum Is there any official workaround to somehow secure local development? While the fact that there are plans to somehow host the authentication module is great information, I find it extremely cumbersome when I have projects in which key-based authorization is not sufficient.

@kamil-mrzyglod

Contributor

kamil-mrzyglod commented Aug 2, 2018

Hi Guys, is there any update on this?
