提高从 Azure 逻辑应用调用自定义 API 的安全性Increase security for calls to custom APIs from Azure Logic Apps

若要提高调用 API 的安全性,可通过 Azure 门户设置 Azure Active Directory (Azure AD) 身份验证,这样便不需要更新代码。To improve security for calls to your APIs, you can set up Azure Active Directory (Azure AD) authentication through the Azure portal so you don't have to update your code. 或者,还可利用 API 代码要求并强制执行身份验证。Or, you can require and enforce authentication through your API's code.

适用于 API 的身份验证选项Authentication options for your API

可通过以下方式提高调用自定义 API 的安全性:You can improve security for calls to your custom API in these ways:

在不更改代码的情况下,验证对 API 的调用Authenticate calls to your API without changing code

下面是此方法的常规步骤:Here are the general steps for this method:

  1. 创建两个 Azure Active Directory (Azure AD) 应用程序标识:一个用于逻辑应用,另一个用于 Web 应用(或 API 应用)。Create two Azure Active Directory (Azure AD) application identities: one for your logic app and one for your web app (or API app).

  2. 要验证对 API 的调用,请对与逻辑应用的 Azure AD 应用程序标识相关联的服务主体使用凭据(客户端 ID 和密码)。To authenticate calls to your API, use the credentials (client ID and secret) for the service principal that's associated with the Azure AD application identity for your logic app.

  3. 在逻辑应用定义中包含此应用程序 ID。Include the application IDs in your logic app definition.

第 1 部分:为逻辑应用创建 Azure AD 应用程序标识Part 1: Create an Azure AD application identity for your logic app

逻辑应用将使用此 Azure AD 应用程序标识根据 Azure AD 进行身份验证。Your logic app uses this Azure AD application identity to authenticate against Azure AD. 只需为目录将此标识设置一次。You only have to set up this identity one time for your directory. 例如,可选择为所有逻辑应用使用相同标识,但也可为每个逻辑应用创建唯一标识。For example, you can choose to use the same identity for all your logic apps, even though you can create unique identities for each logic app. 可以在 Azure 门户中或者使用 PowerShell 设置这些标识。You can set up these identities in the Azure portal or use PowerShell.

在 Azure 门户中为逻辑应用创建应用程序标识Create the application identity for your logic app in the Azure portal

  1. Azure 门户中,选择“Azure Active Directory”。In the Azure portal, choose Azure Active Directory.

  2. 确认所在目录与 Web 应用或 API 应用相同。Confirm that you're in the same directory as your web app or API app.

    提示

    要切换目录,请选择配置文件,然后选择其他目录。To switch directories, choose your profile and select another directory. 还可以选择“概述” > “切换目录” 。Or, choose Overview > Switch directory.

  3. 在目录菜单的“管理”下,选择“应用注册” > “新建应用程序注册” 。On the directory menu, under Manage, choose App registrations > New application registration.

    提示

    默认情况下,应用注册列表显示目录中的所有应用注册。By default, the app registrations list shows all app registrations in your directory. 若要仅查看应用注册,请在搜索框旁选择“我的应用”。To view only your app registrations, next to the search box, select My apps.

    新建应用注册

  4. 为应用程序标识命名,将“应用程序类型”设置为“Web 应用/API”,提供格式化的唯一字符串,作为“登录 URL”的域,然后选择“创建” 。Give your application identity a name, leave Application type set to Web app / API, provide a unique string formatted as a domain for Sign-on URL, and choose Create.

    提供应用程序标识的名称和登录 URL

    你为逻辑应用创建的应用程序标识现在将出现在应用注册列表中。The application identity that you created for your logic app now appears in the app registrations list.

    逻辑应用的应用程序标识

  5. 在应用注册列表中,选择新的应用程序标识。In the app registrations list, select your new application identity. 复制并保存“应用程序 ID”,在第 3 部分中将其用作逻辑应用的“客户端 ID”。Copy and save the Application ID to use as the "client ID" for your logic app in Part 3.

    复制并保存逻辑应用的应用程序 ID

  6. 如果未显示应用程序标识设置,请选择“设置”或“所有设置” 。If your application identity settings aren't visible, choose Settings or All settings.

  7. 在“API 访问”下,选择“密钥” 。Under API Access, choose Keys. 在“说明”下,提供密钥的名称。Under Description, provide a name for your key. 在“过期时间”下,选择密钥的持续时间。Under Expires, select a duration for your key.

    创建的密钥将充当逻辑应用的应用程序标识的“机密”或密码。The key that you're creating acts as the application identity's "secret" or password for your logic app.

    为逻辑应用标识创建密钥

  8. 在工具栏上,选择“保存”。On the toolbar, choose Save. 密钥现在将显示在“值”的下方。Under Value, your key now appears. 务必复制并保存密钥以供后续使用,因为离开“密钥”页面后密钥将隐藏 。Make sure to copy and save your key for later use because the key is hidden when you leave the Keys page.

    在第 3 部分配置逻辑应用时,将此密钥指定为“机密”或密码。When you configure your logic app in Part 3, you specify this key as the "secret" or password.

    复制并保存密钥以供后续使用

在 PowerShell 中为逻辑应用创建应用程序标识Create the application identity for your logic app in PowerShell

备注

本文进行了更新,以便使用新的 Azure PowerShell Az 模块。This article has been updated to use the new Azure PowerShell Az module. 你仍然可以使用 AzureRM 模块,至少在 2020 年 12 月之前,它将继续接收 bug 修补程序。You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. 若要详细了解新的 Az 模块和 AzureRM 兼容性,请参阅新 Azure Powershell Az 模块简介To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. 有关 Az 模块安装说明,请参阅安装 Azure PowerShellFor Az module installation instructions, see Install Azure PowerShell.

可使用 PowerShell 通过 Azure 资源管理器执行此任务。You can perform this task through Azure Resource Manager with PowerShell. 在 PowerShell 中运行以下命令:In PowerShell, run these commands:

  1. Add-AzAccount -Environment AzureChinaCloud

  2. $SecurePassword = Read-Host -AsSecureString

  3. 输入密码,然后按 Enter。Enter a password and press Enter.

  4. New-AzADApplication -DisplayName "MyLogicAppID" -HomePage "http://mydomain.tld" -IdentifierUris "http://mydomain.tld" -Password $SecurePassword

  5. 请务必复制所使用的“租户 ID”(Azure AD 租户的 GUID)、“应用程序 ID”和密码 。Make sure to copy the Tenant ID (GUID for your Azure AD tenant), the Application ID, and the password that you used.

有关详细信息,请了解如何使用 PowerShell 创建服务主体以访问资源For more information, learn how to create a service principal with PowerShell to access resources.

第 2 部分:为 Web 应用或 API 应用创建 Azure AD 应用程序标识Part 2: Create an Azure AD application identity for your web app or API app

如果已部署 Web 应用或 API 应用,则可在 Azure 门户中开启身份验证并创建应用程序标识。If your web app or API app is already deployed, you can turn on authentication and create the application identity in the Azure portal. 否则,可以在使用 Azure 资源管理器模板部署时开启身份验证Otherwise, you can turn on authentication when you deploy with an Azure Resource Manager template.

在 Azure 门户中为已部署的应用创建应用程序标识并开启身份验证Create the application identity and turn on authentication in the Azure portal for deployed apps

  1. Azure 门户中,找到并选择 Web 应用或 API 应用。In the Azure portal, find and select your web app or API app.

  2. 在“设置”下,选择“身份验证/授权”。 Under Settings, choose Authentication/Authorization. 在“应用服务身份验证”下,“开启”身份验证 。Under App Service Authentication, turn authentication On. 在“身份验证提供程序”下,选择“Azure Active Directory” 。Under Authentication Providers, choose Azure Active Directory.

    开启身份验证

  3. 现在为 Web 应用或 API 应用创建应用程序标识,如此处所示。Now create an application identity for your web app or API app as shown here. 在“Azure Active Directory 设置”页面,将“管理模式”设置为“快速” 。On the Azure Active Directory Settings page, set Management mode to Express. 选择“新建 AD 应用”。Choose Create New AD App. 为应用程序标识命名,然后选择“确定”。Give your application identity a name, and choose OK.

    为 Web 应用或 API 应用创建应用程序标识

  4. 在“身份验证/授权”页上,选择“保存”。 On the Authentication / Authorization page, choose Save.

现在必须找到与 Web 应用或 API 应用关联的应用程序标识的客户端 ID 和租户 ID。Now you must find the client ID and tenant ID for the application identity that's associated with your web app or API app. 第 3 部分需使用这些 ID。You use these IDs in Part 3. 因此,请对 Azure 门户继续执行这些步骤。So continue with these steps for the Azure portal.

在 Azure 门户中查找 Web 应用或 API 应用的应用程序标识的客户端 ID 和租户 IDFind application identity's client ID and tenant ID for your web app or API app in the Azure portal

  1. 在“身份验证提供程序”下,选择“Azure Active Directory” 。Under Authentication Providers, choose Azure Active Directory.

    选择“Azure Active Directory”

  2. 在“Azure Active Directory 设置”页面,将“管理模式”设置为“高级” 。On the Azure Active Directory Settings page, set Management mode to Advanced.

  3. 复制“客户端 ID”并保存该 GUID,以便在第 3 部分使用。Copy the Client ID, and save that GUID for use in Part 3.

    提示

    如果“客户端 ID”和“颁发者 URL”未显示,请尝试刷新 Azure 门户,然后重复步骤 1 。If Client ID and Issuer Url don't appear, try refreshing the Azure portal, and repeat Step 1.

  4. 在“颁发者 URL”下,复制并保存 GUID,以便在第 3 部分使用。Under Issuer Url, copy and save just the GUID for Part 3. 如有必要,还可在 Web 应用或 API 应用的部署模板中使用此 GUID。You can also use this GUID in your web app or API app's deployment template, if necessary.

    此 GUID 是你的特定租户的 GUID(“租户 ID”),应显示在此 URL 中:https://sts.chinacloudapi.cn/{GUID}This GUID is your specific tenant's GUID ("tenant ID") and should appear in this URL: https://sts.chinacloudapi.cn/{GUID}

  5. 在不保存更改的情况下,关闭“Azure Active Directory 设置”页面。Without saving your changes, close the Azure Active Directory Settings page.

使用 Azure 资源管理器模板部署时开启身份验证Turn on authentication when you deploy with an Azure Resource Manager template

还需要为 Web 应用或 API 应用创建 Azure AD 应用程序标识,该标识不能与逻辑应用的应用标识相同。You still need to create an Azure AD application identity for your web app or API app that differs from the app identity for your logic app. 若要创建应用程序标识,请在 Azure 门户中按照先前在第 2 部分中的步骤操作。To create the application identity, follow the previous steps in Part 2 for the Azure portal.

也可以按照第 1 部分的步骤操作,但对于“登录 URL”和“应用 ID URI”,请确保使用 Web 应用或 API 应用的实际 https://{URL}You can also follow the steps in Part 1, but make sure to use your web app or API app's actual https://{URL} for Sign-on URL and App ID URI. 执行这些步骤时,请务必保存客户端 ID 和租户 ID,以便在应用的部署模板和第 3 部分使用。From these steps, you have to save both the client ID and tenant ID for use in your app's deployment template and also for Part 3.

备注

为 Web 应用或 API 应用创建 Azure AD 应用程序标识时,必须使用 Azure 门户,而不是 PowerShell。When you create the Azure AD application identity for your web app or API app, you must use the Azure portal, not PowerShell. PowerShell commandlet 没有设置可让用户登录到网站的必需权限。The PowerShell commandlet doesn't set up the required permissions to sign users into a website.

获得客户端 ID 和租户 ID 后,将这些 ID 作为 Web 应用或 API 应用的子资源包含在部署模板中:After you get the client ID and tenant ID, include these IDs as a subresource of your web app or API app in your deployment template:

"resources": [ 
   {
      "apiVersion": "2015-08-01",
      "name": "web",
      "type": "config",
      "dependsOn": ["[concat('Microsoft.Web/sites/','parameters('webAppName'))]"],
      "properties": {
         "siteAuthEnabled": true,
         "siteAuthSettings": {
            "clientId": "<client-ID>",
            "issuer": "https://sts.chinacloudapi.cn/<tenant-ID>/"
         }
      }
   } 
]

若要使用 Azure Active Directory 身份验证自动同时部署空白 Web 应用和逻辑应用,请在此处查看完整模板或单击此处的“部署到 Azure”:To automatically deploy a blank web app and a logic app together with Azure Active Directory authentication, view the complete template here, or click Deploy to Azure here:

“部署到 Azure”Deploy to Azure

第 3 部分:填充逻辑应用中的授权部分Part 3: Populate the Authorization section in your logic app

上面的模板已设置了此授权部分,但如果要直接对逻辑应用进行授权,则必须包括完整的授权部分。The previous template already has this authorization section set up, but if you are directly authoring the logic app, you must include the full authorization section.

在代码视图中打开逻辑应用定义,转到“HTTP”操作定义,找到“授权”部分,然后将这些属性包含在其中 :Open your logic app definition in code view, go to the HTTP action definition, find the Authorization section, and include these properties:

{
   "tenant": "<tenant-ID>",
   "audience": "<client-ID-from-Part-2-web-app-or-API app>", 
   "clientId": "<client-ID-from-Part-1-logic-app>",
   "secret": "<key-from-Part-1-logic-app>", 
   "type": "ActiveDirectoryOAuth"
}
属性Property 必须Required 说明Description
tenanttenant Yes Azure AD 租户的 GUIDThe GUID for the Azure AD tenant
受众audience Yes 想要访问的目标资源的 GUID - Web 应用或 API 应用的应用程序标识中的客户端 IDThe GUID for the target resource that you want to access, which is the client ID from the application identity for your web app or API app
clientIdclientId Yes 请求访问权限的客户端的 GUID - 逻辑应用的应用程序标识中的客户端 IDThe GUID for the client requesting access, which is the client ID from the application identity for your logic app
secretsecret Yes 请求访问令牌的客户端的应用程序标识中的密钥或密码The key or password from the application identity for the client that's requesting the access token
typetype Yes 身份验证类型。The authentication type. 对于 ActiveDirectoryOAuth 身份验证,该值为 ActiveDirectoryOAuthFor ActiveDirectoryOAuth authentication, the value is ActiveDirectoryOAuth.

例如:For example:

{
   "actions": {
      "HTTP": {
         "inputs": {
            "method": "POST",
            "uri": "https://your-api-chinacloudsites.cn/api/your-method",
            "authentication": {
               "tenant": "tenant-ID",
               "audience": "client-ID-from-azure-ad-app-for-web-app-or-api-app",
               "clientId": "client-ID-from-azure-ad-app-for-logic-app",
               "secret": "key-from-azure-ad-app-for-logic-app",
               "type": "ActiveDirectoryOAuth"
            }
         }
      }
   }
}

通过代码保护 API 调用Secure API calls through code

证书身份验证Certificate authentication

若要验证从逻辑应用传入 Web 应用或 API 应用的请求,可以使用客户端证书。To validate the incoming requests from your logic app to your web app or API app, you can use client certificates. 若要设置代码,请了解如何配置 TLS 相互身份验证To set up your code, learn how to configure TLS mutual authentication.

在“授权”部分中包含这些属性:In the Authorization section, include these properties:

{
   "type": "ClientCertificate",
   "password": "<password>",
   "pfx": "<long-pfx-key>"
} 
属性Property 必须Required 说明Description
type Yes 身份验证类型。The authentication type. 对于 TLS/SSL 客户端证书,该值必须为 ClientCertificateFor TLS/SSL client certificates, the value must be ClientCertificate.
password No 用于访问客户端证书(PFX 文件)的密码The password for accessing the client certificate (PFX file)
pfx Yes 客户端证书(PFX 文件)的 base64 编码内容The base64-encoded contents of the client certificate (PFX file)

基本身份验证Basic authentication

若要验证从逻辑应用传入 Web 应用或 API 应用的请求,可以使用基本身份验证,如用户名和密码。To validate incoming requests from your logic app to your web app or API app, you can use basic authentication, such as a username and password. 基本身份验证是一种常用模式,在用来生成你的 Web 应用或 API 应用的任何语言中都可以使用此身份验证。Basic authentication is a common pattern, and you can use this authentication in any language used to build your web app or API app.

在“授权”部分中包含这些属性:In the Authorization section, include these properties:

{
   "type": "Basic",
   "username": "<username>",
   "password": "<password>"
}
属性Property 必须Required 说明Description
typetype Yes 要使用的身份验证类型。The authentication type that you want to use. 对于基本身份验证,该值必须是 BasicFor basic authentication, the value must be Basic.
usernameusername Yes 要用于身份验证的用户名The username that you want to use for authentication
passwordpassword Yes 要用于身份验证的密码The password that you want to use for authentication

利用代码进行 Azure Active Directory 身份验证Azure Active Directory authentication through code

默认情况下,在 Azure 门户中开启的 Azure AD 身份验证不提供细化的授权。By default, the Azure AD authentication that you turn on in the Azure portal doesn't provide fine-grained authorization. 例如,此身份验证将 API 锁定到特定租户,而不是特定用户或应用。For example, this authentication locks your API to just a specific tenant, not to a specific user or app.

若要通过代码限制 API 访问逻辑应用,请提取具有 JSON Web 令牌 (JWT) 的标头。To restrict API access to your logic app through code, extract the header that has the JSON web token (JWT). 检查调用方的标识,并拒绝不匹配的请求。Check the caller's identity, and reject requests that don't match.

后续步骤Next steps