
Is there any point in an Azure Function API Key when the Key is public?


Azure Functions allow API keys to be used as a form of authorization.

API key authorization

By default, an HTTP trigger requires an API key in the HTTP request. So your HTTP request normally looks like the following:

https://<yourapp>.azurewebsites.net/api/<function>?code=<ApiKey>

You can allow anonymous requests, which do not require keys.

In my case the Azure Function is called from a single-page client web application, so the API key is effectively publicly available to anyone who debugs the application.

In this context is there any point in using an API Key?


Solution

  • Still useful against accidental invocation and dumb crawlers. For the latter you should use the key in headers, like so:

    GET /api/get-issues HTTP/1.1
    Host: {funcapp}.azurewebsites.net
    User-Agent: ajax-library-of-the-day
    x-functions-key: rkW0PqT.....zcUBQ==

    Function authorization logic

    You'll need OAuth 2.0 implicit flow if user-agent to backend API authorization is your main concern.

    Can't comment on whether you get billed for those 401 Unauthorized responses. Most probably not; otherwise this would make for a very expensive attack vector, with your subscription on the expensive end.
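An added example, not code from the original question or answer: how a single-page client would build the header-based call the answer recommends, plus a helper that converts a legacy `?code=` URL into that form. The app name, route and key values are constructed placeholders.

```javascript
// Build the request shape shown in the answer: function key in the
// x-functions-key header, never in the query string, and the user's
// OAuth 2.0 access token (if any) in Authorization. Keeping the key out
// of the URL keeps it out of browser history, proxy logs and Referer headers.
function buildFunctionRequest(funcApp, route, functionKey, accessToken) {
  const url = new URL(`https://${funcApp}.azurewebsites.net/api/${route}`);
  if (url.searchParams.has("code")) {
    throw new Error("function key must not be passed in the query string");
  }
  const headers = { "x-functions-key": functionKey };
  if (accessToken) {
    headers["Authorization"] = `Bearer ${accessToken}`;
  }
  return { url: url.toString(), headers };
}

// Rewrite a URL built the default way (?code=<key>) into the header form.
// Other query parameters are preserved; only the key moves.
function moveKeyToHeader(legacyUrl) {
  const url = new URL(legacyUrl);
  const key = url.searchParams.get("code");
  if (!key) throw new Error("no code= parameter in URL");
  url.searchParams.delete("code");
  return { url: url.toString(), headers: { "x-functions-key": key } };
}

// Issue the call. A 401 means the key was rejected (wrong or rotated);
// the client should surface that rather than fall back to ?code=.
async function callFunction(request, fetchImpl = fetch) {
  const resp = await fetchImpl(request.url, { method: "GET", headers: request.headers });
  if (resp.status === 401) throw new Error("function key rejected");
  return resp;
}

// Constructed placeholder values (not a real app or key).
const exampleRequest = buildFunctionRequest(
  "myfuncapp", "get-issues", "rkW0PqT.....zcUBQ==", null
);
```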