Azure Functions - some public and some protected?
I'm using Azure Functions with my app. Most functions need to be protected by the authentication scheme I've set up; however, some functions need to be accessible anonymously.
What I'd like to accomplish with this design is to have my app pass in a refresh_token to the Azure Function which contains the client secret to refresh the token for the user without the end device ever needing to know about the secret key.
Another option I can do is have a separate Azure project with some publicly accessible functions.
Solution 1:[1]
You have 3 options when doing Auth in Azure Functions:
- Use API Keys via the `code` query/header (authLevel setting in function.json) in front of individual Functions.
- Use "Easy Auth" which can put AAD in front of all your Functions
- Do it yourself
I'd recommend just using a JWT library or something similar to do it yourself if you're doing something fancy.
I also recommend not having unauthenticated and authenticated Functions on the same Function App, just create two different Apps. This makes it harder to accidentally have escalation of privilege issues pop up.
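As an added example (not part of the original answer), the script below audits one Function App directory and reports whether it mixes anonymous and key-protected HTTP triggers, based on the `authLevel` value in each `function.json`. The folder layout, the function names and the sample app are constructed for illustration, and treating a missing `authLevel` as `function` is an assumption.

```python
import json
from pathlib import Path

# Assumption: an HTTP trigger with no authLevel is treated as "function".
DEFAULT_AUTH_LEVEL = "function"

def http_auth_levels(app_dir):
    """Map each function folder under app_dir to the authLevel of its HTTP trigger."""
    levels = {}
    for cfg in sorted(Path(app_dir).glob("*/function.json")):
        bindings = json.loads(cfg.read_text()).get("bindings", [])
        for b in bindings:
            if b.get("type", "").lower() == "httptrigger":
                levels[cfg.parent.name] = b.get("authLevel", DEFAULT_AUTH_LEVEL).lower()
    return levels

def audit(app_dir):
    """Return (anonymous, protected, mixed) for one Function App directory."""
    levels = http_auth_levels(app_dir)
    anonymous = sorted(n for n, lvl in levels.items() if lvl == "anonymous")
    protected = sorted(n for n, lvl in levels.items() if lvl != "anonymous")
    return anonymous, protected, bool(anonymous and protected)

def build_sample_app(root):
    """Constructed sample app: two key-protected functions and one anonymous one."""
    sample = {
        "GetProfile": {"authLevel": "function"},
        "UpdateProfile": {},                      # authLevel omitted
        "RefreshToken": {"authLevel": "anonymous"},
    }
    for name, extra in sample.items():
        trigger = {"type": "httpTrigger", "direction": "in", "name": "req", **extra}
        out = {"type": "http", "direction": "out", "name": "res"}
        folder = Path(root) / name
        folder.mkdir(parents=True)
        (folder / "function.json").write_text(json.dumps({"bindings": [trigger, out]}))
    return root

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        anon, prot, mixed = audit(build_sample_app(tmp))
        print("anonymous:", anon)
        print("protected:", prot)
        print("mixed app, consider splitting:", mixed)
```

The audit reads only the `authLevel` setting, so a function it lists as anonymous may still be protected by Easy Auth or by a token check in its own code.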
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Martin Wickman |