How to safely call Azure Function with function level authorization in Xamarin mobile app?

Question

I'm making an iOS/Android app using Xamarin (not Xamarin.Forms, just regular Xamarin). I'm using the shared library set up rather than PCL. I want my app to call an Azure function but I'm unsure of the safest/best way to handle this. I have it set to "Function" for the "Authorization level". The test URL includes the "?code=..." portion in it. I was under the impression that if I put that in my C# code with the "code" value exposed that it was considered a bad idea from a security perspective.

I'm lost as to the safest/best way to deal with this. I've read that setting it in app.config is also a bad idea. I found some references for a web app that suggest using the connection strings that are available in the azure portal, but since this isn't a web app, I'm unsure of how I'd actually retrieve those values in my code (or if that's even possible).

So how would you suggest I handle setting the value for "code" so that I can call my function and avoid a security problem?

UPDATE: Providing more info as per request: I'm using MSAL to authenticate my users with a B2C active directory. I already have that part working and have received a token authenticating the user.

I also just now enabled authentication in my functions.

I was under the impression that to call my function from my mobile client I had to make a new HttpRequestMessage. I'm unsure of then what I'd place in it to pass my token along.

Answer 1

Just to make sure I understand, your concern is about embedding secrets (the ?code=XXX value) in your iOS/Android app, correct? If so, yes, this is generally considered bad security practice. It's best to assume that anyone who can download your app will have the ability to discover these secrets and use them any way they want.

The recommended way to authenticate with a backend service, such as Azure Functions, from a mobile device is to use interactive authentication - i.e. some kind of OAuth flow. You can build it yourself, or you can use the built-in functionality of Azure Functions and Azure App Service to help you (Azure Functions is built on top of App Service). Here is a resource which might be useful:

https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-overview

https://contos.io/working-with-identity-in-an-azure-function-1a981e10b900#.vcjit3ntw

Answer 2

The API Key (code) is indeed not meant to be used by clients you distribute externally, so it shouldn't be used by your mobile app.

The most straight forward option here would be to use the built in App Service Authentication features with Azure Functions and implement an authentication flow in your app, which would allow you to securely authenticate the user.

Sharing more information about your scenario may help identify alternatives.