Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Securely calling a WebSite hosted Web API from an Azure WebJob

Tags:

azure

azure-webjobs

I have a continuously scheduled web job that's monitoring a message queue, pulling messages off and calling a Web API on the peer Web Site to process the messages (in this case using SignalR to send notifications to appropriate users).

What would be the best way in this case to call the web API securely? The API being hosted in the web site is obviously exposed otherwise. Perhaps something using Basic Auth or storing a security token in config and passing it from the job to the web API. Or creating a custom AuthorizeAttribute?

Ant thoughts on securing the Web API call from the WebJob would be much appreciated. The API should only be callable from the WebJob.

UPDATE: Something like this perhaps?

First I declare this class;

public class TokenAuthenticationHeaderValue : AuthenticationHeaderValue
{
    public TokenAuthenticationHeaderValue(string token)
        : base("Token", Convert.ToBase64String(Encoding.UTF8.GetBytes(token)))
    { }
}

Then the caller (the WebJob) uses this class to set an auth header when making the HTTP request;

using (var client = new HttpClient())
{
    client.BaseAddress = new Uri(/* something */);
    client.DefaultRequestHeaders.Accept.Clear();
    client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
    client.DefaultRequestHeaders.Authorization = new TokenAuthenticationHeaderValue("TOKEN FROM CONFIG"); 
    // ....

Over in the Web API we check the request looking for the expected token in the auth header, currently the code is pretty ugly but this could be put into a custom attribute;

public HttpResponseMessage Post([FromBody]TheThing message)
{
    var authenticationHeader = Request.Headers.Authorization;
    var token = Encoding.UTF8.GetString(Convert.FromBase64String(authenticationHeader.Parameter));
    if (authenticationHeader.Scheme != "Token" || token != "TOKEN FROM CONFIG")
    {
        return Request.CreateErrorResponse(HttpStatusCode.Unauthorized, "No, no, no. That's naughty!");
    }
    // All OK, carry on.

So this way the WebJob calls the Web API on the peer web site and security is achieved by passing a token that is securely held in the Azure configuration, both the Site and Job have access to this token.

Any better ideas?

like image 692
Stuart Hallows Avatar asked May 06 '14 10:05

Stuart Hallows

1 Answers

Sounds like Basic Authentication would be fine for your scenario.

Great tutorial here: Basic Authentication

like image 57
Brendan Green Avatar answered Oct 11 '22 15:10

Brendan Green
Sign in to Comment

Related questions

Why am I unable to add a depends_on block to a module with provider configuration?
What happens to Azure diagnostic information when a role stops?
backup/snapshot a vm image (vhd) in windows azure
How to detect if the environment is staging or production in azure hosted service worker role?
Visual Studio 2010 hangs on "Configure Remote Desktop Connections" for Windows Azure
Windows Azure sdk 1.7, CloudTableClient missing GetTableReference function
Getting Azure InstanceInput endpoint port
Azure ConstraintRules not working
Azure - deploying from Bitbucket
Failure writing to log file with RavenDB Embedded on Windows Azure
Swapping Azure Staging/Production environments with a SignalR Hub
Azure Storage browsing client software options [closed]
Authenticated push notifications without publishing the App to the Windows Phone Store
CloudConfigurationManager.GetSetting returns null while RoleEnvironment.GetConfigurationSettingValue works as expected
Azure Cmdlets: String was not recognized as a valid Boolean
How to find the Name servers for my azure website?
Azure Service Bus: What's a 'request' and a 'message'?
Azure - Credit spread across multiple subscriptions

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!