
26/03/2022

How to build subscription based security around Azure functions

Working in a company which deals with hundreds of client Azure tenants showed me how different it is from working on your own tenant.

Recently I worked on a subscription-based service and I want to show you how to build the security walls around your Azure Functions.

Here is an example of a subscription service which caters differently for each client based on their type of subscription: Free, Paid or Premium.


Step 1: Let's start by creating a simple Azure Functions project in Visual Studio. For the purposes of our example I created two functions, one handling the GET method and one handling the POST method.


Publish the function project to the Azure tenant, then run and test it.





Step 2:
Now let's implement OAuth on top of this Function App. Go to the Function App, open Authentication, add an identity provider, pick Microsoft (the Microsoft identity platform) and let it create an App Registration. Note the client ID of that App Registration: tokens presented to the functions must be issued for it, which is what the "allowed token audiences" setting enforces.


Now there is an OAuth layer, and the functions will not respond without an OAuth token.
Instead they respond with 401 Unauthorized: "You do not have permission to view this directory or page."

Now let's get that OAuth token from the tenant's token endpoint using a Postman request.

Now let's fire the function request with that token in the Authorization header as a Bearer token.

OK, with OAuth in place we have one layer of protection. But this doesn't differentiate Free, Paid or Premium clients: once they hold an OAuth token they all get the same access to the Azure Functions.

Step 3: Now it's time to build the subscription-based security layer around the OAuth-enabled Azure Functions. This is what it looks like by the end of our configuration.


Let's start by creating an Azure API Management service. Provisioning it takes more than 10 minutes.

Once it is created, go to APIs, create a new one selecting the Function App template, and choose the functions exposed over that API. I created 3 APIs: one for Free with just GetFunction(), one for Paid with POSTMethod(), and one for Premium with all functions. Importing the Function App this way stores a function key in API Management so the gateway can call the backend, but the Function App's own URL stays publicly reachable; if clients must go through the gateway, restrict inbound access on the Function App to the API Management instance (Networking > Access restrictions, or VNet integration), otherwise a client holding only an OAuth token can skip the subscription layer.


Now let's test the Premium API with OAuth authorization and see the result.

Result:


Step 4: Creating API Management subscriptions for each client with a defined API scope is a best practice. So let's start creating the subscription keys for each client and select the API they paid for.


Each subscription has a primary and a secondary key (so one key can be regenerated while the other stays in use). We send clients their subscription keys, and from now on they need both an OAuth token and their own subscription key to reach the Azure Functions through the gateway.

Now when we make a request to the API with only the OAuth token, the gateway clearly says it needs the subscription key ("Access denied due to missing subscription key.").


Now let's try with both the OAuth token and the subscription key; the request goes through successfully.
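To make the two layers from Steps 2 to 4 concrete, here is an added example (not code from the original post) that models the decision a request goes through: API Management first checks the Ocp-Apim-Subscription-Key against the API it was issued for, then App Service Authentication checks the bearer token's issuer, audience and expiry. It also shows the shape of the client-credentials request Postman sends to obtain the token. The tenant ID, client ID, subscription key values and operation paths are assumed sample values, and the JWT is constructed locally and unsigned because the signature is verified by the platform against Entra ID's signing keys, which is not modelled here.

```python
import base64
import json
import time

# Assumed values for this example (not from the original post).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
APP_CLIENT_ID = "66666666-7777-8888-9999-000000000000"   # Step 2 app registration
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
# "Allowed token audiences" on the Function App: the client ID and its
# application ID URI (the audience a token for scope api://<id>/.default carries).
ALLOWED_AUDIENCES = {APP_CLIENT_ID, f"api://{APP_CLIENT_ID}"}

# The three APIM APIs from Step 3 and the function operations each exposes.
API_OPERATIONS = {
    "free": {("GET", "/GetFunction")},
    "paid": {("POST", "/POSTMethod")},
    "premium": {("GET", "/GetFunction"), ("POST", "/POSTMethod")},
}
# Step 4 subscription keys (primary and secondary) -> API they were issued for.
SUBSCRIPTION_KEYS = {
    "free-primary-0001": "free", "free-secondary-0001": "free",
    "paid-primary-0002": "paid", "paid-secondary-0002": "paid",
    "premium-primary-0003": "premium", "premium-secondary-0003": "premium",
}


def token_request(client_id: str, client_secret: str):
    """The client-credentials request behind the Postman call in Step 2.
    POST `form` (x-www-form-urlencoded) to `url`; the JSON reply's
    access_token goes into the Authorization header as a Bearer token."""
    url = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"api://{APP_CLIENT_ID}/.default",
    }
    return url, form


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Constructed, unsigned (alg=none) JWT for local testing only; real
    tokens are RS256-signed by Entra ID and verified against its JWKS."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def check_token(auth_header, now=None):
    """The claim checks App Service Authentication applies to a bearer token:
    issuer, audience and expiry. Returns (ok, reason)."""
    now = time.time() if now is None else now
    if not auth_header or not auth_header.startswith("Bearer "):
        return False, "missing bearer token"
    parts = auth_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return False, "malformed token"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if claims.get("aud") not in ALLOWED_AUDIENCES:
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def gateway(method: str, path: str, headers: dict, now=None):
    """Decide a request the way the gateway (subscription key) and then the
    Function App (bearer token) do. Returns (status, message)."""
    key = headers.get("Ocp-Apim-Subscription-Key")
    if key is None:
        return 401, "Access denied due to missing subscription key."
    api = SUBSCRIPTION_KEYS.get(key)
    # A key for the Free API cannot reach POSTMethod: wrong product, same 401.
    if api is None or (method, path) not in API_OPERATIONS[api]:
        return 401, "Access denied due to invalid subscription key."
    ok, reason = check_token(headers.get("Authorization"), now)
    if not ok:
        return 401, f"You do not have permission to view this directory or page. ({reason})"
    return 200, f"{api} subscription reached {method} {path}"


if __name__ == "__main__":
    now = time.time()
    tok = "Bearer " + make_token({"iss": ISSUER, "aud": f"api://{APP_CLIENT_ID}", "exp": now + 3600})
    print(gateway("GET", "/GetFunction", {"Authorization": tok}))                       # 401, missing key
    print(gateway("GET", "/GetFunction", {"Ocp-Apim-Subscription-Key": "free-primary-0001"}))  # 401, no token
    print(gateway("POST", "/POSTMethod", {"Authorization": tok, "Ocp-Apim-Subscription-Key": "free-primary-0001"}))
    print(gateway("POST", "/POSTMethod", {"Authorization": tok, "Ocp-Apim-Subscription-Key": "premium-primary-0003"}))
```

The order of the checks matters for what a client sees: a request with a valid token but no key is rejected by the gateway before the token is ever examined, which is exactly the behaviour shown in Step 4, and a Free key presented against POSTMethod is refused as an invalid subscription rather than as a missing permission.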


The objective of providing access to Azure Functions based on subscriptions was achieved.
