Question 103146 in Azure Question posted in
The official documentation to get you started can be found here.

When creating an Azure function using a Http trigger to listen for webhooks, which Authorization level should I use?

What authorization level do I need for an Azure function that listens for webhooks?

Reading through the MS documentation I’m a little confused on wether or not I need to define an Authorization level other than Anonymous?

I see there is (admin, anonymous, function, system, user).

My Http trigger is going to read webhooks coming in from Stripe.com.

Here is my trigger:

public async Task<IActionResult> Run(
[HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req, ILogger log)
{
     var json = await new StreamReader(req.Body).ReadToEndAsync();
     var platformWebhookSecret = Environment.GetEnvironmentVariable("PlatformWebhookSecret");
     Event stripeEvent = EventUtility.ConstructEvent(json, req.Headers["Stripe-Signature"], platformWebhookSecret);
     // perform work...
}
Tags:

3

Answers


  1. 0

    As you can see you can use the below 3 Authorization levels while creating a azure function:

    enter image description here

    I have followed Microsoft_document and it says,

    Function is used when we want to give access to only that specific function not the entire application and it requires Function API key
    Anonymous requires no access keys

    System is used by Azure Functions Internally(backend), It is not for writing/developing azure functions.
    Whereas User is used when you want to give specific access to a particular user to the particular application. We need to give User Specific API key.

    I’m a little confused on wether or not I need to define an Authorization level other than Anonymous?

    I would suggest you to use Anonymous as you are using webhooks (requests may come from third party too) otherwise you can also use Functions and if you are using that you need to give Function API key.

    Login or Signup to reply.
  2. 0

    According to the Stripe docs you need an anonymous endpoint for the webhook:

    A webhook is an endpoint on your server that receives requests from Stripe, notifying you about events that happen on your account such as a customer disputing a charge or a successful recurring payment. Add a new endpoint to your server and make sure it’s publicly accessible so we can send unauthenticated POST requests.

    That means you only need to use AuthorizationLevel.Anonymous for your function.

    Do mind that this allows others to send requests to your function, they might even mimic real Stripe events so be sure to defend against that by validating the request data against Stripe:

    Stripe can optionally sign the webhook events it sends to your endpoints by including a signature in each event’s Stripe-Signature header. This allows you to verify that the events were sent by Stripe, not by a third party.

    Login or Signup to reply.
  3. 0

    Using Anonymous level will let anyone who knows url to your function call it with whatever data they please. Now, you can prevent this exact scenario by asking Stripe to sign its requests which you can validate for integrity.

    Having function level authentication level will add an extra layer of security and let only Stripe call your functions. One downside is that any time you regenerate your function key, you will need to update it in your Stripe configuration too.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search