Azure PaaS Blog articles

https://techcommunity.microsoft.com/t5/azure-paas-blog/bg-p/AzurePaaSBlog

Communication between APIM and function App as backend

Background introduction

When a Function App is added as an API in APIM, there are some authorization details we need to consider while communicating from APIM to the backend function app.

Regardless of the authorization level (function or anonymous) configured on the Function App, APIM will always attach a function host key to the request. The host key is attached to the request as a header. However, we may experience unauthorized errors even though the function host key is present in the request header.

This article analyzes one of those scenarios, in which communication between APIM and the backend Function App fails with unauthorized errors.

Scenario

A request goes through APIM to the backend Function App, and we get a 401 Unauthorized error.

Note: In APIM, "Subscription required" is disabled, and the function auth level is set to function.

Sending the request from the APIM test console returns the error.

The same error occurs if we send the request from Postman.

We then collect an APIM inspector trace to confirm whether the host key is attached to the request.

Checking the trace, we can confirm the host key is attached to the request as a header. However, it fails with a 401 error.

If we check the function host keys, we see that the host key attached to the request matches the apim-didieroc-apim-training host key value. So why is the request failing even though the host key is the correct one?

Go to your APIM backends and select the backend object created for the imported Function App.

Then, inside the backend object, select Authorization credentials, then select Headers. Note that the header that references the function host key, stored in a Named value, has the name x-functions-keys.

The Function App import process in APIM creates that header automatically, with the header name x-functions-key. If that header name is changed, the request will fail even though it carries the correct host key, because the Function App does not recognize any header name other than x-functions-key.

Resolution:

Update the header name to x-functions-key, then save the changes.

Testing after changes

Send the request again; this time it should succeed.

You can also double-check that the correct header name is present in the APIM inspector trace.
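
The misnamed header found above can be caught before a request ever fails by linting the backend definitions. The following Python check is an added example, not code from the original article; it assumes backends exported as ARM-style JSON with headers under properties.credentials.header, and the backend names, URLs, named value and 0.8 similarity threshold are constructed for illustration.

```python
import difflib
import json

EXPECTED = "x-functions-key"  # header name the Function App recognizes (per the article)

# Constructed sample data: APIM backend resources in the assumed ARM JSON shape,
# where properties.credentials.header maps a header name to a list of values.
SAMPLE_BACKENDS = json.loads("""
[
  {"name": "func-backend-broken",
   "properties": {"url": "https://example-func.azurewebsites.net/api",
     "credentials": {"header": {"x-functions-keys": ["{{example-func-key}}"]}}}},
  {"name": "func-backend-ok",
   "properties": {"url": "https://example-func.azurewebsites.net/api",
     "credentials": {"header": {"X-Functions-Key": ["{{example-func-key}}"]}}}},
  {"name": "plain-backend",
   "properties": {"url": "https://example.org/api"}}
]
""")


def check_backend(backend, threshold=0.8):
    """Return findings for one backend; an empty list means nothing to fix."""
    props = backend.get("properties") or {}
    headers = (props.get("credentials") or {}).get("header") or {}
    names = [name.strip() for name in headers]
    # HTTP header names are case-insensitive, so compare lower-cased.
    if any(name.lower() == EXPECTED for name in names):
        return []
    findings = []
    for name in names:
        # Near-miss names (extra "s", dropped letter) score close to 1.0.
        score = difflib.SequenceMatcher(None, name.lower(), EXPECTED).ratio()
        if score >= threshold:
            findings.append(f"{backend.get('name')}: header '{name}' is not "
                            f"'{EXPECTED}'; the Function App will not recognize it")
    return findings


def check_all(backends):
    """Check every backend and return the combined list of findings."""
    return [finding for b in backends for finding in check_backend(b)]


if __name__ == "__main__":
    for line in check_all(SAMPLE_BACKENDS):
        print(line)
```

Backends with no credentials, or with unrelated headers, produce no findings, so the check can run over every backend in an APIM instance.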
