Communication between APIM and function App as backend
Background introduction
When a Function App is added as an API in APIM, there are some authorization details we need to consider while communicating from APIM to the backend function app.
Regardless of the authorization level (function or anonymous) configured on the function app, APIM always attaches a function host key to the request. The host key is sent as a request header. However, we may still experience unauthorized errors even though the function host key is present in the request header.
This article analyzes one such scenario, in which communication between APIM and the backend function app fails with unauthorized errors.
Scenario
A request goes through APIM to the backend function app, and we get a 401 Unauthorized error.
Note: APIM Subscription required is disabled and function auth level is set to function.
Sending the request from the APIM test console.
The same error occurs if we send the request from Postman.
We proceed to collect an APIM inspector trace to confirm whether the host key is attached to the request.
Checking the trace, we can confirm that the host key is attached to the request as a header. However, it fails with a 401 error.
If we check the function host keys, we note that the host key attached to the request matches the apim-didieroc-apim-training host key value. So why is the request failing even though the host key is the correct one?
Go to your APIM backends and select the backend object created for the imported function app.
Then, inside the backend object, select Authorization credentials, then select Headers. Note that the header that references the function host key stored in a Named value has the name x-functions-keys.
The function app import process in APIM creates that header automatically, with the header name x-functions-key. If that header name is changed, the request still reaches the backend function app with the correct host key, but the function app does not recognize any header name other than x-functions-key.
Resolution:
Update the header name, setting it to x-functions-key, then save the changes.
Testing after changes
Sending the request again, this time it should succeed.
You can also check the APIM inspector trace to confirm that the correct header name is present.
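To catch the same misconfiguration without opening each backend in the portal, the check can be run over exported backend definitions. The following is an added example, not part of the original article or of any Microsoft tooling: it assumes backends in the ARM resource shape (properties.credentials.header mapping a header name to a list of values), treats any backend whose resourceId sits under Microsoft.Web/sites as a function app, and uses constructed sample data with placeholder names.

```python
import difflib

EXPECTED = "x-functions-key"  # header name the function app recognizes for keys

# Constructed sample backends in the ARM "backend" resource shape.
# Names, ids and named-value references are placeholders.
RID = "https://management.azure.com/subscriptions/SUB/resourceGroups/RG/providers/Microsoft.Web/sites/"
SAMPLE_BACKENDS = [
    {"name": "func-a", "properties": {
        "resourceId": RID + "func-a",
        "credentials": {"header": {"x-functions-keys": ["{{func-a-key}}"]}}}},
    {"name": "func-b", "properties": {
        "resourceId": RID + "func-b",
        "credentials": {"header": {"X-Functions-Key": ["{{func-b-key}}"]}}}},
    {"name": "func-c", "properties": {
        "resourceId": RID + "func-c",
        "credentials": {"header": {}}}},
    {"name": "plain-http", "properties": {"url": "https://example.invalid/api"}},
]


def audit_backend(backend):
    """Return a finding for a function app backend, or None if not applicable."""
    props = backend.get("properties") or {}
    # Assumption: a resourceId under Microsoft.Web/sites marks an imported function app.
    if "/providers/microsoft.web/sites/" not in (props.get("resourceId") or "").lower():
        return None
    headers = (props.get("credentials") or {}).get("header") or {}
    # HTTP header names are case-insensitive, so compare in lower case.
    lowered = {name.lower(): values for name, values in headers.items()}
    if EXPECTED in lowered:
        return "ok" if any(lowered[EXPECTED]) else "empty-value"
    # A near miss (an extra or missing character) is the failure mode described above.
    near = difflib.get_close_matches(EXPECTED, list(lowered), n=1, cutoff=0.8)
    return f"misnamed:{near[0]}" if near else "missing"


def audit(backends):
    """Map backend name -> finding, skipping backends that are not function apps."""
    findings = {}
    for backend in backends:
        result = audit_backend(backend)
        if result is not None:
            findings[backend.get("name", "<unnamed>")] = result
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_BACKENDS).items():
        print(f"{name}: {finding}")
```

Any finding other than ok points to a backend that will return 401 for function-level endpoints even though the key value itself is correct.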