
How to secure swagger ui page ? #667

Open

imhdev opened this issue Sep 29, 2024 · 1 comment

Comments

imhdev commented Sep 29, 2024

In an out-of-proc Azure Function app, I was able to secure the Swagger endpoints following the sample examples. Is there a way to secure the Swagger UI page (/swagger/ui) itself using the OpenAPI extension?

@morten-b commented

You can implement IOpenApiHttpTriggerAuthorization, but you need to figure out which way you want it to be implemented yourself, depending on the use case.

I've created functionality so that it looks up its own function app's app key. Remember to provide the needed role for the function app to access its own key, if doing the same thing.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.AppService;
using Microsoft.Azure.WebJobs.Extensions.OpenApi.Core.Abstractions;
using Microsoft.Azure.WebJobs.Extensions.OpenApi.Core.Configurations;

public class MyOpenApiHttpTriggerAuthorization : IOpenApiHttpTriggerAuthorization
{
    public async Task<OpenApiAuthorizationResult> AuthorizeAsync(IHttpRequestDataObject req)
    {
        // Identity of this function app, supplied through app settings.
        var subscriptionId = Environment.GetEnvironmentVariable("SubscriptionId");
        var resourceGroupName = Environment.GetEnvironmentVariable("FunctionAppRg");
        var functionAppName = Environment.GetEnvironmentVariable("FunctionAppName");

        // Managed identity in Azure (developer credentials locally); the identity
        // needs a role that allows it to list the app's own host keys.
        var credential = new DefaultAzureCredential();
        var armClient = new ArmClient(credential);

        var resourceIdentifier = new ResourceIdentifier(
            $"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{functionAppName}");
        var functionApp = armClient.GetWebSiteResource(resourceIdentifier);

        // Fetch the app's "default" function key through ARM on every request.
        var keys = await functionApp.GetHostKeysAsync();
        var code = req.Query["code"].FirstOrDefault();

        // Deny when no "default" key is provisioned, no code was supplied,
        // or the supplied code does not match.
        if (!keys.Value.FunctionKeys.TryGetValue("default", out var expected)
            || string.IsNullOrEmpty(code)
            || expected != code)
        {
            return new OpenApiAuthorizationResult
            {
                StatusCode = HttpStatusCode.Unauthorized,
                ContentType = "text/plain",
                Payload = "Unauthorized",
            };
        }

        // A null result tells the extension the request is authorised.
        return null;
    }
}
```
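A lighter variant of the same IOpenApiHttpTriggerAuthorization hook, added here as an example and not part of the comment above or the extension's own code: instead of calling ARM for the host keys, it checks a dedicated secret from an app setting (the setting name "SwaggerUiKey" is an assumption), accepts the key from either the x-functions-key header or the code query parameter, fails closed when nothing is configured, and compares in constant time.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Azure.WebJobs.Extensions.OpenApi.Core.Abstractions;
using Microsoft.Azure.WebJobs.Extensions.OpenApi.Core.Configurations;

// Added example: guards the Swagger UI with a secret stored in app settings,
// so no ARM round trip or extra RBAC role is needed and the docs can be
// unlocked independently of the Function App's host keys.
public class AppSettingOpenApiHttpTriggerAuthorization : IOpenApiHttpTriggerAuthorization
{
    private const string SettingName = "SwaggerUiKey"; // assumed setting name

    public Task<OpenApiAuthorizationResult> AuthorizeAsync(IHttpRequestDataObject req)
    {
        var expected = Environment.GetEnvironmentVariable(SettingName);

        // Fail closed: with no key configured the page stays locked.
        if (string.IsNullOrEmpty(expected))
        {
            return Task.FromResult(Deny());
        }

        // Accept the key the way Functions does: header first, then ?code=.
        var supplied = req.Headers["x-functions-key"].FirstOrDefault()
                       ?? req.Query["code"].FirstOrDefault();
        if (string.IsNullOrEmpty(supplied))
        {
            return Task.FromResult(Deny());
        }

        // Constant-time comparison; a length mismatch simply returns false.
        var match = CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(supplied));

        // Per the extension's contract, a null result means "authorised".
        return Task.FromResult(match ? null : Deny());
    }

    private static OpenApiAuthorizationResult Deny() => new OpenApiAuthorizationResult
    {
        StatusCode = HttpStatusCode.Unauthorized,
        ContentType = "text/plain",
        Payload = "Unauthorized",
    };
}
```

Register it the same way as any other IOpenApiHttpTriggerAuthorization implementation; store the setting as a Key Vault reference rather than a plain value if the app already uses Key Vault.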
