且构网


Authenticating a user to use an Azure Function when the user is already authenticated in a web application

Updated: 2022-04-27 23:28:18


I can think of three different approaches that would work.

Use a bearer token.

Create two separate application registrations, one for the web application and one for the function application. Set up the Authentication/Authorization feature for the respective applications, with both configured to require AAD access. Give the web application's AAD app registration permission to access the function application's AAD app registration.


To make sure that the access token of your web application is a JWT that can be used to contact your function application, you need to add additional login parameters to your web application. To do this, follow the instructions here, but instead set additionalLoginParams to resource=<your-function-app-registration-client-id>.


When a user makes an authenticated request to the web app, a header should be populated called X-MS-TOKEN-AAD-ACCESS-TOKEN which should be an access token with an audience of your Function application's app registration. This can then be used as a bearer token to the Function application API calls, which should satisfy the authentication/authorization requirements of the function application.

Use the on-behalf-of flow.

Create two separate application registrations, one for the web application and one for the function application. Set up the Authentication/Authorization feature for the respective applications, with both configured to require AAD access. Give the web application's AAD app registration permission to access the function application's AAD app registration.


Then, follow the on-behalf-of flow so that the web application can get an access token for an authenticated user for the function application. There are several libraries that help with this flow. See ADAL if your app registrations are AAD V1 apps, or MSAL if your app registrations are AAD V2 apps.

Use the client-directed flow (X-ZUMO-AUTH).

Create two separate application registrations, one for the web application and one for the function application. Set up the Authentication/Authorization feature for the respective applications, with both configured to require AAD access. Give the web application's AAD app registration permission to access the function application's AAD app registration.


To make sure that the access token of your web application can be used to authenticate against your function application, you need to add additional login parameters to your web application. To do this, follow the instructions here, but instead set additionalLoginParams to resource=<your-function-app-registration-client-id>.


When a user makes an authenticated request to the web app, a header should be populated called X-MS-TOKEN-AAD-ACCESS-TOKEN which should be an access token with an audience of your Function application's app registration, along with an id token in the header X-MS-TOKEN-AAD-ID-TOKEN. Make a POST request to https://.azurewebsites.net/.auth/login/aad with the payload
{"id_token": <id-token>, "access_token": <access-token>}. This will return a session token, that you can attach as an X-ZUMO-AUTH header to authenticate requests.


NOTE: The claims in this option will be the claims of the authentication token, which are not the claims of the identity provider like in the first two options. To get the same claims as the other options, set the application setting WEBSITE_AUTH_ZUMO_USE_TOKEN_STORE_CLAIMS to true.
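The web-app side of approaches 1 and 3 above, as an added example that is not part of the original answer. It assumes App Service Authentication is enabled on both apps and that `FUNCTION_APP_CLIENT_ID` (a placeholder value here) is the function app's app-registration client id. It makes no network calls: it reads the `X-MS-TOKEN-AAD-*` headers Easy Auth populates, checks that the access token's audience really is the function app (the failure mode when `additionalLoginParams` is not set to `resource=<function-app-client-id>`) and that it has not expired, and then shapes the outbound `Authorization: Bearer` header, the `/.auth/login/aad` body and the `X-ZUMO-AUTH` header. The `authenticationToken` field name in the login response and the `make_test_token` helper (an unsigned test token) are assumptions made for this example.

```python
"""Web-app side helpers for the bearer-token and X-ZUMO-AUTH approaches.

Added example, not code from the original answer. Easy Auth on the
function app validates real signatures; the web app only inspects claims
so a misconfigured resource= parameter fails here instead of as a 401
downstream.
"""
import base64
import json
import time
from typing import Optional

# Assumed placeholder: client id of the function app's AAD app registration.
FUNCTION_APP_CLIENT_ID = "11111111-2222-3333-4444-555555555555"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Read the payload of a compact JWT without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def headers_for_function_app(request_headers: dict, now: Optional[float] = None) -> dict:
    """Approach 1: forward the inbound Easy Auth access token as a bearer token,
    after checking it was actually issued for the function app."""
    token = request_headers.get("X-MS-TOKEN-AAD-ACCESS-TOKEN")
    if not token:
        raise PermissionError("no X-MS-TOKEN-AAD-ACCESS-TOKEN header; request was "
                              "not authenticated by App Service Authentication")
    claims = decode_jwt_claims(token)
    aud = claims.get("aud")
    # The audience may be the client id or the api:// App ID URI. Anything else
    # means additionalLoginParams resource=... does not point at the function app.
    if aud not in (FUNCTION_APP_CLIENT_ID, "api://" + FUNCTION_APP_CLIENT_ID):
        raise ValueError("access token audience %r is not the function app" % (aud,))
    now = time.time() if now is None else now
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("access token expired; call /.auth/refresh on the web app and retry")
    return {"Authorization": "Bearer " + token}


def zumo_login_body(request_headers: dict) -> dict:
    """Approach 3: body for POST https://<function-app>.azurewebsites.net/.auth/login/aad."""
    id_token = request_headers.get("X-MS-TOKEN-AAD-ID-TOKEN")
    access_token = request_headers.get("X-MS-TOKEN-AAD-ACCESS-TOKEN")
    if not (id_token and access_token):
        raise PermissionError("both X-MS-TOKEN-AAD-ID-TOKEN and "
                              "X-MS-TOKEN-AAD-ACCESS-TOKEN are required")
    return {"id_token": id_token, "access_token": access_token}


def zumo_auth_header(login_response: dict) -> dict:
    """Approach 3: the session token is returned as 'authenticationToken'
    (assumed response field) and is sent on later calls as X-ZUMO-AUTH."""
    return {"X-ZUMO-AUTH": login_response["authenticationToken"]}


def make_test_token(claims: dict) -> str:
    """Constructed, unsigned (alg=none) token for exercising the checks offline.
    Test data only: a real function app must never accept alg=none."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + "."


if __name__ == "__main__":
    # Constructed inbound request, shaped as Easy Auth would populate it.
    inbound = {
        "X-MS-TOKEN-AAD-ACCESS-TOKEN": make_test_token(
            {"aud": FUNCTION_APP_CLIENT_ID, "exp": 4102444800, "oid": "user-oid"}),
        "X-MS-TOKEN-AAD-ID-TOKEN": make_test_token(
            {"aud": "web-app-client-id", "exp": 4102444800}),
    }
    print(headers_for_function_app(inbound))
    print(zumo_login_body(inbound))
    print(zumo_auth_header({"authenticationToken": "session-token",
                            "user": {"userId": "sid:abc"}}))
```

For approach 2 the web app would instead pass the inbound access token as the user assertion to MSAL's `ConfidentialClientApplication.acquire_token_on_behalf_of` and forward the token it returns; the audience and expiry checks above apply to that token in the same way.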