2 Create an Azure Function App with Authentication Authorization - adamhockemeyer/Azure-Functions---CosmosDB-ResourceToken-Broker GitHub Wiki

Creating an Azure Function App

Now that we have our Cosmos DB account created, we need to create a backend to serve up the resource token for the authenticated user.

Two of the simpler options are creating an App Service or creating a Functions App. Both are great options. However, since the resource token can have a validity period of up to 5 hours, and most if not all other data access calls will go directly to Cosmos DB (thanks, Resource Token!), we really just need something small and lightweight to serve up the resource token. An Azure Function App will work perfectly for this, since it can be billed on a consumption plan, meaning that if it isn't getting hit, you aren't paying for it, and it can easily scale without us needing to do anything (you want to handle your app showing up on Shark Tank, right?).

Create a Function App


Head back to your Azure Portal if you aren't still there, click "+ Add", search for "Function App", and let's create a new one.

Search for 'Function App'

Pick a name for your Function App, resource group, etc., and make sure to select the "Consumption" plan, so we don't get charged when users aren't requesting tokens. A storage account is created as well; it is used for different types of Triggers within Azure Functions.

Function App Creation Details

Enable Authentication


Now that our Function App has been created, let's enable Authentication the easy way, by clicking on the Platform Features in your Functions App, and selecting "Authentication \ Authorization".

Add Authentication

Use the information within the portal (help links) to set up the authentication you would like over your Functions app. For this example I am using both Azure Active Directory Authentication (Express) and Google Authentication to show how different users will have access to only their documents, based on their permissions and using their user id as the partition in Cosmos DB.

Note: This entire example and the included code assume you are using the built-in Authentication\Authorization options available to you. While you don't need to use them, the code in the functions app would need to be modified to accept a different form of authentication and to be able to get a user id for the user making the resource token request.

Authentication Details

Application Settings


Now that we have authentication set up on our Functions App, we will need to enter some Application Settings that our Functions App C# code expects. Back on the main page of your functions app, you can click on "Application settings" to find where to enter these details.

We have 4 values that our Function App code is using:

  • myCosmosDB - this is the connection string from the Cosmos DB Account
  • cosmosDatabase - this is the name of the database that was created in the Cosmos DB account
  • cosmosCollection - this is the name of the collection in the database that was created
  • host - this is the URL of the functions app itself; it is used to get the user_id from the token that is passed in.
  • cosmosDBEndpoint - this isn't needed if you are using the connection string set in the 'myCosmosDB' in the first bullet.

Function App - Application Settings
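
To show how the authenticated user id and these settings fit together, here is an added example (not the code from this repository) that issues a resource token limited to the signed-in user's partition. It assumes the `Microsoft.Azure.Documents` (v2) SDK and a `DocumentClient` created elsewhere, reads the user id from the `X-MS-CLIENT-PRINCIPAL-ID` header that App Service Authentication sets instead of using the `host` setting, and the names `ResourceTokenExample`, `GetUserId`, `IssueTokenAsync` and the `partition-` permission id prefix are hypothetical.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Azure.Documents;
using Microsoft.Azure.Documents.Client;

public static class ResourceTokenExample // hypothetical name, not from the repository
{
    // Reads one of the Application settings listed above; fails loudly if it is missing.
    static string Setting(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"Missing application setting '{name}'");

    // App Service Authentication adds this header to requests it has authenticated.
    // Never fall back to an id supplied in the query string or body.
    public static string GetUserId(HttpRequestMessage req)
    {
        if (req.Headers.TryGetValues("X-MS-CLIENT-PRINCIPAL-ID", out var values))
        {
            var id = values.FirstOrDefault();
            if (!string.IsNullOrWhiteSpace(id)) return id;
        }
        throw new UnauthorizedAccessException("Request has no authenticated user id");
    }

    // Issues a token that is valid only for documents whose partition key equals userId.
    public static async Task<string> IssueTokenAsync(DocumentClient client, string userId)
    {
        string db = Setting("cosmosDatabase"), coll = Setting("cosmosCollection");

        // One Cosmos DB user per signed-in user.
        await client.UpsertUserAsync(UriFactory.CreateDatabaseUri(db), new User { Id = userId });

        var permission = new Permission
        {
            Id = "partition-" + userId,                       // assumed naming scheme
            PermissionMode = PermissionMode.All,
            ResourceLink = UriFactory.CreateDocumentCollectionUri(db, coll).ToString(),
            ResourcePartitionKey = new PartitionKey(userId)   // scope to the user's partition
        };
        // Constructed value: one hour, inside the 5 hour limit mentioned earlier.
        var options = new RequestOptions { ResourceTokenExpirySeconds = 3600 };

        var result = await client.UpsertPermissionAsync(
            UriFactory.CreateUserUri(db, userId), permission, options);
        return result.Resource.Token;
    }
}
```

Because the partition key in the permission comes only from the authenticated identity, a caller cannot request a token for someone else's partition by changing request parameters.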

Publish Code


Finally you can use the code in this repository to publish to your Functions App!

Congratulations, you now have an Azure Function that will serve up a resource token that your users can directly use to call Cosmos DB.

Function App - Publish as Existing App

Once your functions have been published to your Azure Functions account, you can expand the "Functions" node on the left and see the new functions that appear. Our example includes the main CosmosDBResourceToken function, as well as a couple of example functions to add and get dogs, which show how only a user with the correct permissions and resource token will be able to access items in the partition that is associated with them.

Portal After Publish