Add "Deny" option when Request is not Authenticated
I have a function app set up as a private API that requires users to authenticate via Azure AD B2C to be able to make calls. My mobile app does the auth and then provides the Bearer token in the service calls.
This all works, but if someone happens to browse to an endpoint in a browser, I don't want them to be redirected to the login page, as the API is only meant to be requested from within the mobile app.
I would like an option to just deny access to the API when a request is not authorised.
This remains unscheduled, but is still a good item that we would like to get to.
Maybe adding richer policy management (e.g. as in API Management) into the function proxy settings UI and handling this kind of access policy, token validation policy and caching policies there. What do you think about that? Personally, I like keeping function settings as lightweight as possible - less configuration & management.