Call Azure Appservice API using App roles - azure

I am trying to implement Azure App Service authorization using an App Role (Application).
I have created two App registrations, provider and consumer.
The provider has a role defined which is added as a permission scope in the consumer app.
I need help with how to authorize the consumer app to call an API in an App Service (.NET Core) which is using the provider app for authentication and authorization.
I am very new to Azure development and need support.
Please help. Thanks in advance.
BR

Related

Can I call the Graph API within Azure functions?

I am new to Azure Functions.
I created a React app and used the Graph API to get information about users registered in Azure AD B2C.
At this time, a client credential flow was used, but user information could not be obtained due to a CORS error.
Previous idea (CORS error): ReactApp ↔ Graph API ↔ Azure AD B2C
So I thought of using Azure Functions.
First, the React app calls Azure Functions as an API.
Next, call the Graph API in the Azure Function.
At this point, we want to use the client credential flow.
Then the user data of Azure AD B2C can be obtained because the Graph API was used.
This user data is returned to Azure Functions so that it can be used in the React app.
My idea: ReactApp ↔ Azure Functions ↔ Graph API ↔ Azure AD B2C
Is this feasible?
If it is possible and you have a sample, please let me know.
Thanks for reading.
• Yes, you can surely do what you have stated in your post. You can deploy a React app with Azure Functions and trigger a Graph API query from the function to an Azure AD B2C tenant. To do so, you will first have to deploy an Azure Static Web App in Azure, then build and deploy it through a workflow in GitHub by creating a repository there, then create an Azure Function API for the deployed React app. The Azure Functions service provides serverless APIs which allow you to focus on your TypeScript code and not have to configure a full back-end web server.
• Once that is done, connect the React client app to the Azure Function API. The Azure Static Web App resource deployed earlier provides a proxy between the React client and the Azure Function API. Hence, while deploying the above, I would suggest you follow the Microsoft documentation link below and its subsequent article series for the resources mentioned above.
https://learn.microsoft.com/en-us/azure/developer/javascript/how-to/with-web-app/static-web-app-with-swa-cli/introduction
Please follow the series of documentation articles stated above until the end of connecting the React client to the Azure Function API. Once done, register an application in Azure AD B2C for authentication purposes and copy the application's required credentials like the client ID, tenant ID, tenant name and client secret for inserting these details in the HTTP trigger function API created earlier. Also, give the registered application in Azure AD B2C the required application permission of 'User.ReadWrite.All' for the Microsoft Graph API. Ensure that you are adding the 'Microsoft.Identity.Client', 'Microsoft.Graph.Auth' and 'Microsoft.Graph.Beta' NuGet packages to the Azure Function solution created earlier. Then modify the constant parameters and variables in the Azure solution code file as in the snapshot below:
• Once the above has been done successfully, you can test the deployed solution through the 'Postman' application as well as by redirecting to the React app page, thereby triggering an HTTP response in the function API which will ensure that you read the logged-in Azure AD B2C user in the React app. For detailed information on the above configuration, I would suggest you go through the video link below, as it describes your situation in detail:
https://www.youtube.com/watch?v=4uJHSwA-TZE
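As an added example that is not part of the answer above or the question, here is the server-side half of the proposed architecture: an HTTP-triggered Azure Function (isolated worker model, C#) that queries Azure AD B2C users through Microsoft Graph with the client credentials flow. It uses the current `Azure.Identity` + `Microsoft.Graph` (v5) packages rather than the deprecated `Microsoft.Graph.Auth`; the app setting names `B2C_TENANT_ID`, `GRAPH_CLIENT_ID` and `GRAPH_CLIENT_SECRET` and the function name are assumptions. Because the Graph call now happens on the server, the browser never sees the client secret and the CORS problem disappears.

```csharp
// HTTP-triggered Azure Function (isolated worker) that reads B2C users via
// Microsoft Graph with the client credentials flow. Added example; not the
// answer's code. Assumed: NuGet packages Azure.Identity, Microsoft.Graph (v5)
// and Microsoft.Azure.Functions.Worker.Extensions.Http; app settings
// B2C_TENANT_ID, GRAPH_CLIENT_ID, GRAPH_CLIENT_SECRET (names are assumptions).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Azure.Functions.Worker.Http;
using Microsoft.Graph;
using Microsoft.Graph.Models;

public class GetB2CUsers
{
    // One client per process; the credential caches and refreshes the token.
    private static readonly GraphServiceClient Graph = BuildGraphClient();

    private static GraphServiceClient BuildGraphClient()
    {
        static string Setting(string name) =>
            Environment.GetEnvironmentVariable(name)
            ?? throw new InvalidOperationException($"Missing app setting {name}");

        // Client credentials: the function's own identity, no user involved.
        // The secret lives in app settings (ideally a Key Vault reference),
        // never in the React bundle.
        var credential = new ClientSecretCredential(
            Setting("B2C_TENANT_ID"),
            Setting("GRAPH_CLIENT_ID"),
            Setting("GRAPH_CLIENT_SECRET"));

        // ".default" requests every application permission that has been
        // admin-consented for this app registration; User.Read.All is enough
        // for this read-only query.
        return new GraphServiceClient(credential, new[] { "https://graph.microsoft.com/.default" });
    }

    [Function("GetB2CUsers")]
    public async Task<HttpResponseData> Run(
        [HttpTrigger(AuthorizationLevel.Function, "get")] HttpRequestData req)
    {
        // Ask Graph only for the attributes the React app needs, and never
        // proxy raw Graph objects to the browser.
        UserCollectionResponse? page = await Graph.Users.GetAsync(cfg =>
        {
            cfg.QueryParameters.Select = new[] { "id", "displayName", "identities" };
            cfg.QueryParameters.Top = 50;
        });

        var users = (page?.Value ?? new List<User>()).Select(u => new
        {
            u.Id,
            u.DisplayName,
            // B2C local accounts expose their sign-in e-mail in "identities".
            SignInEmails = (u.Identities ?? new List<ObjectIdentity>())
                .Where(i => i.SignInType == "emailAddress")
                .Select(i => i.IssuerAssignedId)
                .ToList()
        });

        HttpResponseData res = req.CreateResponse(HttpStatusCode.OK);
        await res.WriteAsJsonAsync(users);
        return res;
    }
}
```

Two caveats a practitioner should keep in mind. `AuthorizationLevel.Function` only requires a function key, and any key shipped in a browser bundle is public, so the endpoint should additionally be protected by the Static Web App's built-in authentication (or App Service Easy Auth) and the function should check that a signed-in user is calling it. And the token this function obtains carries the application's full Graph permissions, so every response it returns to the browser should be filtered the way the `Select` above does rather than passing user objects through untouched.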

How to setup Azure AD App permission for downstream applications?

We need Azure AD application permissions to be set for the scenario below.
There are multiple Client Apps calling the Supporting App.
The Supporting App's role is to create an abstraction around the Web API calls to make the Client Apps light.
The problem is we need to track which Client App made the call when the call comes to the Application WebAPI from the Supporting App.
How should we register our applications in Azure AD to make it possible?
Does the Client App need to add application permissions to the Supporting App and the Application WebAPI?
Does the Client App need to add permission to the Supporting App only, and the Supporting App needs to add permission to the Application WebAPI?
• Since the client apps will be accessing the supporting app for specific tasks, calls or functions, the client apps should have access to the supporting app's API and data flow accordingly. The client apps should have permission to the supporting app's API to call the web API through it. Thus, you would need to create 'App roles' and assign scopes to the client apps for accessing the supporting app API and, further on, create 'App roles' and appropriate scopes to access the Web API from the supporting app.
• Thus, you would need to register each of the client apps, the supporting app and the Web API to be accessed through the supporting app in Azure AD. Once registered, please ensure that you have created the required 'App roles' for each client application and that the client application is given permission to access the supporting application with the required scope through 'Application permissions'. Also, ensure that the supporting application's credentials are included in the requests sent to the supporting app to access the Web API through it. Similarly, you would need to configure the above in the supporting application's API in Azure AD.
Please find the documentation link below, which explains the above steps in detail for adding permission to access a Web API:
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis
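The API side that both the first question (provider/consumer with an App Role) and the question just above (Client App, Supporting App, Application WebAPI) need looks the same: the called ASP.NET Core API validates the bearer token, requires the app role in the `roles` claim, and records which application presented the token. The following is an added example, not code from either post or from Microsoft's samples. It assumes the `Microsoft.Identity.Web` NuGet package, an `AzureAd` section in `appsettings.json` (`Instance`, `TenantId`, `ClientId`) and an app role named `Feedback.Write` with allowed member type "Application" defined on this API's app registration; the role name, policy name and controller are assumptions.

```csharp
// Program.cs of the ASP.NET Core Web API ("provider" in the first question,
// "Application WebAPI" in the second). Added example; not code from either post.
// Assumed: NuGet package Microsoft.Identity.Web, an "AzureAd" section in
// appsettings.json (Instance, TenantId, ClientId), and an app role named
// "Feedback.Write" (allowed member type: Application) on this API's registration.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Bearer-token validation (signature, issuer, audience, lifetime) configured
// from the "AzureAd" section. Tokens for other audiences are rejected here.
builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration, "AzureAd");

builder.Services.AddAuthorization(options =>
{
    // App roles granted to a client as an Application permission arrive in the
    // "roles" claim of its app-only token; Microsoft.Identity.Web wires that
    // claim up as the role claim type, so RequireRole sees it.
    options.AddPolicy("FeedbackWriter", policy => policy.RequireRole("Feedback.Write"));
});

builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

public record FeedbackDto(string Message);

[ApiController]
[Route("api/[controller]")]
[Authorize(Policy = "FeedbackWriter")]
public class FeedbackController : ControllerBase
{
    private readonly ILogger<FeedbackController> _log;

    public FeedbackController(ILogger<FeedbackController> log) => _log = log;

    [HttpPost]
    public IActionResult Post([FromBody] FeedbackDto dto)
    {
        // Defence in depth: an app-only token has no "scp" claim. Rejecting
        // tokens that carry one keeps delegated (user) tokens out of an endpoint
        // meant for service principals only.
        if (User.HasClaim(c => c.Type == "scp"))
            return Forbid();

        // Which application presented the token: "azp" in v2.0 tokens,
        // "appid" in v1.0 tokens. This is the consumer / supporting app's client ID.
        string callerAppId = User.FindFirst("azp")?.Value
                             ?? User.FindFirst("appid")?.Value
                             ?? "unknown";

        _log.LogInformation("Feedback accepted from application {AppId}", callerAppId);
        return Accepted(new { receivedFrom = callerAppId, length = dto.Message?.Length ?? 0 });
    }
}
```

On the calling side the consumer requests a token for `api://<provider-client-id>/.default` with its own client credentials (for example MSAL's `AcquireTokenForClient`); the `roles` claim is only populated once an administrator has granted consent for the application permission, so an empty `roles` claim after setup almost always means missing admin consent rather than a code problem. For the three-tier case, note that the `azp` seen by the Application WebAPI is the Supporting App's ID, not the original Client App's: the Supporting App is the only party that validates the client's token, so it must log the client's `azp` itself (and, if the Web API needs it, forward it in a header that the Web API treats as trusted only because the Supporting App's own token was verified).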

Securing api to api connection in azure

I have 2 resources in Azure:
- an Azure Functions app that will call the "feedback api"
- a .NET Core web app (App Service) that has a feedback API controller which should only be available to the function app
I would like to set up the [Authorize] attribute in the controller in such a way that only the Azure Function will be able to authorise (for example with some generated key).
Is there any out-of-the-box solution for this, and if not, how can I add it?

Can't find my registered Azure AD Applications

I am trying to configure multi-tenant authentication with Azure App Service in order to enable multi-tenant authentication for my application. I'm following this tutorial: Consume multi-tenant enterprise APIs secured with Azure AD in SharePoint Framework. But I got stuck while I'm configuring Authentication / Authorization settings.
Any help would be greatly appreciated!
Please refer to Configure your App Service app to use Azure Active Directory login to configure an Azure App to use Azure AD as an authentication provider. While selecting an existing app in the express settings, you need to make sure the app is registered within your tenant. You can also refer to How to Get to the Keys/Secrets From Azure Active Directory to get the keys/secrets from Azure AD for an Enterprise Application.

Azure Function Authenticating ASP.Net Core Web Api using Microsoft Account

I have an ASP.Net Core 2.0 Web App running in an App Service in Azure that has social login configured (Google & Microsoft) according to the following docs:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/microsoft-logins?tabs=aspnetcore2x
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/google-logins?tabs=aspnetcore2x
I also have an Azure Function app that gets triggered when a message is written to an Azure Queue. I would like this function app to post the message to a Web API (Controller Action) that is running on the web app above.
How would I go about authenticating from the function app to the web API method? Would I need to somehow call the Azure AD endpoint to get a token for a given username/password?
Ideally, I would want to limit who can call this API method to just a single user account that the function app would use. Alternatively, can I somehow use the new Managed Service Identity feature to authenticate the function app against my web API method in my web app above?
Sorry, I am new to API authentication, so I am just trying to figure out the simplest approach.
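Both the question just above and the earlier "Securing api to api connection in azure" question are the same problem: one Azure Function must be the only caller of one controller. A generated key or a dedicated username/password is not needed; the function's Managed Service Identity can obtain an Azure AD token for the web app's app registration, and the controller requires an app role assigned to that identity. The following queue-triggered function (isolated worker model, C#) is an added example and not code from either question. It assumes the `Azure.Identity` and `Microsoft.Azure.Functions.Worker.Extensions.Storage.Queues` packages, a queue named `feedback`, and the app settings `FEEDBACK_API_URL` and `FEEDBACK_API_SCOPE` (the latter of the form `api://<web-api-client-id>/.default`); all of these names are assumptions.

```csharp
// Queue-triggered Azure Function (isolated worker) that calls the web app's
// feedback API with a token obtained from the function's managed identity.
// Added example; not code from either question. Assumed: NuGet packages
// Azure.Identity and Microsoft.Azure.Functions.Worker.Extensions.Storage.Queues;
// app settings FEEDBACK_API_URL and FEEDBACK_API_SCOPE (names are assumptions),
// where the scope is "api://<web-api-client-id>/.default".
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Extensions.Logging;

public class ForwardFeedback
{
    // In Azure this resolves to the function app's system-assigned managed
    // identity, so there is no secret to store or rotate. On a developer
    // machine it falls back to the signed-in Azure CLI / Visual Studio account.
    private static readonly TokenCredential Credential = new DefaultAzureCredential();
    private static readonly HttpClient Http = new HttpClient();

    private static string Setting(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"Missing app setting {name}");

    [Function("ForwardFeedback")]
    public async Task Run(
        [QueueTrigger("feedback", Connection = "AzureWebJobsStorage")] string message,
        FunctionContext context)
    {
        ILogger log = context.GetLogger<ForwardFeedback>();

        // The token's audience is the web API's app registration. The API
        // validates issuer, audience and signature, then checks the app role
        // that was assigned to this managed identity.
        AccessToken token = await Credential.GetTokenAsync(
            new TokenRequestContext(new[] { Setting("FEEDBACK_API_SCOPE") }), default);

        using var request = new HttpRequestMessage(HttpMethod.Post, Setting("FEEDBACK_API_URL"))
        {
            Content = JsonContent.Create(new { message })
        };
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);

        using HttpResponseMessage response = await Http.SendAsync(request);
        if (!response.IsSuccessStatusCode)
        {
            // Throwing lets the Functions runtime retry the message and move it
            // to the poison queue after the configured number of attempts.
            log.LogError("Feedback API returned HTTP {Status}", (int)response.StatusCode);
            throw new HttpRequestException($"Feedback API returned HTTP {(int)response.StatusCode}");
        }
    }
}
```

Setup on the Azure AD side: turn on the system-assigned identity for the Function App, register the web app as an API (set an Application ID URI and define an app role whose allowed member type is "Application"), and assign that role to the function's service principal. The portal's "Users and groups" blade cannot assign app roles to managed identities, so this step is done with Microsoft Graph or PowerShell (`New-MgServicePrincipalAppRoleAssignment`). In the web app, which already uses cookie-based social login, add bearer authentication for Azure AD as a second scheme and decorate the API controller with `[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme, Roles = "<your role>")]`; the interactive Google and Microsoft logins stay untouched, and the controller becomes reachable only by identities that hold the role.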
