Prevent Azure API app authentication for specific URL paths - azure

We've enabled authentication on our Azure API app and it's working well. Clients are required to retrieve an OAuth2 token for authentication and authorization to the service. Our service is an Express Node.js application and we are leveraging apidoc for the service documentation.
I can't figure out from the authentication configuration how to allow access to a URL path without requiring authentication. For example:
https://app-myservice-staging-001.azurewebsites.net/constituents should require authentication
but the documentation url
https://app-myservice-staging-001.azurewebsites.net/apidoc should not
Currently, with authentication enabled, everything under https://app-myservice-staging-001.azurewebsites.net is protected.
Is this possible and if so where do I need to look?

Answer based on the link provided by amit_g. We opted to add our excludedPaths entry directly to our authsettingsV2 config using the Azure Resource Explorer, since the /apidoc/* path applies to all our services.
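The same change scripted against the ARM REST API instead of clicked through Resource Explorer, as an added example that is not part of the original question or answer, so it can be repeated per environment and per service. It assumes Node 18+ (global fetch), an ARM access token in ARM_TOKEN (for instance from `az account get-access-token --query accessToken -o tsv`), and the subscription, resource group and site name in the AZ_* environment variables; the resource path `config/authsettingsV2` and the properties `globalValidation.excludedPaths` and `platform.enabled` are the real authsettingsV2 schema, everything else here is illustrative.

```javascript
// Added example (not from the original post): add /apidoc/* to the
// App Service authsettingsV2 "excludedPaths" list without clobbering
// whatever is already configured, then PUT the result back to ARM.
// Assumed: Node 18+ (global fetch), ARM_TOKEN, AZ_SUBSCRIPTION_ID,
// AZ_RESOURCE_GROUP and AZ_SITE_NAME in the environment.

const API_VERSION = "2022-03-01";

function authSettingsUri(subscriptionId, resourceGroup, siteName) {
  return `https://management.azure.com/subscriptions/${subscriptionId}` +
    `/resourceGroups/${resourceGroup}/providers/Microsoft.Web/sites/${siteName}` +
    `/config/authsettingsV2?api-version=${API_VERSION}`;
}

// Pure merge: returns a new settings object and never mutates the input.
// Paths must be absolute (the platform matches them against the request path,
// with a trailing /* acting as a prefix wildcard).
function addExcludedPaths(settings, paths) {
  for (const p of paths) {
    if (typeof p !== "string" || !p.startsWith("/")) {
      throw new Error(`excluded path must be absolute: ${p}`);
    }
  }
  const props = settings.properties || {};
  const gv = props.globalValidation || {};
  const existing = gv.excludedPaths || [];
  const merged = [...new Set([...existing, ...paths])]; // de-duplicate, keep order
  return {
    ...settings,
    properties: {
      ...props,
      platform: { ...(props.platform || {}), enabled: true },
      globalValidation: { ...gv, excludedPaths: merged },
    },
  };
}

// GET current settings, merge, PUT. Returns the resulting excludedPaths.
async function excludePaths(env, paths) {
  const uri = authSettingsUri(env.AZ_SUBSCRIPTION_ID, env.AZ_RESOURCE_GROUP, env.AZ_SITE_NAME);
  const headers = { Authorization: `Bearer ${env.ARM_TOKEN}`, "Content-Type": "application/json" };
  const getRes = await fetch(uri, { headers });
  if (!getRes.ok) throw new Error(`GET failed: ${getRes.status} ${await getRes.text()}`);
  const updated = addExcludedPaths(await getRes.json(), paths);
  const putRes = await fetch(uri, {
    method: "PUT",
    headers,
    body: JSON.stringify({ properties: updated.properties }),
  });
  if (!putRes.ok) throw new Error(`PUT failed: ${putRes.status} ${await putRes.text()}`);
  return updated.properties.globalValidation.excludedPaths;
}

// Only talk to ARM when credentials are actually present.
if (process.env.ARM_TOKEN && process.env.AZ_SITE_NAME) {
  excludePaths(process.env, ["/apidoc/*"]).then(
    (paths) => console.log("excludedPaths now:", paths),
    (err) => { console.error(err); process.exitCode = 1; },
  );
}
```

Keep the exclusion as narrow as the documentation actually needs (`/apidoc/*`, never `/*`): a request that matches an excluded path reaches the application with no identity at all, so nothing under that prefix may rely on the `x-ms-client-principal` headers or on the platform having checked a token. After the PUT, `curl -i` against `/apidoc/` should return 200 and against `/constituents` should still return 401.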

Related

Authenticating a Vue 2 Azure Static Web App Locally Against Auth0

I am researching the feasibility of porting an existing Vue 2 app to be an Azure Static Web App (SWA). A requirement is the ability to run the Vue app locally and authenticate against our Auth0 tenant to retrieve an access/bearer token to send along with our HTTP requests.
It appears that a SWA can utilize custom authentication (Auth0), and I was able to complete that successfully by following this article. However, I'm not seeing any information around capturing the access token. There is an /.auth/me/ endpoint which has user information, but that does not contain the access token.
I also looked into the Azure Static Web App Emulator which allows for defining an identity profile when running locally, but I'm not seeing a way to specify an access token here either.
Is it possible at the moment with a SWA to obtain an access token using a custom auth provider when running locally and when published live?
Managed Authentication in Azure is really only useful for fairly simple use cases. I think you're going to want to implement your security directly inside your Vue application.
https://auth0.com/docs/quickstart/spa/vuejs/01-login
You mentioned needing an access token but didn't say where it comes from or what you're doing with it. Are you trying to call an Auth0-secured API?
https://auth0.com/docs/quickstart/spa/vuejs/02-calling-an-api

How to get the authenticated user in spring boot when authentication is externalized (azure)

If I deploy a Spring Boot application as an Azure app, I can externalize the authentication by
using Azure API Management and configuring OAuth2, etc.
using the authentication options of Azure App Service.
As such I don't need to configure any authentication in my Spring Boot application.
All that works fine and I can find a lot of info about that. What I cannot find is: how do I retrieve the logged on user in my application in such case? How is that information passed to my application?
If you are using OAuth2 you should be able to fetch the username from the JWT token/via an API call. You can refer to this link, which tells you how to read a JWT token. Once you have the username you can add it to a custom header and pass it to your backend application. Follow this link to understand how to add a custom header to your request in API Management to be passed to your back end.

Azure Mobile App Service APIkey

I created an Azure Mobile App Service which is currently accessible 'Anonymously'
Anonymous access is enabled on the App Service app. Users will not be prompted for login.
To make it secure, I can enable App Service Authentication, which will ask users to log in.
But this is not what I want. The data in this app is only accessed by the application, without the need for each and every user to log in to my app before using it.
So you might say that in this case anonymous access is fine, but I want to restrict it with something at least like an API key, so that only my app can access the data, to prevent random requests: anyone can just go and use Postman and start getting data without any authentication.
So in short, I don't want individual user authentication, but at least an API key to ensure only requests made from my app are authenticated and nothing else.
I am using the following in my mobile app to create a connection and also to do offline sync, etc.
MobileServiceClient client = new MobileServiceClient(applicationURL);
Any idea how do I do that?
FYI. My server side backend is in C#
Since you are using Azure Mobile Apps, for your requirement you could leverage Custom Authentication to build a CustomAuthController that logs in and generates the JWT token for a specific user without user interaction. The core code snippet for logging in would look as follows:
MobileServiceClient client = new MobileServiceClient("https://{your-mobileapp-name}.azurewebsites.net/");
// "custom" is the route of your CustomAuthController; await the call so a failed login surfaces as an exception
MobileServiceUser user = await client.LoginAsync("custom", JObject.FromObject(new { Username = "***", Password = "***" }));
Note: as the tutorial linked above says:
You must turn on Authentication / Authorization in your App Service. Set the Action to take when request is not authenticated to Allow Request (no action) and do not configure any of the supported authentication providers.
And you must explicitly add the [Authorize] attribute to the controllers / actions that require authorized access. For details, follow Authentication in the Backend.

Configure Authentication with Azure Functions on LocalHost

I'd like to use Visual Studio 2017 to build an Azure Function App with an HttpTrigger. However, I can't find a way to add Azure Active Directory authentication to secure the endpoint.
Will it work if I just add a JWT token to the HTTP request and then call ClaimsPrincipal.Current.Claims inside the method? Is there any other solution?
AFAIK, authentication with an external identity provider can only be configured in the Azure portal. If you host the Azure Function on Azure, the answer is yes. However, if you host the Azure Function locally, there is no way to configure authentication using Azure Active Directory.
As a workaround, you need to get the token from the headers and verify it manually before running the function code. If you want support for configuring authentication when hosting an Azure Function locally, you can submit feedback here.
You can use the Microsoft OpenID Connect and JWT libraries to validate the token and get claims from a received access token. Here's an example: https://github.com/azure-samples/ms-identity-dotnet-webapi-azurefunctions/tree/master/
Create an app registration in AD
Issue a browser request to get an access code
Issue an HTTP POST request for an access token using the code and the secret via cURL
Send the access token as an Authorization Bearer header to the local function endpoint
I had issues using newer versions of Microsoft.IdentityModel.Protocols.OpenIdConnect with .NET 6.0 and Azure Functions 4 and had to fall back to version 6.10.2.

Azure web api authentication

I would like to secure my Azure Web API with 3rd party providers (FB, G+... I basically just need a valid email). I was looking at Auth0 and it seems like it will do the job paired with JWT middleware in the Web API project, but I was wondering if the same can be done using Azure only.
Azure Web App authentication confused me a bit - it does not seem to give anything to my ASP.NET web app. I still have to configure all the middleware in Startup.cs and the app still works fine if I completely turn authentication off.
I could do the same thing Auth0 does - issue my own JWT tokens based on access tokens from FB or G+ - but would like to avoid that.
Could you please point me to the right direction?
You have a couple of options:
App Service Authentication
Configure the authentication via middleware
App Service Authentication
App Service Authentication does not require any code inside your application because your App Service has a gateway that inspects requests for authorization. Depending on the setting you can either secure the entire site or secure individual resources (by using the [Authorize] attribute on the endpoint in MVC/WebAPI).
With the latest release you can control authorization on a site by site basis, including manually triggering the sign in by navigating the user to <yoursiteurl>/.auth/login/<provider>. By default the token store is enabled, so you can make a request to <yoursiteurl>/.auth/me and get back information from the provider.
Middleware Authentication
This is the default way authorization happens in the Single Page ASP.NET template. The middleware authentication uses OAuth/OpenID to secure the resources. This option does it at the application layer instead of at the gateway. If you are using ASP.NET Identity (from the single page project template) the email from the person's log in will automatically be stored in the Users table. The tutorial in the link above gives lots of details on how to get it working.
Make sure you use the [Authorize] attribute to trigger the Authorization in either case.
Hope that helps you get started in the right direction.
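What the App Service Authentication gateway actually hands the application once it has authenticated a request, as an added example that is not the answer's or Microsoft's code. It also answers the earlier Spring Boot question about how the logged-on user reaches the app when you take the App Service authentication route rather than API Management: the front end injects an `x-ms-client-principal` header (base64-encoded JSON with `auth_typ`, `name_typ`, `role_typ` and a `claims` array of `{typ, val}` pairs) plus `x-ms-client-principal-name`, `-id` and `-idp`, and overwrites any copy a client sends. The header names and JSON shape are the real ones; the Express-style request objects and the sample principal are constructed for the example, and a Spring application reads the same header with HttpServletRequest.getHeader.

```javascript
// Added example (not from the original answer): decode the identity that
// App Service Authentication injects after validating the user at the
// gateway. Assumed: Express-style req objects (header names lower-cased)
// and that traffic only arrives through the App Service front end.
function parseClientPrincipal(req) {
  const raw = req.headers["x-ms-client-principal"];
  if (!raw) return null; // anonymous caller, or a path excluded from auth
  let principal;
  try {
    principal = JSON.parse(Buffer.from(raw, "base64").toString("utf8"));
  } catch {
    return null; // never treat an undecodable header as a logged-in user
  }
  if (!principal || !Array.isArray(principal.claims)) return null;
  const valuesOf = (typ) => principal.claims.filter((c) => c.typ === typ).map((c) => c.val);
  return {
    provider: principal.auth_typ, // e.g. "aad", "google", "facebook"
    name: valuesOf(principal.name_typ)[0] ?? req.headers["x-ms-client-principal-name"] ?? null,
    id: req.headers["x-ms-client-principal-id"] ?? null,
    roles: principal.role_typ ? valuesOf(principal.role_typ) : [],
    claims: principal.claims,
  };
}

// Express middleware: attach req.user, or reject with 401 when the gateway
// passed the request through without an identity.
function requireEasyAuthUser(req, res, next) {
  const user = parseClientPrincipal(req);
  if (!user) return res.status(401).json({ error: "unauthenticated" });
  req.user = user;
  return next();
}

// Role gate built on the roles the provider asserted.
function requireRole(role) {
  return (req, res, next) => {
    if (!req.user || !req.user.roles.includes(role)) {
      return res.status(403).json({ error: "forbidden" });
    }
    return next();
  };
}

// Constructed sample of the header for an Azure AD sign-in (not captured traffic).
const SAMPLE_PRINCIPAL = {
  auth_typ: "aad",
  name_typ: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  role_typ: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
  claims: [
    { typ: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", val: "alice@example.com" },
    { typ: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", val: "reader" },
    { typ: "oid", val: "00000000-0000-0000-0000-000000000001" },
  ],
};
const SAMPLE_HEADER = Buffer.from(JSON.stringify(SAMPLE_PRINCIPAL)).toString("base64");

// Wiring in an Express app would be:
//   app.get("/constituents", requireEasyAuthUser, requireRole("reader"), handler);
//   app.use("/apidoc", express.static("doc")); // no identity: excluded at the gateway
```

The [Authorize] attribute the answer mentions works off the same injected identity in ASP.NET. The corollary for the first question on this page is that on an excluded path the header is simply absent, so handlers under `/apidoc/*` must be written as anonymous endpoints; and if the backend is ever reachable by a route that bypasses the App Service front end, this header can no longer be trusted at all.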
