I want to build an API using node.js that will require getting data from another API service. The API service uses grant of Authorization code.
I don't need the users to have access credentials to the API service. I want to use my credentials to pull the data from the API service and present the filtered data to the end-user.
How can I use Oauth2.0 for this purpose?
Related
I have a React Application for the Front end hosted on Azure in App Services. I also have another NodeJS app that I am using to create REST APIs for the front-end App. This App is hosted on another App Service.
Now, I want to integrate AD authentication for the front-end app using Azure Active Directory, which I have managed to do using the Easy Auth process. But I don't know how to get (or pass to the front end) the user and token details once the user is authenticated.
The second part of the query is, that I want to use the token to secure my REST APIs by passing it in the header and validating it in the backend. I have gone through various Microsoft documentation but I am not able to figure out how to do this.
Please help me in getting the user and token details. And please suggest how to secure my REST APIs.
You can get the tokens via http headers or via an endpoint /.auth/me. More details: https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-oauth-tokens#retrieve-tokens-in-app-code
Regarding validating tokens, take a look at this: https://github.com/Azure-Samples/active-directory-dotnet-webapi-manual-jwt-validation
We have a REST API built for our company products listing and user accounts. We want to expose this REST API for external clients so they can use integrate our API into their websites. We have the client domains registered in our database. We will be giving them a API key specific to each client for access to our API. The users from the external sites will be registered via our API using phone number and verification code. Can you please advice me on the Oauth 2 Grant type to be used for authentication in this case?
I am finding it hard to understand how I can differentiate multiple client applications using oAuth 2.0.
Using APIM I mapped my backend webservice to Azure API Gateway Service URL. I have configured Oauth 2.0 with grant type as client credentials because its a service to service integration.
In Oauth registration, I have mapped my client and backend app Id's with secret keys - (OauthSample1.0).
It doesnot have the provision to configure multiple clients for the same backend service.
And, in my API, i can add only one Oauth reference - (OauthSample1.0). Even if i would go ahead and create multiple Oauth 2.0 references for different clients, technically it cannot work with the API configuration.
This means I can have my API validate only one specified client using one oAuth 2.0 reference.
If I want my API to be accessed by different partners / Client applications, my understanding is that I would need to create different Clients in Azure AD. But unfortunately not able to design the solution here.
The official doc for protecting your API using OAuth 2.0 covers the steps required in detail.
To summarize, the steps are
Register an application to represent the API
This app is setup to expose an API
Register separate applications to represent each of your client applications
These apps would also have a secret generated for the client credential flow
These apps would have been granted access to the exposed API
Setup a Validate JWT policy to pre-authorize requests.
Your clients would have to get the token using the client credentials flow before making the requests.
Also, if your clients are services that directly access the APIs, then you could setup app roles that show up as Application Permissions instead of Delegated Persmissions.
Im creating a simple azure logic app to make a get request to api endpoint. How do I pass the access token to authorize?
I’m requesting another api from Logic app.
Here are the ways that you can secure access
Generate shared access signatures
Restrict incoming IP addresses
Add Azure Active Directory, OAuth, or other security
At the moment I have an app that uses Azure Mobile App Services to manage offline sync as well as authentiation. Authentication is done with Azure Active Directory and the way that I have it setup is that the web api is published as an app service on azure and it is configured as an app in the Active Directory Section. The Native App which is done in Xamarin.Forms is also configured in azure so that whenever the app makes a request it can properly authenticate with the api.
What I want to do now is take this web api and put it in an on-premise server. I have to do this in order to optimize some latency issues that I am having when retrieving data. My question is how can I use the offline sync functionality with the api in and on-premise server while still using Azure Active Directory as my authenticator.
Where I am mostly having issues is with the authentication part of the implementation.
I appreciate any help.
According to your description, you are using Authentication and authorization in Azure App Service for build-in authentication without having to change code on the app backend. Authentication / Authorization for Azure App Service (Easy Auth) is implemented as a native IIS module that runs on Azure side, details you could follow Architecture of Azure App Service Authentication / Authorization.
My question is how can I use the offline sync functionality with the api in and on-premise server while still using Azure Active Directory as my authenticator.
AFAIK, we could not install the native IIS module easyauth.dll. Based on your scenario, you need to do some additional work to achieve your purpose.
For .NET backend, you could use Microsoft.Azure.Mobile.Server.Authentication OWIN middleware to validate tokens (the JWT authenticationToken). Note: This middle-ware is used to local development and debugging the mobile app .net server on your side.
For Client-managed authentication flow
You need to add a additional endpoint in your app backend for receiving the access_token returned by AAD to the client user, then your app backend would use the access token to access the signed-in user endpoint (e.g. https://graph.windows.net/me?api-version=1.6) to retrieve the user basic info, then encode user info into a JWT token and return to your client. Here is an example for generating the JWT token, you could refer to it.
Note: The App Service build-in authentication would also generate the JWT authenticationToken to the mobile client. For this approach, you retrieve the signed-in user information manually and follow the custom-auth to generate the token by yourself.
For Server-managed authentication flow
You need to provide a login endpoint and redirect the user the AD authorization endpoint, then your app backend receive the authorization_code and retrieve the access_token, then access signed-in user info via the access_token, then encode the user claims to JWT authenticationToken and redirect the token (e.g. https://{your-domain}/.auth/login/done#token={the-json-string-of-LoginResult}) to the client user.
Note: The above two approaches are used to implement some similar features from Easy Auth in your on-premise server.
Moreover, you could just use the middlewares UseWindowsAzureActiveDirectoryBearerAuthentication for AAD v1.0 endpoint or UseOAuthBearerAuthentication for AAD v2.0 endpoint to project your web API instead of the authentication middleware provided by Microsoft.Azure.Mobile.Server.Authentication. Here are some tutorials, you could follow them:
Azure AD .NET Web API getting started
Secure an MVC web API with AAD v2.0 endpoint
For this approach, your mobile client could leverage the ADAL or MSAL client library for acquiring the token. Then when you implement the MobileServiceClient instance, you could specific a custom DelegatingHandler for adding the authorization header with the value to the access token you acquired as the bearer token against your Web API backend. Details you could follow the How to: Customize request headers section under Working with the client SDK.