I have a React Application for the Front end hosted on Azure in App Services. I also have another NodeJS app that I am using to create REST APIs for the front-end App. This App is hosted on another App Service.
Now, I want to integrate AD authentication for the front-end app using Azure Active Directory, which I have managed to do using the Easy Auth process. But I don't know how to get (or pass to the front end) the user and token details once the user is authenticated.
The second part of the query is, that I want to use the token to secure my REST APIs by passing it in the header and validating it in the backend. I have gone through various Microsoft documentation but I am not able to figure out how to do this.
Please help me in getting the user and token details. And please suggest how to secure my REST APIs.
You can get the tokens via http headers or via an endpoint /.auth/me. More details: https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-oauth-tokens#retrieve-tokens-in-app-code
Regarding validating tokens, take a look at this: https://github.com/Azure-Samples/active-directory-dotnet-webapi-manual-jwt-validation
Related
I am working on a project, in which I am building a publish-subscribe system through Azure Web PubSub Service. The JavaScript clients (subscribers) are connected through socket and able to receive the published message on the Hub and in the Group. For this I followed this tutorial: https://learn.microsoft.com/en-us/azure/azure-web-pubsub/tutorial-pub-sub-messages?tabs=javascript
Everything is working fine, as I am in the POC phase yet. So currently I am publishing messages through JavaScript from above tutorial. But now I am starting to integrate it in my existing app which is developed in PHP. So I am thinking to use following Azure REST API for Web PubSub operation: https://learn.microsoft.com/en-us/rest/api/webpubsub/dataplane/web-pub-sub
Before this I worked on the Azure Graph APIs, in which I did an App Registration at Azure Portal with some Redirect URLs, and assign some permissions to access the resources. I did this for Outlook Mail, Overdrive, SharePoint and its very straight forward process to get the access token (JWT) to access the resources.
But I am stuck and unable to get the access token for Azure Web PubSub API. I need token to just Publish a message from PHP end by REST API. I checked in App Registration's > API permissions section, there is no permission for the Azure Web PubSub Service. I checked the same app in Enterprise application also. Did some hit and try, but didn't get the access token. I know the issue is with the permission.
Please help me to get the token for this, so will call the Web PubSub API, Or if I am missing something please help me to trace. Any suggestion are welcome.
Thanks.
I think you can make use of the following REST API endpoints:
Web Pub Sub - Grant Permission
https://learn.microsoft.com/en-us/rest/api/webpubsub/dataplane/web-pub-sub/grant-permission#webpubsubpermission
Web Pub Sub - Generate Client Token
https://learn.microsoft.com/en-us/rest/api/webpubsub/dataplane/web-pub-sub/generate-client-token
We are using Azure AD for authentication and authorization. Our angular spa has been enabled SSO with Azure AD. We need to secure our backend
service and only allow API which has a valid jwt token.
What we have done so far is:
Registered our angular app in Azure AD.
We have configured spring microservice as a resource server and
application properties contain jwt.issuer-uri
spring.security.oauth2.resourceserver.jwt.issuer-uri=XXXXXXXXXXX-XXXXXXXXX-XXXXXXX-XXXXXXXXXXX
The issue is the token that we get from Azure AD is having an audience as "00000003-0000-0000-c000-000000000000" which means the token is generated for the Microsoft graph. I also tried accessing graph Api with this token and it worked. But what we want is to verify this token in our own spring microservice and grant permission
based on jwt provided.
To solve this issue I had to make some config changes in our Azure registered Angular app. I have added a custom scope api://<>/app and use
this scope while acquiring the token. Now the token is being validated in the backend and API working fine.
This config somehow works but doesn't seem correct to me. I am new to azure so am not sure how all things tie-up.
The new token which is now being generated has an audience as our
angular spa client Id. Is this correct? Shouldn't it be the backend
service? Any why it's getting validated by the backend with the
current configuration?
My understanding is that we don't have to register our spring
microservice with Azure Ad. I will just act as a resource server and
will decode the token provided by the angular app using the
issuer-url.
In case we need to register our backend services with azure AD then
would it be difficult to do the same for all microservices?
I have done all settings by referencing.
https://ordina-jworks.github.io/security/2020/08/18/Securing-Applications-Azure-AD.html
In some other links, I find a completely different config for setting up backend service. I am not sure which one is correct.
https://learn.microsoft.com/en-us/java/api/overview/azure/active-directory-spring-boot-starter-readme?view=azure-java-stable
Azure AD is a little confusing when following a standards based approach. I wrote a blog post on this a couple of years back:
You have already figured out that you need at least one API registration to work, to expose an API scope - so that you get usable access tokens
The generated id from the API entry in Azure then becomes your audience, as in step 9 of the article.
What we'd really like to do is this, so that we can do things like forward the JWT in microservice to microservice calls:
Get Azure AD to issue an audience claim such as api.mycompany.com that is common to all microservices
Issue multiple scopes in the access tokens, based on areas of data in microservices - as in this Curity doc
I would aim for a single entry in Azure AD to represent your platform of APIs. Then each microservice can use the same generated audience value.
Hopefully you can get multiple custom scopes to work also, though there are some annoyances here, especially when you want to use built in OpenID Connect User Info scopes, which Azure AD exposes via the Graph API.
I have a .net core api and a angular node js application that I have deployed to azure add as app services. I have registered both. I was able to successfully setup both with authentication permissions with permissions only to users within my azure domain. When anyone attempts to access either the api or the application they must login and authenticate through microsoft.
What I need now is for my app, to be able to call endpoints on my api. I want my app to have full permission so that I don't have to specify permissions on specific endpoints. I also want this to all be handled through azure, not through specific token requests in my angular code when calling the api. How can I accomplish this?
I have searched a lot of the documentation, but cannot find out how to accopmlish this. I also walked through the option of setting up explicit permissions, but I can't get that to not work either.
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis
The suggestions in the comments already cover the information you need.
I summarize it simply as below so that this post is easier to find, which can help more people.
To protect your API with Azure AD, you need to register two Azure AD apps, one is for client app and the other is for API app.
In the API app, you need to exposed API. By doing step 7 and step 8, you can expose the scope.
Then you need to configure the client app. With step 8 here, you can add the permission (scope) which is exposed by API app to the client app.
You can use MSAL to request the access token, which includes this permission (scope). You can verify it in your code. If the permission is what you expected, the client is allowed to access your API.
I'm developing an application that have a web front and an azure function in the backend. I have protect the azure function using easyauth. The application is multitenant and i want to call the azure function on-behalf of authenticated user on the web. I want to use MSAL. I obtain a token on be-half of the user, i check it with jwt.io and all the informations are correct, scope is ok but when i call the function adding the Authentication token "Bearer:xxxxxxxxxxx" i obtain a 401. Seems to me that the problem is on the Function side: same parameter, compatibility with MSAL...
Is there a racomandated architecture for this scenario. I found many but nothing specific about Azure Functions, EasyAuth, on-behalf msal token
Unfortunately, we cannot use v2 endpoint(msal) to authenticate Azure function in Azure Portal for now.
Currently, authentication providers in Azure Web App service contain Azure Active Directory and it use v1 ednpoint to redirect.
You can find more details here.
I'm not sure if it'd meet all your requirements, but you could front the web app with API management using OAuth2 and then set headers to appropriate values and redirect to an HTTP Trigger for your function using one of the AuthorizationLevel options available.
Sounds like EasyAuth is on people's minds already and there may be a solution for you somewhere in the comments on the github ticket.
At the moment I have an app that uses Azure Mobile App Services to manage offline sync as well as authentiation. Authentication is done with Azure Active Directory and the way that I have it setup is that the web api is published as an app service on azure and it is configured as an app in the Active Directory Section. The Native App which is done in Xamarin.Forms is also configured in azure so that whenever the app makes a request it can properly authenticate with the api.
What I want to do now is take this web api and put it in an on-premise server. I have to do this in order to optimize some latency issues that I am having when retrieving data. My question is how can I use the offline sync functionality with the api in and on-premise server while still using Azure Active Directory as my authenticator.
Where I am mostly having issues is with the authentication part of the implementation.
I appreciate any help.
According to your description, you are using Authentication and authorization in Azure App Service for build-in authentication without having to change code on the app backend. Authentication / Authorization for Azure App Service (Easy Auth) is implemented as a native IIS module that runs on Azure side, details you could follow Architecture of Azure App Service Authentication / Authorization.
My question is how can I use the offline sync functionality with the api in and on-premise server while still using Azure Active Directory as my authenticator.
AFAIK, we could not install the native IIS module easyauth.dll. Based on your scenario, you need to do some additional work to achieve your purpose.
For .NET backend, you could use Microsoft.Azure.Mobile.Server.Authentication OWIN middleware to validate tokens (the JWT authenticationToken). Note: This middle-ware is used to local development and debugging the mobile app .net server on your side.
For Client-managed authentication flow
You need to add a additional endpoint in your app backend for receiving the access_token returned by AAD to the client user, then your app backend would use the access token to access the signed-in user endpoint (e.g. https://graph.windows.net/me?api-version=1.6) to retrieve the user basic info, then encode user info into a JWT token and return to your client. Here is an example for generating the JWT token, you could refer to it.
Note: The App Service build-in authentication would also generate the JWT authenticationToken to the mobile client. For this approach, you retrieve the signed-in user information manually and follow the custom-auth to generate the token by yourself.
For Server-managed authentication flow
You need to provide a login endpoint and redirect the user the AD authorization endpoint, then your app backend receive the authorization_code and retrieve the access_token, then access signed-in user info via the access_token, then encode the user claims to JWT authenticationToken and redirect the token (e.g. https://{your-domain}/.auth/login/done#token={the-json-string-of-LoginResult}) to the client user.
Note: The above two approaches are used to implement some similar features from Easy Auth in your on-premise server.
Moreover, you could just use the middlewares UseWindowsAzureActiveDirectoryBearerAuthentication for AAD v1.0 endpoint or UseOAuthBearerAuthentication for AAD v2.0 endpoint to project your web API instead of the authentication middleware provided by Microsoft.Azure.Mobile.Server.Authentication. Here are some tutorials, you could follow them:
Azure AD .NET Web API getting started
Secure an MVC web API with AAD v2.0 endpoint
For this approach, your mobile client could leverage the ADAL or MSAL client library for acquiring the token. Then when you implement the MobileServiceClient instance, you could specific a custom DelegatingHandler for adding the authorization header with the value to the access token you acquired as the bearer token against your Web API backend. Details you could follow the How to: Customize request headers section under Working with the client SDK.