Restrict Access to API in Azure App Service - azure

One Azure App service hosts a asp.net core API, another different Azure app service hosts a Web app. The web app can be accessed by end users that don't need to sign in (public). The web app calls the API. How can the API access can be restricted so that only the web app hosted in Azure can make calls to it, but end users cannot directly call the API end points, but the end users can still access the website (webapp)?

You asked a simple question that risks taking you down a rabbit hole. There are many ways to secure an API. The good ones require some thought.
On way is to involve a token server. The application and the token server share secrets. When application that wants to call an API, it is somehow redirected to the token server, and is granted a token. The session is redirected back at the API. The API checks with the token server that the token is authentic. If it is, the API serves the data, otherwise it fails.
This is an incredibly simplistic description of what really happens. Read everything in https://oauth.net/2/ for more details. Azure has mechanisms in the portal that can be used. https://identityserver4.readthedocs.io/en/latest/endpoints/token.html talks about how Identity Server could be used. There are other services of varying complexity and expense to do this. There are experts with varying rates that can help. I hope these couple links can get you started on your security journey.

you should be able to tweak the access restrictions of the app service to control the inbound access.
It allows to IP restrict/ Service tag based restrictions for an app service to accept traffic only from these entities.

Related

KeyCloack Settings behind Azure WAG (Web Application Gateway)

We have a corporative KeyCloak server which sits on Azure Account “A”.
We are now developing an ASP.Net Core Application that is on Azure Account “B”. This application is behind an Azure WAG.
The users access the application from the internet through the WAG and hits the Azure WebApp:
"https://myexternaldomain.com" => "https://myinternalazuredomain.azuresites.net".
As expected the users is redirected to Keycloak corporate server ("https://sso.corporate.com"). Once the user is logged in, he is being redirected to the callback address "https://myexternaldomain.com/oauth/callback".
At this moment we get a exception “Correlation Failed”, “Unknown Location”.
Architecture and Exception below:
Architecture and Exception
We believe that the problem is related to the address the users is using ("https://myexternaldomain.com") being different from the actual address the server is on ("https://myinternalazuredomain.azuresites.net"). And this makes even more sense when we take into account that it was working fine before the addition of the WAG.
Can you guys give us some insight?
Thanks
Best Regards
Take Care
There were a couple things that needed to be done to get KeyCloak + AppService to work in this scenario.
We had to add the same Certs to Wag and AppService, so KeyCloak would understand it as the same request.
Also the network team misconfigured the WAG, and some of the headers were not being forwarded, and KeyCloak would not accept the given Auth Token as valid for the current request.

Authenticating end users in a first-party native app

We are in the process of developing a mobile (native) app, and are looking at how we should do user authentication. Most of the information I have found have been about web apps and / or third-party apps accessing public APIs. OAuth 2 is therefore recommended to be used most of the time.
Since we develop the app and our API isn't public, it seems like the Resource Owner Password Credentials OAuth 2 flow could be an option, but according to oauth.net that is not recommended any more.
We are using Google App Engine (with Node.js) and Cloud Endpoints (Not sure if end-points would be needed since it's a private API, but that is another question) as the back-end, and both Firebase Auth and Auth0 has built in support in Endpoints. However, we have some special requirements that doesn't make those services suitable (Swedish BankID for example).
What other options are there when authenticating users? Could we write an app in App Engine to check the users credentials against our database, and then send back a JWT (Cloud Endpoints supports custom authentication methods as long as they use JWT)? Would it be safe to do this ourselves? I have found some Node.js libraries for authentication, but most seem to be aimed at web apps. Are there any that are suited for a native app front end?
For authentication, yes, you can perform the check yourselves, in your database and deliver or not a JWT according with the authentication result.
However, and it's obvious, this authentication service must be public (because it's for authenticated unauthenticated users!). And thus, you can be expose to attacks on this service. And because it's the authentication service, if the service goes down, no one can no longer sign in, or worse, if you have a security breach, your user database can be stolen.
That's why, to use existing services, with all the protections, all the resources (people, monitoring, automatic response, high availability,...) deployed to managed a large number of threats. Firebase auth, Auth0, Okta (...) are suitable providers but I don't know your Swedish requirement and you might not avoid specific developments

Open Azure App Service Endpoint to Only a Few Applications

I've implemented an ASP.NET Web API app as an Azure App Service. It has an App Registration, everything works as expected. I can hit the API from a browser and see all the JSON it returns. Now what I want to do is ensure that nothing except one or more applications from a set list can actually get anything from this endpoint. The applications needing access will all be custom ones in my organization/tenant. With all the flexibility and options, I'm having a very hard time determining what I need to do to lock the API down in this way.
I was envisioning having some client secrets the API knows about, and let the authorized applications supply them. Other methods would certainly be acceptable.
I'm certain this must be a duplicate question, but due to the plethora of information out there, and the myriad techniques for running applications on Azure, I can't seem to find just the right solution for my simple case.
It sounds like you have implemented interactive browser redirect-based authentication on the API.
Instead, you should implement JWT authentication on the API.
Then in Azure AD you can define permissions that can be granted to client applications.
In that way you can control which app can do what.
https://joonasw.net/view/azure-ad-authentication-aspnet-core-api-part-1
https://joonasw.net/view/azure-ad-authentication-aspnet-core-api-part-2
https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-overview
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent

How to implement Authentication Across MVC 5 Application and Seperate Web API Application

I am building an online application using AngularJS on the front-end, hosted in an MVC 5/Web API application (basically a single-page application). However I have a hard constraint: the application's data will be held in a private network. I have to build a second Web API application inside the private network that exposes the web application's functionality. Further, the user authentication needs to happen inside the private network API (so the private network API will act as the authentication provider), as this is where the user tables exist.
The app in the DMZ is basically going to act as a proxy to the web API in the private network. So every request received in an ApiController in the UI API will be calling the private network API, ideally passing the token on received in the initial request.
From an authentication perspective, this is what I need:
User navigates to the site, can see only certain pages (I want to use MVC filters in the view controllers to control access).
They will log in once with a username and password.
After login the user can navigate to application pages and as a result the pages will call into the DMZ API for data.
This DMZ's API controllers will be calling into the private network API.
Both APIs whould be able to identify and apply authorization on their controller methods, based on the user's credentials.
If I didn't have a need for the second tier of API I would just use the MVC Single User Authentication implementation, which provides support for both cookie (UI) and token (API) authentication.
Any help providing insight into how I can do a similar thing with the above scenario would be much appreciated. (I guess my requirement is a bit like Windows impersonation for the UI web app).
See below for a high level view of the static architecture:
You may want to look at Azure service bus relays, which are designed to bridged the corporate firewall and call on-premise APIs.
Your WebAPI service would authenticate against the service bus to be allowed to call your service through it. You can pass user credentials using a bearer token in the request.
I'm not sure, but you may need to change your backend service implementation to use WCF though. You can find an explanation of the use of relays in Microsoft Dynamics in this link.

Single Sign-On in Microservice Architecture

I'm trying to design a green-field project that will have several services (serving data) and web-applications (serving HTML). I've read about microservices and they look like good fit.
The problem I still have is how to implement SSO. I want the user to authenticate once and have access to all the different services and applications.
I can think of several approaches:
Add Identity service and application. Any service that has protected resources will talk to the Identity service to make sure the credentials it has are valid. If they are not it will redirect the user for authentication.
Use a web-standard such as OpenID and have each service handle it own identities. This means the user will have to authorize individually each service/application but after that it will be SSO.
I'll be happy to hear other ideas. If a specific PaaS (such as Heroku) has a proprietary solution that would also be acceptable.
While implementing a microservice architecture at my previous job we decided the best approach was in alignment with #1, Add identity service and authorize service access through it. In our case this was done with tokens. If a request came with an authorization token then we could verify that token with the identity service if it was the first call in the user's session with the service. Once the token had been validated then it was saved in the session so subsequent calls in the user's session did not have to make the additional call. You can also create a scheduled job if tokens need to be refreshed in that session.
In this situation we were authenticating with an OAuth 2.0 endpoint and the token was added to the HTTP header for calls to our domain. All of the services were routed from that domain so we could get the token from the HTTP header. Since we were all part of the same application ecosystem, the initial OAuth 2.0 authorization would list the application services that the user would be giving permission to for their account.
An addition to this approach was that the identity service would provide the proxy client library which would be added to the HTTP request filter chain and handle the authorization process to the service. The service would be configured to consume the proxy client library from the identity service. Since we were using Dropwizard this proxy would become a Dropwizard Module bootstrapping the filter into the running service process. This allowed for updates to the identity service that also had a complimentary client side update to be easily consumed by dependent services as long as the interface did not change significantly.
Our deployment architecture was spread across AWS Virtual Private Cloud (VPC) and our own company's data centers. The OAuth 2.0 authentication service was located in the company's data center while all of our application services were deployed to AWS VPC.
I hope the approach we took is helpful to your decision. Let me know if you have any other questions.
Chris Sterling explained standard authentication practice above and it makes absolute sense. I just want to put another thought here for some practical reasons.
We implemented authentication services and multiple other micro services relying on auth server in order to authorize resources. At some point we ran in to performance issues due to too many round trips to authentication server, we also had scalability issues for auth server as number of micro services increased. We changed the architecture little bit to avoid too many round trips.
Auth server will be contacted only once with credentials and it will generate the token based on a private key. Corresponding public key will be installed in each client (micro service server) which will be able to validate the authentication key with out contacting auth server. Key contain time generated and a client utility installed in micro service will validity as well. Even though it was not standard implementation we have pretty good success with this model especially when all the micro services are internally hosted.

Resources