AAD B2C Authentication for Dockerized Azure Function App - azure

We are currently successfully running a Node.js Azure Function App deployed in an App Service in Azure with AAD B2C authentication as backend for a React-based Single-Page Application. User authentication in the SPA is done with Azure AAD B2C, where users obtain a JWT Token which is used as Bearer token for all requests against the backend API.
This works great.
Due to different reasons, we now need to dockerize our Function App and move it inside a Kubernetes cluster. This prevents us from using the AAD B2C integration of the Function App in the App Service for protecting the API, hence we need a different approach to validate the Bearer tokens of the requests.
From what we understand, there are two possible options to do this:
passport.js
MSAL
passport.js seems to work great for all Express-based apps and is therefore not suitable for us as our Function App is not Express-based.
We also had a look at msal-node and various examples using it, but struggle to understand exactly where and how our token validation fits and which (if any) of the examples fits our use case.
Are we looking in the right direction with msal-node and if so, how can we accomplish the task of protecting a containerized Node.js Azure Function App by validating the Bearer token with the AAD B2C?

We found a working solution. Turns out we were thinking way too complicated and "normal" JWT verification is exactly what we needed to do.
This StackOverflow post describes exactly what we were trying to achieve.

Related

Azure AD, Angular Spa and Spring Microservice Integration

We are using Azure AD for authentication and authorization. Our angular spa has been enabled SSO with Azure AD. We need to secure our backend
service and only allow API which has a valid jwt token.
What we have done so far is:
Registered our angular app in Azure AD.
We have configured spring microservice as a resource server and
application properties contain jwt.issuer-uri
spring.security.oauth2.resourceserver.jwt.issuer-uri=XXXXXXXXXXX-XXXXXXXXX-XXXXXXX-XXXXXXXXXXX
The issue is the token that we get from Azure AD is having an audience as "00000003-0000-0000-c000-000000000000" which means the token is generated for the Microsoft graph. I also tried accessing graph Api with this token and it worked. But what we want is to verify this token in our own spring microservice and grant permission
based on jwt provided.
To solve this issue I had to make some config changes in our Azure registered Angular app. I have added a custom scope api://<>/app and use
this scope while acquiring the token. Now the token is being validated in the backend and API working fine.
This config somehow works but doesn't seem correct to me. I am new to azure so am not sure how all things tie-up.
The new token which is now being generated has an audience as our
angular spa client Id. Is this correct? Shouldn't it be the backend
service? Any why it's getting validated by the backend with the
current configuration?
My understanding is that we don't have to register our spring
microservice with Azure Ad. I will just act as a resource server and
will decode the token provided by the angular app using the
issuer-url.
In case we need to register our backend services with azure AD then
would it be difficult to do the same for all microservices?
I have done all settings by referencing.
https://ordina-jworks.github.io/security/2020/08/18/Securing-Applications-Azure-AD.html
In some other links, I find a completely different config for setting up backend service. I am not sure which one is correct.
https://learn.microsoft.com/en-us/java/api/overview/azure/active-directory-spring-boot-starter-readme?view=azure-java-stable
Azure AD is a little confusing when following a standards based approach. I wrote a blog post on this a couple of years back:
You have already figured out that you need at least one API registration to work, to expose an API scope - so that you get usable access tokens
The generated id from the API entry in Azure then becomes your audience, as in step 9 of the article.
What we'd really like to do is this, so that we can do things like forward the JWT in microservice to microservice calls:
Get Azure AD to issue an audience claim such as api.mycompany.com that is common to all microservices
Issue multiple scopes in the access tokens, based on areas of data in microservices - as in this Curity doc
I would aim for a single entry in Azure AD to represent your platform of APIs. Then each microservice can use the same generated audience value.
Hopefully you can get multiple custom scopes to work also, though there are some annoyances here, especially when you want to use built in OpenID Connect User Info scopes, which Azure AD exposes via the Graph API.

Azure AD SSO: Mobile app with OAuth and SAML

Current State: I have a mobile application that signs users into Azure AD via OAuth using the PKCE flow. Once authenticated, the app uses a token to get various forms of data from some APIs.
As the application has evolved, the need to integrate SSO with another web application has come up (and there will be further service providers added as we move forward). It will act as a service provider and it supports IDP initiated authentication via SAML.
Question: once this service provider is configured under the AD tenant, is there a way to exchange or translate our OAuth token for something that can be passed on to the the SAML SP without having to re-authenticate? Am I even thinking about this in the right way? I'm mainly curious if we will need to re-implement authentication in the mobile app to support SAML (i.e. stand up some sort of web-based SAML service that can act as a proxy for the mobile application)? If that route is a necessity to accomplish our requirements, I'm assuming there's a way to still get a valid OAuth or equivalent token we can use to send to our APIs.
Apologies if this is a repeat question, but I couldn't find anything with similar specifics. Thanks in advance!
You can surely use the OAuth 2.0 OBO flow that allows an OAuth2-based application to access web service API endpoints that consume SAML tokens. You can read more here and it has some really good guidance on how to achieve the same:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#saml-assertions-obtained-with-an-oauth20-obo-flow
Make sure that you SAML request is well formulated per the details mentioned here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol

call an azure functions from a web app using msal on-behalf

I'm developing an application that have a web front and an azure function in the backend. I have protect the azure function using easyauth. The application is multitenant and i want to call the azure function on-behalf of authenticated user on the web. I want to use MSAL. I obtain a token on be-half of the user, i check it with jwt.io and all the informations are correct, scope is ok but when i call the function adding the Authentication token "Bearer:xxxxxxxxxxx" i obtain a 401. Seems to me that the problem is on the Function side: same parameter, compatibility with MSAL...
Is there a racomandated architecture for this scenario. I found many but nothing specific about Azure Functions, EasyAuth, on-behalf msal token
Unfortunately, we cannot use v2 endpoint(msal) to authenticate Azure function in Azure Portal for now.
Currently, authentication providers in Azure Web App service contain Azure Active Directory and it use v1 ednpoint to redirect.
You can find more details here.
I'm not sure if it'd meet all your requirements, but you could front the web app with API management using OAuth2 and then set headers to appropriate values and redirect to an HTTP Trigger for your function using one of the AuthorizationLevel options available.
Sounds like EasyAuth is on people's minds already and there may be a solution for you somewhere in the comments on the github ticket.

Is it possible to have different authentication provider for my Azure App service?

The Authentication/Authorization settings for my API app only provide AAD, FB, Google and Twitter. I want to use different authorization provider (different chat app such as Kakaotalk/LINE) and eventhough their API also give me token I don't know how I can make my backend authorize those tokens.
I wonder if it's possible to have custom authorization based on different OAuth token provided by different service? If not can you suggest what steps should I take to do authorization for my api app service?
Thanks
Yes, it is possible to use custom identity providers if you're using .NET for your API app.  Some useful references:
https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-dotnet-backend-how-to-use-server-sdk#custom-auth
https://adrianhall.github.io/develop-mobile-apps-with-csharp-and-azure/chapter2/custom/

Protecticting node.js server using Azure AD OAuth 2.0

I wrote a little server in node.js and deployed it to Azure WebApp. I want to add service-to-service authentication using Azure AD OAuth (like this flow). I alredy did this in another WebApi sevice using Katana.
So, I found the official library for this, and it work great. The only problem is that the library use the ursa module, which is a native module. And, like explained here it is not easy to deploy a WebApp with native modules.
So, my question is - what is the best approach? How I could accomplish authentication using Azure AD OAuth?
Thanks,
Omer
Take a look at the Authentication / Authorization feature of Azure Web Apps. It allows you to do OAuth 2.0 service-to-service auth flows using Azure AD, no code changes necessary (also, it works with any stack, not just node.js).
More high-level info here: http://azure.microsoft.com/blog/2014/11/13/azure-websites-authentication-authorization/
The post is a bit dated and doesn't mention the recently added support for APIs, but if your client can acquire an OAuth token from Azure AD, you can send it to your node.js server as a bearer token in the Authorization header of your HTTP request and have the authorization just work.
Two things to be aware of if you go down this route:
Authentication / Authorization currently blocks ALL unauthenticated access to your node.js API. You won't be able to say that some APIs are protected and some are not.
The JWT token that you send to your node.js API must use the client_id GUID value as the value for the "aud" claim. Using the app URI (as shown in some Azure AD samples) will not work.
Give it a try and see if it works for you.

Resources