How to forward OAuth token from Grafana to downstream APIs - security

I am trying to forward the OAuth token from Grafana to the data source, which is a JSON API where the token will be verified in the API service. I enabled the "Forward OAuth Identity" option,
but I am not able to see the token in any of the request headers. How can the OAuth token forwarded by Grafana be validated in the downstream services?

Related

Want to change incoming request to identity or openIDConnect

I see from the Microsoft Docs that they provide only these three in the policy: basic, certificate and MSI. https://learn.microsoft.com/en-us/azure/api-management/api-management-authentication-policies#AuthenticationPolicies
Does that mean I cannot accomplish OIDC?
SHORT ANSWER: No changes are needed in API Management if you are changing the authentication of API consumers with the backend API.
A long answer explaining how authentication policies are not related to API consumer authentication is given below.
Basic Concept
API Management is in the middle of your API and your consumer.
From a terminology perspective, your API in this case is called the Backend API. The Frontend API is the URL of API Management, which can be shared with your consumer.
Refer to this page for further basic terminology about API Management.
In my opinion, there are two different questions: one about consumer OAuth authentication and the other about which authentication policy is required to be configured in APIM.
Consumer Authentication
So, if you want your consumer to be authenticated using JWT authentication or OAuth authentication, the flow is simple. The consumer will get the authentication token from the identity service and then use that token to call your API.
As long as you do not modify it using API Management policies, it should work. API Management is not required to know the authority or any other details about the authority.
APIM Authentication Policies
Based on your design, you can choose whether the Backend API (i.e. the API which you hosted in APIM) should have logic to authenticate the Frontend API, to ensure that only a known party is calling your API.
As per the documentation, you can configure:
Basic authentication policy and send a username and password with every request to the backend API
Certificate authentication policy and send a certificate thumbprint with every request to the backend API
Managed Identity to use Azure AD authentication.
All these three policies just help your backend API to ensure the identity of the caller (i.e. the APIM Frontend API in this case). This has nothing to do with consumer authentication and OAuth.
For example, you can set up your API in such a way that the consumer needs to be authenticated using Facebook authentication. And in addition, you can have certificate authentication to identify that only a valid APIM instance is redirecting the consumer request from the Frontend API to the Backend API.
Hope this clarifies.
As the article says:
If your backend API is already secured with OAuth 2.0 using any platform, then the API consumers should pass the Authorization header to API Management.
You do not need to add any policy in API Management. The header would be sent by the API consumer and API Management would send the same header to the Backend API.
Use basic authentication and set the header manually.
<authentication-basic username="username" password="password" />
<set-header name="Authorization" exists-action="override">
<value>#("Bearer " + (string)context.Variables["token"])</value>
</set-header>

Azure AD OAuth Client Credentials Grant flow

Trying to set up Azure AD OAuth client credentials grant flow for my web api. I'm following the document in https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow. I have to expose my API to a 3rd party. I've created the APP in Azure AD (this is for the client that is requesting my API), generated the secrets and was able to get a response from oauth2/token endpoint. My questions are below:
What is the best way to validate the token? Is it by passing the JWT (bearer token) as an HTTP header to my API, and then using the SDK to validate the token (System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler)? I'm using C#.
What is the significance of Azure AD -> App Registrations -> "My API App" -> under Manage, Expose an API? It has an option to "Authorize client applications". How could I use this feature to conditionally block and approve the client applications?
I will have to share the secret, client id and the App Id Uri with the 3rd party for them to generate the token and I will validate the token when I receive it.
You're on the right track.
This answer, Azure AD OAuth client credentials grant flow with Web API AuthorizeAttribute Roles, will walk you through one way to do this, using the roles claim in the token to authorize the call.
You will need to:
define roles
create an App registration for each 3rd party
assign their application to your desired roles
You can then use the AuthorizeAttribute to map which roles can execute which controllers/actions, like so:
[Authorize(Roles = "Reader,Requester,Editor,Approver,Administrator")]
Token validation
Once you complete the token obtaining flow, you receive a JWT bearer access token. On the token consuming end (your service), you need to perform JWT validation. This is done by validating the JWT signature and claims. One of the most important claims you validate is the audience (aud) claim, which must be the identifier (e.g. your service's URL, an ID) unique to the token receiving service. Where do you register this? That's your second question.
Please read through MS's guide on token validation, which explains the key points: Microsoft identity platform access tokens
Service registration
This is where you register the endpoints that may receive valid tokens (e.g. your API app). If you check your token request, you provide a resource parameter which must match the registered identifier. This allows Azure to validate the token request and issue an access token for the mentioned resource. You find this as the aud claim in the token. Hope you got the connection now.
App secret
No, only the token obtaining party requires the client credentials. Your API or any token consuming party does not need the secret. They only require a valid access token and the token signing certificate details. The certificate details are exposed at the jwks_uri in the openid-configuration endpoint.

How to generate an OAuth token for a Web API without using client id and client secret

I have deployed one Web API into Azure. After that I registered my API in Azure AD.
I got my API client-id and client-secret; now I just want to test my API, not like
a 3rd application will access it, so what will the resource id be in this case?
I have used OAuth for authentication in that Web API.
I want to test that Web API, so in Postman I used this URL to generate an OAuth token,
which I will pass as the header Authentication bearer token.
step 1 -
https://login.microsoftonline.com/{{OAuth_Tenant}}/oauth2/token
in header -
grant_type:client_credentials
client_id:{{client_id}} // i have my API client-id
client_secret:{{client_secret}} // i have my API client-secret
resource:{{resource}} // i have my API client-id
When I generate a token using the above values and send that bearer token, it fails with an unauthorized error.
You need to register an app in Azure Active Directory to acquire access tokens.
Register an app there, and you can find the client id/application id there.
Then you can create a key for the app, that's your client secret.
Finally, the resource should be the client id or App ID URI of your API's app registration in Azure AD.
To implement this according to best practices, you'll also want to look into defining app permissions for your API, so you can then assign privileges to apps to call your API.

Authenticate Azure app service with AAD custom login in mobile app

I have created an app service for a mobile app. Then I added Authentication to the app service. Then I selected the authentication type "Log on with Azure AD". It is working fine.
Is it possible to have a custom login page instead of the browser based login screen?
I was able to get the token by using https://login.microsoftonline.com//oauth2/token. But I am not able to authorize the app service with this bearer token.
Is it possible to have a custom login page instead of the browser based login screen?
This page is the authentication endpoint of Azure AD. Though it can be configured with company branding, I think it cannot be customized by yourself for a mobile app.
I was able to get the token by using https://login.microsoftonline.com//oauth2/token. But I am not able to authorize the app service with this bearer token.
Authentication/Authorization for Web App is a feature that secures the Web App behind those IdPs, NOT like other Azure resources where you can use a REST API to access it. I understand what you want to do. But this action is not recommended or supported.
I was able to get the token by using https://login.microsoftonline.com//oauth2/token. But I am not able to authorize the app service with this bearer token.
As juunas answered, your token may not match the AAD provider you configured in the Azure Portal. Details you could follow here to check your configuration. Moreover, you could use https://jwt.io/ to decode your access_token and validate the related properties (e.g. the aud should be the clientId you configured in the Azure Portal, etc.).
As App Service Authentication / Authorization (EasyAuth) states as follows:
Users who interact with your application through a web browser will have a cookie set so that they can remain authenticated as they browse your application. For other client types, such as mobile, a JSON web token (JWT), which should be presented in the X-ZUMO-AUTH header, will be issued to the client. The Mobile Apps client SDKs will handle this for you. Alternatively, an Azure Active Directory identity token or access token may be directly included in the Authorization header as a bearer token.
For Azure Web App or Azure Mobile App, you could just access your endpoint as follows:
https://{your-app-name}.azurewebsites.net/api/values
Header: Authorization:Bearer {the id_token or access_token of AAD}
Or
https://{your-app-name}.azurewebsites.net/api/values
Header: x-zumo-auth:{authenticationToken}
Moreover, if you retrieve the access_token in your mobile app, you could also use it to retrieve the authenticationToken and use the authenticationToken for communicating with the backend endpoint.
POST https://{your-app-name}.azurewebsites.net/.auth/login/{provider-name,for your scenario, it would be AAD}
Body: {"access_token":"<your-access-token>"}
For your mobile client, you could use the client for Azure Mobile Apps; details you could follow here. Also, you could follow Authenticate users to understand the client-flow and server-flow authentication for App Service Authentication.
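The client-directed exchange just described, written out as an added C# example (not code from the answer or from Microsoft's SDKs): the AAD access_token is posted to /.auth/login/aad to obtain an authenticationToken, which is then sent in X-ZUMO-AUTH, or alternatively the AAD token is sent directly as a bearer token. The app name and the AAD access token are placeholders; "aad" is the provider name App Service uses for Azure AD, and the block assumes the System.Net.Http.Json extension methods (.NET 5 or later, or the package of the same name).

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text.Json;
using System.Threading.Tasks;

// Added example: the EasyAuth client flow from a mobile/desktop client.
public static class EasyAuthClientFlow
{
    const string AppName = "<your-app-name>";   // placeholder: your App Service name
    const string Provider = "aad";               // App Service provider name for Azure AD

    static readonly HttpClient Http = new HttpClient
    {
        BaseAddress = new Uri($"https://{AppName}.azurewebsites.net/")
    };

    // Step 1: exchange the Azure AD access_token for an App Service authenticationToken.
    // The token must have been issued for the client id configured on the EasyAuth blade,
    // otherwise App Service rejects it (the "aud" mismatch the answers above describe).
    public static async Task<string> LoginAsync(string aadAccessToken)
    {
        var body = new { access_token = aadAccessToken };
        using HttpResponseMessage response =
            await Http.PostAsJsonAsync($".auth/login/{Provider}", body);
        response.EnsureSuccessStatusCode();

        // Response shape: {"authenticationToken": "...", "user": {"userId": "..."}}
        using JsonDocument doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        return doc.RootElement.GetProperty("authenticationToken").GetString();
    }

    // Step 2a: call the protected endpoint with the authenticationToken in X-ZUMO-AUTH.
    public static async Task<string> CallWithZumoTokenAsync(string authenticationToken)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, "api/values");
        request.Headers.Add("X-ZUMO-AUTH", authenticationToken);
        using HttpResponseMessage response = await Http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }

    // Step 2b: or skip step 1 and present the Azure AD token directly as a bearer token.
    public static async Task<string> CallWithBearerAsync(string aadAccessToken)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, "api/values");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", aadAccessToken);
        using HttpResponseMessage response = await Http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}
```

A 401 from either step 2 call with a freshly obtained token almost always means the token's audience does not match the client id configured for the App Service, which is the first thing to check by decoding the token as the answer suggests.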
As Wayne Yang said, customization of the login page is limited to logos and some text.
I'm not sure if you can use the "Easy Auth" for APIs.
You might need to actually implement the authentication in your app.
In that case your API would validate the incoming JSON Web Token so that its signature is valid and that the audience and issuer are what is expected.
Most frameworks have JWT authentication available, so it mostly comes down to configuring that properly.
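Putting together the "Token validation" answer in the client credentials question above and the point made here that the API must check signature, audience and issuer, the following is an added C# example (not code from either answerer or from Microsoft's documentation) of validating the bearer token with System.IdentityModel.Tokens.Jwt. The tenant id, client id and App ID URI are placeholders; the block assumes the Microsoft.IdentityModel.Protocols.OpenIdConnect package, whose ConfigurationManager downloads the openid-configuration document and the signing keys at its jwks_uri.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Added example: validates an Azure AD bearer token on the token-consuming side.
// Only the caller needs the client secret; this side needs only the signing keys
// published at jwks_uri, discovered through the openid-configuration document.
public static class AzureAdTokenValidator
{
    // Placeholders: your tenant id, and the identifiers your API is registered under.
    const string TenantId = "<your-tenant-id>";
    const string ApiClientId = "<client-id-of-your-api-app-registration>";
    const string ApiAppIdUri = "<app-id-uri-of-your-api>";

    // v1 metadata document, matching the /oauth2/token endpoint used in the question.
    // ConfigurationManager caches it and refreshes it when key rollover happens.
    static readonly ConfigurationManager<OpenIdConnectConfiguration> Metadata =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            $"https://login.microsoftonline.com/{TenantId}/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

    public static async Task<ClaimsPrincipal> ValidateAsync(string bearerToken)
    {
        OpenIdConnectConfiguration config = await Metadata.GetConfigurationAsync();

        var parameters = new TokenValidationParameters
        {
            // Signature: must be made by one of the tenant's published signing keys.
            IssuerSigningKeys = config.SigningKeys,
            ValidateIssuerSigningKey = true,
            // Issuer: the value advertised in the metadata document for this tenant.
            ValidIssuer = config.Issuer,
            ValidateIssuer = true,
            // Audience: the aud claim carries the "resource" the caller requested,
            // which is either the client id or the App ID URI of this API.
            ValidAudiences = new[] { ApiClientId, ApiAppIdUri },
            ValidateAudience = true,
            // Lifetime: reject expired or not-yet-valid tokens, allowing a small clock skew.
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
            // Azure AD app roles assigned to the calling app arrive in the "roles" claim.
            RoleClaimType = "roles",
        };

        var handler = new JwtSecurityTokenHandler();
        // Throws a SecurityTokenException subclass on any failure (bad signature,
        // wrong issuer or audience, expired token); the caller should respond 401.
        return handler.ValidateToken(bearerToken, parameters, out SecurityToken _);
    }

    // Authorization step: does the calling app hold the app role required for this action?
    // Checks both the raw "roles" type and the mapped ClaimTypes.Role, since the handler
    // may remap inbound claim types depending on its configuration.
    public static bool HasAppRole(ClaimsPrincipal principal, string role) =>
        principal.HasClaim(c => (c.Type == "roles" || c.Type == ClaimTypes.Role) && c.Value == role);
}
```

The HasAppRole check is the manual equivalent of the AuthorizeAttribute roles mapping shown in the client credentials answer: each third party gets its own app registration, is assigned app roles on your API, and the roles claim in its token decides which actions it may call.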

Azure AD Graph API - Get client secret from registered apps

I've programmatically registered a web application in WAAD through a POST HTTP request. The HTTP response returns the client Id; however, I am unable to get the client secret. Is there a way from the Graph API to get the client secret for the registered apps?
This scenario is not supported. But you can add one extra client secret and both will be valid.