Authorize Azure Requests using Bearer token? - azure

Is it possible to send a request to Microsoft Azure OCR using authorization token instead of Subscription-Key? I searched a lot on the internet but found nothing and thus I would be thankful If you can help.

Basically, you can follow this workflow:
1. Users send a request to your app for an access token.
2. Your app checks the user's permissions (you should implement the procedure yourself); if valid, your app uses a subscription key to get an access token for the user by Authenticate with Azure Active Directory and replies with this token to the user.
3. Users use this token to call the OCR service from the client side.
As the doc indicates, you should create a new service principal in your Azure AD, then go to Azure Portal => your Azure Cognitive Services resource => Access control and add the Cognitive Services User role to the newly created SP:
So that it can request an access token for this service from Azure AD with the request below:
Using this access token, we will be able to call the Vision OCR service:
Endpoint in this case:

Related

How can Azure Service Bus authenticate clients using Azure AD

I created Azure service bus and clients are able to access the service bus using Shared Access Token. All this is working fine and now we want to implement authentication using Azure AD.
This is what we know so far:
Using Azure AD we will register client(s).
Each registered client will get an ID and Secret.
We will use this ID, Secret and AppId (Id of service bus) to get access token from Azure AD
This call will return an access token.
We then pass the access token to Azure Service Bus using request headers to post or get messages.
My question is: how does Azure Service Bus actually validate this token? I have seen another example where the API or service consumed by the client validates the access token using a program like this: https://github.com/mauliksoni/aad-token-validation/blob/main/DotNetFramewrork/validate.cs and only then is the user allowed to access the token.
Ideally the service should validate the access token on its own, and there should be no need to validate tokens with external programs.
You don't need to do any external validation. As long as the service principal has the right RBAC role to perform the desired operation (send/receive/management), the service does the remaining token validation for you.
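Putting the two answers above into code (the service-principal token for the OCR service, and the Bearer token sent to Service Bus in place of a SAS token), here is an added example that is not from either post. It acquires a token with the client-credentials grant, hands only the token to the downstream call so the secret stays server-side, and builds the OCR and Service Bus requests with an Authorization: Bearer header instead of Ocp-Apim-Subscription-Key. The tenant ID, client ID, secret, resource and namespace names, and the OCR API path (/vision/v3.2/ocr) are placeholders/assumptions; the HTTP transport is injectable, so the block runs offline against a constructed stand-in for login.microsoftonline.com and can be pointed at a real tenant by passing urllib_transport.

```python
"""Azure AD client-credentials token, then a Bearer call to an Azure service.

Added example, not code from the original posts. Tenant ID, client ID, secret,
resource names and the OCR API path are placeholders/assumptions.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

AAD_AUTHORITY = "https://login.microsoftonline.com"
# v2.0 ".default" scopes for the two services; the permission itself comes from
# the RBAC role assigned to the service principal, not from a consent prompt.
COGNITIVE_SCOPE = "https://cognitiveservices.azure.com/.default"
SERVICE_BUS_SCOPE = "https://servicebus.azure.net/.default"

# transport(url, body, headers) -> (status, response_body); injectable so the
# flow can be exercised offline with a constructed stand-in for Azure AD.
Transport = Callable[[str, bytes, Dict[str, str]], Tuple[int, bytes]]


def urllib_transport(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real HTTP POST using only the standard library."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def build_token_request(tenant_id: str, client_id: str, client_secret: str, scope: str):
    """client_credentials grant (RFC 6749 section 4.4) against the v2.0 token endpoint."""
    url = f"{AAD_AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, urllib.parse.urlencode(form).encode("utf-8"), headers


def acquire_token(tenant_id: str, client_id: str, client_secret: str, scope: str,
                  transport: Transport) -> Dict[str, object]:
    """Exchange the service principal's secret for a short-lived token. Only the
    token leaves this function; the secret never reaches the client side."""
    url, body, headers = build_token_request(tenant_id, client_id, client_secret, scope)
    status, raw = transport(url, body, headers)
    payload = json.loads(raw.decode("utf-8"))
    if status != 200 or "access_token" not in payload:
        # Azure AD reports failures as {"error": ..., "error_description": ...}.
        raise RuntimeError(f"token request failed ({status}): {payload.get('error_description', payload)}")
    if str(payload.get("token_type", "")).lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {payload.get('token_type')!r}")
    return {"access_token": payload["access_token"], "expires_in": int(payload.get("expires_in", 0))}


def bearer_headers(token: str, content_type: str) -> Dict[str, str]:
    """Authorization header for the downstream call; no Ocp-Apim-Subscription-Key."""
    return {"Authorization": f"Bearer {token}", "Content-Type": content_type}


def ocr_request(endpoint: str, token: str, image_url: str):
    """Computer Vision OCR call; the path /vision/v3.2/ocr is an assumption, match
    it to the API version of your resource."""
    url = f"{endpoint.rstrip('/')}/vision/v3.2/ocr?language=unk&detectOrientation=true"
    body = json.dumps({"url": image_url}).encode("utf-8")
    return url, body, bearer_headers(token, "application/json")


def service_bus_send_request(namespace: str, queue: str, token: str, message: str):
    """Service Bus REST 'Send Message' with an Azure AD token instead of a SAS token.
    The service itself checks signature, issuer, audience and expiry, then applies
    the RBAC role (e.g. Azure Service Bus Data Sender) to the operation."""
    url = f"https://{namespace}.servicebus.windows.net/{queue}/messages"
    return url, message.encode("utf-8"), bearer_headers(token, "application/atom+xml;type=entry;charset=utf-8")


def fake_aad_transport(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Constructed stand-in for login.microsoftonline.com so the flow runs offline."""
    form = urllib.parse.parse_qs(body.decode("utf-8"))
    if form.get("grant_type") != ["client_credentials"] or form.get("client_secret") != ["s3cret"]:
        return 401, json.dumps({"error": "invalid_client",
                                "error_description": "invalid client secret provided"}).encode()
    return 200, json.dumps({"token_type": "Bearer", "expires_in": 3599,
                            "access_token": "eyJ.constructed.token"}).encode()


def run_offline_demo() -> Dict[str, object]:
    """Drives both calls against the fake; swap in urllib_transport for a real tenant."""
    tok = acquire_token("<tenant-id>", "<client-id>", "s3cret", COGNITIVE_SCOPE, fake_aad_transport)
    ocr_url, _, ocr_headers = ocr_request("https://<resource>.cognitiveservices.azure.com",
                                          tok["access_token"], "https://example.invalid/receipt.png")
    sb_url, _, sb_headers = service_bus_send_request("<namespace>", "orders", tok["access_token"],
                                                     '{"orderId": 1}')
    try:
        acquire_token("<tenant-id>", "<client-id>", "wrong", SERVICE_BUS_SCOPE, fake_aad_transport)
        rejected = False
    except RuntimeError:
        rejected = True
    return {"token": tok["access_token"], "ocr_url": ocr_url, "ocr_auth": ocr_headers["Authorization"],
            "sb_url": sb_url, "sb_auth": sb_headers["Authorization"], "bad_secret_rejected": rejected}


if __name__ == "__main__":
    print(json.dumps(run_offline_demo(), indent=2))
```

The token endpoint is called once per refresh from the server side; what the client receives is only the expiring access token, which is the point of the workflow in the OCR answer. The Service Bus request needs no local validation code because the service rejects a token whose audience, signature or expiry is wrong before it consults the caller's RBAC role.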

Auth0 to user delegation SAS in Azure AD

I have an API registered in Azure via an App Registration, which has the user_impersonation API permission (for user delegation SAS access to a storage account).
Using the Azure endpoints in Postman I am able to connect to the API, which creates the SAS as expected.
I'd like to be able to authenticate using Auth0 and connect to the API by that route. I followed this guide: https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/azure-active-directory/v2. It passes the test in the article and I am able to get a bearer token in Postman, but I am getting 401 errors when calling the API.

Call azure DevOps API from custom azure webapp api without user behalf

I have an Azure WebApp which needs to call the Azure DevOps API to trigger a build pipeline.
The only problem I have is finding out the proper way to authenticate from my Web API against the Azure DevOps API.
Should I use a service principal account for that, or a Managed Identity?
Do I have to create a service account in Azure AD and give it rights on Azure DevOps?
I only have a route which then calls the DevOps API, so I need to authenticate at the moment the route is called with a principal from the WebApp.
I am a little bit lost about how to do it the right way, because there is so much information about the auth topic.
Currently I use my personal account with a PAT from Azure Key Vault, which is only a temporary solution.
Thanks & Regards
If you check the Choose the right authentication mechanism document, you will find several types of authentication mechanisms for your Web App API against the Azure DevOps API.
But it is mostly recommended to use the Azure DevOps Services Client Libraries for authentication and for accessing Azure DevOps Services resources. You can authenticate your web app users for REST API access, so your app doesn't keep asking for usernames and passwords.
Azure DevOps Services uses the OAuth 2.0 protocol to authorize your app for a user and generate an access token. Use this token when you call the REST APIs from your application. When you call Azure DevOps Services APIs for that user, use that user's access token. Access tokens expire, so refresh the access token if it has expired.
I would suggest reading the Authorize access to REST APIs with OAuth 2.0 document for more explanation and a detailed approach to achieving the result.
In case any required functionality is missing from the client libraries, MSAL is an alternative authentication mechanism to use with the REST APIs.

Incomplete bearer token when using authentication-managed-identity tag in azure api management

I've been trying to expose an API through azure API Management and I can't figure out what I'm doing wrong. Here's the situation:
My API is going to be called from an external application
They don't have an Azure Account in the same tenant
I want to enable external calls to my API using just a subscription key (hence why I'm using API Management), but I also want to keep my actual API secured with Azure AD.
I have an API which is secured with Azure AD using OAuth2 and published to a Windows App Service.
I have an App registration for that API, which I use to authenticate (it works from Postman, for example).
[screenshot: app registration]
I have Managed Identities turned on and permissions set.
I have added the API in API management
I added the authentication-managed-identity inbound rule and used the Application ID URI of the app registration as its resource value.
[screenshot: API Management config]
When testing an endpoint from the APIM interface, I can successfully get a bearer token, but I get a 500 exception from the API which says: Neither scope or roles claim was found in the bearer token
[screenshot: bearer response]
Here is the decoded bearer token; it doesn't have an scp claim.
[screenshot: bearer decoded]
I'm not sure where I can specify a scope. If I use the full scope URI (api://guid/access.api.management) it fails when trying to get a bearer token (The resource principal named api://guid/access.api.management was not found in the tenant).
I've even tried adding the Owner role to the APIM Identity for the AppService.
Maybe I'm not using this correctly, I'm pretty new at using Azure cloud and API Management so any suggestions are welcome.
Thanks.
You have exposed an API protected by Azure AD, and currently you have an API application. Next, you need to create another application that represents the client, and then add the client application to the API application.
Next, go to the client application:
1. Under 'API permissions' click on 'Add a permission', then click on the 'My APIs' tab.
2. Find your API application and select the appropriate scope.
3. Click 'Add permissions'.
4. Grant admin consent for your APIs.
Next, you need to use the auth code flow to obtain an access token. This requires the user to log in so that you obtain an authorization code, and then you use the authorization code to redeem the access token.
1. Request an authorization code in the browser.
https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client app client id}
&response_type=code
&redirect_uri={redirect_uri}
&response_mode=query
&scope=api://{api app client id}/{scope name}
&state=12345
2. Redeem the token.
Parse the token:
I managed to get it working using the client credentials flow and storing the client secret in key vault.
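As an added example (not code from the answer or from the asker), here is the request construction for the auth-code flow the answer describes, together with the check an API performs that yields the "Neither scope or roles claim was found" error. Tenant, client IDs, redirect URI and scope name are placeholders. It goes one step beyond the answer in two ways: it adds PKCE (code_challenge/code_verifier), which the v2.0 endpoint supports, and it shows why an app-only token (managed identity or client credentials, as in the comment above) has no scp claim: delegated tokens carry scp, app-only tokens carry roles, and the API has to accept whichever kind it is configured for. The demo token is constructed and unsigned; a real API verifies signature, issuer, audience and expiry before this claim check runs.

```python
"""Auth-code flow request construction and the scp/roles check on the API side.

Added example, not code from the original thread. Tenant, client IDs, redirect
URI and scope name are placeholders; the demo token is constructed and unsigned.
"""
import base64
import hashlib
import json
import secrets
import urllib.parse
from typing import Dict, List, Tuple

AUTHORITY = "https://login.microsoftonline.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """43..128 char high-entropy verifier (RFC 7636); kept server-side until redemption."""
    return _b64url(secrets.token_bytes(32))


def build_authorize_url(tenant_id: str, client_id: str, redirect_uri: str, api_client_id: str,
                        scope_name: str, state: str, code_verifier: str) -> str:
    """Step 1 of the answer (authorize request) plus a PKCE S256 challenge."""
    challenge = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": f"api://{api_client_id}/{scope_name}",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?" + urllib.parse.urlencode(params)


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Pull the code out of the redirect; a state mismatch is treated as CSRF."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query)
    if q.get("state") != [expected_state]:
        raise ValueError("state mismatch; possible CSRF")
    if "error" in q:
        raise RuntimeError(q.get("error_description", q["error"])[0])
    return q["code"][0]


def build_redeem_request(tenant_id: str, client_id: str, client_secret: str, redirect_uri: str,
                         code: str, api_client_id: str, scope_name: str, code_verifier: str):
    """Step 2 of the answer: redeem the code at the token endpoint (POST body returned)."""
    form = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": f"api://{api_client_id}/{scope_name}",
        "code_verifier": code_verifier,
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", urllib.parse.urlencode(form).encode("utf-8")


def decode_claims(jwt: str) -> Dict[str, object]:
    """Payload only. The JWT middleware validates signature, iss, aud and exp before
    the claim check below runs; this helper deliberately does not."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def authorize_caller(claims: Dict[str, object], accepted_scopes: List[str],
                     accepted_roles: List[str]) -> Tuple[bool, str]:
    """Mirror of the check behind 'Neither scope or roles claim was found'.
    Delegated tokens carry 'scp' (space-separated string); app-only tokens carry
    'roles' (list). A token with neither is rejected outright."""
    scp = str(claims.get("scp", "")).split()
    roles = claims.get("roles") or []
    if not scp and not roles:
        return False, "Neither scope or roles claim was found in the bearer token"
    if any(s in accepted_scopes for s in scp):
        return True, "delegated (scp)"
    if any(r in accepted_roles for r in roles):
        return True, "application (roles)"
    return False, "token carries no accepted scope or app role"


def make_unsigned_token(claims: Dict[str, object]) -> str:
    """Constructed token for offline demonstration only (alg none, empty signature)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode("utf-8"))
    return f"{header}.{_b64url(json.dumps(claims).encode('utf-8'))}."
```

In the asker's setup the managed-identity token is app-only, so the fix is either to define an app role on the API registration, assign it to the APIM identity and have the API accept roles, or (as the comment reports) to use client credentials with a client that has been granted that role. The delegated path in the answer yields scp instead, which is the claim the API was originally looking for.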

Create access token from azure AD using assertion flow for access token received from Identity server

Requirement:
The CompanyA Web API (CompanyA uses Identity Server and has a user store) wants to call the CompanyB Web API (CompanyB uses Azure AD and does not have a user store) with the user identity in the token, because CompanyB has to provide the user's resource on the API.
The CompanyA Web API is called from a CompanyA client using an access token which carries the user identity.
Please check this question for more clarity on the requirement:
Requirement
Is it possible to get a new access token from Azure AD to call the CompanyB Web API from the CompanyA Web API, using the token with which it was called?
below are my references,
https://leastprivilege.com/2013/12/23/advanced-oauth2-assertion-flow-why/
https://leastprivilege.com/2013/12/23/advanced-oauth2-assertion-flow-how/
[Here the token received from Microsoft is validated and a new token is issued by IdentityServer. But I need the reverse of it]
https://www.rfc-editor.org/rfc/rfc7521
https://www.rfc-editor.org/rfc/rfc7523#section-2.2