How Do I Access my Azure API from my Azure App - azure

I have a .net core api and a angular node js application that I have deployed to azure add as app services. I have registered both. I was able to successfully setup both with authentication permissions with permissions only to users within my azure domain. When anyone attempts to access either the api or the application they must login and authenticate through microsoft.
What I need now is for my app, to be able to call endpoints on my api. I want my app to have full permission so that I don't have to specify permissions on specific endpoints. I also want this to all be handled through azure, not through specific token requests in my angular code when calling the api. How can I accomplish this?
I have searched a lot of the documentation, but cannot find out how to accopmlish this. I also walked through the option of setting up explicit permissions, but I can't get that to not work either.
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis

The suggestions in the comments already cover the information you need.
I summarize it simply as below so that this post is easier to find, which can help more people.
To protect your API with Azure AD, you need to register two Azure AD apps, one is for client app and the other is for API app.
In the API app, you need to exposed API. By doing step 7 and step 8, you can expose the scope.
Then you need to configure the client app. With step 8 here, you can add the permission (scope) which is exposed by API app to the client app.
You can use MSAL to request the access token, which includes this permission (scope). You can verify it in your code. If the permission is what you expected, the client is allowed to access your API.

Related

How to get user and token details after authenticating an App Service from Azure AD?

I have a React Application for the Front end hosted on Azure in App Services. I also have another NodeJS app that I am using to create REST APIs for the front-end App. This App is hosted on another App Service.
Now, I want to integrate AD authentication for the front-end app using Azure Active Directory, which I have managed to do using the Easy Auth process. But I don't know how to get (or pass to the front end) the user and token details once the user is authenticated.
The second part of the query is, that I want to use the token to secure my REST APIs by passing it in the header and validating it in the backend. I have gone through various Microsoft documentation but I am not able to figure out how to do this.
Please help me in getting the user and token details. And please suggest how to secure my REST APIs.
You can get the tokens via http headers or via an endpoint /.auth/me. More details: https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-oauth-tokens#retrieve-tokens-in-app-code
Regarding validating tokens, take a look at this: https://github.com/Azure-Samples/active-directory-dotnet-webapi-manual-jwt-validation

When to use OBO with Azure

I want to develop a SaaS application on Azure and deploy to the Azure marketplace. This app will be able to obtain information about the user's network. (for instance VNET information). Ideally I would like to have a single-page application that would authenticate with the user who subscribed to the app, and then make calls on a backend API tier, which would make calls to Azure management API endpoints.
The Azure docs layout a number of scenarios of how apps could interface with AD. how-to guides
I believe what im trying to do most closely matches the "Build a web app that calls web APIs" flow, which is an example of OBO. My question is, is that really describing what im doing? Is "calls web APIs" really an example of invoking APIs on the microsoft azure platform?
So my understanding is that I would develop my own API app, that would accept requests from my client browser code, which would contain an oauth token, and then the API layer would derive another token to pass onto the Azure API layer?
Im trying to keep the architecture as simple as possible, but im afraid I may be misinterpreting the Azure docs.
OBO (On-Behalf-Of) allows you to exchange an access token that your API received for an access token to another API.
The important bit is that the access token must have been acquired in the context of the user and must contain user information.
The new access token will then also contain this user's info.
So it allows your back-end API to call Azure Management APIs on behalf of the current user.
This means your API can't do anything the current user can't do.
It is limited to the user's own access rights.
The other option for authentication is to use client credentials authentication,
where your back-end API uses only a client id + certificate/secret to authenticate.
In this case the token will not contain user information.
To enable this approach, the target organization's users would have to assign RBAC access rights to your app's service principal, so it can act by itself.
You could also build a flow in your app where you setup these RBAC accesses on behalf of the current user.
Personally, I would prefer to use delegated access (OBO) whenever possible, as it will block the user from doing things they cannot do.
Though on the other hand, service principal-based access allows the organization to control your app's access better.

Native App Auth Flow in Azure Active Directory

I have a React Native app, calling an Azure Api App authenticated with Azure Active Directory, where the associated app in App Registrations is of type Native.
I have tried using a Web app / API application type (multi tenant). I switched away from that though, because I thought I wouldn't have to provide a client_secret. That didn't work, but I prefer that way, since I can control which tenants have access to my api.
I currently get a code by displaying https://login.microsoftonline.com/common/oauth2/authorize... in a webview where the user signs in and consents. I then try and get an access_token from aad - haven't successfully gotten an access_token without storing the client_secret in the app.
Every user of the app is registered in an Azure Active Directory tenant on another account - the app is not public, so I manage users.
All the authentication flows I have looked at don't seem like they fit my criteria though. I'm obviously not the first with this problem in Azure so I need need someone to tell me where I'm going wrong. Thanks :)

Authentication for web api using azure AD

I need to implement authentication for azure web api using azure active directory.
client app(which consumes webapi) may or may not be in azure. how i need to authenticate user, where i should generate token if my app is not in azure(if it is IOS app). authentication should work in all cases even if client app is in azure or not.
Please let me now the best procedure to implement authentication.
You need to define the client app in Azure AD as a native app in the case of a mobile app. Then you define the API there, and add your client permissions to access it. You can optionally customize the available permissions through the API app's manifest in Azure AD. Then when your mobile app opens, you would have to authenticate with Azure AD, and then request an access token for the API. That you can then use to authenticate requests.
I can't answer this question in too great detail because it is quite a large topic and how it is done also depends on your platform. There is a sample app that you can check which does exactly what you want. The whole list of examples for native apps can be found here.
App Service to use different authentication providers Azure Active Directory,Facebook,Google,Microsoft,Twitter.
We can set any type of Authentication/Authorization in the Azure Portal.More info about how to use authentication for API Apps in Azure App Service, please refer to document.
By default, App Service provides authentication but does not restrict authorized access to your site content and APIs. You must authorize users in your app code.

Using ADAL to invoke Azure Service Management API

I have created an Azure AD native client application and have given delegated permissions to Azure Service Management API. Now, I'm able to invoke the service management API using my id from a Windows Phone 8.1 app using ADAL library. However, another user can't invoke operations on their subscription even though I add them as co-administrator in my directory. I get the token for the user but when I try to make an API call, I get 'Invalid token:A security token exception occurred for the JWT token'. Is there a way to allow another user to access details about his subscriptions using ADAL authentication from an AD app hosted in someone else's AD? I have searched for any related information for quite some time and I'd gladly take any help.
Here is what I interpret what you are doing.
You have a native app and it is connected to your tenant and it works fine for accessing service management APIs in your tenant/subscription.
You gave the app to a friend and they are trying to use it to access service management APIs in their tenant/subscription.
The suggestion above in the comment is on the right track, but you need to look at the steps for making your native application multi-tenant. This way, the AD service will know to look for the tenant for the authenticated user. Changing the url to use 'common' instead of the tenant id is one of the steps required. Here are a couple of posts to help with that transition.
http://www.cloudidentity.com/blog/2013/04/09/walkthrough-3-developing-multi-tenant-web-applications-with-windows-azure-ad/
This is a native client example of multi-tenant for a windows store app. I could not find one in the repo for a phone app. Hopefully, this gets you on the right track.
https://github.com/AzureADSamples/NativeClient-WebAPI-MultiTenant-WindowsStore

Resources