I have asp.net core 3.1 Web API project that needs to call Microsoft Azure API ( for e.g. Storage API on behalf of other user (Impersonation).
I believe this can be achieved by Azure App Registration and then creating Impersonation for user by acquiring token interactive first and then silently with Microsoft.Identity.Client library.
But how do I do this from my API since I don't want to use any interactive authentication from within API.
What is the ASP.NET Core 3.0 friendly version for Web API authentication for Microsoft.Identity.Client .NET library
Any examples would be helpful...
You can implement getting tokens on behalf of a user (Service to service calls) use on-behalf-of flow (OBO) with MSAL , you can check the document & code snippets from document here using MSAL 2.3 + .
If your web api is protected by Azure AD, you can use On behalf of flow. Here is the scenario regarding a web API that calls web APIs.
If your web api is not protected by Azure AD and you want to use user token, you must use interactive authentication or ropc flow to call Azure API.
Reference:
Web API calling Microsoft Graph.
Related
I am developing an Web API .net core and hosting it in Azure as we are migrating to Azure. To secure the web API and for Authorization (Protect a web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory). But I have some questions as following below:
Question 1. if I protect a web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory then if we want to expose the Api to the third party outside of the organization then would it work?
Questions 2 Can we protect an Api that is hosting in OAuth without Active Directory.
Question 3. What is securing an api with Microsoft Identity vs OAuth. It is confusing to me why should I not use Microsoft identity over OAuth for Authorization. Is it something new that came out from Microsoft?
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-aspnet-core-web-api
Thanks
if I protect a web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory then if we want to expose the Api to the third party outside of the organization then would it work?
If your protecting your web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory, you cannot expose your API to any 3rd party application or an organization so easily.
For that purpose you will have to
federate that application/SAAS with azure AD for users in that platform to be able to access the API.
You have to give permission/privileges to the federated users of that platform to be able to access the web API and its scope.
Can we protect an Api that is hosting in OAuth without Active Directory?
No, we cannot protect an API hosting in OAuth without Active Directory.
Because, OAuth authorization code grant can be used in apps that are installed on a device to gain access to protected resources, such as web APIs.
It's used to perform authentication and authorization in the majority of app types, including web apps and natively installed apps.
What is securing an api with Microsoft Identity vs OAuth?
A managed identity generated by Azure Active Directory (Azure AD) allows your API Management instance to easily and securely access other Azure AD-protected resources, such as Azure Key Vault.
We have implemented authentication via OAuth 2 in Developer Portal of API Management and AAD within an internal network.
How should I go about implementing authorisation? I cannot find any doc from MS doc site :(.
https://tointegrationandbeyond.com/blogs/index.php/2020/06/13/authorization-with-azure-api-management/
https://www.cloudfronts.com/securing-an-api-using-oauth-2-0-in-azure-api-management-part-3-oauth-2-0-server-setup/
The API Management is a proxy to the backend APIs, it’s a good practice to implement security mechanism to provide an extra layer of security to avoid unauthorized access to APIs.
To use OAuth 2.0 authorization with Azure AD:
We need to have
• An API Management instance
• An API being published that uses the API Management instance
• An Azure AD tenant
And then we need to
Register an application (backend-app) in Azure AD to represent the API.
Register another application (client-app) in Azure AD to represent a client application that needs to call the API.
In Azure AD, grant permissions to allow the client-app to call the backend-app.
Configure the Developer Console to call the API using OAuth 2.0 user authorization.
Add the validate-jwt policy to validate the OAuth token for every incoming request.
Please check this reference docs for more clarification Protect API's using OAuth 2.0 in APIM
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
I want to implement Azure AD B2C with .net core web API application.
The purpose of Web API application, to create/register users, provide bearer token, also when a new user create/register in Azure ADb2c the same entry it will create in SQL DB also.
The Web API application will be accessed by other .Net core web site applications, Android APK, IOS APP.
Using AD B2C how the sign-in/sign up will be handle by Web API with the other application.
Similarly how to get the bearer token and pass to Postman to test/run Web API with Authorize attribute.
Can anyone please guide me on how to implement it with a sample of code.
Thanks.
The Web API's are be used to protect and accept the B2C access tokens from client applications.
You can implement Azure AD B2C .Net Core MVC web application with web api.
Please go through the available code samples which can help you more.
In the web API using the Access token you can connect with Microsoft Graph API using which you can create Users.
Please go through the documentation on how to expose you API service
I am using Microsoft Authentication (Azure AD) to log in a user to an app.
I have a separate node.js API which I'd like an authenticated user to call but as it is an external API how do I check that the user who is requesting a resource is authenticated?
What is the flow, are there any good Node.js resources?
You need to protect the node js api with Azure AD. After that, you can implement a client(the app you used to login) that is able to pass authentication tokens to the API.
Here is an sample which contains a web API running on ASP.NET Core 2.0 protected by Azure AD. The web API is accessed by an ASP.NET Core 2.0 web application on behalf of the signed-in user.
The scenario is the same as yours, but I only find .net samples.
We are building a Xamarin Native mobile apps and using Azure AD B2C for authenticating users using their social logins.
We decided use MSAL native library (Xamarin) for authenticating using B2C. And our mobile app required to manage(full access) the signed-in user profile. Since this feature isn't available in MSAL we have decided to go with ADAL for the time being. Followed the instruction provided in the link below and the sample works. But I started experimenting by deleting the API access provided in the application (created in b2c tenant) and the ran the application with "Get-user" parameter. And the application is still able to get the users from AD. Not sure how secure is this thing?
Then deleted the application key from the B2c tenant application and ran the console application sample. And received an error AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.
Trace ID: cef09957-06bf-462e-a0c3-4ed6bae11e00
Correlation ID: afab126d-8694-479a-8a21-c12eb7cb176c
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
Any Idea why this is happening. I would like to implement this on a xamarin.ios app and any guidance much appreciated.
The answer to this is very similar to the answer to your other question: Exception access Azure AD B2C using ADAL library for user management, which can be summarized as:
Azure AD B2C does not yet support delegated permissions to the Azure AD or Microsoft Graph. The correct way to work around this limitation at this time is to have your native client application call a web API (using MSAL) which would in turn call the Graph API (using ADAL). This web API is an API you build which has authorization logic to scope the user management operations.
Once user management in Azure AD B2C is supported via the Microsoft Graph, you won't need this API and will be able to use delegated permissions (vs application permissions using client credentials) to have your native client application talk directly to the Microsoft Graph. In the interim, you'll have to stand up your own Web API as per the guidance above.
UPDATE: the Azure AD v2.0 endpoint and Microsoft Graph API now support client credentials flow, so you can also use MSAL for your Microsoft Graph API calls. However if you need to call the Azure AD Graph, then you will still need to use ADAL.