I've been searching for a couple days, and I can't seem to find a straightforward guide on how to set up Authorization (AuthZ) between an AAD App and my AAD Web API set up in App Service. I've tried things like this official guide, but I can't seem to get calls with a Bearer token from the client app to work.
Has anyone done this successfully? Is there a step by step guide out there that could help?
Please let me know if there are any questions!
To implement your requirements, you need to expose an api in your AAD Web API first.
Then go to your AAD App which used to request the token, add the permission to it.
Click "Grant admin consent for *" button.
After that, we can request the access token successfully (below I provide a sample use password flow for your reference)
In your Web API app, you need to parse the access token and get the scope permission from the access token. And then determine whether the request has permission.
Related
So I am writing a .NET 6 Core Web Api using Azure AD as authentication for the API.
Now when using Graph API as example, you need to setup Graph API scopes in the App Registration. Lets use a delegated "user.read" permission for this example.
I use Postman to receive the access token for the application by authenticating as an user against Azure AD for the API. I would expect to receive a consent-screen so I can consent to the usage of "user.read". This does not happen though.. I get logged in and receive a valid access token. In the Backend though, it will throw an error because the user / admin did not consent to the application.
How do I get around this? Why don't I get asked to consent the permissions set up in the app registration? Neither in Postman, nor in a Swagger oAuth Flow..
My current workaround for this is to use a React application and sign in over the frontend application. Using the frontend application, I get asked to consent to the permissions. After consenting, I can use postman without getting the "user didn't consent" - error.
Any ideas? What did I miss?
Let's focus on the user-consent page first. When we created an azure ad app then add api permission for it, then use this azure ad app to make your .net 6 app/react app integrate azure ad to use azure authentication, and we go to the microsoft sign in page and successfully sign in, we will see a dialog which indicating that this app require you to consent a list of permissions. The permissions are correspond to the api permissions you set for the aad app. After consent once, then it won't ask you to consent again when sign in next time.
This consent only happened when users are signed in. Let's go back to the flows used to generate access token in Azure AD. Since you used delegate permission, then you may used the recommend Auth code flow(Another flow called ROPC flow can also generate delegate access token but not recommended). When we used auth code flow, we need to sign in first, the login url should look like this:
https://login.microsoftonline.com/tenant.onmicrosoft.com/oauth2/v2.0/authorize?client_id=azure_ad_app_id
&response_type=code
&redirect_uri=http://localhost/myapp/
&response_mode=query
&scope=user.read
&state=12345
We need to use it to get the auth code, then we can use the code to generate access token, per my test, I created a new azure ad app and when I directly hit this url in the browser and sign in, it still required me to give the consent. So I'm afraid the reason why you didn't see the dialog when test in post man is that you've consent it when test in react app, or you don't use auth code flow.
I have React app on the frontend, I have registered it at Azure AD as REACT_AZURE and I use #azure/msal-react npm package to authenticate the user.
In order to protect my Express routes, I have registered another app at Azure AD as API_AZURE, and in "Expose an API" section I have added scope 'access_as_user'.
In REACT_AZURE app in "API permissions" section I have added permission for 'access_as_user'.
Now I can acquire access token for 'access_as_user' scope and make an API call to my express server.
In my protected route, I am using passport-azure-ad BearerStrategy to validate the access token, if it is valid I am authorized to get resources.
Is this the right flow? Do I have to register two apps with Azure AD? if not, how do I do it right?
Is this the right flow? Do I have to register two apps with Azure AD?
if not, how do I do it right?
Of course, your process is absolutely correct. You need to register two applications in Azure, one representing the client application and the other representing the api application. Then expose the api of the api application and add the client application to the api application. Then let the user log in to the client application to complete the authenticate and obtain the token, and use the token to call the api. I have answered similar questions before, you can refer to it.
But I’m not sure if you want to control which users can access the api based on the user role. If you only want certain users in the tenant to access the api, then you can add a step that is to create an app role and grants users who you wish to have access to the api. Then users in the tenant who are not granted the app role will not have permission to access the api. see more detailed answer.
I have Azure Functions which i want to authenticate using access token.
I have following things set up
Azure App which is being used by Angular SPA to authenticate user
Access token which is used to invoke graph APIs, Permissions are set in Azure app (point 1)
Azure Function which is having http triggers (APIs) which are being used by SPA
Currently, APIs are anonymous and can be invoked from anywhere. i want to secure these apis using access token which is being used by graph api (point 2)
I think the best approach for me is AAD multi tenant authentication. However, When i click on "Authentication (classic)" it gives me This app is configured using the new authentication experience. Click here to access Authentication (preview).
Also, if i keep authenticated with following options, i get "You do not have permission to view this directory or page." error
Most of the articles which i find online are talking about AAD. for me that option is not enabled.
I have tried following articles to make it work but somehow its not happening. can anyone suggest. how can i achieve this.
https://medium.com/medialesson/protecting-azure-function-apps-with-azure-ad-authentication-authorization-fd167ce4fe33
https://medium.com/geekculture/easyauth-in-functions-app-with-azure-active-directory-29c01cad8477
is there something i need to do in my existing Azure app to make it work ?
Per my understanding, your Azure function is protected by AAD using Authentication(Easy auth). And now, your angular SPA would like to access this function. Pls follow the steps below:
Go to Azure AD => App registrations => The App you created to protect your Azure function=> Expose an API to add a scope, for instance, access_as_user so that your SPA could require an access token for this scope:
Got to Azure AD => App registrations => The App you created for your SPA app=> API permissions => Add a permission => My APIs to grant the scope we just created:
Click the grant admin consent button to finish the process.
In your SPA app, use MsalService to acquire an access token with scope: api://<your azure function app id>/access_as_user, by this token, you can access your Azure function. For a quick test, I just test it in post man and it works perfectly:
Not use this access token
Bring this access token
UPDATE
Basically, your app request diagram as below:
SPA (request with access token)==> Easy Auth of Azure function (valideate token,if pass,goes into Azure function code logic,if not, return 401)==> code logic of Azure function (obo flow to get access token for Graph API) ==> call Microsoft Graph API
By now, we have finished steps 1 and 2: get access token for easy auth and pass easy auth goes into Azure function code logic.
So in the Azure function code logic, we need to do 2 things:
Get the access token in the request header
Use the access token and OBO flow to exchange a new access token for Microsoft Graph API. Just refer to request below to use OBO flow to exchange an access token for Microsoft Graph API:
BTW, pls make sure that your Azure function app has been granted with permission user.read and Calendars.Read:
So that you can get a new access token to call Microsoft Graph API:
May be this will help someone, I have tried using above suggestions but could not achieve 😭 instead i am using Key for each Azure function. and storing those keys in azure Key/Vault and retrieving those keys within App settings of the application using managed identity. This may be not be the ideal situation but i think it will do for me at the moment. I really hope MS will improve their documentation some day along with sample code/steps
I have configured Azure Function with Azure AD auth, follow this doc - Enable Azure Active Directory in your App Service app.
After the configuration, it will add the function app url e.g. https://appname.azurewebsites.net to the Allowed Token Audiences like below automatically, then we can easily use the client credential flow to get the token to call the e.g. http trigger in my function app.
If I add the Azure AD Graph resource url https://graph.windows.net to the Allowed Token Audiences, I can also use this flow to get the token to call my function.
But if I add the Microsoft Graph resource url https://graph.microsoft.com and get the token to call the function, I will get the error.
You do not have permission to view this directory or page.
How to solve this issue? Is this correct usage of Allowed Token Audiences? If not, why the https://graph.windows.net work fine?
Any ideas are appreciated.
Can you please check in your app registration in azure AD under api permissions if Microsoft graph has been added ? If not please add it as a delegated permission and give it a try.
According to the document you need to provide Application ID URI in Allowed Token Audiences. Please refer to the document
If this is a cloud or server app and you want to allow authentication tokens from a web app, add the Application ID URI of the web app here. The configured Client ID is always implicitly considered to be an allowed audience.
In my application I want to call Azure Web API using Resource Owner Password Credential flow. I have implemented Azure AD b2c Auth for my Web API. I have created 2 Application in Azure, one for Web API and Native client App for ROPC. I gave WEB Api Access in ROPC app. I followed this article and got the Token from ROPC app. But when i pass my ROPC token to Web API I am getting 401. I dont know how to pass the scope of my web api scope in ROPC Token Request. Any help would be appreciated
Thanks in Advance,
Subbiah K
When you are requesting /token from Native APP (ROPC flow), you can add scopes in the request.
From the doc scope default set to
openid <ApplicationId/ClientId> offline_access
Modify this to like below to add scopes from Web API app. Make sure you should not put ClientId in scope
`openid https://tenant.onmicrosoft.com/hello/demo.read https://tenant.onmicrosoft.com/hello/user_impersonation offline_access`
Hope you already given API access (scopes) to Native Application.
Once you get access_token, that token will contain all the scopes you requested and you can send this to Web API to authorize.