SignalR - Authenticating users - azure

I am using the Azure SignalR service. I've set up multiple azure function apps (Node.js) with various end points for users to join specific groups and to broadcast to those users etc.
I couldn't find detailed documentation on how to determine if a user has logged in before establishing a connection to them. On the negotiate endpoint I pass in a userID but this is just a dummy string I've made up for now. I'm trying to find a way to authorize users via a standard cookie login system.
The flow would be
- User is authorized and a cookie is created for a standard session
- Somehow pass this cookie to the SignalR negotiate method to check if user is authorized
Any ideas?
Thank you.

The simplest approach would be to setup authentication/authorization on your function app. The same is covered in the SignalR Reference doc as well.
If you are using something like Azure API Management in front of your function app(s), then you would want to enable authentication there.

Related

Using ADF for REST API authentication using client certificate

We want to call a REST API endpoint of a SaaS application. i.e. system to system interaction.
We are using Azure Data Factory to call and we could see that ADF support(Web client activity) client certificate authentication.
We have the certificate with us. Added the certificate to AKV, configured ADF to use the certificate.
Question:
Do we need an app registration to be able to use?
What details do we need to send to the SaaS vendor so that they can recognize that our call is a legit call?
Are there any other steps in the process?
From the way you're describing this issue, it sounds like the SaaS isn't an application that is protected using Azure AD. In that case, the SaaS determines what credentials are suitable - likely a username and client certificate. I can't think of a reason for you to need to create an app registration. All of this said - you need to talk to the vendor to ask them what credentials are necessary for access.

How to implement Azure signalr serverless token based authentication and authorization

I have created an azure signalr service with serverless option.
The negotiate function is able to generate JWT token with 'x-ms-client-principal-name' and the connection gets established without issues.
I have referred https://learn.microsoft.com/en-us/azure/azure-signalr/signalr-concept-serverless-development-config and the function is able to send events to a particular userid/groups.
I have been asked to secure the client - server communication.
I am new to security domain. I referred https://learn.microsoft.com/en-us/azure/azure-signalr/signalr-tutorial-authenticate-azure-functions this link but I am not able to configure the given sample app and not able to understand the concept.
My scenario is: I have a Client .net web app in which user can login using organization account as well as using google.
This app calls azure signlar negotiate function with userID and the deviceId in which it is interested to receive events through signalR function.
Signalr function gets events from the azure eventhub trigger and sends it to the groups.
Please help me to increase the security of this application. Is the token received from negotiate function sufficient as far as security is concerned?
Can any unauthorized user connect to my azure subscribeToGroup/sendEvent functions with the acquired jwt token from negotiate?
I am trying to use this https://github.com/Azure/azure-functions-signalrservice-extension in which idToken and claimTypeList are additional parameters along with x-ms-client-principal-name(userid). But I am not able to understand this with respect to security.
The client in this sample is index.html with auth.js. But how it is said to be secure is not understandable.
Please help and direct me for the correct setup and code.

Azure Mobile App Service APIkey

I created an Azure Mobile App Service which is currently accessible 'Anonymously'
Anonymous access is enabled on the App Service app. Users will not be prompted for login.
To make it secure I can enable App Service Authentication which will ask users to log in
But this is not what I want - The data in this app is only accessed by Application without the need of each and every user to login to my app before using it.
So you might say, in this case, Anonymous access is fine but I want to restrict it with something at least like an API Key so I will have access to the API which my app can use to access the data to prevent random requests as anyone can just go and use Postman and start getting data without any authentication.
So in short, I don't want individual user authentication, but at least an API Key to ensure only requests made from my app are authenticated and nothing else.
I am using the following in my mobile app to create a connection and also doing Offline sync etc
MobileServiceClient client = new MobileServiceClient(applicationURL);
Any idea how do I do that?
FYI. My server side backend is in C#
Since you are using Azure Mobile Apps, for your requirement, you could leverage Custom Authentication for building your CustomAuthController to login and generate the JWT token for a specific user without user interaction. The core code snippet for logging would look like as follow:
MobileServiceClient client = new MobileServiceClient("https://{your-mobileapp-name}.azurewebsites.net/");
client.LoginAsync("custom", JObject.FromObject(new{Username="***",Password="***"}));
Note: As the above tutorial mentions as follows:
You must turn on Authentication / Authorization in your App Service. Set the Action to take when request is not authenticated to Allow Request (no action) and do not configure any of the supported authentication providers.
And you must explicitly add [Authorize] attribute for your controllers / actions which need to be authorized access. Details you could follow Authentication in the Backend.

Azure AD Login/logout implementation for Spring cloud microservices

I want to implement login and logout functionality and retrive user details like username and user role using Azure Active Directory.
We are using Docker to deploy Spring cloud microservices project on Azure cloud. Could you please suggest me steps to get user details?
Do we need to secure all microservices edge points using Spring cloud OAuth2 security using JWT or just we can secure one web microservice ? Do I need any permission ,specific user roles to implement this?
You can find Azure's documentation about OAuth 2.0 support for AAD here
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-protocols-oauth-code
I've got an application that's using OAuth 2.0 with a different Authentication Server, and I'm about to see if I can use AAD as the Authentication Server. But, whatever ends up being your Auth Server, the rest of the application should be the same...
The Auth Server handles the log in (typically as a Single-Sign On pattern)
The Auth Server will return a Json Web Token (at some point, depending on the Grant Type being used to retrieve it)
The JWT should be included in each subsequent request to ensure the caller has authorization
From a Spring perspective, you'll need at least a SSO Client (denoted by the #EnableOAuthSSO annotation). If everything in hosted by that process, you'll need that JWT to call subsequent methods. If you have processes hosted in other processes, it's likely you'll want them secured as well. Using the #EnableResourceServer annotation will configure Spring Security to look for the JWT, just not attempt to retrieve one if the request does not have it.
Unless the endpoint is meant to be publicly accessible, you will want to secure it. Of course, I really don't know the context of your application, so this statement is purely an uninformed opinion based on zero knowledge of what you're trying to do with your application. Take it for what it's worth.
EDIT
This has become a little more complex than I originally thought. I have been able to write some code to dynamically retrieve the public key from Microsoft in order to validate the returned JWT.
But, the main issue is the fact the Azure AD supports Open Id Connect when acting as an Identity/Authentication Server. And, at the moment, spring-security-oauth2 doesn't support Open Id Connect.
I was able to make some small changes to the spring code, but I did ask the question to the Spring group and they are actively working on adding support for Open Id Connect. They hope to have a release two months (ish?).
For the short term, the oauth2 support doesn't support Open Id Connect. Given this is the protocol used by AAD, the current version of oauth2 won't work with AAD. That said, I will be happy to wait for the official support which shouldn't be too long.

Azure web api authentication

I would like to secure my Azure WebApi with 3rd party providers (FB, G+... I basically just need a valid email). Was looking at Auth0 and seems like it will do the thing paired with Jwt middleware in web api project, but I was wondering if the same can be done using Azure only.
Azure Web App authentication confused me a bit - it does not seem to give anything to my Asp.Net web app. I still have to configure all the middleware in Startup.cs and the app still works fine if I completely turn authentication off.
I could do the same thing Auth0 does - issue my own Jwt tokens based on access tokens from FB or G+ - but would like to avoid that.
Could you please point me to the right direction?
You have a couple options:
App Service Authentication
Configure the authentication via middle ware
App Service Authentication
The App Service Authentication does not require any code inside your application because your App Service has a gateway that inspects request for authorization. Depending on the setting you can either secure the entire site or secure individual resources (by using the [Authorize] attribute on the endpoint in MVC/WebAPI).
With the latest release you can control authorization on a site by site basis including manually triggering the sign in by navigating the user to the <yoursiteurl>/.auth/login/<provider>. By defualt the token store is enabled so you can make a request to <yoursiteurl>/.auth/me and get back information from the provider.
Middleware Authentication
This is the default way authorization happens in the Single Page ASP.NET Template. The middleware authentication uses OAuth/OpenId to secure the resources. This option does it at the application layer instead of at the gateway. If you are using ASP.NET Identity (from the single page project template) the email from the persons log in will automatically be stored in the Users table. The tutorial in the link above gives lots of details on how to get it working.
Make sure you use the [Authorize] attribute to trigger the Authorization in either case.
Hope that helps you get started in the right direction.

Resources