I have an ASP.NET Web API with no user authentication serving two client apps.
The only reason this has been fine is because the API is not open to the public but only accessible to the IP addresses of those two apps.
Now there's a plan to open up the API to the internet. This means I need to secure it properly. Looks like OAuth2 and OpenID Connect are the way to go.
The problem is the client apps are authenticating against different identity providers, one is using Azure AD, the other using Azure AD B2C from a different directory.
Can this work with OAuth2?
Yes, have a look at this API sample which accepts AAD and AAD B2C tokens.
https://github.com/azure-ad-b2c/apps/tree/master/apps/spa-hellojs/source-code/.Net-Core-API-RBAC
Related
I'm investigating Azure AD B2C as a possible auth service, which we want to use for user management and authentication. We have a web application, Web API which we can easily integrate with AAD B2C and migrate our current authentication and user management.
However, I did not find any solution how to authenticate mobile applications and integrate it with azuere ad b2c. Our mobile app communicates also with web api but it does not need any user login. These applications are tied to a tenant and every mobile app instance has an API key that is used to authenticate the mobile app on the backend.
Is it possible with azure ad b2c to achieve that kind of authentication, that we will generate API keys for our mobile apps and will use the same ad in azure like the normal users? Is possible with azure ad b2c or we should use another azure service?
What are the best practices in this area? It is similar to the backend to backend communication where API keys are used. Thx.
The normal way for such a scenario would be to use the client credentials flow, where you use your ClientID + ClientSecret for a silent login in order to get a non-personalized AccessToken.
Although it seems that this type of flow is currently not supported by AD B2C. Have a look here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/application-types#current-limitations
As an alternative, that page is refering to the client credentials flow of the Microsoft Identity Platform (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow).
I guess it now depends on the detailed requirements of your application whether it could be an option for you to use.
We have a client that owns two separate Azure Cloud tenants: ACloud and BCloud.
ACloud contains their regular SaaS and Azure AD users log in with userName#clientACloud.onmicrosoft.com
BCloud contains only IT/sysadmin users managing cloud PaaS resources and users log in with userName#clientBCloud.onmicrosoft.com
We have deployed an API to BCloud which requires Azure AD authentication. The API is being called from a mobile app written in React. There, users are presented with a login screen and must login using username#clientBCloud.onmicrosoft.com
However, we want users to be able to log in using their normal userName#clientACloud.onmicrosoft.com
Is there a way to configure the API in BCloud to use ACloud’s Azure AD for authentication to an API hosted in BCloud?
One resource from Microsoft recommended using the graph API. I think the graph API would allow the mobile app to authenticate the user’s ACloud account, but that SAML token won’t work against BCloud’s API. We are looking for some way that the API in BCloud can accept user tokens from ACloud, so I suspect there is some configuration we need to make in BCloud to trust ACloud’s Azure AD.
Thanks in advance!
We have a Web API intended to serve multiple business partners, each of which will be customizing a white label version of our native app client.
We also have a Web API offering common functions to different apps.
We would like to use AD B2C as the identity and auth system, but cannot see how or if it is possible to use AD B2C to secure a common API for multiple apps. Is this achievable?
It depends on how you want to your partners usig the account login-in. If you expected that the partners login-in using the consumer account or local account in the Azure AD B2C you own, the answer is yes.
The Azure AD B2C supports the Access Tokens from March 23, 2017(refer here). And it supports many types of clients, including web apps, desktop and mobile apps, single page apps, server-side daemons, and other web APIs.
It is same to develop an web API server for one native app or multiples apps, you only need to register the multiple apps in your B2C tenant. More detail about acquring the access token for the Azure AD B2C, you can refer the link below:
Azure Active Directory B2C: OAuth 2.0 authorization code flow
I need to implement authentication for azure web api using azure active directory.
client app(which consumes webapi) may or may not be in azure. how i need to authenticate user, where i should generate token if my app is not in azure(if it is IOS app). authentication should work in all cases even if client app is in azure or not.
Please let me now the best procedure to implement authentication.
You need to define the client app in Azure AD as a native app in the case of a mobile app. Then you define the API there, and add your client permissions to access it. You can optionally customize the available permissions through the API app's manifest in Azure AD. Then when your mobile app opens, you would have to authenticate with Azure AD, and then request an access token for the API. That you can then use to authenticate requests.
I can't answer this question in too great detail because it is quite a large topic and how it is done also depends on your platform. There is a sample app that you can check which does exactly what you want. The whole list of examples for native apps can be found here.
App Service to use different authentication providers Azure Active Directory,Facebook,Google,Microsoft,Twitter.
We can set any type of Authentication/Authorization in the Azure Portal.More info about how to use authentication for API Apps in Azure App Service, please refer to document.
By default, App Service provides authentication but does not restrict authorized access to your site content and APIs. You must authorize users in your app code.
If my Web Api application is hosted outside Azure, can I use access tokens issued by Azure AD and verify the tokens in the Web Api itself or against Azure AD?
All the examples available are referring to the Web Api applications hosted on Azure. But there must be a way to do this with Web Api outside Azure.
Any reference to solution would help.
Azure active directory support the OAuth 2.0 to authorize the third-party apps. It doesn’t matter where the web API or apps hosted. Below figure is the stand OAuth flow from RFC 6749 – The OAuth 2.0 Authorization Framework.
Technically, the web API only need to verity the token from the endpoint it trust. I also explained the detail about verifying the access token from this thread.
And if you want to know more about the scenarios developing with Azure AD, you can also take a look this article.