I need some help with implementing authorization infrastructure for my application.
I have a Angular SPA application that works with a Web API. This Web API in turns uses another Web API to serve its request. So, I have totally 2 Web APIs and a Angular SPA application.
I want the users of the Angular SPA application to be authenticated by our Azure AD account, and then share this token with other two Web APIs to authenticate the requests.
Please advise how to go about it, any thoughts are much appreciated.
So the flow looks like:
1.Sign-in the user in the SPA application.
2.Acquire a token to A Web API and call it.
3.A Web API then calls B Web API.
Take a look at this sample. It uses the On-Befalf-Of flow which applies to your scenario.
Related
Is it possible to run Azure Active Directory B2C on two apps in tandem?
The platform have two things:
full-stack front-end application (Next.js) on a server. Needs: Authentication+Authorization.
ASP.Net Core Web API on another server. Needs: Authorization.
The platform would have social logins on the next.js client/server and then use that to authorize endpoints on either the next.js server api or the net core webapi.
What would be a general description to get this flow working?
Yes. You can integrate all of those clients with Azure AD B2C. You can find guides to integrate with all application types here:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/integrate-with-app-code-samples
Your front end application sounds like a 'Single Page App' or 'Web App' as shown at that URL and your backend application would be under "API's".
The scenario you described is exactly what Azure AD B2C is for. Your user authenticates from a front-end application and then you can use their session token to authorize access on your backend service.
I would recommend you take a look at the guides on that page.
I have two Azure Web Apps, one is a website and acting as the front-end, the other one is an API and acting as the backend. I would like to add authentication to this solution so only the front-end can access the backend. To do this, I've configured AAD authentication on the backend Web App with the express option that creates a new Azure AD application configured with the correct reply URL, API permissions (User.Read), etc. When I then navigate to the backend Web App URL, I need to sign-in with my Azure AD credentials.
Which steps do I need to take to restrict that so I as an user cannot login and only the front-end Web App can authenticate to the backend API?
For example, I can set the "Authorized client applications" on the Azure AD application of the backend API. However, I need to have an application ID to add an authorized client and I would like to use the Managed Identity of the front-end Web App for this, not a new and additional Azure AD application.
Any idea how to do this?
This is weird, if the login screen still appears, there is a problem with your code configuration, because the client credential flow does not involve user interaction.
I found a useful sample for your reference, this sample application shows how to use the Microsoft identity platform to access the data from a protected Web API, in a non-interactive process. It uses the OAuth 2 client credentials grant to acquire an access token, which is then used to call the Web API.
I want to implement Azure AD B2C with .net core web API application.
The purpose of Web API application, to create/register users, provide bearer token, also when a new user create/register in Azure ADb2c the same entry it will create in SQL DB also.
The Web API application will be accessed by other .Net core web site applications, Android APK, IOS APP.
Using AD B2C how the sign-in/sign up will be handle by Web API with the other application.
Similarly how to get the bearer token and pass to Postman to test/run Web API with Authorize attribute.
Can anyone please guide me on how to implement it with a sample of code.
Thanks.
The Web API's are be used to protect and accept the B2C access tokens from client applications.
You can implement Azure AD B2C .Net Core MVC web application with web api.
Please go through the available code samples which can help you more.
In the web API using the Access token you can connect with Microsoft Graph API using which you can create Users.
Please go through the documentation on how to expose you API service
The graphic pretty much tells the story. This is all single tenant, fwiw.
I have my Web API, which is being accessed by a "swagger" UI (which is really a kind of spa) served up from the same location, as well as an MVC app, which has some traditional MVC controllers interacting with the Web API, as well as some SPA experiences that interact directly with the web api.
From what I've read, in addition to my Web API having an app registration in my AD tenant (which has the roles declared in it's manifest in order to support RBAC), I also need to have a separate app registration for the swagger UI, which is granted permissions to access the Web API.
I'm unsure if my MVC app needs 1 AD Tenant registration, or 2 registrations (1 for MVC, 1 for the SPA served up from MVC)
Main questions..
Should my MVC/SPA share the same AD registration, or, they should be separated?
Does my Web API registration's manifest need to have "oauth2AllowImplicitFlow": true, or only the swagger and SPA app registrations' manifest need that?
My MVC, based on this github sample for SPAs, currently uses this middleware: app.UseWindowsAzureActiveDirectoryBearerAuthentication .. but if my MVC is going to do selective things in it's razor or with it's contoller logic, should I also be using these add'l middlewares UseCookieAuthentication and UseOpenIdConnectAuthentication as shown in this non-SPA web app sample
You can probably make it work with the same application (getting the access token server-side and supplying it with the rendered page), but you might run into a few things where you can't use that token to get a token to go to the next app (the WebAPI one). It does mean a potential extra trip to Azure AD, but I'd have the SPA be it's own app.
Only the Swagger and SPA registrations need "oauth2AllowImplicitFlow": true.
Your MVC app should not use the bearer auth middleware - it should use the normal OpenIdConnect one. The only app in this setup that should be using bearer auth is your WebAPI one.
A couple of additional notes re: the SPA served from the MVC app. When you're making a call to the WebAPI app, you'll need to make sure a bearer auth token is included on the call, which you get using something like ADAL-JS. If/when you're making a call to the MVC app, no bearer token will be used, you'll be usually the cookie+openid authentication.
I have a web api rest web service. The web api, is already configure to authenticate to azure.
Now I want to call the rest web service from a web page using angular. the question is how can I get an access token so I can send it ?
Thanks for any help.
have you seen this sample? Call an Azure AD protected Web API in an AngularJS Single Page App
In this sample, there's a Single Page Application using AngularJS, that also calls another backend Web API.
I hope this helps.