I’m using web applications secured with Azure Active Directory B2C. Those applications call services using JavaScript hosted by Azure API Management.
I was surprised to read that I can only secure front end APIs using App Keys or client certificate.
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-create-subscriptions
How can I secure those applications using an Oauth token?
You can configure B2C as an identity provider in Azure API Manager:
How to authorize developer accounts by using Azure Active Directory B2C in Azure API Management
This article explains how to authorize access to the developers portal but think about the developers portal as "ANY API"
You can validate the JWT issued by Azure AD B2C using an API Management policy:
API Management access restriction policies - Validate JWT
Take into account this detailed document that published a few months ago :
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
Related
I am developing an Web API .net core and hosting it in Azure as we are migrating to Azure. To secure the web API and for Authorization (Protect a web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory). But I have some questions as following below:
Question 1. if I protect a web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory then if we want to expose the Api to the third party outside of the organization then would it work?
Questions 2 Can we protect an Api that is hosting in OAuth without Active Directory.
Question 3. What is securing an api with Microsoft Identity vs OAuth. It is confusing to me why should I not use Microsoft identity over OAuth for Authorization. Is it something new that came out from Microsoft?
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-aspnet-core-web-api
Thanks
if I protect a web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory then if we want to expose the Api to the third party outside of the organization then would it work?
If your protecting your web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory, you cannot expose your API to any 3rd party application or an organization so easily.
For that purpose you will have to
federate that application/SAAS with azure AD for users in that platform to be able to access the API.
You have to give permission/privileges to the federated users of that platform to be able to access the web API and its scope.
Can we protect an Api that is hosting in OAuth without Active Directory?
No, we cannot protect an API hosting in OAuth without Active Directory.
Because, OAuth authorization code grant can be used in apps that are installed on a device to gain access to protected resources, such as web APIs.
It's used to perform authentication and authorization in the majority of app types, including web apps and natively installed apps.
What is securing an api with Microsoft Identity vs OAuth?
A managed identity generated by Azure Active Directory (Azure AD) allows your API Management instance to easily and securely access other Azure AD-protected resources, such as Azure Key Vault.
We have implemented authentication via OAuth 2 in Developer Portal of API Management and AAD within an internal network.
How should I go about implementing authorisation? I cannot find any doc from MS doc site :(.
https://tointegrationandbeyond.com/blogs/index.php/2020/06/13/authorization-with-azure-api-management/
https://www.cloudfronts.com/securing-an-api-using-oauth-2-0-in-azure-api-management-part-3-oauth-2-0-server-setup/
The API Management is a proxy to the backend APIs, it’s a good practice to implement security mechanism to provide an extra layer of security to avoid unauthorized access to APIs.
To use OAuth 2.0 authorization with Azure AD:
We need to have
• An API Management instance
• An API being published that uses the API Management instance
• An Azure AD tenant
And then we need to
Register an application (backend-app) in Azure AD to represent the API.
Register another application (client-app) in Azure AD to represent a client application that needs to call the API.
In Azure AD, grant permissions to allow the client-app to call the backend-app.
Configure the Developer Console to call the API using OAuth 2.0 user authorization.
Add the validate-jwt policy to validate the OAuth token for every incoming request.
Please check this reference docs for more clarification Protect API's using OAuth 2.0 in APIM
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
I have two APIs.
Admin API (.NET Core API)
Healthcare API (Azure function API)
I need to call an endpoint in Healthcare API, and it should be called from admin API. I know the best way is to use gRPC but no time for that now.
Healthcare API is authorized with an azure b2c application. And the admin API is authorized with another azure b2c application. So from Admin API, I can't call the Healthcare API because of this authorization. (Can't use allow anonymous because it's an azure function API)
One solution that came to my mind is to get a jwt token in Admin API, from the b2c application that used to authorize healthcare API. But o idea of how to do this.
Is the above solution is good? And is it doable? Are there any ways of doing this without moving into gRPC?
Thanks in advance.
If these 2 B2C apps belong to the same B2C tenant, and you just want to make admin API to call Healthcare API, maybe you can just use OAuth 2.0 client credentials grant flow.
Although the OAuth 2.0 client credentials grant flow is not currently directly supported by the Azure AD B2C authentication service, you can set up client credential flow using Azure AD and the Microsoft identity platform /token endpoint for an application in your Azure AD B2C tenant. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants.
just as below:
I am struggling to redirect to Azure AD endpoint (MS Login page) for authentication from API Management.
I tried OAuth2/Openidconnect in APIM but not succeeded.
What is the use of OAuth2 in APIM? Is it only for testing from Developer Portal?
It ensure that only valid users have access, and they can only access resources to which they're entitled.
In order to use Azure API Management's interactive Developer Console with such APIs, the service allows you to configure your service instance to work with your OAuth 2.0 enabled API.
Follow the doc for more info. https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-oauth2
Is it possible to use MSAL to allow a windows service to access a web api protected by Azure AD B2C? If not, what is the best way to allow a autonomous service to access an API protected by B2C.
This scenario should be addressed with the Client Credentials OAuth flow.
This is possible in Azure AD B2C, however, the experience isn't ideal.
To do achieve this, use "App Registration" blade in the Azure Portal to register a apps that define application permissions and then register apps that use client credentials to request these. You would effectively be using the same mechanism that you use in regular Azure AD, see Azure AD's "Daemon or Server Application to Web API" documentation
Important note: Make sure you are not using the Azure AD B2C blades for this.
You can support the ask for a first class experience by voting for this entry in the Azure AD B2C feedback forum: Support OAuth 2.0 Client Credential Flow