Invalidating Azure AD Bearer Token on LogOut - azure

Application Implementation Details -
My application is structured as follows:
MVC Web Application hosted on Azure Web App.
Angular JS is used at the client side integrated with the web application.
Services are hosted on Azure Service Fabric Cluster.
Authentication is happening using Azure AD.
Service Fabric APIs are hit from angular js files as follows -
After authentication from Azure AD, the bearer access token is received.
This token is added as Authorization header in the AJAX request from js.
The token is retrieved from the header in the API and validated.
Due to the above implementation, the bearer access token is retrievable from the developer tool in browsers. And using this token, unauthorized requests can be made to the APIs from tools like Postman etc. The default expiry of this token is 60 mins.
Problem Statement -
I need to invalidate the token once the user logs out of the application. This is to prevent unauthorized access to the APIs.
Question -
Need input on how to invalidate or expire this token? Or is there any other approach which can be used to solve this problem?

> Question - Need input on how to invalidate or expire this token? Or is there any other approach which can be used to solve this problem?
Once the token is issued, you cannot invalidate the token until it expires. If you can be sure of the usage time, you could configure a token lifetime that is less than 1 hour. For how to configure token lifetime, please read here.

Related

A simple device (no oauth2 context) should send data to .net rest api with AAD Token

So I have a .NET 6 REST API running as an App Service in Azure. The authentication is being done with AAD tokens. My app and web page can log in, but 1 device that needs to send some information to the database can only make simple HTTPS get, post, put and delete actions; it can never start an OAuth2 authentication process to acquire a token.
The only thing the device can do is store a long url. When the get action is required it just sends the https call with that url string.
So have any of you encountered this problem before and how did you solve it?
I was thinking of a Token per device that never expires but AAD does not support this. As they should. :).
Should I create a separate endpoint with user and password login?
Thanks in advance!

How can I use azure ad access token which is got from SPA to protect backend api?

I want to use azure AD as authentication.
If user who is in certain organization logged in from SPA, and give access token to backend, then I want to permit access from SPA.
So, I want to check if token passed from SPA is valid or not.
How can I do this? Or can I do this?
I want to build backend server with node.js app, and deploy backend app to app service or Azure Container Registry.
I think bearerStrategy would work.
Ref https://github.com/AzureAD/passport-azure-ad
> BearerStrategy uses Bearer Token protocol to protect web resource/api. It works in the following manner: User sends a request to the protected web api which contains an access_token in either the authorization header or body. Passport extracts and validates the access_token, and propagates the claims in access_token to the verify callback and let the framework finish the remaining authentication procedure. On successful authentication, passport adds the user information to req.user and passes it to the next middleware, which is usually the business logic of the web resource/api. In case of error, passport sends back an unauthorized response.
In the past, there was an ADAL version for node apps. I don't know if it's still valid or not, but here are useful links:
https://medium.com/#liangjunjiang/verify-and-decode-azure-activity-directory-token-bc72cf7010bc
https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-flows-app-scenarios
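
The validation flow quoted above (extract the token from the Authorization header, validate it, hand the claims on or answer 401), written out with Node's built-in `crypto` so each check is visible. This is an added example, not passport-azure-ad code or code from the posts. The function name, the `cfg` shape, the tenant GUID, the audience and the locally generated key pair (standing in for the tenant's published signing key) are all constructed assumptions.

```javascript
// Added example (not passport-azure-ad code): checks a bearer-token middleware must make.
const crypto = require('crypto');

const decodeJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Returns { ok: true, claims } or { ok: false, status: 401, reason }.
function validateBearer(authorizationHeader, cfg, nowSec = Math.floor(Date.now() / 1000)) {
  const deny = (reason) => ({ ok: false, status: 401, reason });
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authorizationHeader || '');
  if (!m) return deny('missing or malformed bearer token');
  const [, h, p, s] = m;
  let header, claims;
  try {
    header = decodeJson(h);
    claims = decodeJson(p);
  } catch {
    return deny('undecodable token');
  }
  if (!header || !claims || typeof claims !== 'object') return deny('undecodable token');
  // Pin the algorithm so the token cannot select "none" or an HMAC variant.
  if (header.alg !== 'RS256') return deny('unexpected alg');
  const key = cfg.keys.get(header.kid);
  if (!key) return deny('unknown signing key');
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify('RSA-SHA256', signed, key, Buffer.from(s, 'base64url'))) {
    return deny('bad signature');
  }
  // Only after the signature holds are the claims worth reading.
  if (claims.iss !== cfg.issuer) return deny('wrong issuer');
  if (claims.aud !== cfg.audience) return deny('wrong audience');
  if (claims.tid !== cfg.tenantId) return deny('wrong tenant');
  if (typeof claims.exp !== 'number' || nowSec >= claims.exp) return deny('expired');
  if (typeof claims.nbf === 'number' && nowSec < claims.nbf) return deny('not yet valid');
  return { ok: true, claims };
}

// Constructed fixture: a locally generated key pair stands in for the tenant's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
function mintTestToken(claims, alg = 'RS256') {
  const body = `${enc({ alg, typ: 'JWT', kid: 'test-key-1' })}.${enc(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(body), privateKey);
  return `${body}.${sig.toString('base64url')}`;
}
const cfg = {
  issuer: 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0',
  audience: 'api://constructed-backend-api',
  tenantId: '00000000-0000-0000-0000-000000000000', // constructed placeholder tenant
  keys: new Map([['test-key-1', publicKey]]),
};
```

The `tid` comparison is what restricts access to users of one organization; a token that is correctly signed for another tenant or another API is rejected at the `tid` or `aud` check.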

Passing Azure token (JWT) with API calls on SPA

I have a SPA that calls a PHP backend (based on Symfony currently for proof of concept).
Authentication for this application is based upon an Azure Active Directory, and all azure users are matched against the local application user table on their email address and OID - if not registered locally then a local account is created for them with basic privileges.
For authentication, a call is made to the backend, which then redirects to Azure to authenticate, and then the access token is returned. Instead of re-inventing my own auth token system in the backend, can I just get the SPA to pass the Azure access token in the API calls and validate it on the backend, letting the SPA deal with refreshing the token as and when required?
Cheers
Yes - in this partial SPA model you will typically need to store a refresh token in an http only secure cookie. When the web UI calls an API and gets a 401 expired response it will need to call the back end to refresh the token.

How to connect with Azure App Service using cached token in Xamarin Forms

I'm trying to access my Table in Azure App Service when the user has been authenticated. I use server side auth with Facebook. Once the user is authenticated, the token is saved into my Setting class, as this post does. Whenever the user comes back to the app, I want the user to use their cached token to connect to the table in Azure App Service. What is the best approach to achieve this?
1) Implement client-side authentication with the Facebook SDK. The token provided by Facebook is long-lived (something like 60 days), so you can store it in a private store. I cover private stores in chapter 2 of the ZUMO Book at http://aka.ms/zumobook
2) When you open the app, use the stored token to get a ZUMO token. This is short lived - 1 hour. You can store this too, but it's a waste of time since you can use the unexpired Facebook token to get a new one.
3) Implement an Authentication Refresh process via a delegating handler - I describe that in the ZUMO book too.
You still need to configure Azure App Service Authentication to understand and validate your facebook token (also covered in the book!)

MVC WebAPI active authentication

I'm writing multiple client apps (iPhone/android/windows phone) that are going to call into an Azure ACS secured mvc webapi controller (sorry for the acronym soup).
Securing the webapi is straightforward with WIF (well, .net 4.5), and I can passively log in without issue.
I have also created a POC iPhone application that uses a web browser to get the user to authenticate against the azure AD IP, then using the guide here I can get a javascript token.
Now I guess the next step is to use the JSON Web Token Handler on the web controller and I should be able to pull the data fine.
However, how long can I store the token for? Should I try the webapi endpoint, and if it's rejected get the user to re-authenticate, or is there any way to set the token so it either never expires, or it expires after months?
Thanks
Ross
AFAIK, ACS limits the lifetime of a JWT token to 24 hours (This is not a JWT constraint- it is an ACS one); after that you have to renew it. Storing a security token for a long time is in general not a good idea since the user may be deactivated or her claims might have changed.
You can know when a token expires by looking at the "exp" member of the security token. The security token you will receive from ACS is BASE64 encoded. It has 2 to 3 parts separated by a dot. If you decode the token, then the second part of the token will give you the "exp" member. Microsoft has provided toolkits for ios at
https://github.com/WindowsAzure-Toolkits/wa-toolkit-ios. (toolkits for android etc also exist).
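
Reading the "exp" member as described in the answer above, so a client can decide whether a stored token is still worth sending or must be renewed first. This is an added example for Node, not code from the answer or from the toolkit; the function names, the 300-second renewal margin and the sample token are constructed assumptions.

```javascript
// Added example: read "exp" from a cached JWT to decide what to do with it.
// This only decodes the token; it does NOT verify the signature, so it is a
// client-side convenience check and never a substitute for validation by the API.
function readExpiry(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  // 2 to 3 dot-separated parts; the claims are in the second part.
  if (parts.length < 2 || parts.length > 3 || !/^[\w-]+$/.test(parts[1])) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return claims && Number.isFinite(claims.exp) ? claims.exp : null; // seconds since epoch
  } catch {
    return null; // second part was not base64url-encoded JSON
  }
}

// Returns 'use', 'renew' (still valid but close to expiry) or 'reauthenticate'.
function cachedTokenAction(token, nowSec, renewMarginSec = 300) {
  const exp = readExpiry(token);
  if (exp === null || nowSec >= exp) return 'reauthenticate';
  return exp - nowSec <= renewMarginSec ? 'renew' : 'use';
}

// Constructed sample token: the signature part is a placeholder, not a real signature.
function sampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.c2lnbmF0dXJl`;
}
```

Treating an unreadable or exp-less token as expired keeps the failure mode on the safe side: the user signs in again instead of the app holding on to a token it cannot reason about.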
