Use Azure Application Proxy with an App Service - azure

We want to use the AAP to communicate from an Azure App to an on premise application. We want the App to authenticate and call the Proxy Api and not delegate the user. Right now, we are able to get a token for the Resource of the Proxy Api and call the api from the application, but we get an error page (imho from the proxy api) saying "This corporate app can't be accessed right now.", with StatusCode: InternalServerError.
Calling the proxy url from a browser with Azure Authentication enabled on the proxy, and with an Azure Account logged in that browser, it works.
Calling the proxy url from a browser with Passthrough on the proxy, anonymously, it works.
Calling the proxy url from a browser with Azure Authentication on the proxy, anonymously, it returns access denied.
Calling the proxy url from a Web Api hosted on Azure with a token requested on the Proxy resources and with Azure Authentication on the proxy, it fails with InternalServerError.
Is the AAP only working for use with Users and not Applications? I suspect this because the documentation has this quote:
The client sends the token to the Application Proxy service, which retrieves the user principal name (UPN) and security principal name (SPN) from the token, then directs the request to the Application Proxy connector.

It is intended to give users access to your on-premises applications, not applications.
The user is authenticated through Azure AD and given access to the on-premises application. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy

Related

Front Door + App Service with built-in authentication not working

I'm trying to use App Service with standard App Registration built-in authentication behind a Front Door with no success.
My setup is:
An App Service "myapp.azurewebsites.com" with built-in authentication.
App Registration "app-auth" as auth provider.
I have "app-auth" configured in my App Service for automatic authentication via Provider.
Front Door "frontdoor.example.com" forwards requests to my App Service.
My App Registration "app-auth" has a redirect URL assigned the Front Door public name example "frontdoor.example.com".
Problems I'm having:
App Service keeps sending its own name "myapp.azurewebsites.com" as request_uri query string when logging in to Azure Active Directory. It must send the Front Door URL.
Setting up "frontdoor.example.com" host header in Front Door fails, as it requires it to match the App Service name.
Am I missing some configuration? Or, do I need to use custom authentication when behind a Front Door?
In order for this to work, you need to add the custom domain (frontdoor.example.com) also to your app service. This can be done using DNS verification.
1. Go to your App Service
2. Go to Custom Domains
3. Copy the Custom Domain Verification ID
4. Add a new DNS TXT record with the copied value: TXT asuid.frontdoor.example.com. <verification id>
To ensure Front Door forwards the request Host Header, the Origin host header field in your Origin configuration must be blank.
Then, when Front Door forwards the request Host Header (Host: frontdoor.example.com) the App Service will recognize it and the Azure AD authentication will use it for redirection.
It seems you have misconfigured the redirect URI in your APP service registration in Azure AD. That is where you specify the redirect_URI; it has nothing to do with the app service or the front door itself.
Instead of the inbuilt Azure AD authentication in Azure App service, I used custom Azure AD authentication in my dotnet core app by following this stackoverflow answer:
Authentication with Azure AD redirect_uri is incorrect using FrontDoor
I wrote an article on the same; refer to it here:
https://www.lkgforit.com/2022/10/how-to-setup-azure-front-door-for.html

How to configure Azure Web App to Web App authentication?

I have two Azure Web Apps, one is a website and acting as the front-end, the other one is an API and acting as the backend. I would like to add authentication to this solution so only the front-end can access the backend. To do this, I've configured AAD authentication on the backend Web App with the express option that creates a new Azure AD application configured with the correct reply URL, API permissions (User.Read), etc. When I then navigate to the backend Web App URL, I need to sign-in with my Azure AD credentials.
Which steps do I need to take to restrict that so I as a user cannot login and only the front-end Web App can authenticate to the backend API?
For example, I can set the "Authorized client applications" on the Azure AD application of the backend API. However, I need to have an application ID to add an authorized client and I would like to use the Managed Identity of the front-end Web App for this, not a new and additional Azure AD application.
Any idea how to do this?
This is weird, if the login screen still appears, there is a problem with your code configuration, because the client credential flow does not involve user interaction.
I found a useful sample for your reference, this sample application shows how to use the Microsoft identity platform to access the data from a protected Web API, in a non-interactive process. It uses the OAuth 2 client credentials grant to acquire an access token, which is then used to call the Web API.

Azure AD authentication for multiple domains

I have a cordova application which I am authenticating using azure AD cordova plugin and it all works fine. But now I am integrating services published in another domain and I am unable to authenticate these services using the mobiletoken generated after authentication. Can someone guide me how to secure multiple domain APIs published as Azure web APIs and use token to access the secured APIs.
I have tried to modify the secured settings in azure portal of one of the APIs by including reply URLs for both the APIs.
When I include the token in the header of the ajax requests going into 2nd domain endpoints, I just get "unauthorized" error.
It sounds like you're able to get an access token in a Cordova setting and you're having issues accessing multiple web apis after the user has logged in.
The authentication protocol I would suggest you utilize is the on-behalf of flow which is documented here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
Per the summary :
The OAuth 2.0 On-Behalf-Of flow (OBO) serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from the Microsoft identity platform, on behalf of the user.
This is to get a new access token with the right audience to gain access to web api 2.

Azure client app accessing Azure api secured by AD

I have an Angular 5 app and a web api app, both of which are hosted in Azure.
They have been secured with Azure AD at the website level e.g. no anonymous access is allowed.
When browsing the Angular site, it asks me to log in fine and I can access .auth/me which uses the local cookie to get token/claim information.
I now want to call the separate api but not sure how to go about it.
Both sites have an application in Azure AD, and I've set the client to have delegated permissions of 'Access to API'.
I've tried accessing the api using both the local cookie from the client (not sure if this would work) and the token returned by .auth/me, but neither works.
In my client manifest I have the following:
    "resourceAppId": "3cddd33c-2624-4216-b686-7f8fa48f38cf", // api id
    "resourceAccess": [
      {
        "id": "c2712c68-ea93-46d2-9874-61b807b19241",
        "type": "Scope"
      }
    ]
but haven't seen any additional scopes added to the claims, should it?
According to your description, you have both created the separate AAD application for your Angular app and your web api app, and configured the delegated permissions for your Angular AAD app to access the web api AAD app.
Based on my understanding, you are using the built-in App Service Authentication / Authorization for authentication; at this point you do not need to change code on your app backend. You may have set Action to take when request is not authenticated to Log in with Azure Active Directory instead of allowing anonymous access; at this time your app service would directly redirect the user for authentication. After logging in, your client could access https://{your-angular-app-name}.azurewebsites.net/.auth/me for retrieving the logged user info. For accessing your web api website, you could just send the request as follows in your angular client:
GET https://{your-webapi-app-name}.azurewebsites.net/api/values
Header Authorization:Bearer {id_token or access_token of AAD}
UPDATE:
That is exactly the route I'm trying to implement. One thing missing though, I had to add the client application id to the allowed token audience of the api app in Azure.
For retrieving the access_token, you need to set additional settings for the AAD provider in your Angular web app as follows:
    "additionalLoginParams": [
      "response_type=code id_token",
      "resource=<AAD-app-id-for-your-webapi-webapp>"
    ]
For details, you could follow this similar issue.
Use the EasyAuth server flow for logging in; you would get the access_token, and you could leverage https://jwt.io/ to decode your token as follows:
Pass the access_token as the bearer token to your webapi web app; at this time you do not need to specify the ALLOWED TOKEN AUDIENCES.
At this time, you could invoke .auth/refresh against your Angular web app for refreshing the access_token, then you could use the new access_token to access your webapi web app.
I want roles included in the token so might have to stick with id?
If you want your Web API exposing access scopes to your Angular application which would be contained in the access_token as the scp property, you could follow the Configuring a resource application to expose web APIs section in this tutorial. Moreover, you could also follow Application roles.
UPDATE2:
You could follow Authorization in a web app using Azure AD application roles & role claims for detailed tutorial and code sample.
The usual approach would be to use ADAL.JS (or MSAL.JS with AAD v2 endpoint/B2C) to get an access token for the API.
ADAL.JS uses a hidden iframe to get an access token using the user's active session in Azure AD.
You can find an example Angular app here: GitHub.
An especially important part of the ADAL.JS configuration is here:
var endpoints = {
    // Map the location of a request to an API to the identifier of the associated resource
    "https://myapi.azurewebsites.net/": "https://myaadtenant.onmicrosoft.com/MyApi"
};
The property name/key should be the URL for your API. ADAL-Angular detects calls to URLs starting with that, and attaches the correct access token to them.
The value should be the App ID URI of the API. You can find it from your API's App Registration from Azure Active Directory -> App registrations -> All Apps -> Your API -> Settings -> Properties.
You do need to enable implicit grant flow on the Angular app from the app registration for the SPA. You can find it from the Manifest.
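Several threads above turn on the same two questions: which audience a token carries, and whether it was issued to a user or to an application such as a front-end's managed identity. The JavaScript (Node.js) below is an added example, not code from any of the posts, showing the claim checks a backend API can apply once its JWT middleware has verified signature, issuer and expiry. The function names, the policy object, the `Api.Call` role and all IDs are assumptions made for illustration.

```javascript
// Decode a JWT payload without verifying it. Signature, issuer and expiry
// checks are assumed to have been done by the API's JWT middleware already.
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// expected.audiences: `aud` values the API accepts (App ID URI, application ID)
// expected.clientIds: application IDs allowed to call the API (optional)
// expected.appOnly:   true to refuse tokens issued on behalf of a user
function checkToken(jwt, expected) {
  const c = decodeClaims(jwt);
  const problems = [];
  if (!expected.audiences.includes(c.aud)) {
    problems.push(`aud "${c.aud}" is not this API`);
  }
  // v1.0 tokens name the calling application in `appid`, v2.0 tokens in `azp`.
  const caller = c.appid || c.azp;
  if (expected.clientIds && !expected.clientIds.includes(caller)) {
    problems.push(`caller "${caller}" is not an allowed client`);
  }
  // Delegated (user) tokens carry `scp`; app-only tokens do not.
  const delegated = typeof c.scp === "string";
  if (expected.appOnly && delegated) problems.push("token was issued for a user");
  return { ok: problems.length === 0, caller, delegated, roles: c.roles || [], problems };
}

// Build an unsigned sample token; all IDs below are constructed placeholders.
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ typ: "JWT", alg: "RS256" })}.${enc(claims)}.placeholder-signature`;
}

const API = "api://backend-api-placeholder";
const FRONTEND = "11111111-1111-1111-1111-111111111111";
const policy = { audiences: [API], clientIds: [FRONTEND], appOnly: true };

const appToken = sampleToken({ aud: API, appid: FRONTEND, roles: ["Api.Call"] });
const userToken = sampleToken({ aud: API, azp: "22222222-2222-2222-2222-222222222222", scp: "user_impersonation" });
const wrongAudience = sampleToken({ aud: FRONTEND, appid: FRONTEND });

for (const [name, t] of Object.entries({ appToken, userToken, wrongAudience })) {
  console.log(name, JSON.stringify(checkToken(t, policy)));
}
```

The `wrongAudience` case models a token whose `aud` is the client's own application ID rather than the API's, which an API rejects unless that ID is also listed among its accepted audiences.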

Azure Application Proxy, Pre-authentication, SPA - Accessing the access token

I'm using the Azure Application Proxy with pre-authentication enabled for Azure Active Directory. Everything is working as expected, getting prompted to login and then being redirected to the site (SPA) via the proxy connector.
Is there a way to receive the access token in the single page application, so that it can be used to interact with the Graph API to validate membership rights?
