I am using Azure AD to secure my service to service calls. (Each service having an application identity in Azure AD).
Example: Application A wants to access Application B.
I noticed that when requesting an accesstoken from Application A using Client Credential Flow (with Certificate), an accesstoken is issued without having me to explicitly set the permissions to access Application B.
This seems odd to me because the token returned has its audience set to Application B even thought I haven't explicitly given it access.
If I understand correctly, all registered app have access to each other by default?
Is there a way in Azure AD to explicitly require permissions to be set in order for application to access each other?
Below is a screenshot of Application A required permissions. As you can see, Application B is not listed here.
In the following screenshot, I assigned TodoListService (aka Application B) to the required permissions of Application A
I noticed that when requesting an accesstoken from Application A using Client Credential Flow (with Certificate), an accesstoken is issued without having me to explicitly set the permissions to access Application B.
Yeah, that one can be a bit surprising and I'm not sure why that is the case either.
What you need to do is define application permissions on the API, and then assign it on the client.
Then you need to check the caller has the required app permission in the token.
I have an article on this topic: Defining permission scopes and roles offered by an app in Azure AD.
To define an app permission on the API, you'll have to edit its manifest in Azure AD, and add an app role with member type of Application, something like:
{
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"displayName": "Read all todo items",
"id": "f8d39977-e31e-460b-b92c-9bef51d14f98",
"isEnabled": true,
"description": "Allow the application to read all todo items as itself.",
"value": "Todo.Read.All"
}
]
}
IIRC you have to generate a GUID for the id.
After defining this permission on the API, go to your client app, and add the app permission in the Required permissions.
Then you should press Grant permissions to grant the app permission.
Now then when the client acquires a token with client credentials, the token will contain:
{
"roles": [
"Todo.Read.All"
]
}
So you'll have to check that that is present.
Related
We want to achieve an authorization at our APIs.
Ex. We have API-A and API-B and both are exposed to our different consumers.
We have setup of scope based authorization in place with IdentityServer4 where we decorate endpoints with different policies. With IdentityServer4 we are able to achieve this as IdentityServer4 token has scopes claims present in all the grant types but with Azure AD, we found we can't have scope claim in token generated with Client Credential flow.
In our case, Web API B is also exposed to consumers and again they have scope based authorization. To call, Web API B from Web API A we use client credential flow and it will not have scopes claim in token so we are not able to authorize our call to Web API B.
How to achieve scope based authorization with Azure AD in microservices architecture where we call other context APIs from one context.
When you are using client credential flow and using
application permission , you get roles and not scope i.e; scp claim in the token.
Application permissions are sort of roles given to the application
itself and the scope in client credentials should be used as
api://<APP_ID>/.default . They only apply when doing client
credentials authentication, where no user is involved.
See quickstart to configure app access web-apis
Scopes are usually delegated permissions that only apply when a
user is involved in the login process. They allow you to act on
behalf of a user i.e; In the user context only, we will get
scp claims in case of client credential flow.
See azure-ad-scope-based-authorization
So , If you want delegated permissions then you will have to use implicit grant flow instead of client credentials.
As scopes in expose an api page are for Authorization Code Grant flows and where the user is involved, in this case (client credential) its not possible, we have to add our own scopes that is availible for applications to use which are indirectly called roles that we need to add in the manifest itself under approles in the app registration or through the app roles blade.
ex:
{
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"displayName": "Read all todo items",
"id": "f8dxxxxxxxxxxxxf98",
"isEnabled": true,
"description": "Allow the application to read all todo items as itself.",
"value": "Todo.Read.All"
}
]
}
After that , those has to be granted admin consent.
So now when requesting a token with a default scope of api://<app id>/.default the "scopes" are returned in the roles claim.
So we can use role claim for authorization purpose.
Also as a work around
Try to make sure to add additional scope like profile, offline_access open_id.
And give response_type=token instead of id_token
Example request:
......&redirect_uri=https://jwt.io&scope=openid profile offline_access&response_type=token&prompt=login
References:
Scope-based authorization in your API with Azure AD – the IT generalist (wordpress.com)
Scope is not being added to Access Token returned from Azure Ad - Stack Overflow
EDIT:
To call a web api from other , there need to be scopes defined in
one api i.e (api2 that you want to call) and those scopes need to be
selected in calling api(api1) . Please go through the process
here
When login in first Api include scope in the request and also try
response type as Token and see if scp available or then with idtoken
https://tenant.b2clogin.com/tenant.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_TenantSignUpIn&client_id=<appid>&nonce=defaultNonce&redirect_uri=https://jwt.ms&scope=openid offline profile https://tenant.onmicrosoft.com/b2capi/write https://tenant.onmicrosoft.com/b2capi/read https://tenant.onmicrosoft.com/b2capi/user_impersonation&response_type=id_token&prompt=login.
Please note that scopes are present as roles depending on the flow
type.
I have an Azure Function with Azure Active Directory authentication enabled (including "Action to take when request is not authenticated" = "Log in with Azure Active Directory"). Additionally the option "User assignment required?" of the Azure Function related service principal (sp_func) is set to "Yes" to avoid everybody in the tenant being able to in the end run the function.
The goal is to have a single security group (that can include users as well as service principals) that is added to "Users and groups" of sp_func so that the assignment to the group decides if the function can be accessed or not. With users this works fine but not with service principals (sp_nonfunc). For them (sp_nonfunc) to work I have to set the permissions for them (sp_nonfunc) what in the end allows them to interact with the Azure Function no matter if they (sp_nonfunc) are assigned to the group or not.
Is it possible that I can just add a service principal (sp_nonfunc) to a group with the group being added to sp_func and then be able to execute the Function by using sp_nonfunc (without giving explicit permissions to sp_nonfunc)?
EDIT: it also does not seem to be possible to add sp_nonfunc to sp_func directly even if I defined an own appRole in the Manifest. The only way currently seems to be to add permissions on sp_nonfunc for sp_func - but that is what I want to avoid.
EDIT2: here how I have defined the role in the sp_func manifest
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"displayName": "AzureFunctionAccess",
"id": "xxx-xxx-xxx-xxx-xxx",
"isEnabled": true,
"description": "Access Azure Function.",
"value": "AzureFunctionAccess"
}
]
EDIT3: when I don't assign a role directly to sp_nonfunc but just add sp_nonfunc to the security group I get, when making a request to https://login.microsoftonline.com/<tenant id>/oauth2/token with resource = Application ID URI of the registered app of sp_func:
{
"error": "invalid_grant",
"error_description": "AADSTS501051: Application 'xxx-xxx-xx-xx-xx'(xxx) is not assigned to a role for the application 'https://xxx'(xxx).\r\nTrace ID: xxx-xxx-xx-xx-xx\r\nCorrelation ID: xxx-xxx-xx-xx-xx\r\nTimestamp: xx-xx-xx xx:xx:xxZ",
"error_codes": [
501051
],
"timestamp": "xx-xx-xx xx:xx:xxZ",
"trace_id": "5xxx-xxx-xx-xx-xx",
"correlation_id": "xxx-xxx-xx-xx-xx",
"error_uri": "https://login.microsoftonline.com/error?code=501051"
}
This way will not work, to use a service principal(in your case, the sp_nonfunc) get the token for the function app(sp_func), you need to give the API permission for the sp_nonfunc.
Navigate to the App Registration related to the sp_nonfunc in the portal -> API permissions -> add the AzureFunctionAccess you defined, at last click the Grant admin consent for xxx button.
Then get the token with the client credential flow, it will work fine. (I use the v2.0 endpoint, if you use the v1.0, it will also work.)
For more details about the steps, I wrote in this post before, you could refer to it.
I have an API App registered under Azure Active Directory -> App Registrations. This API App is exposing endpoints which will be accessed by clients from within the organization. The clients are not users but background services who will accessing the endpoints.
When I am trying to grant API Permission for the clients to access the API App I see the Application Permission as disabled/greyed out. Do I need to do something different when setting the API Permissions.
Please see the attached picture.
Has anyone come across this issue or am I doing something silly. Azure Admin in our organization told me he can't help with this as he hasn't see anything like this before.
Most probably you haven't defined any roles (i.e. Application Permissions) for your app registration and hence when you try to add permissions for the client application you only see an option for Delegated Permissions.
How to define Roles/Application Permissions
Go to Azure Portal > Azure AD > App Registrations > Registration for your API application > Manifest
Find the "appRoles" collection in Manifest JSON and if it's empty, add your own appRoles here. Example:
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"description": "Apps that have this role have the ability to invoke my API",
"displayName": "Can invoke my API",
"id": "fc803414-3c61-4ebc-a5e5-cd1675c14bbb",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "MyAPIValidClient"
}
]
Notice that I have kept "allowedMemberTypes" as "Application" so that it can only be used as Application Permission. Other possibility is to have "User" as the allowedMemberType, but that is for a different use case when you want to assign roles to users and that's not what you're looking for.
Now if you go to the client application registration to which you want to grant this role (Application Permission), you should be able to see "Application Permissions" as enabled.
You should also be able to see the Application Permission "MyAPIValidClient" with it's description available to be selected. Now I have defined only one Application Permission in example above, but as you can see it's an array, so you can define multiple ones as well. Just make sure you generate new GUID's to be assigend as "id" for each Application Permission.
I'm struggling to determine the best route to authenticate using Azure Active Directory for my dotnet core web API.
Here is the situation:
An application created in Azure Active Directory that the Web API authenticates users. It has multiple application roles associated with it.
A daemon application that needs to authenticate to the Web API.
What is the best solution to solve the authentication situation? It's difficult to find clear documentation on how to actually solve this.
Thank you for your advice and help!
Your daemon app will need to use application permissions (app roles with member type = Application) to call the API.
You can see how to define those here: https://joonasw.net/view/defining-permissions-and-roles-in-aad.
For example, this is how one looks like in the manifest:
{
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"displayName": "Read all todo items",
"id": "f8d39977-e31e-460b-b92c-9bef51d14f98",
"isEnabled": true,
"description": "Allow the application to read all todo items as itself.",
"value": "Todo.Read.All"
}
]
}
Then you assign the app permission to your daemon app.
After that it's a simple matter of authenticating with client credentials from the daemon app.
With ADAL.NET for example, you would acquire a token with ClientCredential + the resource URI of the API.
You can find the URI from your API's app registration (Properties blade, App ID URI).
You can then attach the resulting access token to HTTP requests and the API can find from the appid claim who the calling app is, and from the roles claim what app permissions they have.
I have a single page application (SPA) and an API. Both are secured using Azure Active Directory using role based access control (RBAC). I can login and viewview my SPA using ADAL. I can also login, call my API and see the role claims I have given myeself.
I want to call the API from the SPA. I have added the API delegated permissions to the SPA. I have also hit the 'Grant Permissions' button so I don't see a consent screen.
The problem is when the SPA calls the API, no role claims appear, so the API always returns a 403 Forbidden response. How can I solve this?
Update
This is the manifest for my API:
{
"appId": "[API Client ID]",
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "Read Device",
"id": "b2e6f6c2-c3d5-4721-ad49-0eea255ccf45",
"isEnabled": true,
"description": "Can read a device.",
"value": "Device.Read.All"
}
],
...
}
In my SPA, I'm using ADAL and adal-angular like so:
var azureActiveDirectory = {
'instance': 'https://login.microsoftonline.com/',
'tenant': '[My Tenant ID]',
'clientId': '[SPA Client ID]',
'redirectUri': 'http://localhost:8080/',
'endpoints': {
'http://localhost:5000': '[API Client ID]'
}
adalAuthenticationServiceProvider.init(azureActiveDirectory, $httpProvider);
Apparently, roles in nested groups are not transitive i.e. If I am a member of Group 2, I do not have the Role granted to Group 1, even though Group 2 is a member of Group 2:
Group 1
Has a Role from Application 1
Has a Member called Group 2
This is absolutely unbelievable that such a feature has not been implemented. I've raised a suggestion on UserVoice. Please upvote the suggestion.
you should create the appRole in your API app, when your spa call API, it will get access token with the role in api app that the login user belongs to. so to make sure you create role and verify role in api app, not spa app.