In a AzureAD authenticated app hosted in Azure i get the access token in the api controller like this
public override void OnActionExecuting(ActionExecutingContext context)
{
base.OnActionExecuting(context);
_client.DefaultRequestHeaders.Accept.Clear();
var tokenHeader = Request.Headers["X-MS-TOKEN-ADD-ACCESS-TOKEN"];
_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokenHeader );
}
Since Azure AD app service injects the token it works only when hosted in Azure.
How can i make it work in my development environment? This of course generates an exception.
Im following this tutorial:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-auth-aad#enable-authentication-and-authorization-for-back-end-app
Both backend and frontend are secured with AzureAD authentication.
The frontend app has had permission set to the backend app in AzureAD section in the portal.
In the code, there is nothing configured in appsettings.json.
According to your describe, you're using Easy Auth for your web App service. You know, Easy auth is for Azure Web App service, it's managed by Azure. So, I'm afraid of that you cannot use Easy Auth authentication for your app from your local machine.
For more detials about Easy Auth for Azure Web App service, you can refer to this documentation.
If you run the application locally on your development system, Easy
Auth will not be available and you will not have the access tokens,
etc. that you may need in your application. In order to debug those
features of your application, you will need to deploy to an Azure Web
App. An alternative approach is to do the login and authentication
workflow in the application code, but then you are no longer
leveraging Easy Auth.
However, there is a method to do Local Debugging of .NET Core Web App with Easy Auth.Here is a blog which introducts an approach to that. This blog may be helpful to give a thought for your scenario.
Related
I am trying to set up a test case for Azure B2C authentication from scratch. I need to authenticate from a Winforms application and access a protected web API running as an Azure App Service.
I have found several tutorial but most of them seem out of date.
I eventually found this tutorial for the client side (it is a WPF app but this is OK).
I can not find a good tutorial for the server part. The previous tutorial, at chapter Step 3: Configure the sample web API, points to https://learn.microsoft.com/en-us/azure/active-directory-b2c/enable-authentication-web-api?tabs=csharpclient
Apparently, this server-side example is for .Net5. As I would like my API to run as an App Service, I must use .Net6 in order to deploy it. If I try to build my web API in .Net6, the code is quite different : no startup.cs file for instance, only an appsettings.json file automatically populated by Visual Studio. But any call to the web API running in Azure from my client App fails with an Internal Server Error.
When using the auth_settings, this is creating my app service settings within the Authentication (Classic) tab. Is there any new way to use terraform to update the Authentication tab?
It seems not supported yet as of azurerm version 2.67.0
One of complain I have is that the application cannot be tested locally, this is the case with Authentication Classic which uses built in authentication of app service(easy auth).
The newer Authentication seems configure the app registration for the popular oauth2 identity providers, but still keep some of client settings on Azure, where it should be kept at web.config.
For this reason I would not use this setting for now, just manually configure the app registration and make configuration in web.config/appsettings.json, and use an authentication library of my pick(MASL that is)
I am developing a .NET Core 3.1 MVC App and then publishing it to Azure Web App. In the Azure portal, for this hosted app -> I enabled App Service Authentication with AzureAD Login. But then the authentication doesn't work as "User.Identity.IsAuthenticated" is always coming as false in the Controller and I can't fetch other user details I want to, like email etc. Upon searching I found there is a workaround using a Nuget Package for >Net Core 2.2 (https://github.com/MaximRouiller/MaximeRouiller.Azure.AppService.EasyAuth), but I don't see any solution for 3.1.
However, when I setup custom auth by disabling the App Service Authentication in Azure, and set the auth in Startup.cs like this:
services.AddAuthentication(AzureADDefaults.AuthenticationScheme).AddAzureAD(options => Configuration.Bind("AzureAd", options));
and this:
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints => ...
with config in appsettings.json, the auth works fine and I can fetch user details as well.
But our preferred solution is not to have any auth settings/custom auth in code and rather handle it fully on the portal using Azure AD Easy Auth with .NET Core 3.1 MVC app. Would really appreciate any help.
This is a known limitation for EasyAuth and .NET Core as documented. The User Principal is implemented differently in .NET Core and EasyAuth can't grab those details automagically like it can in .NETFX. That is why you need to use Maxime's workaround.
I've configured my UWP app to authenticate using a MobileServiceClient. This appears to be working fine. The ClaimsPrincipal object is authenticated when executing remotely. However, I'm unable to retrieve the ClaimsPrincipal from my Azure Function when debugging locally.
I believe this is because I need to configure my local server with a matching SigningKey, ValidAudiences, and ValidIssuers settings; as described in this article covering Mobile App Services.
But I'm working with Azure Functions and not a Mobile App Service, and configuration appears to work differently.
How can I configure my local server to correctly interpret the credentials passed from my mobile app?
I believe the reason it works remotely and not locally is because the Azure Functions local tooling does not currently support the Authentication / Authorization identity features. Until it does you'll need to find a way to mock the ClaimsPrincipal for local development/testing.
UPDATE: Same answer for Sept. 2020. We've done some work to get closer to this goal, but still not quite there yet.
I have two applications:
MVC Site (User-facing Web App secured via OAuth -> Google)
Web API Site ("Private" Web Services)
These are hosted in an App Service Plan in Azure. These web services will only be consumed by my own applications - I don't need to worry about outside consumption. In fact, I specifically don't want outside consumption. My Web App is using OAuth to Google - that shouldn't matter here.
So to get to the heart of my question: My web services currently have no authentication/authorization model in the code but I don't want it just publicly available to anybody. On prem, we just lock this down via IIS using Windows Auth and set the service account for the consuming web app to run as a user that Windows Auth allows access to. I'd like to do the equivalent in Azure.
I understand Azure isn't exactly the same but I have to believe this is possible. I have even gotten my web services locked down the way I want using the settings in the Authentication/Authorization tab (I can try to navigate to it but I only get my Swagger UI once I login with a valid organizational account). So half of my battle is solved but I cannot figure out how to do the other half - the equivalent of setting the service account for my consuming MVC application to run as.
Can I do this via the portal without having to code specifically to this scenario? I'd really like a PaaS-level or IaaS-level solution for the security portion of consuming the above locked-down services. I'm also open to other avenues if I'm going down the wrong path in having a PaaS or IaaS security solution to this problem. I'm not against making code changes - we did have a one-liner in our RestSharp code to engage Windows Authentication, but the bulk of the work/configuration was outside of code and that's what I'm going for here.
If going the IaaS path you can host the application inside of an VM in the exact same way as you did before when running it directly on-top of IIS. The benefit is that you can get running the same way as before but you will still need to manage the VM; i.e install updates and take care of its security.
However, if you want to have a PaaS solution, then you need to modify the code of your front-end application to pass on the authentication token to the back-end API, assuming the back-end accepts the same authentication as the front-end. See https://azure.microsoft.com/en-us/documentation/articles/app-service-api-dotnet-get-started/ as an example on how to pass on authentication information from one app to another.
Alternatively you can use the app identity to make calls to your back-end API. This way the calls are not related to any user but are instead done in the context of the app. See https://github.com/Azure-Samples/active-directory-dotnet-daemon for more details on how to set it up, both configuration and needed code.
If you want to allow your users to sign-in using their Google accounts then you could handle authorization to your API using the app identity (second alternative above), assuming the API is independent of the requesting users identity.
Enabling authentication for a Azure Web App directly through the menus in the Azure Portal adds Azure AD authentication in-front of your application and require your to pass an access token generated by Azure AD to your API for it to work.