My structure of application is Web app calls a WebAPI(lets call it apiA) and that calls another api (lets call it apiB). Now, Web app authenticates the calls via AAD JWT tokens. So, that token would be created for apiA. But I want the api call to apiB to be as the logged in user and dont want to use client secrets etc.
So, in nutshell wants to impersonate the user and get a token for apiB from the token created for apiA or may be if possible have a token which can be good for both apiA and apiB. So, I dont have to get a new token.
Is there any way to do this?
You could try OAuth 2.0 On-Behalf-Of flow to delegate the user’s identity and authenticate to the second-tier web API. Please refer to document :
For the scenario when a server application needs to call a web API, it’s helpful to use an example. Imagine that a user has authenticated on a native application, and this native application needs to call a web API. Azure AD issues a JWT access token to call the web API. If the web API needs to call another downstream web API, it can use the on-behalf-of flow to delegate the user’s identity and authenticate to the second-tier web API.
Please click here for more details about service to service calls using delegated user identity in the On-Behalf-Of flow .
Related
I have a cordova application which I am authenticating using azure AD cordova plugin and it all works fine. But now I am integrating services published in another domain and I am unable to authenticate these services using the mobiletoken generated after authentication. Can someone guide me how to secure multiple domain APIs published as Azure web APIs and use token to access the secured APIs.
I have tried to modify the secured settings in azure portal of one of the APIs by including reply URLs for both the APIs
When I include the token in the header of the ajax requests going into 2nd domain endpoints, I just get "unauthorized" error.
It sounds like you're able to get an access token in a Cordova setting and you're having issues accessing multiple web apis after the user has logged in.
The authentication protocol I would suggest you utilize is the on-behalf of flow which is doocumented here : https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
Per the summary :
The OAuth 2.0 On-Behalf-Of flow (OBO) serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from the Microsoft identity platform, on behalf of the user.
This is to get a new access token with the right audience to gain access to web api 2.
I'm not an expert in security, so I would like to validate the options here because I'm a bit lost in all the possibilities.
I have an ASP.NET Core MVC web application, and added Facebook authorization to it (there will be others as well, like Microsoft Mail, and integration with an Azure AD). So users currently can click the 'Log In' button, then click the 'Facebook' button; they redirect to Facebook, enter their credentials, and finally come back to my site where they are authenticated. This works fine, and in the claims I receive nameidentifier and email address.
Now I want to add a ASP.NET Core Web API, which is called by the MVC site (and later by other consumers).
As I have to implement my own authorization mechanism in the web API, I was thinking on passing the authentication token from MVC site to the web API, so that in the web API i know the authenticated user, and based on the nameidentifier I find in the token, I handle authorization for this user.
Is the solution that I propose here feasible for my scenario? Or do you handle this kind of situation typically in another way? Demo applications that I can have a look at maybe?
Is the solution that I propose here feasible for my scenario? Or do you handle this kind of situation typically in another way? Demo applications that I can have a look at maybe?
Yes, you could use Oauth 2.0 on-behalf-of flow to achieve your idea. The OAuth 2.0 On-Behalf-Of flow serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain.
Here is work flow:
1.The client application makes a request to API A with the token A (with an aud claim of API A).
2.API A authenticates to the Azure AD token issuance endpoint and requests a token to access API B.
3.The Azure AD token issuance endpoint validates API A's credentials with token A and issues the access token for API B (token B).
4.The token B is set in the authorization header of the request to API B.
5.Data from the secured resource is returned by API B.
You can refer to the code sample: Calling a web API in an ASP.NET Core web application using Azure AD.
I secure my nodeJs API with Azure B2C. I have two web application which accesses my API.
the two Web application has its own application Id in Azure B2C. Also, those can generate access_token with B2C.
But when I validate those access_token in my API I have to put application id of the web application witch generate the access_token as an audience.
But the audience does not support array. I can only put one application id.
How do I solve this?
If I secure an API with B2C I only can make requests from one web application?
The audience (aud) claim for an access token identifies the intended recipient (i.e. the API application) of the access token.
At a high-level, you must:
Register the API application in order for any client application to acquire an access token for use with the API application.
Grant access by one or more client applications to the API application.
Configure the application identifier for the API application as the expected audience for the API middleware.
The Azure AD B2C: Requesting access tokens article describes how a client application can acquire an access token for use with an API application.
i need to get Azure token in my app (C#) to perform Graph API operations on users, but without sign in all the time when app invoked (app must be full automate, working in timer job) so i have a question how to made process of token acquiring fully automate (without user)?
All that I found about this topic:
Get access without a user
But I failed to recreate it.
The OAuth2 flow you are describing is called the "Client Credentials Grant" and is in detail described here.
In short it is relevant in this case and works like this:
First, user interaction is not possible with a daemon application,
which requires the application to have its own identity. An example of
a daemon application is a batch job, or an operating system service
running in the background. This type of application requests an access
token by using its application identity and presenting its Application
ID, credential (password or certificate), and application ID URI to
Azure AD. After successful authentication, the daemon receives an
access token from Azure AD, which is then used to call the web API.
Have a look at this implementation to see how it is done in code.
Using OAuth On-Behalf-Of works exactly what you describe. Which On-Behalf-Of method, there is no user interaction to obtain the user's consent to access to the downstream API (e.g. Graph API). In other words, the user identity & permission is silently delegated in a full request chain. In a real-world corporate environment, your app would be normally authenticated by another identity provider (e.g. Active Directory) not Azure AD, which after then requests authorization to Azure AD OAuth endpoint.
When requesting access token, you must set its type is requested_token_use=on_behalf_of
Here is reference to POST to the endpoint https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-on-behalf-of
Here is the reference of SSO authentication with OAuth On-Behalf-Of https://learn.microsoft.com/en-us/outlook/add-ins/authenticate-a-user-with-an-sso-token
I have a native client (console app) from where I am trying to access a WebAPI. The API has been authenticated using Azure AAD. So, in order to acquire a token using the method AuthenticationContext.AcquireToken(), ClientCredentials are needed which in turn need the "client secret" that one is supposed to receive from Azure while registering the application to Azure AAD. Is there any other way for me to be able to retrieve the access token to access the WebAPI?
If you want to call the WebAPI on behalf of (or "as") the current user then you can use the Resource Owner Credentials flow. Otherwise, the client credential flow you described is the appropriate solution.
Note that your client app should be registered separately from your WebAPI in AAD.