If my Web Api application is hosted outside Azure, can I use access tokens issued by Azure AD and verify the tokens in the Web Api itself or against Azure AD?
All the examples available are referring to the Web Api applications hosted on Azure. But there must be a way to do this with Web Api outside Azure.
Any reference to solution would help.
Azure active directory support the OAuth 2.0 to authorize the third-party apps. It doesn’t matter where the web API or apps hosted. Below figure is the stand OAuth flow from RFC 6749 – The OAuth 2.0 Authorization Framework.
Technically, the web API only need to verity the token from the endpoint it trust. I also explained the detail about verifying the access token from this thread.
And if you want to know more about the scenarios developing with Azure AD, you can also take a look this article.
Related
I am developing an Web API .net core and hosting it in Azure as we are migrating to Azure. To secure the web API and for Authorization (Protect a web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory). But I have some questions as following below:
Question 1. if I protect a web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory then if we want to expose the Api to the third party outside of the organization then would it work?
Questions 2 Can we protect an Api that is hosting in OAuth without Active Directory.
Question 3. What is securing an api with Microsoft Identity vs OAuth. It is confusing to me why should I not use Microsoft identity over OAuth for Authorization. Is it something new that came out from Microsoft?
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-aspnet-core-web-api
Thanks
if I protect a web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory then if we want to expose the Api to the third party outside of the organization then would it work?
If your protecting your web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory, you cannot expose your API to any 3rd party application or an organization so easily.
For that purpose you will have to
federate that application/SAAS with azure AD for users in that platform to be able to access the API.
You have to give permission/privileges to the federated users of that platform to be able to access the web API and its scope.
Can we protect an Api that is hosting in OAuth without Active Directory?
No, we cannot protect an API hosting in OAuth without Active Directory.
Because, OAuth authorization code grant can be used in apps that are installed on a device to gain access to protected resources, such as web APIs.
It's used to perform authentication and authorization in the majority of app types, including web apps and natively installed apps.
What is securing an api with Microsoft Identity vs OAuth?
A managed identity generated by Azure Active Directory (Azure AD) allows your API Management instance to easily and securely access other Azure AD-protected resources, such as Azure Key Vault.
I have an Azure WebApp which needs to call the Azure DevOps API to trigger a build pipeline.
The only problem I have is to find out which is the proper way to authenticate from my web api against azure devops API.
Should I use a service principal account for that, or Managed Identity?
Do I have to create a service account in Azure AD, give him rights on Azure DevOps ?
I only have a route which then calls the DevOps API, so I need to authenticate at the moment the route was called with a Principal from the WebApp.
Iam a little bit lost how to do it the right way, because there is so much information about the auth topic.
Currently I use my personal account with PAT from Azure KeyVault, which is only a temporary solution.
Thanks & Regards
If you check this Choose the right authentication mechanism document, you will find several types of authentication mechanism from your Web App API against azure DevOps API.
But it's mostly recommended to use Azure DevOps Services Client Libraries for authentication and accessing Azure DevOps Services resources. You can authenticate your web app users for REST API access, so your app doesn't continue to ask for usernames and passwords.
Azure DevOps Services uses the OAuth 2.0 protocol to authorize your app for a user and generate an access token. Use this token when you call the REST APIs from your application. When you call Azure DevOps Services APIs for that user, use that user's access token. Access tokens expire, so refresh the access token if it's expired.
I would suggest to read this Authorize access to REST APIs with OAuth 2.0 document for the more explanation and detailed approach to achieve the result.
In case, if any required functionality is missing from the client libraries, MSAL is an alternative authentication mechanism to use with our REST APIs.
We have implemented authentication via OAuth 2 in Developer Portal of API Management and AAD within an internal network.
How should I go about implementing authorisation? I cannot find any doc from MS doc site :(.
https://tointegrationandbeyond.com/blogs/index.php/2020/06/13/authorization-with-azure-api-management/
https://www.cloudfronts.com/securing-an-api-using-oauth-2-0-in-azure-api-management-part-3-oauth-2-0-server-setup/
The API Management is a proxy to the backend APIs, it’s a good practice to implement security mechanism to provide an extra layer of security to avoid unauthorized access to APIs.
To use OAuth 2.0 authorization with Azure AD:
We need to have
• An API Management instance
• An API being published that uses the API Management instance
• An Azure AD tenant
And then we need to
Register an application (backend-app) in Azure AD to represent the API.
Register another application (client-app) in Azure AD to represent a client application that needs to call the API.
In Azure AD, grant permissions to allow the client-app to call the backend-app.
Configure the Developer Console to call the API using OAuth 2.0 user authorization.
Add the validate-jwt policy to validate the OAuth token for every incoming request.
Please check this reference docs for more clarification Protect API's using OAuth 2.0 in APIM
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
I have a .NET core application hosted on Azure App Service. The application is secured with Azure App Service Authentication.
I need to get an access token to access Microsoft Graph.
Since I have Azure App Service Authentication turned on, and all the users that access the web application should already be authenticated, I was wondering if it is possible to get the access token from /.auth/me or Request.Headers["x-ms-token-aad-access-token"].
I tried to follow the example posted on here
, where I configured my additionalLoginParams /config/authsettings to ["resource=https://graph.windows.net"] (or ["resource=https://graph.microsoft.com"] as per Rohit suggestion), which in turn should give me an access token to MS Graph either via /.auth/me on client side or Request.Headers["x-ms-token-aad-access-token"] on C#.
However I checked both server side and client side, and there were no access token found. Any idea what went wrong?
since this was tagged azure-gov I presume the App Service is running in Azure Government? If so, what AAD authority are you specifying in the authentication context or /config/authsettings when calling Graph? If it's in Azure Gov, and you're planning to authenticate Azure Gov users, the AAD authority should be login.microsoftonline.us. What was the HTTP response to the request?
Also, as others have mentioned there are two "Graph" APIs (Azure AD Graph and Microsoft Graph) available at the moment. Microsoft Graph will ultimately replace Azure AD Graph but for now either can be used.
The resource uri for AAD Graph in Azure Gov, for now, is the same as Azure Public: graph.windows.net.
The resource uri for Microsoft Graph in Azure Gov, however, is graph.microsoft.us compared to graph.microsoft.com in Azure Public.
I need to implement authentication for azure web api using azure active directory.
client app(which consumes webapi) may or may not be in azure. how i need to authenticate user, where i should generate token if my app is not in azure(if it is IOS app). authentication should work in all cases even if client app is in azure or not.
Please let me now the best procedure to implement authentication.
You need to define the client app in Azure AD as a native app in the case of a mobile app. Then you define the API there, and add your client permissions to access it. You can optionally customize the available permissions through the API app's manifest in Azure AD. Then when your mobile app opens, you would have to authenticate with Azure AD, and then request an access token for the API. That you can then use to authenticate requests.
I can't answer this question in too great detail because it is quite a large topic and how it is done also depends on your platform. There is a sample app that you can check which does exactly what you want. The whole list of examples for native apps can be found here.
App Service to use different authentication providers Azure Active Directory,Facebook,Google,Microsoft,Twitter.
We can set any type of Authentication/Authorization in the Azure Portal.More info about how to use authentication for API Apps in Azure App Service, please refer to document.
By default, App Service provides authentication but does not restrict authorized access to your site content and APIs. You must authorize users in your app code.