I have created a API app in Azure portal. Then after I have configured Azure Active Directory and Facebook for Authentication/Authorization in Azure Portal (Portal -> My API APP -> Authentication / Authorization). Now my requirement is some API should be Allow Anonymous and other APIs should ask for Authentication either from Azure Active Directory or Facebook.
Same issues like my case: Question-1 Question-2
Please help !!
I think, your solution may benefit from using other authentication broker service called Azure Active Directory B2C. Basically, you configure the providers you want on the backend side, then integrate it into your application. Then, you are able to use mechanisms like policies, etc, in your app. For WebApp integration with AD B2C - tutorial.
I would do that in your situation because i believe that it would be better to offload authentication boilerplating to the backend instead of doing a lot of custom things in the application.
Other way of doing that would be to use custom attribute that will add the capabilities to authenticate, cache user information, authentication context (regarding your question about how to detect if someone is logged in) etc.
Related
I'm investigating Azure AD B2C as a possible auth service, which we want to use for user management and authentication. We have a web application, Web API which we can easily integrate with AAD B2C and migrate our current authentication and user management.
However, I did not find any solution how to authenticate mobile applications and integrate it with azuere ad b2c. Our mobile app communicates also with web api but it does not need any user login. These applications are tied to a tenant and every mobile app instance has an API key that is used to authenticate the mobile app on the backend.
Is it possible with azure ad b2c to achieve that kind of authentication, that we will generate API keys for our mobile apps and will use the same ad in azure like the normal users? Is possible with azure ad b2c or we should use another azure service?
What are the best practices in this area? It is similar to the backend to backend communication where API keys are used. Thx.
The normal way for such a scenario would be to use the client credentials flow, where you use your ClientID + ClientSecret for a silent login in order to get a non-personalized AccessToken.
Although it seems that this type of flow is currently not supported by AD B2C. Have a look here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/application-types#current-limitations
As an alternative, that page is refering to the client credentials flow of the Microsoft Identity Platform (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow).
I guess it now depends on the detailed requirements of your application whether it could be an option for you to use.
I want to Authenticate user using Azure AD.
I had application registration in Azure AD and everything is set up ,I am using Authentication link from Azure Portal Web app settings section.
According to Microsoft dcoumentation MSAL library is recommended
when to use MSAL library and when to use Azure Portal Authentication
Azure Portal => Settings=> Authentication.
Authentication link from Web App Azure Portal is Easy Auth.
It does not conflict with whether you use MSAL.
You can take a look at Why use the built-in authentication?.
An important reason is:
The built-in authentication feature for App Service and Azure
Functions can save you time and effort by providing out-of-the-box
authentication with federated identity providers, allowing you to
focus on the rest of your application.
When you enable Easy Auth, Azure will create an app registration which represents your web app. Any attempts to access your web app will require sign-in with your Azure AD account.
You can also use the app registration Azure created for you (or create your own app registration without enabling Easy Auth) to configure with MSAL. MSAL is a mature framework and you can find the following benefits here.
Easy Auth uses Implicit Flow by default to sign in. If your web app requires other auth flows (eg. auth code flow, client credentials flow), using MSAL would be a better choice.
I have a SaaS product, it has it's own cloud-based authentication, and it is hosted in Azure. This works for most of my customers, but supposing a customer has their own on-prem AD - is it possible my SaaS product (cloud-hosted, external to the customer's network) can swap out my own authentication for the AD? What technologies/APIs are available to me for this?
Further Context
This is a vue app (client-side) with a .Net back-end (.Net core API in Azure).
I'm currently using okta, I pass okta data from a login form, and it returns a token.
If I could do a straight swap with okta for AD instead and call off to the client's AD server and receive a token (on successful authentication) and then pass that token as part of every request as I do with okta, that would be ideal.
What I've Tried
I know Okta itself has options for single-sign-on with AD, but I don't see the need for Okta if it's only going to be used as a way of interfacing to my customer's AD server, I'd like to just go 'straight there' instead.
Okta is not required to do Azure AD authentication. I have successfully completed azure ad single sign-on authentication using MSAL in Angular and Python.
Go to your portal.azure.com -> Azure Active Directory -> APP Registration -> Select you app -> Quick Start -> Select programming language -> Click download the source code.
To understand the code, use this link https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-angular
As you mentioned. you have used on-premise code, use the same code for authentication, this below tutorial explains how to do authentication
https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-javascript-spa
I have an ASP .Net Core 2.2 Web API hosted as an Azure App Service. Then there is an Angular SPA which consumes this API, hosted on Azure Storage as a static website.
I am currently using Auth0 as our authentication and identity server. I am looking at replacing Auth0 with Azure, but I've spent a couple of days now trying to figure out what I should be doing and I am completely lost.
So, the purpose that Auth0 is currently serving, and which I would like Azure to serve instead, is to protect my Web API, as well as give it identity services so that the API knows which user is logged in. So when the front end makes a call to the API, Auth0 automatically redirects it to a login page. Here the user can log in using an existing account (including social accounts) or she can create a new account. Once logged in, Auth0 provides the front end with an access token. The front end then includes this access token in the header of every API call. The access token includes identity information which the API uses to know which user is making the call. All users are stored in Auth0. So when a new user uses the front end web app, Auth0 redirects them to the login screen, where they select "Sign Up", and create an account in Auth0. Any user can do this btw - it is a public web app which anyone can sign up and use.
So, when looking at using Azure instead of Auth0, what first confuses me is that there are various authentication services:
In the Azure portal, under my app service, under "Authentication / Authorization", there is a toggle switch labelled "App Service Authentication". If I turn this on, I can set up Authentication Providers.
In the Azure portal, there is Azure Active Directory, which I guess ties in with the above?
There is also Azure B2C.
What is the difference between Azure App Service Authentication and Azure B2C? Which one should I be using? What is the difference between points 1 and 2 above? Some examples I've seen use point 1 and some use point 2.
Sorry if this is a very vague question. I am just struggling to figure out in which direction to head. I found Auth0 quite simple, but unfortunately I cannot say the same about Azure authentication. I basically just want to figure out which Azure option would be best suited to replace Auth0 as I am using it now. Thanks
Azure B2C is the proper option to replace user authentication, however you would have to go with OWIN or another solution to actually provide application specific identity/authorization pipeline.
For public-facing site I would not go with straight up azure AD for customer logins, that’s targeted more towards enterprise customer with identities in federated, office365 or on prem Active Directory.
To be honest I’m surprised you’re planning on moving from auth0 to AAD. I’m thinking about doing the opposite.
I think the "replacement" would be using Identity Server, but there's no PaaS version for it on Azure. So you should go with Azure AD or Azure AD B2C.
If you want just to create users and groups you should use Azure AD. But if you have plans to enable 3rd party identities to access your app (such as Facebook, Google or Linkedin), then you should use Azure AD B2C. For more info, please read: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview
I need to implement authentication for azure web api using azure active directory.
client app(which consumes webapi) may or may not be in azure. how i need to authenticate user, where i should generate token if my app is not in azure(if it is IOS app). authentication should work in all cases even if client app is in azure or not.
Please let me now the best procedure to implement authentication.
You need to define the client app in Azure AD as a native app in the case of a mobile app. Then you define the API there, and add your client permissions to access it. You can optionally customize the available permissions through the API app's manifest in Azure AD. Then when your mobile app opens, you would have to authenticate with Azure AD, and then request an access token for the API. That you can then use to authenticate requests.
I can't answer this question in too great detail because it is quite a large topic and how it is done also depends on your platform. There is a sample app that you can check which does exactly what you want. The whole list of examples for native apps can be found here.
App Service to use different authentication providers Azure Active Directory,Facebook,Google,Microsoft,Twitter.
We can set any type of Authentication/Authorization in the Azure Portal.More info about how to use authentication for API Apps in Azure App Service, please refer to document.
By default, App Service provides authentication but does not restrict authorized access to your site content and APIs. You must authorize users in your app code.