I have a native client (console app) from where I am trying to access a WebAPI. The API has been authenticated using Azure AAD. So, in order to acquire a token using the method AuthenticationContext.AcquireToken(), ClientCredentials are needed which in turn need the "client secret" that one is supposed to receive from Azure while registering the application to Azure AAD. Is there any other way for me to be able to retrieve the access token to access the WebAPI?
If you want to call the WebAPI on behalf of (or "as") the current user then you can use the Resource Owner Credentials flow. Otherwise, the client credential flow you described is the appropriate solution.
Note that your client app should be registered separately from your WebAPI in AAD.
Related
I am using Azure B2C in my react SPA to sign in the user with external identity providers e.g. Google and Facebook. I have some .net core web API that needs to be called by signed-in users only. I have followed Azure documents for my scenario. As per the docs, I need to register another AD B2C application for web API security and my client app needs to acquire the token with the scope defined in the server-side AD app and pass that token while calling the web API.
Why can't I use the same access token received from azure AD B2C as part of the sign-in flow to pass it to my web API and validate it on the server side to secure the Web API? In that case, I don't need to create another server-side AD application for securing the API.
You can, but it’s simply against the protocol spec. Each client needs to be registered and have a unique client Id/AppId.
Plus if you do it with one App Registration, your logs would never differentiate access to your front end vs access to your api.
I want to create an Azure Web Application that can authenticate an external/internal (from any Organization) user upon opening the Web Application link through Azure AD Credentials and acquire its Access token in return.
I want to use that Access Token to programmatically create an application registration in User's tenant.
First, you need to register an application and set it as a multi-tenant application, then use the auth code flow to authenticate the user and obtain an access token.
Next, you need to use the access token to call the MS graph api to create an application, because you are using the auth code flow to obtain the token, so you need to grant delegation permissions to the application.
see: sample.
I secure my nodeJs API with Azure B2C. I have two web application which accesses my API.
the two Web application has its own application Id in Azure B2C. Also, those can generate access_token with B2C.
But when I validate those access_token in my API I have to put application id of the web application witch generate the access_token as an audience.
But the audience does not support array. I can only put one application id.
How do I solve this?
If I secure an API with B2C I only can make requests from one web application?
The audience (aud) claim for an access token identifies the intended recipient (i.e. the API application) of the access token.
At a high-level, you must:
Register the API application in order for any client application to acquire an access token for use with the API application.
Grant access by one or more client applications to the API application.
Configure the application identifier for the API application as the expected audience for the API middleware.
The Azure AD B2C: Requesting access tokens article describes how a client application can acquire an access token for use with an API application.
i need to get Azure token in my app (C#) to perform Graph API operations on users, but without sign in all the time when app invoked (app must be full automate, working in timer job) so i have a question how to made process of token acquiring fully automate (without user)?
All that I found about this topic:
Get access without a user
But I failed to recreate it.
The OAuth2 flow you are describing is called the "Client Credentials Grant" and is in detail described here.
In short it is relevant in this case and works like this:
First, user interaction is not possible with a daemon application,
which requires the application to have its own identity. An example of
a daemon application is a batch job, or an operating system service
running in the background. This type of application requests an access
token by using its application identity and presenting its Application
ID, credential (password or certificate), and application ID URI to
Azure AD. After successful authentication, the daemon receives an
access token from Azure AD, which is then used to call the web API.
Have a look at this implementation to see how it is done in code.
Using OAuth On-Behalf-Of works exactly what you describe. Which On-Behalf-Of method, there is no user interaction to obtain the user's consent to access to the downstream API (e.g. Graph API). In other words, the user identity & permission is silently delegated in a full request chain. In a real-world corporate environment, your app would be normally authenticated by another identity provider (e.g. Active Directory) not Azure AD, which after then requests authorization to Azure AD OAuth endpoint.
When requesting access token, you must set its type is requested_token_use=on_behalf_of
Here is reference to POST to the endpoint https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-on-behalf-of
Here is the reference of SSO authentication with OAuth On-Behalf-Of https://learn.microsoft.com/en-us/outlook/add-ins/authenticate-a-user-with-an-sso-token
My structure of application is Web app calls a WebAPI(lets call it apiA) and that calls another api (lets call it apiB). Now, Web app authenticates the calls via AAD JWT tokens. So, that token would be created for apiA. But I want the api call to apiB to be as the logged in user and dont want to use client secrets etc.
So, in nutshell wants to impersonate the user and get a token for apiB from the token created for apiA or may be if possible have a token which can be good for both apiA and apiB. So, I dont have to get a new token.
Is there any way to do this?
You could try OAuth 2.0 On-Behalf-Of flow to delegate the user’s identity and authenticate to the second-tier web API. Please refer to document :
For the scenario when a server application needs to call a web API, it’s helpful to use an example. Imagine that a user has authenticated on a native application, and this native application needs to call a web API. Azure AD issues a JWT access token to call the web API. If the web API needs to call another downstream web API, it can use the on-behalf-of flow to delegate the user’s identity and authenticate to the second-tier web API.
Please click here for more details about service to service calls using delegated user identity in the On-Behalf-Of flow .