I'm not really sure what to call this but basically I have a service app that just serves up an API while occasional calling external APIs in the background to keep the data updated. Aside from authenticating to the external APIs there is no other authentication on this app.
Then, I have a front end app that uses the API of the service app to get data and display it to the user, and optionally modify some of the data. This app is setup to authenticate against Azure AD and has app roles setup to restrict access to various sections.
How would I secure the service app API so only calls from the front end app are served, and everything else gets rejected with 401?
You can protect the API by using OAuth with Azure AD. The below overview can help you out with your scenario:
Register an application in Azure AD to represent the API. Reference
Basically in this step, you will be making sure only the application (your app) who has permission can access the API.
Register another application in Azure AD to represent a client application.
Reference.
In this step, you are creating another application representing your app so that trust can be created between API and your app.
Grant permission in Azure AD. Reference.
In this step, you are giving permission to your app to access your API.
Make use of Client Credential flow to authenticate your app to your API. Reference.
In this step, you will be configuring your app with the information of Azure AD application of the API. Using that information, you will be retrieving access token and you need to pass this access token to your API.
Related
I'm trying to achieve completely "serverless" status for my app with some simple CRUD operations, so my current approach is Blazor WASM on front-end and CosmosDB as records storage. I've configured AAD (Azure Active Directory) authentication in my Blazor App, and as for now, I'm wondering, if there is any way to to restrict CosmosDB client in Blazor to read only records which belongs to current user specifically (each record has UserId field)?
So, the main thing that I want to know, if it is possible at all?
Because I've found a plenty of different documentation, but because of lack of experience with Azure, I can't completely figure it out.
Thank you in advance!
P.S. The main solution I would like to approach - completely avoid any backend (API/servers/Azure Functions), because I really want to make it just Client App <-> CosmosDB, and AFAIK Firebase with JavaScript FrontEnd allows to do such a trick, but I'm interested in Azure-specific solution here
I don't have a simple walkthrough for Blazor, but overall the process would be similar to this guidance: Authenticate Users with an Azure Cosmos DB Document Database and Xamarin.Forms but it requires setup of an API service to broker the connections, which you specifically have asked to avoid.
If you didn't use an automated Resource Token Broker then in your logic somewhere you would need to store a map of somekind to resolve the Cosmos DB Resource Tokens for the logged in user.
In the following guidance, replace Xamarin with Blazor and Facebook with Azure AD:
On login, the Blazor WASM contacts Azure App Service to initiate an authentication flow.
Azure App Service performs an Open Auth flow with Azure AD. After the authentication flow completes, the Blazor WASM receives an access token.
The Blazor WASM uses the access token to request a resource token from the resource token broker.
The resource token broker uses the access token to request the user's identity from Azure AD. The user's identity is then used to request a resource token from Cosmos DB, which is used to grant read/write access to the authenticated user's partitioned collection.
The Blazor WASM uses the resource token to directly access Cosmos DB resources with the permissions defined by the resource token.
I have an Azure Function with an HTTP trigger that I am developing in Visual Studio 2019. The intention is to have another application call the Azure Function, which will then call the Microsoft Graph to do some changes on users and groups. I'm using the Azure Function to control what groups and users can be changed and to provide some business logic.
The function has an app registration in Azure, with an app secret so it can be protected. However I try to submit a POST to the Azure Function, it never works. I get a 404 when trying to use Postman. If I use the Code + Test section in Azure Functions of the portal, I get "Value cannot be null. (Parameter 'clientSecret')"
If I run the code locally and call it via Postman, it works, but of course there is no Azure authentication happening for this call.
I assume I have a authentication/configuration issue somewhere, but I do not know how to go about debugging it.
If you want to call .net Core Web API from other .net Core Web API projected by Azure AD, you use the OAuth 2.0 Client credentials flow.
Regarding how to configure it, please refer to the following steps:
Register the web app
Register APP
Create Client secrets
Configure permissions to access another web api. (I use Microsoft graph for test)
Configure an application to expose web APIs(Add scope for the api)
Register the client app
Register Function APP
Create Client secrets
Configure permissions to access web API
Configure known client applications for web API application
In the Azure portal, navigate to your Web api app registration and click on the Manifest section.
1.In the Azure portal, navigate to your Web api app registration and click on the Manifest section.
2.Find the property knownClientApplications and add the Client IDs of the client applications.
For more details you could refer to this article.
I have created a web application through visual studio and used the options to authenticate my user with Azure automatically.
I want to make requests to Azure as the application, how do i do this?
So far I've tried using restSharp and making requests but it is asking for headers.
(I've not posted any code as I'm not sure where to find the information)
You need a service principal.
Go to App Registrations, register an app, generate a secret, and then you can use that secret + app id, to get a token as the app.
The app registration will appear as an identity, so you can assign access to it.
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-add-azure-ad-app
If you are hosting your web app as an App Service, you can use Managed identity, it will basically create an identity together with your app service, and then at runtime, it will have the secrets inside of environment variables. So you don't need to do app registration or secrets management.
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
A good example of how the entire flow looks is the key vault guide. The app calls Azure services(or specifically key vault) as itself, not as an user that is using the app.
https://learn.microsoft.com/en-us/azure/key-vault/tutorial-net-create-vault-azure-web-app
Ok, I have this scenario.
I have one WEB API which will provide functionality to an intranet application, the idea is this application WILL not be visible to the outside world, so it wont have a login page.
However, the web api will also be consumed by mobile apps outside the organization, so the webapi WILL be exposed via a public url.
How can I make the authentication/authorization here to support both scenarios?
1. Internal users will be able to consume the web api via the angular backend app without an explicit login page.
2. External users via the mobile app will consume the web api with their active directory account.
I found this:
https://stormpath.com/blog/token-authentication-asp-net-core
where I could easily replace the GetIdentity Method to go to Active Directory and check if user exists with that user and password, but on the intranet, I wont have that info.
ideas please?
The best way to handle such a scenario is to use HMAC Authentication as discussed here. This will allow easier access to the piblic endpoint without requirering some kind of a login from the mobile clients, while at the same time enabling you to know which mobile is acceessing your endpoint. This is the same workflow as implemented in External Auth services like login with google and facebook where you are given an apikey and a apisecret
YOU CAN FIND THE SOURCE CODE OF THE EXAMPLE USING ASP.NET HERE
I am trialling Azure B2C Customer Preview and have configured a new application, set up policies e.t.c and I now want to write some integration tests that use a non-interactive flow to connect and interact with my protected WebApi services.
However, I have just read the following quote:
Daemons/Server Side Apps
Apps that contain long running processes or that operate without the
presence of a user also need a way to access secured resources, such
as Web APIs. These apps can authenticate and get tokens using the
app's identity (rather than a user's delegated identity) using the
OAuth 2.0 client credentials flow.
This flow is not currently supported by Azure AD B2C - which is to say
that apps can only get tokens after an interactive user flow has
occurred. The client credentials flow will be added in the near
future.
from this link which suggests that what I am trying to do is not yet possible. Can anyone from the Azure team tell me whether this information is up to date, and better yet a rough timescale for delivery on this feature?