I have created a web application through visual studio and used the options to authenticate my user with Azure automatically.
I want to make requests to Azure as the application, how do i do this?
So far I've tried using restSharp and making requests but it is asking for headers.
(I've not posted any code as I'm not sure where to find the information)
You need a service principal.
Go to App Registrations, register an app, generate a secret, and then you can use that secret + app id, to get a token as the app.
The app registration will appear as an identity, so you can assign access to it.
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-add-azure-ad-app
If you are hosting your web app as an App Service, you can use Managed identity, it will basically create an identity together with your app service, and then at runtime, it will have the secrets inside of environment variables. So you don't need to do app registration or secrets management.
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
A good example of how the entire flow looks is the key vault guide. The app calls Azure services(or specifically key vault) as itself, not as an user that is using the app.
https://learn.microsoft.com/en-us/azure/key-vault/tutorial-net-create-vault-azure-web-app
Related
I secured my ASP.NET Core Azure Function App by modifying the configuration in Startup.cs and calling the Microsoft.Identity.Web's AddAuthentiction and AddMicrosoftIdentityWebApi extension methods on the services collection object (similar to the approach used in the AzureFunctions example in the Tests directory of the GitHub repo of Microsoft.Identity.Web). This allows me to securely call the Azure Function API from my Blazor Server app using Microsoft Identity Platform. The Azure Functions API does not call any downstream api.
This approach works perfectly fine without the need to enable the Authentication option under Function App - Setting in Azure Portal and specifying an identity provider there and linking it to an Azure AD app registration.
Does somebody know what does enabling authentication and adding an identity provider under settings of the Function App in the Azure Portal do compared to the manual configuration in Startup.cs? If I understand correctly, it does the same thing but implicitly instead of explicitly in the Startup.cs.
That option, sometimes referred as "Easy Auth" enables an additional container (or program) that will validate the token, so you don't have to. Request will first go to that middleware application and then, if validation passes, will go to your app.
For details see the docs page: https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
That option is common to the webapps and function apps. The code runs separately, so it's not part of your application middleware chain.
I have an Azure Function with an HTTP trigger that I am developing in Visual Studio 2019. The intention is to have another application call the Azure Function, which will then call the Microsoft Graph to do some changes on users and groups. I'm using the Azure Function to control what groups and users can be changed and to provide some business logic.
The function has an app registration in Azure, with an app secret so it can be protected. However I try to submit a POST to the Azure Function, it never works. I get a 404 when trying to use Postman. If I use the Code + Test section in Azure Functions of the portal, I get "Value cannot be null. (Parameter 'clientSecret')"
If I run the code locally and call it via Postman, it works, but of course there is no Azure authentication happening for this call.
I assume I have a authentication/configuration issue somewhere, but I do not know how to go about debugging it.
If you want to call .net Core Web API from other .net Core Web API projected by Azure AD, you use the OAuth 2.0 Client credentials flow.
Regarding how to configure it, please refer to the following steps:
Register the web app
Register APP
Create Client secrets
Configure permissions to access another web api. (I use Microsoft graph for test)
Configure an application to expose web APIs(Add scope for the api)
Register the client app
Register Function APP
Create Client secrets
Configure permissions to access web API
Configure known client applications for web API application
In the Azure portal, navigate to your Web api app registration and click on the Manifest section.
1.In the Azure portal, navigate to your Web api app registration and click on the Manifest section.
2.Find the property knownClientApplications and add the Client IDs of the client applications.
For more details you could refer to this article.
I'm not really sure what to call this but basically I have a service app that just serves up an API while occasional calling external APIs in the background to keep the data updated. Aside from authenticating to the external APIs there is no other authentication on this app.
Then, I have a front end app that uses the API of the service app to get data and display it to the user, and optionally modify some of the data. This app is setup to authenticate against Azure AD and has app roles setup to restrict access to various sections.
How would I secure the service app API so only calls from the front end app are served, and everything else gets rejected with 401?
You can protect the API by using OAuth with Azure AD. The below overview can help you out with your scenario:
Register an application in Azure AD to represent the API. Reference
Basically in this step, you will be making sure only the application (your app) who has permission can access the API.
Register another application in Azure AD to represent a client application.
Reference.
In this step, you are creating another application representing your app so that trust can be created between API and your app.
Grant permission in Azure AD. Reference.
In this step, you are giving permission to your app to access your API.
Make use of Client Credential flow to authenticate your app to your API. Reference.
In this step, you will be configuring your app with the information of Azure AD application of the API. Using that information, you will be retrieving access token and you need to pass this access token to your API.
Context:
I have an MVC application, which uses OWIN, and connects to Azure for authentication. It stores a token in the cookie.
I have another application that is an angular spa application. This also connects to Azure for authentication. It stores the token in localstorage. (msal library)
Issue:
When I login to the MVC app first and open the spa app and click on login it again asks for credentials and vice versa.
This is due to different storage I believe.
Question :
How can the above issue be resolved? If it's not possible,
is there any other js library that will allow me to solve this?
Other inputs:
Msal silent token works on local storage, no issue on that.
Make sure you register both applications under your B2C tenant. You can test your storage theory easily by publishing another MVC application and seeing if the SSO works between that application and your existing one.
Whether it's a single page angular application or an MVC application shouldn't affect whether the user can SSO into both of them. Ensure that the user is added in your AAD and if you want to be on the safe side you can add the user manually to both application.
Please see this relevant Github repository. https://azure.microsoft.com/en-us/resources/samples/active-directory-b2c-javascript-angular2-4-spa/
Ok, I have this scenario.
I have one WEB API which will provide functionality to an intranet application, the idea is this application WILL not be visible to the outside world, so it wont have a login page.
However, the web api will also be consumed by mobile apps outside the organization, so the webapi WILL be exposed via a public url.
How can I make the authentication/authorization here to support both scenarios?
1. Internal users will be able to consume the web api via the angular backend app without an explicit login page.
2. External users via the mobile app will consume the web api with their active directory account.
I found this:
https://stormpath.com/blog/token-authentication-asp-net-core
where I could easily replace the GetIdentity Method to go to Active Directory and check if user exists with that user and password, but on the intranet, I wont have that info.
ideas please?
The best way to handle such a scenario is to use HMAC Authentication as discussed here. This will allow easier access to the piblic endpoint without requirering some kind of a login from the mobile clients, while at the same time enabling you to know which mobile is acceessing your endpoint. This is the same workflow as implemented in External Auth services like login with google and facebook where you are given an apikey and a apisecret
YOU CAN FIND THE SOURCE CODE OF THE EXAMPLE USING ASP.NET HERE