Implement AD authentication in Wep API 2

Question

User-590375999 posted

Hi, 

I have implemented OWIN token based authentication in ASP.NET Web API.

1. Client will send username and password to request token.
2. Server will check username password in sql server table, if valid user then send token to the client.

now i need to check the username and password in Azure AD.

Answer 1

User1724605321 posted

Hi sivapooja ,

now i need to check the username and password in Azure AD

What you need is Resource owner flow :

https://blogs.msdn.microsoft.com/wushuai/2016/09/25/resource-owner-password-credentials-grant-in-azure-ad-oauth/ 

But that flow is not recommend because of security problem . The prefer way is using the Code Flow which will redirect user to AAD's login page for entering their credentials :

https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code 

But users are manged by Azure AD , You don't need to validate the credentials in your local database .

Best Regards,

Nan Yu

Answer 2

User-590375999 posted

 This is my requirement.

I need to secure my web api with azure ad authentication, client applications can be Web client ( asp.net mvc app, nodejs app ), android app.

Answer 3

User-590375999 posted

But users are manged by Azure AD , You don't need to validate the credentials in your local database .

I explained the current logic, i will receive username and password from client apps so i need to authenticate against ad 

Answer 4

User-590375999 posted

Hi,

Can you give step by step tutorial url that explains

1. web api - ad auth implementation
2. client app - web and native

https://blogs.msdn.microsoft.com/wushuai/2016/09/25/resource-owner-password-credentials-grant-in-azure-ad-oauth/ 

Answer 5

User475983607 posted

You need to learn OAuth with Azure first.

https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-openid-connect-code

You'll be able to design a solution once you understand the different flows.

https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code

Answer 6

User-590375999 posted
Hi mgebhard,
I have few questions
1. Should I register web api and client application (mvc, Android) on azure ad?

2. Which one is best for above requirement ( server : web api, Client ( mvc, Android)
OpenId Connect (first link) or Oauth (2nd link) ?

Answer 7

User475983607 posted

It's improbable that you learned OAuth in the 3 hours since my post.

1. Should I register web api and client application (mvc, Android) on azure ad?

It depends on your security needs and what you are trying to secure and how.  For example, is the calling user's identity needed in Web API?  Or the fact that the web server is making the call is enough?  Reading the openly published documentation helps make these decisions.

2. Which one is best for above requirement ( server : web api, Client ( mvc, Android)
OpenId Connect (first link) or Oauth (2nd link) ?

OAuth/Open Id Connect are protocols generally used together.  The actual implementation is driven by your security requirements which are unknown at this time.  I recommend learning the different OAuth/Open Id Connect flows.  This will help you to find a solution.

Perhaps if you work on a team you can have a meeting and come up with security requirements.

Answer 8

User-590375999 posted
Hi,
I have clearly explained my requirements

1. I need to secure the web api with azure ad authentication
2. Client retrive token and use that token to request api methods

Answer 9

User475983607 posted

sivapooja

Hi,
I have clearly explained my requirements

The fact that you think the requirements are clear indicates that you need to set aside time to learn the basics.

sivapooja

1. I need to secure the web api with azure ad authentication

There a few ways to secure Web API resources either by the application identity, delegating the user's identity, or both.  Which of these approaches fits your needs?  Also it helps if you know exactly what you are trying to secure. I assume Web API is not the only resource that requires security?

sivapooja

2. Client retrive token and use that token to request api methods

What is the "client" or "clients" in your design?  Is the client a machine, code, a browser?  Maybe all of the above?

Once you figure out how your security is supposed to function and exactly what you are trying to secure, you can pick a flow from the Azure documentation linked above.

Resources

https://auth0.com/docs/api-auth/which-oauth-flow-to-use

http://docs.identityserver.io/en/latest/intro/big_picture.html

Answer 10

User1724605321 posted

Hi sivapooja ,

Please refer to document/code sample :

Calling a web API in a web app using Azure AD and OpenID Connect

Both client app and api app are protected by Azure AD  .

Best Regards,

Nan Yu

Answer 11

User-590375999 posted

Hi Nan Yu,

Discussed with my team and come to  the conclusion.

1. Register Web APi in Azure AD.
2. We don't want to register client applications in AD.
3. Client send username and password to web api to request token , Web api call and retrieve the token from AD and pass it to Client.
4. Client add the token information in the header of the API method call.

My question is how the server (web API) will validate the token send by client and authorize?

Answer 12

User1724605321 posted

Hi sivapooja,

You can use token validate middleware to decode and validate the token :

  app.UseWindowsAzureActiveDirectoryBearerAuthentication(
                new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                {
                    Audience = ConfigurationManager.AppSettings["ida:Audience"],
                    Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
                    
                });

And related document below is for your reference :

https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-dotnet-webapi 

Best Regards,

Nan Yu

Answer 13

User-590375999 posted

Hi,

i run the below code from my web app but i am getting "Bad Request"

   using (HttpClient client = new HttpClient())
            {
                var tokenEndpoint = @"https://login.windows.net/xxxxxxxxx/oauth2/token";
                var accept = "application/json";

                client.DefaultRequestHeaders.Add("Accept", accept);
                string postBody = @"resource=https%3A%2F%2Fgraph.microsoft.com%2F
  &client_id=xxxxxxx
  &grant_type=password
  &username=xxxxxx
  &password=xxxxxx
  &scope=openid";

                using (var response = await client.PostAsync(tokenEndpoint, new StringContent(postBody, Encoding.UTF8, "application/x-www-form-urlencoded")))
                {
                    if (response.IsSuccessStatusCode)
                    {
                        var t = await response.Content.ReadAsStringAsync();
                        var jsonresult = JObject.Parse(await response.Content.ReadAsStringAsync());
                        var toekn = (string)jsonresult["access_token"];
                    }
                }
            }

            return View();
        }

i receive this registration details from support team

OAuth 2.0 authorization endpoint:

https://login.microsoftonline.com/XXXXXXX/oauth2/v2.0/authorize 

Application (client) ID:

XXXXXXXX

Answer 14

User475983607 posted

sivapooja

Hi Nan Yu,

Discussed with my team and come to  the conclusion.

1. Register Web APi in Azure AD.
2. We don't want to register client applications in AD.
3. Client send username and password to web api to request token , Web api call and retrieve the token from AD and pass it to Client.
4. Client add the token information in the header of the API method call.

My question is how the server (web API) will validate the token send by client and authorize?

Your design is an Azure AD proxy.  The API clients will not be able to validate the Azure AD token.  One approach is to proxy user credentials (security vulnerability) to the Azure AD services.  On success, extract any claims needed by the API clients then create a new token using your existing OWIN token design.  Implementing refresh token or really any other OAuth/Open ID connect protocol will require code updates to the API.  

Another approach is implementing an External Login from Web API if you do not want to use Azure AD for SSO.

https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/external-authentication-services

Answer 15

User-590375999 posted

Hi,

Another approach is implementing an External Login from Web API if you do not want to use Azure AD for SSO.

I should use Azure AD, 

Ok i can convince my team to register the Client application on Azure AD, In this case which flow is suitable. Can i register android application as client in azure, if possible then can you provide the tutorial that Android App authenticate over azure ad.

Answer 16

User753101303 posted

Hi,

A forum for the mobile development platform you are using would be better. If using Xamarin try perhaps https://blog.xamarin.com/put-adal-xamarin-forms/ 

Answer 17

User-590375999 posted

Hi mgebhard,<br>
Is the following approach is suitable for my requirement?<br>
<br>
https://azure.microsoft.com/en-us/resources/samples/active-directory-angularjs-singlepageapp-dotnet-webapi/<br>
<br>
I need to secure my web app with azure ad, client apps (mvc, spa, andriod) need consume web api<br>

Answer 18

User475983607 posted

sivapooja

Hi mgebhard,
Is the following approach is suitable for my requirement?<br>

https://azure.microsoft.com/en-us/resources/samples/active-directory-angularjs-singlepageapp-dotnet-webapi/<br>

I need to secure my web app with azure ad, client apps (mvc, spa, andriod) need consume web api

ADAL JS uses the implicit grant is the least secure grant type and only recommended for use in JavaScript (code that runs in the browser) applications.  The implicit grant is not suitable, IMHO, for MVC, Web API, or Device (android) applications.  This information is clearly and openly published in the linked documentation above.  Aside form the grant type issues ADAL is used in an Angular application and only relevant in a SPA application that implements Angular. 

IMHO, there is no way to design an OAuth/Open ID Connect solution without understanding the protocol.  I recommended hiring an expert to help you get through the tech if you do not have the time to learn the fundamentals.

Answer 19

User1724605321 posted

Hi sivapooja ,

Ok i can convince my team to register the Client application on Azure AD, In this case which flow is suitable. Can i register android application as client in azure, if possible then can you provide the tutorial that Android App authenticate over azure ad.

The Azure Active Directory Authentication Library (ADAL) v1.0 enables application developers to authenticate users to cloud or on-premises Active Directory (AD), and obtain tokens for securing API calls :

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries 

Each platform should have document and code sample provide .

Best Regards,

Nan Yu