Asked by:
Implement AD authentication in Web API 2

Question
-
User-590375999 posted
Hi,
I have implemented OWIN token-based authentication in ASP.NET Web API.
- The client will send username and password to request a token.
- The server will check the username and password in a SQL Server table; if it is a valid user, it sends a token to the client.
Now I need to check the username and password in Azure AD.
Wednesday, February 27, 2019 2:47 AM
All replies
-
User1724605321 posted
Hi sivapooja,
sivapooja
now i need to check the username and password in Azure AD
What you need is the Resource Owner flow:
But that flow is not recommended because of security problems. The preferred way is using the Code Flow, which will redirect the user to AAD's login page for entering their credentials:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
But users are managed by Azure AD, so you don't need to validate the credentials in your local database.
Best Regards,
Nan Yu
Wednesday, February 27, 2019 9:07 AM -
User-590375999 posted
This is my requirement.
I need to secure my web API with Azure AD authentication; client applications can be web clients (ASP.NET MVC app, Node.js app) or an Android app.
Wednesday, February 27, 2019 9:27 AM -
User-590375999 posted
Nan Yu
But users are managed by Azure AD, you don't need to validate the credentials in your local database.
I explained the current logic: I will receive the username and password from client apps, so I need to authenticate against AD.
Wednesday, February 27, 2019 9:38 AM -
User-590375999 posted
Hi,
Can you give a step-by-step tutorial URL that explains
- web API - AD auth implementation
- client app - web and native
Wednesday, February 27, 2019 10:01 AM -
User475983607 posted
You need to learn OAuth with Azure first.
https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-openid-connect-code
You'll be able to design a solution once you understand the different flows.
https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
Wednesday, February 27, 2019 11:50 AM -
User-590375999 posted
Hi mgebhard,
I have a few questions.
1. Should I register the web API and the client applications (MVC, Android) in Azure AD?
2. Which one is best for the above requirement (server: web API; clients: MVC, Android):
OpenID Connect (first link) or OAuth (2nd link)?
Wednesday, February 27, 2019 2:56 PM -
User475983607 posted
It's improbable that you learned OAuth in the 3 hours since my post.
sivapooja
1. Should I register web api and client application (mvc, Android) on azure ad?
It depends on your security needs, on what you are trying to secure and how. For example, is the calling user's identity needed in the Web API? Or is the fact that the web server is making the call enough? Reading the openly published documentation helps make these decisions.
sivapooja
2. Which one is best for above requirement ( server : web api, Client ( mvc, Android) OpenId Connect (first link) or Oauth (2nd link) ?
OAuth and OpenID Connect are protocols generally used together. The actual implementation is driven by your security requirements, which are unknown at this time. I recommend learning the different OAuth/OpenID Connect flows. This will help you find a solution.
Perhaps if you work on a team you can have a meeting and come up with security requirements.
Wednesday, February 27, 2019 3:12 PM -
User-590375999 posted
Hi,
I have clearly explained my requirements:
1. I need to secure the web API with Azure AD authentication.
2. The client retrieves a token and uses that token to request API methods.
Wednesday, February 27, 2019 3:41 PM -
User475983607 posted
sivapooja
Hi,
I have clearly explained my requirements
The fact that you think the requirements are clear indicates that you need to set aside time to learn the basics.
sivapooja
1. I need to secure the web api with azure ad authentication
There are a few ways to secure Web API resources: by the application identity, by delegating the user's identity, or both. Which of these approaches fits your needs? Also, it helps if you know exactly what you are trying to secure. I assume Web API is not the only resource that requires security?
sivapooja
2. Client retrive token and use that token to request api methods
What is the "client" or "clients" in your design? Is the client a machine, code, a browser? Maybe all of the above?
Once you figure out how your security is supposed to function and exactly what you are trying to secure, you can pick a flow from the Azure documentation linked above.
Resources
https://auth0.com/docs/api-auth/which-oauth-flow-to-use
http://docs.identityserver.io/en/latest/intro/big_picture.html
Wednesday, February 27, 2019 4:27 PM -
User1724605321 posted
Hi sivapooja,
Please refer to this document/code sample:
Calling a web API in a web app using Azure AD and OpenID Connect
Both the client app and the API app are protected by Azure AD.
Best Regards,
Nan Yu
Thursday, February 28, 2019 1:43 AM -
User-590375999 posted
Hi Nan Yu,
Discussed with my team and came to the following conclusion.
- Register the Web API in Azure AD.
- We don't want to register client applications in AD.
- The client sends username and password to the web API to request a token; the web API calls AD, retrieves the token and passes it to the client.
- The client adds the token information in the header of the API method call.
My question is: how will the server (web API) validate the token sent by the client and authorize?
Thursday, February 28, 2019 2:56 AM -
User1724605321 posted
Hi sivapooja,
You can use the token validation middleware to decode and validate the token:
    using System.Configuration;
    using Microsoft.Owin.Security.ActiveDirectory;
    using Owin;

    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            // Fetches the tenant's signing keys from its federation metadata, then
            // checks each bearer token's signature, issuer and lifetime and rejects
            // tokens whose audience is not this API.
            app.UseWindowsAzureActiveDirectoryBearerAuthentication(
                new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                {
                    Audience = ConfigurationManager.AppSettings["ida:Audience"],
                    Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
                });
        }
    }
And the related document below is for your reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-dotnet-webapi
Best Regards,
Nan Yu
Thursday, February 28, 2019 7:46 AM -
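Added here as an illustration, not code from the thread or from Microsoft's quickstart: the checks the middleware above performs on every bearer token, written out by hand with the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens NuGet packages (5.x or later, .NET Framework 4.6+ or .NET Core) so that each rejection is visible. A locally generated RSA key stands in for the tenant's published signing keys so the program runs offline; the issuer, audience, key ids and claim values are made-up placeholders.

```csharp
// Added example (not from the original thread): JWT bearer validation done by hand.
// Placeholders: Issuer, Audience, key ids and the "upn" claim value are invented.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class BearerTokenCheck
{
    // Assumed values. A real API takes the issuer and signing keys from the tenant's
    // OpenID Connect metadata document and the audience from its ida:Audience setting.
    const string Issuer = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/";
    const string Audience = "https://contoso.example/my-web-api";

    // Returns the validated principal, or null plus the exception name when rejected.
    public static ClaimsPrincipal Validate(string token, SecurityKey trustedKey, out string reason)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,             // must come from this tenant's STS
            ValidAudience = Audience,         // must be minted for this API, not for Graph
            IssuerSigningKey = trustedKey,    // signature must verify under a trusted key
            ValidateLifetime = true,          // nbf/exp enforced, with a small clock skew
            ClockSkew = TimeSpan.FromMinutes(2),
        };
        var handler = new JwtSecurityTokenHandler();
        handler.InboundClaimTypeMap.Clear();  // keep raw JWT claim names such as "upn"
        try
        {
            SecurityToken validated;
            var principal = handler.ValidateToken(token, parameters, out validated);
            reason = null;
            return principal;
        }
        catch (SecurityTokenException ex)
        {
            reason = ex.GetType().Name;       // e.g. SecurityTokenInvalidAudienceException
            return null;
        }
    }

    // Mints a signed JWT the way a test STS would; an API never does this itself.
    static string Mint(SecurityKey key, string audience, DateTime expires)
    {
        return new JwtSecurityTokenHandler().CreateEncodedJwt(new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = audience,
            Subject = new ClaimsIdentity(new[] { new Claim("upn", "alice@contoso.example") }),
            IssuedAt = expires.AddMinutes(-20),
            NotBefore = expires.AddMinutes(-20),
            Expires = expires,
            SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.RsaSha256),
        });
    }

    public static void Main()
    {
        using (var tenantRsa = new RSACryptoServiceProvider(2048))
        using (var rogueRsa = new RSACryptoServiceProvider(2048))
        {
            var tenantKey = new RsaSecurityKey(tenantRsa) { KeyId = "tenant-key-1" };
            var rogueKey = new RsaSecurityKey(rogueRsa) { KeyId = "rogue-key-1" };
            string why;

            // 1. Well-formed token for this API: accepted, claims available for authorization.
            var principal = Validate(Mint(tenantKey, Audience, DateTime.UtcNow.AddMinutes(10)), tenantKey, out why);
            Console.WriteLine("valid:          " + (principal != null ? principal.FindFirst("upn").Value : why));

            // 2. Token issued for another resource (e.g. Graph) must not be accepted here.
            Validate(Mint(tenantKey, "https://graph.microsoft.com/", DateTime.UtcNow.AddMinutes(10)), tenantKey, out why);
            Console.WriteLine("wrong audience: " + why);

            // 3. Expired token is rejected even though its signature is good.
            Validate(Mint(tenantKey, Audience, DateTime.UtcNow.AddMinutes(-10)), tenantKey, out why);
            Console.WriteLine("expired:        " + why);

            // 4. Token signed with a key the API does not trust is rejected.
            Validate(Mint(rogueKey, Audience, DateTime.UtcNow.AddMinutes(10)), tenantKey, out why);
            Console.WriteLine("untrusted key:  " + why);
        }
    }
}
```

The audience check is the one most often skipped: a token a user obtained for Graph (as in the ROPC request later in the thread, whose resource is graph.microsoft.com) has a valid signature and lifetime from the same tenant, yet must still be refused by an API whose audience is different, otherwise any token the user holds for any Microsoft service would unlock this API.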
User-590375999 posted
Hi,
I ran the code below from my web app but I am getting "Bad Request":
    using System.Collections.Generic;
    using System.Net.Http;
    using System.Threading.Tasks;
    using System.Web.Mvc;
    using Newtonsoft.Json.Linq;

    public async Task<ActionResult> GetToken()
    {
        using (HttpClient client = new HttpClient())
        {
            var tokenEndpoint = @"https://login.windows.net/xxxxxxxxx/oauth2/token";
            client.DefaultRequestHeaders.Add("Accept", "application/json");

            // Resource owner password credentials grant: the user's own password is
            // posted to the token endpoint. FormUrlEncodedContent builds and encodes
            // the body, so no newlines or spaces end up inside the parameter names.
            var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                { "resource", "https://graph.microsoft.com/" },
                { "client_id", "xxxxxxx" },
                { "grant_type", "password" },
                { "username", "xxxxxx" },
                { "password", "xxxxxx" },
                { "scope", "openid" },
            });

            using (var response = await client.PostAsync(tokenEndpoint, form))
            {
                var body = await response.Content.ReadAsStringAsync();
                if (response.IsSuccessStatusCode)
                {
                    var jsonresult = JObject.Parse(body);
                    var token = (string)jsonresult["access_token"];
                }
                else
                {
                    // On a 400 the endpoint returns JSON with "error" and
                    // "error_description" that say why the request was rejected.
                    var error = JObject.Parse(body);
                }
            }
        }
        return View();
    }
I received these registration details from the support team:
OAuth 2.0 authorization endpoint: https://login.microsoftonline.com/XXXXXXX/oauth2/v2.0/authorize
Application (client) ID: XXXXXXXX
Thursday, February 28, 2019 10:01 AM -
User475983607 posted
sivapooja
Hi Nan Yu,
Discussed with my team and come to the conclusion.
- Register Web APi in Azure AD.
- We don't want to register client applications in AD.
- Client send username and password to web api to request token , Web api call and retrieve the token from AD and pass it to Client.
- Client add the token information in the header of the API method call.
My question is how the server (web API) will validate the token send by client and authorize?
Your design is an Azure AD proxy. The API clients will not be able to validate the Azure AD token. One approach is to proxy user credentials (a security vulnerability) to the Azure AD services. On success, extract any claims needed by the API clients, then create a new token using your existing OWIN token design. Implementing refresh tokens, or really any other OAuth/OpenID Connect protocol feature, will require code updates to the API.
Another approach is implementing an External Login from Web API if you do not want to use Azure AD for SSO.
https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/external-authentication-services
Thursday, February 28, 2019 1:53 PM -
User-590375999 posted
Hi,
mgebhard
Another approach is implementing an External Login from Web API if you do not want to use Azure AD for SSO.
I should use Azure AD.
OK, I can convince my team to register the client application in Azure AD. In this case, which flow is suitable? Can I register an Android application as a client in Azure? If possible, can you provide the tutorial for how an Android app authenticates with Azure AD?
Thursday, February 28, 2019 2:34 PM -
User753101303 posted
Hi,
A forum for the mobile development platform you are using would be better. If using Xamarin, try perhaps https://blog.xamarin.com/put-adal-xamarin-forms/
Thursday, February 28, 2019 2:48 PM -
User-590375999 posted
Hi mgebhard,
Is the following approach suitable for my requirement?
https://azure.microsoft.com/en-us/resources/samples/active-directory-angularjs-singlepageapp-dotnet-webapi/
I need to secure my web app with Azure AD; client apps (MVC, SPA, Android) need to consume the web API.
Thursday, February 28, 2019 2:57 PM -
User475983607 posted
sivapooja
Hi mgebhard,
Is the following approach is suitable for my requirement?
https://azure.microsoft.com/en-us/resources/samples/active-directory-angularjs-singlepageapp-dotnet-webapi/
I need to secure my web app with azure ad, client apps (mvc, spa, andriod) need consume web api
ADAL JS uses the implicit grant, which is the least secure grant type and is only recommended for use in JavaScript (code that runs in the browser) applications. The implicit grant is not suitable, IMHO, for MVC, Web API, or device (Android) applications. This information is clearly and openly published in the linked documentation above. Aside from the grant type issues, ADAL JS is used in an Angular application and is only relevant in a SPA application that implements Angular.
IMHO, there is no way to design an OAuth/OpenID Connect solution without understanding the protocol. I recommend hiring an expert to help you get through the tech if you do not have the time to learn the fundamentals.
Thursday, February 28, 2019 4:28 PM -
User1724605321 posted
Hi sivapooja,
sivapooja
Ok i can convince my team to register the Client application on Azure AD, In this case which flow is suitable. Can i register android application as client in azure, if possible then can you provide the tutorial that Android App authenticate over azure ad.
The Azure Active Directory Authentication Library (ADAL) v1.0 enables application developers to authenticate users to cloud or on-premises Active Directory (AD) and obtain tokens for securing API calls:
Each platform should have a document and code sample provided.
Best Regards,
Nan Yu
Friday, March 1, 2019 1:41 AM