Implement AD authentication in Web API 2

  • Question

  • User-590375999 posted

    Hi,

    I have implemented OWIN token-based authentication in ASP.NET Web API.

    1. The client will send the username and password to request a token.
    2. The server will check the username and password in a SQL Server table; if the user is valid, it sends a token to the client.

    Now I need to check the username and password in Azure AD.

    Wednesday, February 27, 2019 2:47 AM

All replies

  • User1724605321 posted

    Hi sivapooja,

    Now I need to check the username and password in Azure AD

    What you need is the Resource Owner flow:

    https://blogs.msdn.microsoft.com/wushuai/2016/09/25/resource-owner-password-credentials-grant-in-azure-ad-oauth/

    But that flow is not recommended because of security problems. The preferred way is using the Code Flow, which will redirect the user to AAD's login page to enter their credentials:

    https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code

    But users are managed by Azure AD; you don't need to validate the credentials in your local database.

    Best Regards,

    Nan Yu

    Wednesday, February 27, 2019 9:07 AM
  • User-590375999 posted

    This is my requirement.

    I need to secure my Web API with Azure AD authentication; client applications can be web clients (ASP.NET MVC app, Node.js app) or an Android app.

    Wednesday, February 27, 2019 9:27 AM
  • User-590375999 posted

    But users are managed by Azure AD; you don't need to validate the credentials in your local database.

    I explained the current logic: I will receive the username and password from the client apps, so I need to authenticate against AD.

    Wednesday, February 27, 2019 9:38 AM
  • User-590375999 posted

    Hi,

    Can you give a step-by-step tutorial URL that explains

    1. Web API - AD auth implementation
    2. Client app - web and native

    Wednesday, February 27, 2019 10:01 AM
  • User475983607 posted

    You need to learn OAuth with Azure first.

    https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-openid-connect-code

    You'll be able to design a solution once you understand the different flows.

    https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code

    Wednesday, February 27, 2019 11:50 AM
  • User-590375999 posted
    Hi mgebhard,

    I have a few questions.

    1. Should I register the Web API and the client applications (MVC, Android) in Azure AD?

    2. Which one is best for the above requirement (server: Web API; clients: MVC, Android):
    OpenID Connect (first link) or OAuth (second link)?

    Wednesday, February 27, 2019 2:56 PM
  • User475983607 posted

    It's improbable that you learned OAuth in the 3 hours since my post.

    1. Should I register web api and client application (mvc, Android) on azure ad?

    It depends on your security needs and what you are trying to secure and how.  For example, is the calling user's identity needed in Web API?  Or the fact that the web server is making the call is enough?  Reading the openly published documentation helps make these decisions.

    2. Which one is best for above requirement ( server : web api, Client ( mvc, Android)
    OpenId Connect (first link) or Oauth (2nd link) ?

    OAuth/Open Id Connect are protocols generally used together.  The actual implementation is driven by your security requirements which are unknown at this time.  I recommend learning the different OAuth/Open Id Connect flows.  This will help you to find a solution.

    Perhaps if you work on a team you can have a meeting and come up with security requirements.

    Wednesday, February 27, 2019 3:12 PM
  • User-590375999 posted
    Hi,

    I have clearly explained my requirements.

    1. I need to secure the Web API with Azure AD authentication.
    2. The client retrieves a token and uses that token to request API methods.

    Wednesday, February 27, 2019 3:41 PM
  • User475983607 posted

    sivapooja

    Hi,
    I have clearly explained my requirements

    The fact that you think the requirements are clear indicates that you need to set aside time to learn the basics.

    sivapooja

    1. I need to secure the web api with azure ad authentication

    There a few ways to secure Web API resources either by the application identity, delegating the user's identity, or both.  Which of these approaches fits your needs?  Also it helps if you know exactly what you are trying to secure. I assume Web API is not the only resource that requires security?

    sivapooja

    2. The client retrieves a token and uses that token to request API methods

    What is the "client" or "clients" in your design?  Is the client a machine, code, a browser?  Maybe all of the above?

    Once you figure out how your security is supposed to function and exactly what you are trying to secure, you can pick a flow from the Azure documentation linked above.

    Resources

    https://auth0.com/docs/api-auth/which-oauth-flow-to-use

    http://docs.identityserver.io/en/latest/intro/big_picture.html

    Wednesday, February 27, 2019 4:27 PM
  • User1724605321 posted

    Hi sivapooja ,

    Please refer to document/code sample :

    Calling a web API in a web app using Azure AD and OpenID Connect

    Both client app and api app are protected by Azure AD  .

    Best Regards,

    Nan Yu

    Thursday, February 28, 2019 1:43 AM
  • User-590375999 posted

    Hi Nan Yu,

    Discussed with my team and came to the following conclusion.

    1. Register the Web API in Azure AD.
    2. We don't want to register the client applications in AD.
    3. The client sends the username and password to the Web API to request a token; the Web API calls AD, retrieves the token and passes it to the client.
    4. The client adds the token information in the header of the API method call.

    My question is: how will the server (Web API) validate the token sent by the client and authorize it?

    Thursday, February 28, 2019 2:56 AM
  • User1724605321 posted

    Hi sivapooja,

    You can use the token validation middleware to decode and validate the token:

    // Startup.Auth.cs: validates the bearer token's signature, audience and tenant issuer
    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            Audience = ConfigurationManager.AppSettings["ida:Audience"],
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
        });

    And the related document below is for your reference:

    https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-dotnet-webapi

    Best Regards,

    Nan Yu

    Thursday, February 28, 2019 7:46 AM
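As an added example (not code from this thread), here is the middleware from the reply above in a complete Web API 2 OWIN startup, together with a controller that reads the claims of a token the middleware has already validated. It assumes the appSettings keys ida:Audience and ida:Tenant from the snippet and the Microsoft.Owin.Security.ActiveDirectory and Microsoft.AspNet.WebApi.Owin packages; TokenValidationDemo and MeController are hypothetical names.

```csharp
using System.Configuration;
using System.Linq;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;
[assembly: OwinStartup(typeof(TokenValidationDemo.Startup))]
namespace TokenValidationDemo
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // The middleware fetches the tenant's signing keys from its federation metadata and
            // rejects any bearer token whose signature, issuer (tenant), audience or validity
            // window does not match, so the controller below only ever sees validated tokens.
            app.UseWindowsAzureActiveDirectoryBearerAuthentication(
                new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                {
                    Audience = ConfigurationManager.AppSettings["ida:Audience"], // the API's App ID URI
                    Tenant = ConfigurationManager.AppSettings["ida:Tenant"]      // tenant id or domain
                });

            var config = new HttpConfiguration();
            // Require a validated token on every action unless it is marked [AllowAnonymous].
            config.Filters.Add(new AuthorizeAttribute());
            config.MapHttpAttributeRoutes();
            app.UseWebApi(config);
        }
    }

    public class MeController : ApiController
    {
        // Called as GET /api/me with "Authorization: Bearer <token>" in the request header.
        [Route("api/me")]
        public IHttpActionResult Get()
        {
            var user = (ClaimsPrincipal)User;
            // Claim types found in Azure AD v1 tokens; the object id is the stable key for the user.
            var objectId = user.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
            var upn = user.FindFirst(ClaimTypes.Upn)?.Value;
            var scopes = user.Claims
                .Where(c => c.Type == "http://schemas.microsoft.com/identity/claims/scope")
                .Select(c => c.Value);
            return Ok(new { objectId, upn, scopes });
        }
    }
}
```

A request without a token, or with a token issued for another audience or tenant, is answered with 401 by the middleware and the authorize filter before the action runs.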
  • User-590375999 posted

    Hi,

    I run the below code from my web app, but I am getting "Bad Request".

    using System.Net.Http;
    using System.Text;
    using System.Threading.Tasks;
    using System.Web.Mvc;
    using Newtonsoft.Json.Linq;

    public async Task<ActionResult> GetToken()
    {
        using (HttpClient client = new HttpClient())
        {
            var tokenEndpoint = @"https://login.windows.net/xxxxxxxxx/oauth2/token";
            var accept = "application/json";

            client.DefaultRequestHeaders.Add("Accept", accept);
            // Verbatim string: the line breaks and leading spaces below are sent as part of the form body
            string postBody = @"resource=https%3A%2F%2Fgraph.microsoft.com%2F
      &client_id=xxxxxxx
      &grant_type=password
      &username=xxxxxx
      &password=xxxxxx
      &scope=openid";

            using (var response = await client.PostAsync(tokenEndpoint,
                new StringContent(postBody, Encoding.UTF8, "application/x-www-form-urlencoded")))
            {
                if (response.IsSuccessStatusCode)
                {
                    // Read the body once and pick the access token out of the JSON response
                    var json = await response.Content.ReadAsStringAsync();
                    var jsonresult = JObject.Parse(json);
                    var token = (string)jsonresult["access_token"];
                }
            }
        }

        return View();
    }

    I received these registration details from the support team:

    OAuth 2.0 authorization endpoint:
    https://login.microsoftonline.com/XXXXXXX/oauth2/v2.0/authorize

    Application (client) ID:
    XXXXXXXX

    Thursday, February 28, 2019 10:01 AM
  • User475983607 posted

    sivapooja

    Hi Nan Yu,

    Discussed with my team and came to the following conclusion.

    1. Register the Web API in Azure AD.
    2. We don't want to register the client applications in AD.
    3. The client sends the username and password to the Web API to request a token; the Web API calls AD, retrieves the token and passes it to the client.
    4. The client adds the token information in the header of the API method call.

    My question is: how will the server (Web API) validate the token sent by the client and authorize it?

    Your design is an Azure AD proxy.  The API clients will not be able to validate the Azure AD token.  One approach is to proxy user credentials (security vulnerability) to the Azure AD services.  On success, extract any claims needed by the API clients then create a new token using your existing OWIN token design.  Implementing refresh token or really any other OAuth/Open ID connect protocol will require code updates to the API.

    Another approach is implementing an External Login from Web API if you do not want to use Azure AD for SSO.

    https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/external-authentication-services

    Thursday, February 28, 2019 1:53 PM
  • User-590375999 posted

    Hi,

    Another approach is implementing an External Login from Web API if you do not want to use Azure AD for SSO.

    I should use Azure AD.

    OK, I can convince my team to register the client application in Azure AD. In this case, which flow is suitable? Can I register an Android application as a client in Azure? If possible, can you provide a tutorial on how an Android app authenticates over Azure AD?

    Thursday, February 28, 2019 2:34 PM
  • User753101303 posted

    Hi,

    A forum for the mobile development platform you are using would be better. If using Xamarin try perhaps https://blog.xamarin.com/put-adal-xamarin-forms/ 

    Thursday, February 28, 2019 2:48 PM
  • User-590375999 posted

    Hi mgebhard,

    Is the following approach suitable for my requirement?

    https://azure.microsoft.com/en-us/resources/samples/active-directory-angularjs-singlepageapp-dotnet-webapi/

    I need to secure my web app with Azure AD; client apps (MVC, SPA, Android) need to consume the Web API.

    Thursday, February 28, 2019 2:57 PM
  • User475983607 posted

    sivapooja

    Hi mgebhard,
    Is the following approach suitable for my requirement?

    https://azure.microsoft.com/en-us/resources/samples/active-directory-angularjs-singlepageapp-dotnet-webapi/

    I need to secure my web app with Azure AD; client apps (MVC, SPA, Android) need to consume the Web API.

    ADAL JS uses the implicit grant, which is the least secure grant type and only recommended for use in JavaScript (code that runs in the browser) applications.  The implicit grant is not suitable, IMHO, for MVC, Web API, or Device (android) applications.  This information is clearly and openly published in the linked documentation above.  Aside from the grant type issues, ADAL is used in an Angular application and only relevant in a SPA application that implements Angular.

    IMHO, there is no way to design an OAuth/Open ID Connect solution without understanding the protocol.  I recommended hiring an expert to help you get through the tech if you do not have the time to learn the fundamentals.

    Thursday, February 28, 2019 4:28 PM
  • User1724605321 posted

    Hi sivapooja,

    OK, I can convince my team to register the client application in Azure AD. In this case, which flow is suitable? Can I register an Android application as a client in Azure? If possible, can you provide a tutorial on how an Android app authenticates over Azure AD?

    The Azure Active Directory Authentication Library (ADAL) v1.0 enables application developers to authenticate users to cloud or on-premises Active Directory (AD) and obtain tokens for securing API calls:

    https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries

    Each platform should have a document and code sample provided.

    Best Regards,

    Nan Yu

    Friday, March 1, 2019 1:41 AM