Secure ASP.Net Web API (Not MVC) using Azure AD.

  • Question

  • User589811098 posted

    Hi All,

    Need some pointers on below implementation.

    1. Enable Azure AD authentication for asp.net web application (Not MVC or core)
    2. store id token, post authentication and refresh the token if expired
    3. create a classic asp.net web api (not MVC or Core)
    4. enable azure ad authentication for the web api created in step 2
    5. create access token storage and refresh mechanism to access azure hosted API from asp.net web app created in step 1

    Thank you.

    Monday, October 12, 2020 11:36 AM

All replies

  • User475983607 posted

    Enable Azure AD authentication for asp.net web application (Not MVC or core)

    This information is covered in the official documentation. Let me warn you, you have a lot of reading to do in the near future.

    https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-overview

    https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad

    store id token, post authentication and refresh the token if expired

    You've decided to go with OAuth/OIDC. The next step is deciding the type of clients that will use the authentication services. This step determines the security flow(s) the token server supports. Keep in mind, it's the client's responsibility to store tokens and pass the tokens to secured Web API endpoints.

    • create a classic asp.net web api (not MVC or Core)
    • enable azure ad authentication for the web api created in step 2

    Basically, the client authenticates with Azure AD and retrieves a token.  The client passes the token to your Web API application.  The Web API application validates the token.  The Web API application can validate the token because it trusts the Azure AD service.  This is accomplished by configuration and registration and the security flow you decided to implement.

    create access token storage and refresh mechanism to access azure hosted API from asp.net web app created in step 1

    Azure AD can create refresh tokens if configured to do so. Generally, a token is related to the current Session and cached in running code. If you have token storage requirements like persisting a refresh token then it is up to you to design and write this code that works with the client.

    I recommend learning OAuth/OIDC basics before moving forward. A firm understanding of OAuth/OIDC is required before making security design decisions. The typical steps are identifying the client(s), then picking the OAuth/OIDC flows that best secure the clients.

    Monday, October 12, 2020 1:35 PM
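    As an added example that is not part of this thread: one way to build the per-session token storage and refresh mechanism the reply describes for the Web Forms client, using MSAL.NET (the Microsoft.Identity.Client package, assumed here), where AcquireTokenSilent renews an expired access token with the cached refresh token so the application never handles the refresh token itself. The class name ApiTokenProvider, the session keys and the placeholder client, tenant and scope values are assumptions.

```csharp
using System.Threading.Tasks;
using System.Web.SessionState;
using Microsoft.Identity.Client;
// Hypothetical helper for the Web Forms client: MSAL's token cache (access and refresh
// tokens) is kept in the ASP.NET session, and MSAL uses the cached refresh token itself.
public class ApiTokenProvider
{
    // Placeholders for the Web Forms app registration; load real values from config.
    private const string ClientId = "<web-forms-app-client-id>";
    private const string ClientSecret = "<client-secret-from-protected-config>";
    private const string Authority = "https://login.microsoftonline.com/<tenant-id>";
    private const string RedirectUri = "https://localhost:44300/";
    private static readonly string[] ApiScopes = { "api://<web-api-client-id>/access_as_user" };
    private readonly IConfidentialClientApplication _app;
    private readonly HttpSessionState _session;

    public ApiTokenProvider(HttpSessionState session)
    {
        _session = session;
        _app = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(Authority)
            .WithRedirectUri(RedirectUri)
            .Build();
        // Cache is per user session: never shared between users, gone when the session ends.
        _app.UserTokenCache.SetBeforeAccess(a =>
        { if (_session["msal_cache"] is byte[] blob) a.TokenCache.DeserializeMsalV3(blob); });
        _app.UserTokenCache.SetAfterAccess(a =>
        { if (a.HasStateChanged) _session["msal_cache"] = a.TokenCache.SerializeMsalV3(); });
    }

    // Call once from the OpenID Connect middleware's AuthorizationCodeReceived notification:
    // redeems the code for access + refresh tokens and remembers which account they belong to.
    public async Task RedeemCodeAsync(string authorizationCode)
    {
        var result = await _app.AcquireTokenByAuthorizationCode(ApiScopes, authorizationCode).ExecuteAsync();
        _session["msal_account"] = result.Account.HomeAccountId.Identifier;
    }

    // Returns a valid access token for the Web API. An expired token is renewed with the
    // cached refresh token; null means the user must sign in again (re-challenge).
    public async Task<string> GetAccessTokenAsync()
    {
        var accountId = _session["msal_account"] as string;
        var account = accountId == null ? null : await _app.GetAccountAsync(accountId);
        if (account == null) return null;
        try { return (await _app.AcquireTokenSilent(ApiScopes, account).ExecuteAsync()).AccessToken; }
        catch (MsalUiRequiredException) { return null; }
    }
}
```

    A null result from GetAccessTokenAsync is the signal to send the user back through the OpenID Connect sign-in rather than to retry silently.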
  • User589811098 posted

    Hi,

    I have achieved the authentication using OpenID by installing Owin packages. The below article helped me achieve it.

    https://forums.asp.net/t/2140446.aspx?Azure+Authentication+using+OAuth+in+ASP+NET+WebForms+NOT+MVC 

    But, I want to hold the token received and trigger a refresh token through code to keep the user session alive.

    Can you guide me to achieve that ?

    Monday, October 12, 2020 3:13 PM
  • User475983607 posted

    siva1501

    But, I want to hold the token received and trigger a refresh token through code to keep the user session alive.

    Can you guide me to achieve that ?

    I misunderstood your original question. You are building a Web Forms application. You could have simply stated such.

    But the problem is still the same. If you own the client code then it is up to you to design and write the code to deal with the tokens. If you do not own the client code then you must supply documentation so the clients understand how the security works.

    There's no magic solution. You have to learn OAuth/OIDC and pick the security flow you wish to use. The community cannot answer this question. Are your services publicly accessible? Can other clients access your services besides the Web Forms application?

    Monday, October 12, 2020 3:34 PM
  • User-212682132 posted

    How can I create API keys like these grill lovers? As you can see, they are having images on ASP.net which is helping them for faster speed.

    Friday, January 15, 2021 10:31 PM