ADAL acquire token and secure the api

Question
-
User-590375999 posted
Hi,
ADAL.NET is used to acquire tokens. It's not used to protect a Web API
How can I protect the web API? Can I keep the token in the cache, and can I validate the token sent by the user in the header of the API method call?
Friday, March 1, 2019 3:18 AM
Answers
-
User475983607 posted
sivapooja
"ADAL.NET is used to acquire tokens. It's not used to protect a Web API"
According to the docs, ADAL.NET can be used to protect a Web API.
The answer to this post and the answers to your other OAuth/OIDC posts...
https://forums.asp.net/t/2153247.aspx
https://forums.asp.net/search?q=authors%3A%28sivapooja%29&s=createdDate&d=desc
...is taking the time to learn the fundamentals. Your project requires several different grant types, not one.
I'm using OAuth/OIDC (IdentityServer4) in a current project which has the same type of clients that you are trying to implement. It took me a few weeks to learn the basics. I built demos for each client and played around with the code. I also read the RFCs, a few times, to learn the terminology and specifications. I still refer to the RFCs.
Clearly you are throwing code at a relatively complex protocol hoping that something will magically work. This is not a good approach. Also, the linked docs provided in your other threads have all the sample source code you need. The fact that you cannot put this together indicates you need to focus on learning the terminology.
sivapooja
"How can I protect the web API?"
The Web API needs to know the token server, which is Azure AD for your project. The clients that require access to secured Web API resources must also know the token server. The clients request a token from the token server and pass the token to the secured Web API resource. Part of the "getting the access token" process is validating the token. The NuGet and sample APIs (linked docs) handle this for you. The clients cannot validate the token if the clients do not know the token server. Therefore, you cannot take advantage of the NuGet APIs.
https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-overview
sivapooja
"Can I keep the token in the cache, and can I validate the token sent by the user in the header of the API method call?"
All clients must cache the token(s). It's the client's responsibility to persist tokens. In a standard web app where the client is a browser (not JavaScript code) the token is generally stored in a cookie, and the API just handles the cookie for you. If the client is code, then it is up to the code to persist the token.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Friday, March 1, 2019 2:04 PM
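An added example (my code, not code from this thread or from Microsoft's samples) of the split the answer describes: the Web API validates Azure AD bearer tokens against the tenant and audience it knows, and the MVC client pulls a cached token out of ADAL.NET and attaches it to the request itself. It assumes the Microsoft.Owin.Security.ActiveDirectory package on the API and Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL.NET v3+) on the client; the tenant, client id, authority and App ID URI values are placeholders.

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL.NET (client side)
using Microsoft.IdentityModel.Tokens;                  // System.IdentityModel.Tokens on Owin 3.x packages
using Microsoft.Owin.Security.ActiveDirectory;         // Web API side
using Owin;

// Web API side: the API knows the token server (Azure AD) and validates every bearer
// token itself. The middleware fetches the tenant's signing keys and checks signature,
// issuer, audience and lifetime before any [Authorize] controller runs.
public class ApiStartup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = "contoso.onmicrosoft.com", // placeholder tenant
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Reject tokens minted for any resource other than this API.
                    ValidAudience = "https://contoso.onmicrosoft.com/my-web-api" // placeholder App ID URI
                }
            });
    }
}

// MVC client side: the client caches tokens and puts one on each API call itself.
// AcquireTokenSilentAsync serves from the TokenCache (refreshing silently if needed) and
// throws AdalSilentTokenAcquisitionException when the user must sign in again.
public class ApiClient
{
    const string Authority = "https://login.microsoftonline.com/contoso.onmicrosoft.com"; // placeholder
    const string ClientId  = "00000000-0000-0000-0000-000000000000";                      // placeholder
    const string Resource  = "https://contoso.onmicrosoft.com/my-web-api";                // = ValidAudience above

    public static async Task<string> GetFromApiAsync(TokenCache cache, string userObjectId, string url)
    {
        var ctx = new AuthenticationContext(Authority, cache);
        var user = new UserIdentifier(userObjectId, UserIdentifierType.UniqueId);
        AuthenticationResult result = await ctx.AcquireTokenSilentAsync(Resource, ClientId, user);
        using (var http = new HttpClient())
        {
            // Nothing adds the header for you: the client attaches the bearer token.
            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
            return await http.GetStringAsync(url);
        }
    }
}
```

The same TokenCache instance must be the one the sign-in flow populated (per user, in the MVC app), otherwise the silent call has nothing to serve from.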
All replies
-
User-590375999 posted
Hi Mgebhard,
i want to implement this in projects
In some places I need to call the API from the JavaScript code, so I need to add the token in the header, right? Or will ASP.NET add the token with server-side and client-side calls?
If not, then can you tell me where I can get the token on the ASP.NET MVC client?
Friday, March 1, 2019 4:11 PM -
User475983607 posted
sivapooja
"In some places I need to call the API from the JavaScript code, so I need to add the token in the header, right? Or will ASP.NET add the token with server-side and client-side calls?"
Sivapooja, you have to realize that we have no idea how your code works or how your security is designed.
If the JavaScript application makes requests to same web application that rendered the JavaScript, then the web application (server) populates the Web API request. If the JavaScript application (running in the browser) makes a cross origin request to the Web API, then the JavaScript application makes the request. Keep in mind cross origin requests require CORS.
In either case the operational details are handled by the openly published open source APIs found in the linked documentation throughout your forum posts.
Friday, March 1, 2019 5:02 PM -
User-590375999 posted
Dear Mgebhard,
We use ASP.NET MVC as one of the clients. My question is: the user goes through the Azure AD login page and enters the application; some of the API calls are from the backend (C#) and some of the API calls are from JavaScript, I mean from the .cshtml. So when I call the API from the JavaScript, does the system take care of the token or should we manually append the token in the header? If we have to manually append the token in the header, then how can I get the token returned from Azure AD in the .cshtml (JavaScript)?
Saturday, March 2, 2019 1:42 AM -
User475983607 posted
sivapooja
"We use ASP.NET MVC as one of the clients. My question is: the user goes through the Azure AD login page and enters the application; some of the API calls are from the backend (C#) and some of the API calls are from JavaScript, I mean from the .cshtml. So when I call the API from the JavaScript, does the system take care of the token or should we manually append the token in the header? If we have to manually append the token in the header, then how can I get the token returned from Azure AD in the .cshtml (JavaScript)?"
Asking the same question many times will not change the answer. Server (back-end) requests to secured resources will use a different grant type than a JavaScript application. I have explained this concept to you many times with comments and linked references.
The following link, which I have provided several times now, explains how to determine what grant types to use for common security scenarios.
https://docs.microsoft.com/en-us/azure/active-directory/develop/app-types
Once you settle on a grant type, you can download the source code. To answer your question, the API generally caches the token, but it is up to you to add the token to the header.
xhr.setRequestHeader("Authorization", "Bearer " + user.access_token);
You must read the API documentation!
Saturday, March 2, 2019 2:25 AM -
User-590375999 posted
So I can't use the token acquired by ADAL.NET in the HTML page of the same application, right?
Can I use adal.js in ASP.NET MVC? Currently only 10% of the API calls are from the server side, so I can move the calls to the front end.
Saturday, March 2, 2019 4:24 AM -
User475983607 posted
sivapooja
"So I can't use the token acquired by ADAL.NET in the HTML page of the same application, right?
Can I use adal.js in ASP.NET MVC? Currently only 10% of the API calls are from the server side, so I can move the calls to the front end."
Rather than repeating myself over and over and providing the same reference links; please explain to the community how you plan to implement adal.net in JavaScript or adal.js on the server.
Saturday, March 2, 2019 4:43 AM