APIs - AAD and OAUTH2 Client Credentials - How to Harden Security


  • I have a directory configured with a number of Api apps registered as apps with Client Ids and Keys.

    I like that I can use credentials for Api1 and the resourceId of Api2 to call the AAD token endpoint (ADAL and Postman, etc) and generate a token to call Api2 from Api1.

    However, that works maybe too easily in my opinion.  I can add Api3, 4, and 5 and do the same.  Granted, I need to know the resource IDs, methods, etc.

    • Api1 + Api1 Client Creds + Api2 Resource ID -> Token for Api2 Access
    • Api1 + Api1 Client Creds + Api3 Resource ID -> Token for Api3 Access
    • Api1 + Api1 Client Creds + Api4 Resource ID -> Token for Api4 Access
    • Api1 + Api1 Client Creds + Api5 Resource ID -> Token for Api5 Access

    I have seen examples where you are supposed to go to Api1's configuration and then assign permissions to call Api2.  However I have not had to do this to allow Api1 creds to call Api2.

    Is there a way to restrict / harden this behavior in the same directory?

    Are there some best practices I may need to implement to make this more secure or is this more secure than I realize?

    Tuesday, April 25, 2017 7:11 PM


All replies

  • If you own API2 through API6, you should consider exposing app-only permissions, which would require any clients (i.e. API1) to express those permission requests in their configuration. Then, in the API2>API6 resources, it would be the resource's responsibility to crack open the token, look at the "roles" claim, see what permissions are being requested, then decide if it's OK for the identity of the caller to be requesting them. Also, because these are app permissions being used with client_credentials, the user doing the client configuration would have to be an admin; otherwise they would fail AAD's consent framework at runtime.

    Thursday, April 27, 2017 6:26 PM
  • How do I enrich / configure the "roles" claim?  PowerShell?  At first I thought you meant the "Groups" in users and groups of the directory.  However, it appears Groups only apply to Users and not Applications.  I would need to be able to assign custom roles to the application.  Is this an extension to the schema?  Hopefully, as you are inferring, the role would be emitted or enriched in the JWT.

    Monday, May 1, 2017 6:29 PM
    Tuesday, May 2, 2017 6:08 AM
  • I am still working on this when I can, so sorry for the delays.  Your links were very helpful.

    I was able to create application roles by editing the manifest for WebApi4.

    In addition I was able to assign the role permission of WebApi4 to WebApi1.

    I see the roles in WebApi1 manifest.

    I can generate a JSON Web token (OAUTH2 client credentials) for WebApi4 from the WebApi id and secret.

    However, I don't see any role claims in the JSON Web Token.

    If I check/restrict claims in WebApi4 wouldn't it fail or does it query the directory/authority to enrich the claims?

    Sunday, May 14, 2017 4:06 AM
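The check described in the first reply (the resource cracks open the token and inspects the "roles" claim) and the situation in the last post (a token for WebApi4 with no roles claim), as an added Python example that is not code from the thread: the resource's own authorization decision for a client_credentials token. The resource identifier, the role name and both sample tokens are constructed assumptions, and signature verification against the tenant's signing keys is assumed to have already happened before these checks run.

```python
import base64
import json

# Constructed sample values (assumptions, not from the thread): stand-ins for
# the WebApi4 resource identifier and the app role declared in its manifest.
RESOURCE_ID = "https://contoso.example/webapi4"
REQUIRED_ROLE = "Orders.Read.All"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Parse a compact JWT's payload. Does NOT verify the signature: a real
    resource validates the token against the tenant's signing keys first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def authorize_app_only(claims: dict, expected_aud: str, required_role: str, now: int) -> tuple:
    """Decision for a client_credentials token. Everything needed is in the
    token (aud, exp, roles); nothing is looked up in the directory per request."""
    if claims.get("aud") != expected_aud:
        return False, "audience mismatch: token not issued for this API"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    roles = claims.get("roles") or []
    if required_role not in roles:
        return False, "caller lacks app role %r (roles=%r)" % (required_role, roles)
    return True, "ok"


def make_sample_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED sample token for offline demonstration."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])


NOW = 1_500_000_000  # fixed clock so the samples never expire
# Token as AAD would issue it once WebApi4's app role is assigned to the caller.
TOKEN_WITH_ROLE = make_sample_token({"aud": RESOURCE_ID, "exp": NOW + 3600, "roles": [REQUIRED_ROLE]})
# Token like the one in the thread: right audience, but no 'roles' claim at all.
TOKEN_NO_ROLES = make_sample_token({"aud": RESOURCE_ID, "exp": NOW + 3600})
```

A token without the roles claim is rejected by the resource itself; the resource never asks the directory to fill the claim in, so the role has to be present in the token as issued.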