I have an Azure B2C custom policy that uses the Web.TPEngine.Providers.RestfulProvider in order to enhance the Reset Password flow.
I have no issue if the Web.TPEngine.Providers.RestfulProvider endpoint is public.
But for the production, my endpoint ( a spring boot app) will be running on an AKS cluster and its URL will be only accessible through a VPN connection which makes my endpoint invisible for my Azure B2C custom policy.
The question is: How can I make my Custom policy reach an endpoint deployed on AKS and accessible only using VPN?
Thanks a lot for your help
Azure AD B2C API Connectors (Including the Restful Provider) publicly accessible HTTPS APIs and endpoints. It's not possible to connect to APIs trough VPNs.
Related
We are running an API that is configured for and secured by Azure AD. This is working for us with an Angular app where users login interactively.
Now we have a need for a partner firm to use the API in a system to system way (no user login).
What needs to be configured for their application to get an OAuth token for our API from Azure AD?
I've examined the service to service call flow, but I'm wondering if it's best practice to create an application registration in our tenant for an application we don't own/manage. However this seems to be the fastest way to give them a client ID/Secret in order for them to interact with Azure AD.
Thanks in advance!
-Doug
Azure active directory supports the OAuth 2.0 to authorize the
third-party apps too. It doesn’t actually matter where the web APIs
are hosted.You can even see Azure Active Directory
recommendation on third party apps. It actually adds up security
and different type of apps can be integrated .
But you will need to have your web app authenticate to Azure AD, and
provide the token to the web api.so it requires app registration .
Scenario for external web app to call a web api, you can refer to
this:web-app-call-api
Your application can acquire a token to call a web API on behalf of
itself (not on behalf of a user) i.e; you can achieve scenario where
non-interactive app calls a web api
But if you meant app calling a partner api using another api .
The Azure AD V2.0 doesn't support the Partner API(See Restrictions on services and APIs) when you integrated the web API with third-party application using MSAL(Azure AD V2.0 endpoint) .
One way is using the on-behalf-flow. Here third-party application initially acquires the access token to call the web API. This web API acquire the token for Partner Center API and calls it using on-behalf-flow with that token. This solution uses the Azure AD endpoint instead of v2.0( register the app on Azure portal).
Other References:
asp.net web api - Azure Active Directory Verify Access Token in Web
Api outside of Azure - Stack Overflow
Authentication vs. authorization
I have an application which I am trying to migrate to the App services. The authentication was windows auth before migration so I moved it to Azure SSO.
Background -
The application is registered within Azure to leverage single sign on
and we have a reply URL configured within the application and
redirect URI configured in Azure SSO for URL -
https://abc.customdomain.com
The app is hosted within App services and the Azure endpoint URL of
the app services is https://abc.azurewebsites.net
We have also setup a TXT record created within the custom Domain and
added this to App service to verify the ownership of the DNS.
The custom DNS https://abc.customdomain.com is configured and
pointing to the application gateway.
The application gateway is configured to point to the App service.
Issue
When I try testing the application the SSO works as expected but the moment it tries redirecting to the application after Sign on it breaks because of the incorrect redirect URL as the app services has the URL – https://abc.azurewebsites.net
After setting up a CNAME and pointing it to the App services the hosted site works, but we want to have the traffic flow from the Application gateway.
We are looking to publish an API in an Azure B2C model where customers will use our app to access API's published using Docker Swarm based Azure Container Services. Our assumption here is that this model will require Azure B2C AD as opposed to Azure AD.
All API calls will have an OAuth token issued from B2C AD.
We want to know what is the best approach to validate the token centrally before it reaches the microservices on Azure Container Service. We were using API Gateway to route the API calls to the correct microservice while also using the WAF capability in the API Gateway. However, we realize that the API Gateway does not provide a way to verify the OAuth token before it forwards the request to the microservices.
Also please note, as per the suggestions in Microsoft Documentation we have two tenants with one tenant running all services such as database and microservice and the second tenant hosting the Azure B2C AD.
Can you please suggest the best option to implement the OAuth Verification without having to implement this in each microservice.
One thing you could do is put Azure API Management Service between your clients and services, there you'd have an option to use validate-jwt policy to inspect tokens and authorize calls.
The following is a quick overview of the steps:
Register an application (backend-app) in Azure AD to represent the API.
Register another application (client-app) in Azure AD to represent a client application that needs to call the API.
In Azure AD, grant permissions to allow the client-app to call the backend-app.
Configure the Developer Console to call the API using OAuth 2.0 user authorization.
Add the validate-jwt policy to validate the OAuth token for every incoming request.
Please refer to the following document for steps in detail.
This is my scenario: Client Windows Forms app authenticates with Azure AD and uses the access token to access several web api services. Until now, I was using the endpoint 1 and using the Azure portal to register both apps. It seems like there's a new way now, but I'm a little lost here.
For starters, it seems like both apps (client and server) can be registered in the same app in the new apps portal (https://apps.dev.microsoft.com). I do see a place to add platforms and I have added entries for the native and web api. But where do I go from here? For instance, in the azure portal, I must configure the client app in order for it to call the web api services. How do I that here?
Is there a complete sample for this scenario like the one we have to ADAL (https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-code-samples#native-application-to-web-api)?
Thanks,
Regards,
Luis
Please firstly refer to this document to know what's different about the v2.0 endpoint .When you build applications that integrate with Azure Active Directory, you need to decide whether the v2.0 endpoint and authentication protocols meet your needs. Please see the limitations of azure ad v2.0, such as you can use the v2.0 endpoint to build a Web API that is secured with OAuth 2.0. However, that Web API can receive tokens only from an application that has the same Application ID .
The v2.0 endpoint does not support SAML or WS-Federation; it only supports Open ID Connect and OAuth 2.0 ,To better understand the scope of protocol functionality supported in the v2.0 endpoint, read through OpenID Connect and OAuth 2.0 protocol reference.
You could refer to document how to call a web API from a .NET web app with Azure AD V2.0 (using MSAL to acquire and use access tokens), and here is the code sample on Github . The document includes how to add basic sign-in to a web app or how to properly secure a web API in azure ad v2.0 .
We have an instance based web app on IIS which uses active directory for authentication.
This web app has an external public web address for remote users to work with.
OKTA provides Active directory integration which sync directory and provide SSO for users inside the active direcory domain.
But for remote users as far as i know OKTA can provide SSO through their SWA (secure web application) type of application but which means using a browser plugin from OKTA for remote users.
Is there any other way for us to authenticate from active directory
for remote users through SAML or WS-FED using OKTA?
Okta supports SAML 2.0 for this use case. Please reference the documentation at https://support.okta.com/pkb_Home?q=SAML&l=en_US for details on how to configure this.
Also note that there's a sample app demonstrating SAML integration via the Spring framework (if the app in question is Java-based). http://developer.okta.com/docs/examples/spring_security_saml.html