I have JavaScript website which access Azure AD protected WebAPI with IDToken.
Is there any way to call Graph API (to get groups) from WebAPI which is already authenticated with IDToken.
I use msal in my JS to get access to the WebAPI. I pass scope to the WebAPI, I tried to add another scope to Graph but then I had an error.
I tried to call Graph with Authorization key in the header and Bearer as the value from my WebAPI but this didn't work.
You are using an ID token wrong.
The ID token should not be used for authorization in a back-end.
Your front-end needs to acquire an access token for your back-end. Your back-end can then exchange that access token for an access token for Graph API.
Or your front-end can call Graph API.
You cannot specify both scopes when acquiring a token because a token is only valid for one API.
You can however make two separate calls to acquire the tokens.
Related
I followed this tutorial to setup authentication for my Azure Bot. After a successful login, it returns a token for me. I believe that this is an authorization token to access the Microsoft Graph API. If I wanted to use this same token to exchange for an access token to another web application, is that possible? And how would I be able to do it?
Yes, it's possilbe.
You should be able to get a refresh_token after the authorization is finished.
Use this refresh_token to exchange another access_token with the scope of another web application. Like this:
Then we can get an access_token for another scope:
You can see that the scope has changed from https://graph.microsoft.com to api://{id}/user.write which is another web API.
UPDATE:
Maybe I have a misunderstanding because I see you want to exchange a new access token.
If you just want to access your own web api from Bot application and don't need to call Microsoft Graph API, just modify the Resource URL (Azure AD v1) or Scopes (Azure AD v2). It's unnecessary to exchange a new access token.
For Azure AD v1, you should set Resource URL as: api://{api id}.
For Azure AD v2, set Scopes as: api://{api id}/.default.
Please note that api://{api id} is your web api.
I have a ReactJs frontend making requests to an API. Both hosted in Azure with app registrations in AAD as well.
I used to be able to use v1.0 auth endpoint, and create a valid token for the API:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=<AAD_WEB_APP_ID>&resource=<AAD_API_ID>&response_type=token ...
If I understand the documentation correctly, this type of auth flow isn't allowed/possible in v2.0:
However, that Web API can receive tokens only from an application that has the same Application ID. You cannot access a Web API from a client that has a different Application ID. The client won't be able to request or obtain permissions to your Web API.
The reason for changing from v1.0 to v2.0 is that I need access to Microsoft Graph (Groups in particular).
My question is: How can I create an access_token that works for Microsoft Graph and my API? If that isn't possible, what would the correct auth flow be?
You don't need to switch to the v2 Endpoint for this, Microsoft Graph supports both v1 and v2 tokens (actually, every API I can think of that supports v2 also supports v1 but there might be an exception I'm forgetting).
The steps are pretty straightforward:
Update your AAD registration in the Azure Portal and add the Permissions for Microsoft Graph you're going to be using.
Instead of passing resource=<AAD_API_ID> in your URI, use resource=graph.microsoft.com. This will return a token that can be used with Microsoft Graph.
Important: You must request the Offline Access scope (offline_access) for this to work.
Where this gets confusing is that technically you cannot use the same Access Token to access both your API and Microsoft Graph. What is supported is switching the Resource when refreshing your token. So while, yes, you are using two different tokens, you're reusing the same credentials/authorization code.
Here is an example flow:
A user authenticates using your API as the Resource (resource=<AAD_API_ID>). This returns an Authorization Code back to your application.
The application posts the Authorization Code to the /token endpoint (also using your API as the Resource). This will return both an access_token and a refresh_token to the application.
Use this access_token to make calls into your API.
The application posts the refresh_token to the /token endpoint using graph.microsoft.com as the Resource. This will return a new access_token and refresh_token keyed to Microsoft Graph.
Use this new access_token to make calls into Microsoft Graph.
The application again posts the refresh_token to the /token endpoint but this time using your API as the Resource again. This will return a new access_token and refresh_token keyed to your API.
Call your API
You can repeat this cycle as needed. Depending on how often you need to switch, you can also keep access tokens for both your API and Graph in memory and reuse them until they expire. Just be sure and always store the last Refresh Token you received so you can fetch a refreshed token for either resource as needed.
For multiple AngularJS services that makes it's own Web API calls, we need to store the authentication token in a centralized place and it shouldn't be repeated. Where should we save the authentication token? I guess we need to write a authentication AngularJS service that would be responsible for log-in/log-out and it stores the generated token in client local storage so this token can be sent with each request to access secure resources on the back-end API. Kindly answer me if my understanding in correct.
I need to implement angularjs Single page application role based authentication using OWIN bearer token and JWT. But i have separate web service to check the user available or not and also get the user roles.
There for i need to generate bearer token by using that rest resource results without using Identity database.
For now I have Asp.Net WebAPI and client application (Angular) on separate hosts. As for authentication, WebAPI uses default external OAuth provider (Google) implementation with middlewares, external bearer token and cookie. Since web application is being hosted separately, for security reasons it is using Implicit grant flow, so access_token is being returned after hash symbol in URI. Also, it means that refresh token can not be implemented.
Here comes the part I am a bit confused about.
As for my WebAPI I am using Local accounts, which have to be created for every new user that comes to my application externaly (from Google) using basic information it provides. So the external bearer token and cookie are only used till I register the user, sign him in and provide LOCAL AUTHORITY bearer token which can be used to access secured API endpoints. It means I still have the LOCAL AUTHORITY provider which lives in my WebAPI and manages access_tokens.
Does it mean that I can implement refresh token?
If I understand correctly refresh token is not valid between Google and my app (because it is using implicit grant flow), but it is viable between my WebAPI and Client application without leaving security holes?
I am a bit confused about the refresh token here. Is it possible?
Thanks for your time.
Kind of Solution
Read this answer for the solution