How to invoke a REST API from Azure AD B2C using token(say client credential flow)
Currently, there isn't any built-in support for this, since AuthenticationType must be set to one of None, Basic or ClientCertificate.
If your REST API does allow for this, then you can acquire an access token in a previous step and pass it in to your REST API, via the request query or body.
Related
I am currently following this user guide for adding a custom policy to my B2C sign up process
I have created the API and configured the various XML files. I can generate a token to access the API via the implict flow.
The API is secured under the app service with Azure Active Directory authentication.
The page linked to describes how to add basic authentication and a client ID / secret, which is a Client Credentials flow, so I was trying to test this in postman
However, having failed to get it to work I went looking and found a variety of posts stating implict credentials are not supported by Azure B2C?
If that is the case I'm puzzled how it is I'm supposed to ensure the claims of the API I am calling to carry out the business logic can be accessed by the custom policy?
My API is hosted on Azure in the same subscription. I can generate tokens for this API fine to use within my native / client app.
Please could someone advise how I should go about testing access to this API from a B2C context via Postman?
The page linked to describes how to add basic authentication and a client ID / secret, which is a Client Credentials flow, so I was trying to test this in postman
To be exact, it should not be called Client Credentials, because it isn't it.
It's just HTTP Basic authentication.
You are adding an alternative authentication method to your API in that case.
The fact that B2C does not support client credentials auth does not matter here.
What matters is that you have enabled AAD authentication on App Service.
This will block the calls that try to use Basic auth against your API.
Here are a couple options that you can do:
Disable authentication on the App Service and implement the two alternative authentication methods in your API code
Allow anonymous calls through from App Service auth and implement Basic auth for unauthenticated requests in your API code
As for testing from Postman, it should then be the same as testing any API supporting Basic authentication.
You don't authenticate against B2C, so there is nothing special about it.
I followed this tutorial to setup authentication for my Azure Bot. After a successful login, it returns a token for me. I believe that this is an authorization token to access the Microsoft Graph API. If I wanted to use this same token to exchange for an access token to another web application, is that possible? And how would I be able to do it?
Yes, it's possilbe.
You should be able to get a refresh_token after the authorization is finished.
Use this refresh_token to exchange another access_token with the scope of another web application. Like this:
Then we can get an access_token for another scope:
You can see that the scope has changed from https://graph.microsoft.com to api://{id}/user.write which is another web API.
UPDATE:
Maybe I have a misunderstanding because I see you want to exchange a new access token.
If you just want to access your own web api from Bot application and don't need to call Microsoft Graph API, just modify the Resource URL (Azure AD v1) or Scopes (Azure AD v2). It's unnecessary to exchange a new access token.
For Azure AD v1, you should set Resource URL as: api://{api id}.
For Azure AD v2, set Scopes as: api://{api id}/.default.
Please note that api://{api id} is your web api.
We are looking to publish an API in an Azure B2C model where customers will use our app to access API's published using Docker Swarm based Azure Container Services. Our assumption here is that this model will require Azure B2C AD as opposed to Azure AD.
All API calls will have an OAuth token issued from B2C AD.
We want to know what is the best approach to validate the token centrally before it reaches the microservices on Azure Container Service. We were using API Gateway to route the API calls to the correct microservice while also using the WAF capability in the API Gateway. However, we realize that the API Gateway does not provide a way to verify the OAuth token before it forwards the request to the microservices.
Also please note, as per the suggestions in Microsoft Documentation we have two tenants with one tenant running all services such as database and microservice and the second tenant hosting the Azure B2C AD.
Can you please suggest the best option to implement the OAuth Verification without having to implement this in each microservice.
One thing you could do is put Azure API Management Service between your clients and services, there you'd have an option to use validate-jwt policy to inspect tokens and authorize calls.
The following is a quick overview of the steps:
Register an application (backend-app) in Azure AD to represent the API.
Register another application (client-app) in Azure AD to represent a client application that needs to call the API.
In Azure AD, grant permissions to allow the client-app to call the backend-app.
Configure the Developer Console to call the API using OAuth 2.0 user authorization.
Add the validate-jwt policy to validate the OAuth token for every incoming request.
Please refer to the following document for steps in detail.
I Followed the Active Directory .NET WebAPI onBehalfOf sample.
In the web api created another endpoint to access Intune app protection policy from url
https://graph.microsoft.com/beta/deviceAppManagement/managedAppPolicies,
in azure provided permission to app to access Graph API.
In the call to AquireTokenAsync changed the resource Id to https://graph.microsoft.com/.
This returned the JWT token that contained:
"aud": "https://graph.microsoft.com/",
"scp": "DeviceManagementApps.ReadWrite.All User.Read",
However fetching the endpoint
https://graph.microsoft.com/beta/deviceAppManagement/managedAppPolicies
Returns an HTTP response of 401 Unauthorized.
What is missing?
This generally implies one or both of the following issues:
You need to obtain Admin Consent. The DeviceManagementApps.ReadWrite.All scope requires that an Admin consent to the permissions before a normal user can can authorize the scope.
You're app's registration doesn't have the correct scopes defined in Azure. Make sure your registration is selection scopes for Microsoft Graph and not Azure AD Graph API. These are two distinct APIs and the differences are greater than simply the resource URI.
Also note that the Client Credentials grant (aka Application scope) isn't supported by the Intune APIs. You can only call these endpoints using Delegated permissions (Authorization Code or Implicit grants).
On my initial analysis on the fetching the access token from Azure AD using OpenID connect protocol, I came to know that there are two ways to consider
Fetching access token using the signed in user's context where caching is used.
Fetching access token using application context.
Can anyone help me to know which needs to be consider with some example code.
Fetching access token using the signed in user's context where caching is used.
OpenID Connect implements authentication as an extension to the OAuth 2.0 authorization process. It provides information about the end user in the form of an id_token that verifies the identity of the user and provides basic profile information about the user.
Please refer to code sample :Calling a web API in a web app using Azure AD and OpenID Connect ,this sample uses the OpenID Connect ASP.Net OWIN middleware and ADAL .Net. In controller , you could get access token for specific resource using the signed in user's context :
string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
AuthenticationContext authContext = new AuthenticationContext(Startup.Authority, new NaiveSessionCache(userObjectID));
ClientCredential credential = new ClientCredential(clientId, appKey);
result = await authContext.AcquireTokenSilentAsync(todoListResourceId, credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));
Fetching access token using application context.
What do you mean by "application context" ? If you are talking about OAuth 2.0 Client Credentials Grant Flow , which permits a web service (confidential client) to use its own credentials instead of impersonating a user, to authenticate when calling another web service. You could refer to this scenario explanation and code samples .
To fetch an access token to the graph API, you need to:
redirect the user to the Azure authorization endpoint (https://login.microsoftonline.com/common/oauth2/v2.0/authorize),
to get back an authorization token,
that you need to provide Azure with, on the access token endpoint (https://login.microsoftonline.com/common/oauth2/v2.0/token), with your application credentials.
Finally, you can provide this access token to the userinfo endpoint on the graph API: https://graph.microsoft.com/v1.0/me
with some example code
I've written a sample code, but it depends totally on the language, environment and OIDC library you are using. In case you are using Java in a servlet environment with the MIT implementation of OIDC (MITREid Connect), my example to access the Microsoft graph API by means of OIDC on Azure is available on GitHub here: https://github.com/AlexandreFenyo/mitreid-azure