wso2 api manager with azure ad as OAuth provider - azure-active-directory

We have a requirement to configure WSO2 api manager with Azure AD as OAuth provider. We do not intend to use the out-of-the box OAuth provider in WSO2 api platform. All other parts of API manager will be leveraged ( publisher, store, gateway). Below given is the scenario
A mobile app is the client for APIs
User authentication from the app is done via Azure Ad
Azure AD provides a token back after successful authentication
Mobile app invokes the API ( via wso2 api gateway) using the token issued by Azure Ad.
API gateway verifies the validity of the token and allows the api invocation if it is valid
What is the best way to achieve this? Any input is much appreciated

You should be able to achieve your use case by configuring a 3rd part key manager
https://docs.wso2.com/display/AM210/Configuring+a+Third-Party+Key+Manager

Related

How to use Azure AD to secure an API that needs to be accessed by a 3rd party application?

We are running an API that is configured for and secured by Azure AD. This is working for us with an Angular app where users login interactively.
Now we have a need for a partner firm to use the API in a system to system way (no user login).
What needs to be configured for their application to get an OAuth token for our API from Azure AD?
I've examined the service to service call flow, but I'm wondering if it's best practice to create an application registration in our tenant for an application we don't own/manage. However this seems to be the fastest way to give them a client ID/Secret in order for them to interact with Azure AD.
Thanks in advance!
-Doug
Azure active directory supports the OAuth 2.0 to authorize the
third-party apps too. It doesn’t actually matter where the web APIs
are hosted.You can even see Azure Active Directory
recommendation on third party apps. It actually adds up security
and different type of apps can be integrated .
But you will need to have your web app authenticate to Azure AD, and
provide the token to the web api.so it requires app registration .
Scenario for external web app to call a web api, you can refer to
this:web-app-call-api
Your application can acquire a token to call a web API on behalf of
itself (not on behalf of a user) i.e; you can achieve scenario where
non-interactive app calls a web api
But if you meant app calling a partner api using another api .
The Azure AD V2.0 doesn't support the Partner API(See Restrictions on services and APIs) when you integrated the web API with third-party application using MSAL(Azure AD V2.0 endpoint) .
One way is using the on-behalf-flow. Here third-party application initially acquires the access token to call the web API. This web API acquire the token for Partner Center API and calls it using on-behalf-flow with that token. This solution uses the Azure AD endpoint instead of v2.0( register the app on Azure portal).
Other References:
asp.net web api - Azure Active Directory Verify Access Token in Web
Api outside of Azure - Stack Overflow
Authentication vs. authorization

SSO with Keycloak and Azure Active Directory

We have integrated keycloak with Azure Active Directory and integrated it with a few applications.
We have a few applications that are directly integrated with Azure Active Directory. Is there an approach I can follow to make a person logged in to one application to be signed in all the other applications irrespective of the authentication provider used (keycloak or Azure AD)?
Normally I'll be logged into all applications integrated with keycloak if I signin into one application integrated with keycloak and vice-versa with Azure AD.
Your requirement can be fulfilled with the app service feature by leveraging the token store and authorization behavior of the configured authentication providers for the apps configured. But only tokens received from keycloak can be forwarded to Azure AD for authentication purposes and further sign in respectively to all apps registered with Azure AD. The reverse is not possible as keycloak doesn’t has the ability to forward the sign in token request received for the application configured back to Azure AD for authorization.
You will have to enter the REST API code for signing in and out of a session accordingly by incorporating the below likewise code in your environment.
Log in with the Microsoft Identity Platform
Log in with Facebook
Log in with Google
Log in with Twitter
Log in with Apple
Please find the below documentation for an approach on forwarding the authentication tokens from Keycloak to Azure AD for access authorization: -
https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-customize-sign-in-out
Thanking you,

Access web api using AAD from Azure Function without using secret keys

I'm working on Azure Cosmos DB Feed changer Function. My requirement is in the feed changer function I need to access Web API using AAD authentication.
How should I configure the connection between the Azure Function and Web API using AAD so that the azure function can send the change feed to Web API?
How can I call the Web API in the function code?
Thank You,
Dheeraj
Based on your requirements, I suggest you using MSI(Managed Service Identity) in your azure function app.
You could create an identity here.
Then search the identity in AAD Enterprise Application list,you could find the permissions of it.
Then please refer to this document to obtain the access token and call your web api which is using AAD authentication with that token.
In addition, you could store the secret in Azure Key Vault and get the access token from AKV to call your web api. It support you to manage multiply permissions.
More details ,please refer to this link:https://blogs.msdn.microsoft.com/benjaminperkins/2018/06/13/using-managed-service-identity-msi-with-and-azure-app-service-or-an-azure-function/

Azure API Gateway and authentication

We are looking to publish an API in an Azure B2C model where customers will use our app to access API's published using Docker Swarm based Azure Container Services. Our assumption here is that this model will require Azure B2C AD as opposed to Azure AD.
All API calls will have an OAuth token issued from B2C AD.
We want to know what is the best approach to validate the token centrally before it reaches the microservices on Azure Container Service. We were using API Gateway to route the API calls to the correct microservice while also using the WAF capability in the API Gateway. However, we realize that the API Gateway does not provide a way to verify the OAuth token before it forwards the request to the microservices.
Also please note, as per the suggestions in Microsoft Documentation we have two tenants with one tenant running all services such as database and microservice and the second tenant hosting the Azure B2C AD.
Can you please suggest the best option to implement the OAuth Verification without having to implement this in each microservice.
One thing you could do is put Azure API Management Service between your clients and services, there you'd have an option to use validate-jwt policy to inspect tokens and authorize calls.
The following is a quick overview of the steps:
Register an application (backend-app) in Azure AD to represent the API.
Register another application (client-app) in Azure AD to represent a client application that needs to call the API.
In Azure AD, grant permissions to allow the client-app to call the backend-app.
Configure the Developer Console to call the API using OAuth 2.0 user authorization.
Add the validate-jwt policy to validate the OAuth token for every incoming request.
Please refer to the following document for steps in detail.

Azure AD Apps: Migrating to v2.0

This is my scenario: Client Windows Forms app authenticates with Azure AD and uses the access token to access several web api services. Until now, I was using the endpoint 1 and using the Azure portal to register both apps. It seems like there's a new way now, but I'm a little lost here.
For starters, it seems like both apps (client and server) can be registered in the same app in the new apps portal (https://apps.dev.microsoft.com). I do see a place to add platforms and I have added entries for the native and web api. But where do I go from here? For instance, in the azure portal, I must configure the client app in order for it to call the web api services. How do I that here?
Is there a complete sample for this scenario like the one we have to ADAL (https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-code-samples#native-application-to-web-api)?
Thanks,
Regards,
Luis
Please firstly refer to this document to know what's different about the v2.0 endpoint .When you build applications that integrate with Azure Active Directory, you need to decide whether the v2.0 endpoint and authentication protocols meet your needs. Please see the limitations of azure ad v2.0, such as you can use the v2.0 endpoint to build a Web API that is secured with OAuth 2.0. However, that Web API can receive tokens only from an application that has the same Application ID .
The v2.0 endpoint does not support SAML or WS-Federation; it only supports Open ID Connect and OAuth 2.0 ,To better understand the scope of protocol functionality supported in the v2.0 endpoint, read through OpenID Connect and OAuth 2.0 protocol reference.
You could refer to document how to call a web API from a .NET web app with Azure AD V2.0 (using MSAL to acquire and use access tokens), and here is the code sample on Github . The document includes how to add basic sign-in to a web app or how to properly secure a web API in azure ad v2.0 .

Resources