I need to implement angularjs Single page application role based authentication using OWIN bearer token and JWT. But i have separate web service to check the user available or not and also get the user roles.
There for i need to generate bearer token by using that rest resource results without using Identity database.
Related
I am using ASP.NET MVC application and using Azure AD authentication.
I am trying to search to store and retrieve an IDToken and to refresh the token best practices. I have seen some example but not able to follow through
When user get authenticated and get the codeIdToken. How I can save it and retrieve the codeIDToken?
Then later I want to get the codeIdToken to get the access token to use as a bearer token to call an api register in Azure. Where I can store, retrieve and refresh the access token?
Our application is an Angular SPA with ASP.Net Core Web API. The identity is provided by Microsoft Identity Platform (Azure AD) and authentication is provided by the same. The authorization is done in Web API basis "Application Roles". These "Application Roles" are held in the Azure AD directory (defined in the Application's manifest and assigned on the tenant domain to users).
The Angular SPA receives the tokens from Azure, as per these instructions. The relevant tokens that are issued are: an AccessToken for my Web API (following these instructions), an AccessToken for calling Graph API (following the same instructions) and an IdToken that includes the "Application Roles" as roles claim (this id token seems to be included automatically once roles have been assigned).
The problem I face is that I need to pass concurrent tokens to my Web API, but with the HTTP interceptor I can only include 1 token in the header request. For example, I need the first AccessToken to proof authentication to the Web API and I need to include the IdToken such that the Web API can perform authorization.
Q: How can I call my Web API with multiple tokens, when these tokens are all issued to the SPA and need to be included in the HTTP call to my Web API?
No matter whether you want to get Microsoft Graph data, the way you used to get Application role is incorrect.
An id token cannot be used to perform authorization for your Web API application. You have to use access token. See this answer to learn about the usage of id token and access token.
So you have to use an access token rather than id token.
In this case, you configure the app roles in the Azure AD app which represents Angular SPA (the front).
In fact, you should configure the app roles in the Azure AD app which represents ASP.Net Core Web API (the backend). Then you can get the "Application Roles" as roles claim in the AccessToken for your Web API.
I have set up an Azure Active Directory tenant with direct federation to Google. Next to that I have a .NET core web application using the OIDC code flow for getting both id_tokens and access and refresh tokens. The access token is used to call my API which is working fine.
Now the problem is whenever I use my refresh_token to get a new access_token I receive a new access_token, but no refresh_token. So I can only refresh once.
I only have this issue when authenticating with my Google account using direct federation. When I authenticate using a tenant native account I can refresh unlimited.
We have two multitenant Azure AD app registrations as described here. One for our single page application and one for our API. In our single page application backend we use the OpenIdConnect middleware to authenticate against Azure AD. Note that we are not using the common endpoint, but the tenant specific endpoint because otherwise direct federation does not work. We can reproduce this issue by intercepting the refresh token in the OnTokenResponseReceived event of the OIDC middleware and initiating the refresh flow as stated here (by using Postman for instance). The response is successful, but does only contain an access token, no refresh token.
Is this behavior by design?
I have JavaScript website which access Azure AD protected WebAPI with IDToken.
Is there any way to call Graph API (to get groups) from WebAPI which is already authenticated with IDToken.
I use msal in my JS to get access to the WebAPI. I pass scope to the WebAPI, I tried to add another scope to Graph but then I had an error.
I tried to call Graph with Authorization key in the header and Bearer as the value from my WebAPI but this didn't work.
You are using an ID token wrong.
The ID token should not be used for authorization in a back-end.
Your front-end needs to acquire an access token for your back-end. Your back-end can then exchange that access token for an access token for Graph API.
Or your front-end can call Graph API.
You cannot specify both scopes when acquiring a token because a token is only valid for one API.
You can however make two separate calls to acquire the tokens.
I am using React as my Single Page application and also generating the token using Microsoft AD Authentication OAuth using the below code.
I am using my SPA for authentication but for authorization and access controls I wanted to fine grain the access controls in my web api using attributes in controller actions like [Authorize(Roles="Admin")].
Can anyone help me here how to implement the authorization by calling the action methods from my React app by passing the Bearer token in headers of each request. I want to control my web api logic using the claims in the token by using roles.
your inputs are really appreciated!
Thanks