How to authenticate my application (running as an Azure App Service) against another Azure App Service using Managed Identities?

Lucas 0 Reputation points
2024-07-11T09:59:10.7266667+00:00

We have two applications that run in two different Azure App Services:

  1. An ASP.NET 4.6.2 application that hosts a website and utilizes a web job that communicates with the other App Service over gRPC (using the older Grpc.Core package because App Services are still using Windows 10)
  2. An ASP.NET Core 8 Grpc API that is only accessed by the other App Service.

Because the second App Service is only accessed from the other App Service within our organization and we don't want to use VNETs to control IP-based access, we would like to use Azure Managed Identities.

Now I've followed several Microsoft tutorials on how to configure Managed Identities for the applications, and this is what I thought had to be done:

  1. Enable "System Assigned" Managed Identity in App Service A
  2. Assign this Managed Identity / principal any role in App Service B
  3. Modify the Code running on App Service A to include authentication / authorization when sending requests to App Service B
    1. Create a new instance of "DefaultAzureCredential" from the "Azure.Identity" NuGet package
    2. Call "GetTokenAsync" on that instance
    3. Include the "Authorization" header in the Metadata of the gRPC request to App Service B and assign it the value $"Bearer {tokenResponse.Token}" (tokenResponse being the response of "GetTokenAsync")
  4. Possibly add the Microsoft Authentication Provider to App Service B?

Now when trying this out, I have not been able to get this running and now I have a couple of questions about what has to be done:

  1. Can I just assign any role to the Managed Identity of App Service A in App Service B? App Service B does not need any permission, just a valid token that says that the request comes from a Managed Identity.
  2. When calling "DefaultAzureCredential.GetTokenAsync" what scopes do I have to provide with "TokenRequestContext"?
    1. For testing purposes I have tried to specify different GUIDs and URLs. For example the application ID of App Service A which - when executed from Visual Studio - returns an error AADSTS: "AppId: 'x' can not use Managed Service Identity (MSI) as audience..."
      (Since "DefaultAzureCredential" should use my signed-in account when executing from Visual Studio, I also made sure that my account has been assigned a role, too)
  3. When calling App Service B using Grpc, does it automatically detect the Authorization Header? If not, is this why I have to add the Microsoft Authentication Provider to App Service B? And if so, how would I configure it?
    1. I have already tried to configure the Microsoft Authentication Provider, but I don't know how to configure it. For example, can I use "Allow requests from any application" in combination with "Allow requests from specific identities"? The latter makes a new field, "Allowed identities", appear, in which I can put any string. What would I need to put in there? The object ID of the Managed Identity?

Any help would be greatly appreciated.
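For the client side of the procedure in the question (steps 3.1 to 3.3), here is an added example, not code from the question or from Microsoft, of acquiring the token with DefaultAzureCredential and attaching it to every Grpc.Core call as call credentials rather than by hand-building Metadata per request. It assumes App Service B is fronted by an app registration whose Application ID URI is api://<client-id>, so the scope string is a placeholder to replace with that registration's client ID; the host name in the usage comment is hypothetical.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Grpc.Core;

// Added example. Scope assumes App Service B's app registration exposes
// the Application ID URI api://<client-id>; replace the placeholder.
public sealed class ManagedIdentityGrpcAuth
{
    private const string Scope = "api://<APP-SERVICE-B-CLIENT-ID>/.default"; // placeholder
    private readonly TokenCredential _credential = new DefaultAzureCredential();
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private AccessToken _cached; // struct; Token is null until first acquisition

    // Returns a cached token and refreshes it five minutes before expiry,
    // so a long-running web job never sends an expired bearer token.
    public async Task<string> GetBearerTokenAsync(CancellationToken ct)
    {
        if (_cached.Token != null && _cached.ExpiresOn > DateTimeOffset.UtcNow.AddMinutes(5))
            return _cached.Token;

        await _gate.WaitAsync(ct).ConfigureAwait(false);
        try
        {
            if (_cached.Token == null || _cached.ExpiresOn <= DateTimeOffset.UtcNow.AddMinutes(5))
                _cached = await _credential
                    .GetTokenAsync(new TokenRequestContext(new[] { Scope }), ct)
                    .ConfigureAwait(false);
            return _cached.Token;
        }
        finally { _gate.Release(); }
    }

    // Channel credentials that add "Authorization: Bearer <token>" to every call.
    // Grpc.Core only sends call credentials over TLS, hence SslCredentials.
    public ChannelCredentials BuildChannelCredentials()
    {
        var callCreds = CallCredentials.FromInterceptor(async (context, metadata) =>
        {
            var token = await GetBearerTokenAsync(CancellationToken.None).ConfigureAwait(false);
            metadata.Add("Authorization", $"Bearer {token}");
        });
        return ChannelCredentials.Create(new SslCredentials(), callCreds);
    }
}

// Usage (hypothetical host name):
// var channel = new Channel("app-service-b.azurewebsites.net", 443,
//                           new ManagedIdentityGrpcAuth().BuildChannelCredentials());
```

When run from Visual Studio, DefaultAzureCredential picks up the signed-in developer rather than the managed identity, so the token's issuer, audience and roles should be inspected (for example by decoding its payload) before concluding that the App Service B side is misconfigured.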
