Accessing on-premises Azure Web App from outside Application Proxy using Client Credentials Flow

mrtwopointoh 1 Reputation point
2022-10-19T20:21:20.017+00:00

Hello,

I'm currently working with another organization that is using Azure to host and secure their web applications, and we would like to integrate my web application (self-hosted, not in Azure) with their web API (hosted with Azure, behind Application Proxy). The other organization has registered an application on my behalf in their tenancy, and provided me with the client ID and client secret. We require for my server to access their server (machine to machine) with no human intervention or use of a user account (no SSO logins, no MFA, etc.). My server runs Node.JS, but so far our tests have been using Bash and cURL.

The current flow I am attempting is as follows (with identifiable details changed):

1. Request an OAuth access token using the Client Credentials Grant:

   TOKEN=$(curl https://login.microsoftonline.com/${TENANT_ID}/oauth2/token \  
   \--header "Content-Type: application/x-www-form-urlencoded" \  
   \--data "grant_type=client_credentials" \  
   \--data "client_id=${CLIENT_ID}" \  
   \--data "client_secret=${CLIENT_SECRET}" \  
   \--data "scope=openid profile email" | jq -r .access_token)  

2. Attempt to access the Azure Web App, including the access token under the Authorization header as a Bearer token:

   curl https://${AZURE_APP_URL}/api/add-user \  
   \--header "Content-Type: application/json" \  
   \--header "Accept: application/json" \  
   \--header "Authorization: Bearer ${TOKEN}" \  
   \--data '{"user": "mary.sue", "email": "mary.sue@example.com"}' \  
   \--verbose  

Step 1 is successful, however Step 2 responds with 302 Found and a redirect to the Microsoft single sign-on webpage (https://login.microsoftonline.com/${TENANT_ID}/oauth2/authorize). We haven't found a way to get past the Application Proxy. Is it possible to pass the Application Proxy using an access token? If so, what's the proper way to do it?

Thank you!

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,764 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Akshay-MSFT 17,866 Reputation points Microsoft Employee
    2022-10-28T12:07:30.787+00:00

    Hello @mrtwopointoh ,

    In the client credentials flow, permissions are granted directly to the application itself by an administrator. When the app presents a token to a resource, the resource enforces that the app itself has authorization to perform an action since there is no user involved in the authentication but not behind application proxy.

    255112-image.png

    However, the response which you are getting is not taking you to the /consent endpoint, rather it is taking you to the "/authorize" endpoint, due to application proxy involved in between.

    I would rather suggest configuring an application instead of application proxy to access the api :

    Please do let me know if you have any further queries on this in comments section.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer" and "Upvote" if the suggestion works as per your business need. This will help us and others in the community as well

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.