Oauth2 with Microsoft Azure

Question

Oauth2 with Microsoft Azure

Mr Edge 221

Following on from my other question I've become more confused than I originally was.

My goal is to implement oauth2 using the standard given at OWASP into my WebApi core project.

I've understood oauth2 is an authorization protocol. I don't understand what Microsoft Identity or App Registration found under Microsoft Azure has to do with this? I decided to go ahead and add a new App Registration but eventually led me to add a role which doesnt exist anymore https://learn.microsoft.com/en-us/answers/questions/816637/app-role-section-missing-for-the-registered-applic

I don't want anyone with a Microsoft or Google etc public account to access this service. Only for the service to get authorization once the username and password are valid that I provide which I assume is the client username and client password that I pass into my service which then returns a token for access? Is this correct?

Does anyone have any code I could look at to secure my WebApi core in this way or how this app should be setup on Azure? Appreciating any clarity on this

RevelinoB 1,955 Reputation points

2023-04-28T10:37:49.84+00:00

Hi Mr Edge,

Yes, that's correct! If you only want to allow access to your service for users with specific credentials (username and password provided by you), you can implement a custom authentication mechanism using OAuth 2.0's "Resource Owner Password Credentials" grant type.

To secure your WebAPI Core using OAuth 2.0 and set up the app in Azure, here are some steps you can follow:

Start by referring to the official Microsoft documentation for OAuth 2.0 and Azure AD integration with ASP.NET Core. This documentation provides detailed explanations, step-by-step instructions, and code examples.

Check out the Microsoft Identity platform documentation, which covers authentication and authorization scenarios using Azure AD. You'll find code examples and guidance for different programming languages and frameworks, including ASP.NET Core.

Check out the Azure Samples GitHub repository (https://github.com/Azure-Samples) to access various sample applications and code repositories related to authentication and authorization in Azure. Look for samples specifically targeting ASP.NET Core and OAuth 2.0 to find relevant code examples which you can use in your project.

Consider checking out the Microsoft.Identity.Web library, which simplifies integrating Azure AD and securing ASP.NET Core applications. It provides ready-to-use authentication and authorization middleware that you can incorporate into your project.

I hope this helps?
Mr Edge 221 Reputation points

2023-04-28T13:49:12.87+00:00

Hi and thanks. I'm still not any further forward. What are the correct steps to configure App Registration for this purpose?

RevelinoB 1,955 Reputation points

2023-04-28T10:37:49.84+00:00

Hi Mr Edge,

Yes, that's correct! If you only want to allow access to your service for users with specific credentials (username and password provided by you), you can implement a custom authentication mechanism using OAuth 2.0's "Resource Owner Password Credentials" grant type.

To secure your WebAPI Core using OAuth 2.0 and set up the app in Azure, here are some steps you can follow:

Start by referring to the official Microsoft documentation for OAuth 2.0 and Azure AD integration with ASP.NET Core. This documentation provides detailed explanations, step-by-step instructions, and code examples.

Check out the Microsoft Identity platform documentation, which covers authentication and authorization scenarios using Azure AD. You'll find code examples and guidance for different programming languages and frameworks, including ASP.NET Core.

Check out the Azure Samples GitHub repository (https://github.com/Azure-Samples) to access various sample applications and code repositories related to authentication and authorization in Azure. Look for samples specifically targeting ASP.NET Core and OAuth 2.0 to find relevant code examples which you can use in your project.

Consider checking out the Microsoft.Identity.Web library, which simplifies integrating Azure AD and securing ASP.NET Core applications. It provides ready-to-use authentication and authorization middleware that you can incorporate into your project.

I hope this helps?
Mr Edge 221 Reputation points

2023-04-28T13:49:12.87+00:00

Hi and thanks. I'm still not any further forward. What are the correct steps to configure App Registration for this purpose?

Answer 1

RevelinoB 1,955

Hi Mr Edge,

I apologize if I caused any confusion. But the steps to configure an App Registration in Azure for the purpose of OAuth2 authentication are the following:

Sign in to the Azure portal (https://portal.azure.com).

Navigate to the Azure Active Directory (AAD) service by clicking on "Azure Active Directory" in the left-hand menu.

Click on "App registrations" to view the list of registered applications.

Click on the "New registration" button to create a new App Registration.

Provide a name for your application and choose the appropriate account type (single tenant or multi-tenant) based on your requirements.

For the "Redirect URI" field, specify the URI where the authorization server will send the user back to your application after authentication. This should be the URL of your WebAPI Core application.

Click on "Register" to create the App Registration.

Once the registration is complete, you'll be redirected to the App Registration overview page. Here, note down the "Application (client) ID" value, as this will be your client ID.

In the left-hand menu, click on "Certificates & secrets".

Under the "Client secrets" section, click on the "New client secret" button.

Enter a description for the client secret and choose an expiration option. Click on "Add" to generate the client secret.

After the client secret is generated, make sure to note it down, as this will be your client secret.

When you reached this point, you have successfully created an App Registration and obtained the client ID and client secret, which are required for your OAuth2 authentication flow. These credentials will be used to authenticate your WebAPI Core application with Azure AD.

Be aware that the above steps provide a basic setup for OAuth2 authentication using an App Registration. Depending on your specific requirements, you may need to configure additional settings, such as API permissions, user consent, and access control, to align with your application's functionality and security needs.

I hope these steps will help you with your issue?

Mr Edge 221 Reputation points

2023-04-28T15:19:22.1966667+00:00

Thats much better :-)

I selected Single tenant.

For the "Redirect URI" field, specify the URI where the authorization server will send the user back to your application after authentication. This should be the URL of your WebAPI Core application.

I didnt get this option but then clicking through the menus, i clicked Web and entered a localhost address for testing. I also ended up setting Application ID Uri which is set as

ourdomain.onmicrosoft.com/{someGUID}

Just thought to mention the above in case i have done something incorrect.

As far as i can tell i have the basics setup so 2 more questions off that

Be aware that the above steps provide a basic setup for OAuth2 authentication using an App Registration. Depending on your specific requirements, you may need to configure additional settings, such as API permissions, user consent, and access control, to align with your application's functionality and security needs.

From the documents i read i was looking for a Role Setup menu which no longer is available. Where are these settings now found?

Finally, Im using C# and Web Core API targeting .Net 6

I was looking at the link you provided for the code to tie this up with. Is this the correct project for me to reference (sorry there were too many and i just didnt want to make a mistake looking at the wrong solution)?

https://github.com/Azure-Samples/ms-identity-docs-code-dotnet

Thanks
RevelinoB 1,955 Reputation points

2023-04-28T15:32:21.9533333+00:00
Hi Mr Edge,

I cross checked and apologize for the confusion caused by outdated information. The App Roles configuration has indeed changed in the Azure portal interface. As of the latest updates, the App Roles configuration is no longer available directly in the Azure portal for App Registrations. Instead, it is managed through the application's manifest file or the Azure AD Graph API.

To configure App Roles for your App Registration, you can follow these steps:

Navigate to the Azure portal (https://portal.azure.com) and open the Azure Active Directory service.

Click on "App registrations" to view the list of registered applications.

Select the specific App Registration you want to configure the roles for.

In the left-hand menu, click on "Manifest" to open the application's manifest file.

In the manifest file, locate the "appRoles" section. If it doesn't exist, you can add it as an array within the "appRoles" field, like this:

"appRoles": [ { "allowedMemberTypes": ["User"], "displayName": "Role 1", "id": "role1", "isEnabled": true, "description": "Role 1 description" }, { "allowedMemberTypes": ["User"], "displayName": "Role 2", "id": "role2", "isEnabled": true, "description": "Role 2 description" } ]

After configuring the App Roles in the manifest file, you can assign these roles to users or groups through Azure AD. The roles can be used for authorization within your WebAPI Core application.

Please be aware that editing the manifest file directly should be done with caution, as incorrect modifications can cause issues. So make sure to validate the JSON syntax and double-check the changes made.

Alternatively, you can use the Azure AD Graph API or Microsoft Graph API to manage App Roles programmatically if you prefer an automated approach.

Again, I apologize for the outdated information, and I hope this clarifies the current process for configuring App Roles in the Azure portal.

Regarding you second question. Yes, the GitHub repository you mentioned, "Azure-Samples/ms-identity-docs-code-dotnet," is an excellent resource to refer to when implementing OAuth2 authentication using Microsoft Identity in .NET applications. It contains a collection of sample projects and code snippets that demonstrate various authentication scenarios and features provided by Microsoft Identity.

This repository covers a wide range of topics related to authentication and authorization. It includes integration with Azure AD, implementation of OAuth2 flows, enabling single sign-on, token validation, and more. You can explore the different projects and code samples to find the ones that align with your specific requirements and use them as a reference for implementing OAuth2 authentication in your WebAPI Core project.

When using this repository, make sure to review the documentation, readme files, and code comments. They provide valuable information on how to configure the necessary settings and dependencies. The code samples are generally well-documented and provide instructions to guide you through the implementation process.

Remember to adapt the code and configuration to fit your application's specific needs and security requirements. It's important to have a solid understanding of the code and the underlying security principles to ensure a secure implementation.

If you encounter any specific questions or need further assistance while working with the code samples from the repository, please feel free to ask. I'll be happy to help!

Mr Edge 221

Thank you and i think im almost there.

I reviewed the code at https://github.com/Azure-Samples/ms-identity-docs-code-dotnet/tree/main/web-api

With my code being

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.

builder.Services.AddControllers();
// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddAuthorization(config =>
{
    config.AddPolicy("AuthZPolicy", policyBuilder =>
        policyBuilder.Requirements.Add(new ScopeAuthorizationRequirement() { RequiredScopesConfigurationKey = $"AzureAd:Scopes" }));
});
var app = builder.Build();

// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}

app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();

app.Run();

My appSettings is

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "ClientId": "123",
    "TenantId": "123344"
  }
}

But no matter what i do, it displays the data. I changed the ClientID and TenantID to something incorrect but again it just returns the data.

Ive also decorated the WeatherForecast controller

    [Authorize(Policy = "AuthZPolicy")]
    [ApiController]
    [Route("[controller]")]

As per the sample app.

Have i missed something small?

RevelinoB 1,955 Reputation points

2023-04-28T16:53:44.41+00:00
Hi Mr Edge, Good to hear that your almost there. But based on the provided code and configuration in the chat, it seems you have set up the authentication and authorization middleware correctly. However, there could be a couple of potential reasons why the authorization is not working as expected.

Scope configuration: In your appSettings.json file, you have not specified the required scopes for authorization. Ensure that the "AzureAd:Scopes" configuration key in your appSettings.json file is set to the appropriate scope(s) that you want to require for authorization. For example, if your API requires the "api://your-api-app-id/scope-name" scope, you should have a corresponding entry in your appSettings.json file like this:

"AzureAd": { "Instance": "https://login.microsoftonline.com/", "ClientId": "123", "TenantId": "123344", "Scopes": "api://your-api-app-id/scope-name" }

Permissions and consent: Make sure that the client application (the one calling your WebAPI) has been granted the necessary permissions (scopes) to access the API in Azure AD. If the permissions have not been granted or consented to, the authorization may not be enforced properly.

To troubleshoot further, you try the following

Double-check that the correct ClientId and TenantId values are used in your appSettings.json file.

Verify that the required scopes are properly configured in the appSettings.json file.

Ensure that the client application has been granted the necessary permissions and consent for the API in Azure AD.

Check if any custom authorization policies or requirements are affecting the authorization process.

Furthermore, be aware that you can enable logging and examine the logs to see if there are any relevant authentication or authorization-related messages that might provide additional insights into the issue.

By reviewing these aspects, you should be able to identify any potential configuration or setup issues that might be causing the authorization to not work as expected.

I hope this will help you?
Mr Edge 221 Reputation points

2023-04-28T17:01:23.95+00:00

I did remove scopes as i didnt have any setup at this stage.

I have now replaced this with

ourdomain.onmicrosoft.com/{someGUID}

(this was from my previous message i posted above) but that just gives me a 401 no matter what i do.

How could i enable logging to see what the underlying error maybe as stepping through doesnt reveal a lot?

Many thanks for your help :-)
RevelinoB 1,955 Reputation points

2023-04-28T17:11:25.4433333+00:00
Hi Mr Edge, To enable logging for authentication and authorization in your ASP.NET Core application, you can configure the logging settings in your appSettings.json file or directly in your code.

See below an example of how you can enable logging and set the minimum log level to Debug for authentication and authorization:

{ "Logging": { "LogLevel": { "Default": "Information", "Microsoft.AspNetCore.Authentication.JwtBearer": "Debug", "Microsoft.AspNetCore.Authorization": "Debug" } }, "AllowedHosts": "*", "AzureAd": { "Instance": "https://login.microsoftonline.com/", "ClientId": "123", "TenantId": "123344", "Scopes": "api://your-api-app-id/scope-name" } }

Make sure you have the "Microsoft.AspNetCore.Authentication.JwtBearer" and "Microsoft.AspNetCore.Authorization" categories set to Debug or a lower log level to capture detailed log messages related to authentication and authorization.

Alternatively, you can configure logging programmatically in your code using the ConfigureLogging method when building the WebHost or Host:

using Microsoft.Extensions.Logging; // ... var builder = WebApplication.CreateBuilder(args); // ... builder.ConfigureLogging(logging => { logging.AddDebug(); logging.AddConsole(); logging.SetMinimumLevel(LogLevel.Debug); }); // ...

After logging is enabled, you should be able to see detailed log messages related to authentication and authorization in your console output or log files. This can help you identify any potential errors or issues during the authentication and authorization process.

Don't forget to remove or adjust the logging settings appropriately for production environments to avoid unnecessary verbosity.

I hope enabling logging will provide you with more insights into the underlying issue you're experiencing and will help solving the issue.
Mr Edge 221 Reputation points

2023-04-28T17:40:29.7133333+00:00

Perfect I'll get that set up. As I was searching around, I came across this thread thinking I may have missed off some code or something similar. https://stackoverflow.com/questions/73658327/how-to-implement-oauth2-0-authentication-token-in-asp-net-core-web-api What I would like to know is what is the difference between what was implemented on that thread compared to what I'm doing on this application
RevelinoB 1,955 Reputation points

2023-04-28T17:49:07.5233333+00:00

Hi Mr Edge, Excellent thanks for the update. Regarding the difference, I saw that in the Stack Overflow thread you shared, the approach mentioned is to manually validate and process the OAuth2 access token in the ASP.NET Core Web API controller. This involves extracting the access token from the incoming HTTP request headers, validating it, and performing any necessary authorization checks.

On the other hand, the approach you are currently following, based on the Microsoft Identity code samples and configuration, leverages the built-in authentication and authorization middleware provided by ASP.NET Core. This middleware handles the validation and processing of the access token, as well as the authorization checks, automatically.

By using the Microsoft Identity approach, you delegate the responsibility of authentication and authorization to the framework, which simplifies your code and ensures adherence to security best practices. It also provides additional features like token validation, automatic handling of authentication challenges, and integration with Azure AD.

Here are some key differences between the two approaches:

Middleware vs. manual processing: The Microsoft Identity approach uses middleware components (UseAuthentication and UseAuthorization) to handle authentication and authorization automatically. In the Stack Overflow thread, the token validation and authorization checks are performed manually in the controller code.

Integration with Azure AD: The Microsoft Identity approach seamlessly integrates with Azure AD, leveraging its features and capabilities for authentication and authorization. This includes support for Azure AD endpoints, token validation, and access control based on Azure AD policies.

Configuration and scalability: The Microsoft Identity approach allows you to configure authentication and authorization settings in a centralized manner, typically in the Startup.cs file, making it easier to manage and scale your application. In the manual approach, you need to handle configuration and validation logic within the controller code, which can become more cumbersome as your application grows.

Overall, In my perspective the Microsoft Identity approach provides a more standardized and streamlined way of implementing OAuth2 authentication in ASP.NET Core Web API applications. It leverages the built-in middleware and integration with Azure AD, reducing the amount of custom code you need to write and ensuring a more secure and maintainable implementation.

It's important to understand that the specific approach chosen may depend on your application's requirements and constraints. However, leveraging the built-in middleware and Microsoft Identity generally offers a more robust and efficient solution for OAuth2 authentication in ASP.NET Core.

I hope that answers your question?
Mr Edge 221 Reputation points

2023-04-28T18:05:34.4166667+00:00

Yes that's answered it perfectly. As far as I understand using the approach in using at present would mean, if in future this client needs to be disconnected, I could disable the client secret or change it. If on the otherhand I needed two different clients to access the same service then it would be a matter of creating a new client/secret for them to use in future? I will mark this as an answer as you've really explained well. I don't have the app working yet but I probably need more time as I'm pretty exhausted now 😔

Answer 2

Hi Mr Edge,

Yes, if you need two different clients to access the same service, you can create separate client registrations for each client in Azure AD. Each client will have its own unique client ID and client secret. By creating separate client registrations, you can manage and control the access and permissions of each client independently.

Here's the steps you could take:

In Azure AD, create a new App Registration for the additional client. This will generate a new client ID.

Configure the necessary settings for the new client, such as redirect URIs, API permissions, and other required settings.

Once the new client registration is created, you will obtain a new client ID and client secret for that client.

Update your application's configuration with the new client ID and client secret for the additional client.

By following these steps, you can allow multiple clients to access the same service with separate client credentials. Each client will authenticate using its own client ID and client secret, and you can manage their permissions and access independently.

Don't forget to securely store and manage the client secrets, as they are sensitive information that should be kept confidential.

I hope this helps you?

Oauth2 with Microsoft Azure

1 additional answer

Activity