How do i protect Web API

Question

How do i protect Web API

Keith Viking 20

Hi

I'm taking some training courses on Azure and Web API.

I need to protect my Web Api which has been built on Visual Studio 2022 with all the latest versions, updates installed and selected (except i didnt select .Net 7).

I saw these samples

https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2

but i dont know which one i need to select and use for my basis.

I need to have the Api protected so a user does not need to login but rather the application takes care of that utilising oauth2.

I have read, it maybe Identity Server i need to use or Azure and register an app however the courses and books i have display completely different options and layouts.

Please could someone guide me, what to do in order to have Identity, Azure setup for this requirement (token based i presume) and which project i should select from the above repository to get started protecting my Web API.

Answer 1

Bruce (SqlWork.com) 48,481

the samples you link to all have different features.

sample 4 is the one you want. it has both a client web site that uses oauth login and a sample web api site that uses jwt bearer tokens. the variants are for if the client is in your ad, a business to business ad, or a multi-tenant ad.

all the sample uses azure ad and require you have an azure ad account.

Keith Viking 20 Reputation points

2023-05-02T16:41:59.2966667+00:00

Hi so under that project there are another 3 solutions. I would like Azure/identity server as the bearer/token. I don't want anyone to be able to login other than access for the application. Which would be the correct solution to analyse please
Bruce (SqlWork.com) 48,481 Reputation points

2023-05-02T17:35:54.4433333+00:00

you don't specify your requirements. are clients required to use your login server to get a token? are you a business to business. do you only need the token to access graph api?

if you want them to use your azure ad to get an acess token, or only your web site (which uses your ad) will call your Web API, then you want the myorg example.

as it a s Web API, a common approach with azure ad is to define a client app with permissions and use a clientid and secret or certificate to get the access token.

https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis
Keith Viking 20 Reputation points

2023-05-02T19:27:10.14+00:00

Hi, yes a client ID and secret is what I want to do. I want this to be based on Azure AD (Active Directory) but I don't want them to be able to use any email. It's purely an WebApi to use to get and post data using the credentials I provide with jwt. I think from your last reply it seems the link you posted is where I need to start and create the account accordingly but using the example 4-1-MyOrg. I also noted the example is using MVC style approach but that shouldn't make any difference if I'm using .Net 6 Web API? I could still use the same code for my application? Thank you
Bruce (SqlWork.com) 48,481 Reputation points

2023-05-02T20:14:22.0633333+00:00

you register an app. then you define a secret (probably one per client). the client you uses azure oauth to get the token anyway they want. see:

https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-configuration
Keith Viking 20 Reputation points

2023-05-02T20:25:59.5733333+00:00

Sorry a little confused. The original links I provided and the ones you confirmed all seemed to be targeting. Net6. The last link isn't. I don't want to use . Net 4 but I thought the sample apps were enough for me to look into rather than going back a version? I thought the repositories I posted above were good projects/samples for me to use once I have Azure client credentials setup and also good for jwt?

Answer 2

Tiny Wang-MSFT 1,466 Microsoft Vendor

Hi @Keith Viking , first of all, this is the tutorial for using Azure AD to protect the Web API. Here's the detailed steps of what we need to do.

Going to Azure AD to register an Azure AD app, no need to set redirect URL.
Create a client secret for authorization, copy and save the secret value here.

User's image

Exposing an API, since you don't want a user to sign in, so you have to use client credential flow to generate access token, therefore you need to create a role instead of creating a scope.

User's image

Add API permission.

User's image

Change Web API code. For a new .net 7 web API, having code below in the Program.cs, and add configurations in appsettings.json. Don't forget to add [Authorize] attribute in Controller.

using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.

builder.Services.AddControllers();
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddEndpointsApiExplorer();
....
....
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();


"AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "ClientId": "azure_ad_app_client_id",
    "ClientSecret": "client_secret",
    "Domain": "tenant_id",
    "TenantId": "tenant_id", 
    "Audience": "api://client_id"
  },

Generate access token and calling the Web API. We can use code below to generate access token. We can also send http request to generate the token.

using Azure.Identity;

var scopes = new[] { "https://client_id/.default" };
var tenantId = "tenant_name.onmicrosoft.com";
var clientId = "your_azuread_clientid";
var clientSecret = "client_secret";
var clientSecretCredential = new ClientSecretCredential(
    tenantId, clientId, clientSecret);
var tokenRequestContext = new TokenRequestContext(scopes);
var token = clientSecretCredential.GetTokenAsync(tokenRequestContext).Result.Token;

//or send post request
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token HTTP/1.1 
Content-Type: application/x-www-form-urlencoded 
client_id=azure_ad_client_id
&scope=https://client_id/.default 
&client_secret=client_secret
&grant_type=client_credentials

User's image

Finally using the token we got to call the web API:

User's image

=============================================

If the answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Best Regards,

TinyWang

Tiny Wang-MSFT 1,466 Reputation points Microsoft Vendor

2023-05-03T07:24:23.66+00:00

We need to register an Azure AD app and expose at least one scope/app role. In your requirement it should be a role but not a scope, and now assuming we have a role named myrole. Then in our WEB API we integrate this AAD app, so that only when we use an access token which containing claim roles:[ myrole ] in the API request then we can call the API, or we will get 401 error. The method including how to register an AAD app, how to expose a role API, how to integrate AAD into WEB API project, how to generate an access token containing correct roles claim are all in my post above. You can also read the official documents for more details.
Keith Viking 20 Reputation points

2023-05-03T17:13:39.59+00:00

Hi so no need to create a scope? Only an appRole through the manifest file?
Tiny Wang-MSFT 1,466 Reputation points Microsoft Vendor

2023-05-04T01:38:07.77+00:00

Yes, we don't need to create a scope in your scenario, because you want to use client credential flow. With client credential flow, we can generate an access token which only has roles claim and doesn't have scp cliam. So even you created a scope, it makes no sense for client credential flow. Whenever you want to have a user sign in first and generate access token, then a scope is required. From another side to see this question, when we want to generate an access token without let user sign in, we must use client credential flow which scope used in the request should be xxxx/.default, while using other flows which requiring user to sign in, the scope we use in the request should be xxxx/scope_name.
Keith Viking 20 Reputation points

2023-05-05T15:37:40.0433333+00:00

Hi i got to the stage where you wrote

therefore you need to create a role instead of creating a scope.

But i dont have App Roles like you have? Where can i find this option
Tiny Wang-MSFT 1,466 Reputation points Microsoft Vendor

2023-05-08T01:33:08.5066667+00:00

Hi @Keith Viking roles can be added in Azure AD instance -> App roles blade, you can see this view in my sreenshoot above.
Keith Viking 20 Reputation points

2023-05-08T07:27:19.5+00:00

Hi yes i saw that in your screenshot but i dont have access to that option. Even when i search Azure the option App Roles doesnt show.

I tried adding it through the Manifest file but i can only add user and not Application. I created a new thread on this https://learn.microsoft.com/en-us/answers/questions/1277116/how-to-add-app-role-for-api
Tiny Wang-MSFT 1,466 Reputation points Microsoft Vendor

2023-05-08T07:34:15.7866667+00:00

Hi @Keith Viking , does your account have the admin permission? I'm afraid you don't have admin permission so that you can't manage the role. You may switch to an admin account to do this operation. (I mean Application Administrator or global Administrator)
Keith Viking 20 Reputation points

2023-05-08T07:37:33.26+00:00

Hi thats a good point.... I am logged in as an admin, is there anyway for me to determine if the account is an Admin? I seem to have access to everything else?

I create a New App Registration and then on the side panel i dont see App Roles (under the registration i created)
Tiny Wang-MSFT 1,466 Reputation points Microsoft Vendor

2023-05-08T08:38:25.8333333+00:00

Azure AD -> Users ->choose your account ->Assigned roles. You can see screenshot of my account, I have global admin.
Keith Viking 20 Reputation points

2023-05-09T16:00:56.43+00:00

@Tiny Wang-MSFT I am listed as a Global Admin

I have posted a new question at https://learn.microsoft.com/en-us/answers/questions/1281097/why-is-app-roles-missing
Tiny Wang-MSFT 1,466 Reputation points Microsoft Vendor

2023-05-12T05:21:47.3466667+00:00

Hi，just like what Bruce said, B2C tenant doesn't support APP roles and that's why you don't have that blade.

How do i protect Web API

2 answers

Activity