Is the only way to allow access to an Azure app service hosted ASP.Net web api by configuring the middleware to accept open id authentication tokens from Azure?

Anthony Phillips 0 Reputation points
2023-07-21T14:12:13.9266667+00:00

I have an ASP.NET MVC application hosted in Azure App Service. The communication between the UI and API works by default I'm assuming because of 'Easy Auth'. The UI is deployed to the wwwroot and the api is deployed to a virtual directory 'api'. I need to be able to send requests to my API from IOT devices and even Postman for that matter but I'm receiving a 401 Unauthorized message. Is configuring my middleware to accept azure ad tokens the only path forward here? I'd hate to have to do that because that would mean I would have to refactor the UI to be able to use MSAL to authenticate in order to pass tokens to the API as well.

The other option I'm aware of is API Management, but wanted to see if there was something I could possibly configure in the Portal to make this work before going that route.

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
2,296 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,312 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Ben Gimblett 4,545 Reputation points Microsoft Employee
    2023-07-27T13:40:57.48+00:00

    Hi
    Its not clear to me from the question if you've configured and are using easy auth explicitly

    Doing so would apply to the web app itself REF https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization

    If you have more than one web app per hosting plan (to manage costs) then you can configure easyauth and a corresponding app registration for each

    Equally, you can use microsoft.identity if you want more control - or to test auth outside of the app service hosting (personally speaking this is my prefer method)

    What I would really try and avoid, unless you have a very good reason for doing so, is use virtual directories. Yes, it is technically possible to do so with App service , but in my experience working with customers it can also add unwanted complexity. It isn't exactly an anti-pattern (in my opinion) but at least in the customer facing team I work for, we don't recommend it either.

    Remember that each web app you create on a hosting plan has its own configuration (including easy auth if you choose to use it) can leverage it's own slots and settings and has process isolation.

    Each web app on a plan share compute resources and scale out together

    From the detail you've provided I think it would make more sense to have API and UI each on their own web app. These apps could be under the same plan, OR a different plan depending on whether you want it to scale the same or differently to the main MVC app and depending on cost - an extra hosting plan would incur extra costs.

    Hope that helps

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.