.net core token based Authentication and Authorization in WebApi

Praveen AZ 1 Reputation point

We need to build a web API which should be authenticated and authorized based on a token sent in the headers, in .NET Core 2.1.

I am able to do authentication using an Azure AD app (client ID, client secret, tenant ID, etc.), but I want to do authorization. I have created 3 groups in Azure AD and assigned groups to the users as well.

1) How should I achieve this? It is an urgent requirement; the consumer will be another website that will send a request with a token to the web API.

2) As per my understanding, the token should be generated using user credentials instead of the Azure AD app. I am able to do authorization in the MVC app, but not in the Web API.

3) For authorization, should I or can I maintain the role mapping in a SQL table?

Any help is much appreciated.


3 answers

  1. soumi-MSFT 11,761 Reputation points Microsoft Employee

    @Praveen AZ , If I understand the ask correctly, the part that works for you is where you are doing the Client Credentials Flow of OAuth 2.0, where the application goes ahead to AAD and gets an Access Token and then submits that token to the API as a bearer token.

    In case you would want a user in place of the application, you need to go ahead and use the "Authorization Code Grant Flow of OAuth 2.0".

    You can read more about this flow here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code

    I would also suggest you go through the following link, which is about OpenID Connect: link text
    OpenID Connect is an implementation of the Authorization Code Grant Flow.

    You can also check the following GitHub sample for .NET Core using the Authorization Code Grant Flow: link text

    Hope this helps. Do let me know if there are any more queries around this so that we can help you further.


    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

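The question asks how to authorize a bearer-token request against Azure AD groups in a .NET Core 2.1 Web API, and whether the group-to-role mapping can live in a SQL table. The following is an added example, not code from the thread or from Microsoft's samples. It assumes the `Microsoft.AspNetCore.Authentication.JwtBearer` package, an API app registration in the tenant, and that the app's manifest has `groupMembershipClaims` enabled so tokens carry a `groups` claim. The tenant ID, audience and group object IDs are placeholders, and the in-memory `GroupRoleMap` is a hypothetical stand-in for the SQL lookup the question mentions.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Hypothetical mapping of Azure AD group object IDs to application roles.
// In the question's scenario this would be a SQL table; the dictionary
// stands in for that lookup so the example has no database dependency.
public static class GroupRoleMap
{
    // Placeholder object IDs: replace with the IDs of the three AAD groups.
    private static readonly Dictionary<string, string> GroupToRole = new Dictionary<string, string>
    {
        { "<object-id-of-admins-group>", "Admin" },
        { "<object-id-of-editors-group>", "Editor" },
        { "<object-id-of-readers-group>", "Reader" },
    };

    public static IEnumerable<string> RolesFor(ClaimsPrincipal principal)
    {
        // Azure AD emits one "groups" claim per group the user belongs to.
        return principal.FindAll("groups")
            .Select(c => c.Value)
            .Where(GroupToRole.ContainsKey)
            .Select(id => GroupToRole[id])
            .Distinct();
    }
}

public class Startup
{
    private const string TenantId = "<tenant-id>";             // placeholder
    private const string ApiAudience = "<api-app-client-id>";  // placeholder

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Issuer and signing keys are discovered from the tenant's metadata endpoint.
                options.Authority = $"https://login.microsoftonline.com/{TenantId}";
                options.Audience = ApiAudience;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                };
                options.Events = new JwtBearerEvents
                {
                    // Runs only after signature, issuer, audience and lifetime checks pass:
                    // translate group membership into role claims for [Authorize].
                    OnTokenValidated = ctx =>
                    {
                        if (ctx.Principal.Identity is ClaimsIdentity identity)
                        {
                            foreach (var role in GroupRoleMap.RolesFor(ctx.Principal))
                                identity.AddClaim(new Claim(ClaimTypes.Role, role));
                        }
                        return Task.CompletedTask;
                    }
                };
            });

        services.AddAuthorization(options =>
        {
            options.AddPolicy("AdminsOnly", policy => policy.RequireRole("Admin"));
            options.AddPolicy("CanRead", policy => policy.RequireRole("Admin", "Editor", "Reader"));
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must run before MVC so controllers see the validated principal
        app.UseMvc();
    }
}

[Route("api/[controller]")]
[ApiController]
public class ReportsController : ControllerBase
{
    [HttpGet]
    [Authorize(Policy = "CanRead")]
    public IActionResult Get() =>
        Ok(new { user = User.Identity.Name, roles = User.FindAll(ClaimTypes.Role).Select(c => c.Value) });

    [HttpDelete("{id}")]
    [Authorize(Policy = "AdminsOnly")]
    public IActionResult Delete(int id) => NoContent();
}
```

Two caveats worth checking in this setup. First, a token obtained with the client credentials flow described in the answer represents the application, not a user, so it carries no `groups` claim; app-only callers are authorized through app roles (the `roles` claim) instead, which is the distinction the answer draws between the two flows. Second, when a user belongs to more groups than Azure AD will embed in a token, the `groups` claim is replaced by an overage indicator and the API has to query Microsoft Graph for membership, so a mapping that only reads the claim will silently grant no roles in that case.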

  2. Praveen AZ 1 Reputation point

    Lots of information; I'll refer to these one by one.
    As I am new to all this stuff, I will ask queries in a day or two.

    1) Meanwhile, if you have any link that tells how to generate a token that also tells about the user, not the client ID and client secret (I mean an ADAL/v1 link)

    2) Another is how to validate the token for authorization; that would be great.

    I am also confused: can the consumer and the API use the same AAD app, with 2 redirect URLs?

  3. Praveen AZ 1 Reputation point

    Thanks, I found a way to authorize the user; thanks for the prompt response.
    It's ADAL and .NET Core with a bit of a different approach;
    your inputs helped me go in the right direction.