Our customer has an on-premise application that has a web API. They have exposed this API through Azure Application Proxy, and given us credentials to use. Furthermore, the API has its own credentials using basic authentication.
The Azure credentials work fine when using a browser and accessing the on-premise application, even the web API in combination with the basic auth.
But we need to access this API with a scheduled job, and without user interaction. I thought OAuth 2.0 Resource Owner Password Credentials (ROPC) would work in this case. I have written a console application that tries to log on to Azure using ROPC:

    using System;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Text;
    using Newtonsoft.Json.Linq;

    // Token is a class with an access_token property (not shown in the post).
    var client = new HttpClient();

    // ROPC token request: form-encoded body sent to the v2.0 token endpoint.
    var payload = new StringContent(
        "client_id={...}" +
        "&scope={...}" +
        "&username={...}" +
        "&password={...}" +
        "&client_secret={...}" +
        "&grant_type=password",
        Encoding.UTF8,
        "application/x-www-form-urlencoded"
    );
    var uri = new Uri("https://login.microsoftonline.com/{...}/oauth2/v2.0/token");
    var response = client.PostAsync(uri, payload).Result;
    if (response.IsSuccessStatusCode)
    {
        var result = response.Content.ReadAsStringAsync().Result;
        var token = JObject.Parse(result).ToObject<Token>();

        // Call the published application with the Azure AD access token.
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token.access_token);
        response = client.GetAsync("https://{...}.msappproxy.net/{...}").Result;
        if (response.IsSuccessStatusCode)
            Console.WriteLine("OK");
        else
            Console.WriteLine(response.ReasonPhrase);
    }
    else
        Console.WriteLine(response.ReasonPhrase);

The request to microsoftonline returns a token. If I change the credentials it returns 400 Bad Request, which means that the correct credentials are working fine.
The problem occurs when I try to access the on-premise application via msappproxy.net. As a test I’m trying to access a resource that is outside the API and does not need any authorization. But I am only getting a Microsoft login page in return.
Is there something I have misunderstood here? Is it possible to use ROPC to log on to Azure App Proxy? And if so, how is it possible to access the API with basic auth? I can’t find a way to combine both Bearer (Azure) and Basic (on-premise API) in the same request.
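
An added diagnostic, not code from the original post: a token request that succeeds proves the credentials, not that the token was issued for the resource being called, so this decodes the access token's payload and compares its `aud` claim with the audience the called application expects. The class and method names, the expected-audience value and the sample token are constructed for illustration; Newtonsoft.Json is assumed because the post already uses `JObject`.

```csharp
using System;
using System.Linq;
using System.Text;
using Newtonsoft.Json.Linq;

static class Program
{
    // Decode the payload (second segment) of a compact JWT. The signature is NOT
    // validated: this is for diagnosis only, never for a trust decision.
    static JObject ReadClaims(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("Expected a JWT with three segments.");
        var s = parts[1].Replace('-', '+').Replace('_', '/');   // base64url -> base64
        if (s.Length % 4 == 1)
            throw new FormatException("Invalid base64url length.");
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return JObject.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(s)));
    }

    // Returns null when the token was issued for expectedAudience,
    // otherwise a message naming the audience and scopes it actually carries.
    static string CheckAudience(string jwt, string expectedAudience)
    {
        var claims = ReadClaims(jwt);
        var aud = claims["aud"];
        // "aud" may be a single string or an array of strings.
        var audiences = (aud is JArray arr) ? arr.Values<string>() : new[] { (string)aud };
        bool match = audiences.Any(a => string.Equals(a?.TrimEnd('/'),
            expectedAudience.TrimEnd('/'), StringComparison.OrdinalIgnoreCase));
        return match ? null
            : $"aud={string.Join(",", audiences)} scp={(string)claims["scp"]}, expected {expectedAudience}";
    }

    // Build one base64url segment for the constructed sample token below.
    static string Segment(string json) => Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
        .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Constructed sample token (not a real one); log claims, never the raw token.
        var jwt = Segment("{\"alg\":\"none\"}") + "."
            + Segment("{\"aud\":\"api://constructed-other-app\",\"scp\":\"user_impersonation\"}") + ".sig";
        Console.WriteLine(CheckAudience(jwt, "api://constructed-app-proxy-app") ?? "audience matches");
    }
}
```

In the console application above, `CheckAudience` would be called with `token.access_token` right after the token response is parsed.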