Azure App Proxy and OAuth 2.0 ROPC

Thomas Teslo 1 Reputation point
2021-01-20T12:53:59.997+00:00

Our customer has an on-premise application that has a web api. They have exposed this api through Azure Application Proxy, and given us credentials to use. Furthermore, the api has its own credentials using basic authentication.

The Azure credentials work fine when using a browser and accessing the on-premise application, even the web api in combination with the basic auth.

But we need to access this api with a scheduled job, and without user interaction. I thought an OAuth 2.0 Resource Owner Password Credentials (ROPC) grant would work in this case. I have written a console application that tries to log on to Azure using the ROPC:

using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using Newtonsoft.Json.Linq;

var client = new HttpClient();

// FormUrlEncodedContent URL-encodes each value, so a password or secret
// containing '&', '=' or '+' is sent intact (plain string concatenation would not).
var payload = new FormUrlEncodedContent(new Dictionary<string, string>
{
    ["client_id"] = "{...}",
    ["scope"] = "{...}",
    ["username"] = "{...}",
    ["password"] = "{...}",
    ["client_secret"] = "{...}",
    ["grant_type"] = "password"
});

// Tenant-specific v2.0 token endpoint.
var uri = new Uri("https://login.microsoftonline.com/{...}/oauth2/v2.0/token");

var response = client.PostAsync(uri, payload).Result;

if (response.IsSuccessStatusCode)
{
    var result = response.Content.ReadAsStringAsync().Result;
    var token = JObject.Parse(result).ToObject<Token>();

    // Present the Azure AD access token to Application Proxy as a Bearer token.
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token.access_token);

    response = client.GetAsync("https://{...}.msappproxy.net/{...}").Result;

    if (response.IsSuccessStatusCode)
        Console.WriteLine("OK");
    else
        Console.WriteLine(response.ReasonPhrase);
}
else
    Console.WriteLine(response.ReasonPhrase);

// Shape of the token endpoint's JSON response (only the field used above).
class Token
{
    public string access_token { get; set; }
}

The request to microsoftonline returns a token. If I change the credentials it returns 400 Bad Request, which means that the correct credentials are working fine.

The problem occurs when I try to access the on-premise application via msappproxy.net. As a test I'm trying to access a resource that is outside the api and does not need any authorization. But I am only getting a Microsoft login page in return.

Is there something I have misunderstood here? Is it possible to use ROPC to log on to Azure App Proxy? And if so, how is it possible to access the api with basic auth? I can't find a way to combine both Bearer (Azure) and Basic (on-premise api) in the same request.


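The token-request side of the flow in the question, as an added Python example that is not code from the question or from Microsoft: it form-encodes the ROPC request so that special characters in the password or client secret survive, parses the token endpoint's success or error JSON, and decodes the returned JWT's claims without verifying it so you can check locally which audience (`aud`) the token was issued for, on the assumption (not something the page establishes) that a token issued for the wrong audience is one reason App Proxy would answer with its login page. Tenant, client id, audience and credentials are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_ropc_request(tenant, client_id, client_secret, scope, username, password):
    """Return (url, form-encoded body) for a v2.0 ROPC token request.
    urlencode() percent-encodes '&', '=', '+' and '%' inside the password or
    secret; plain string concatenation would corrupt such values."""
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "username": username,
        "password": password,
        "grant_type": "password",
    }
    return TOKEN_URL.format(tenant=tenant), urlencode(form)


def parse_token_response(body):
    """Return (access_token, None) on success, or (None, 'error: description')
    for the JSON error object the token endpoint returns with HTTP 400."""
    data = json.loads(body)
    if "access_token" in data:
        return data["access_token"], None
    return None, f"{data.get('error')}: {data.get('error_description')}"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_claims(token):
    """Decode the JWT payload WITHOUT checking the signature. Use it only to
    inspect 'aud'/'scp' locally; never as an authorization decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def make_unsigned_jwt(claims):
    """Constructed sample token (alg=none, empty signature) for offline use."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


# Constructed sample values; tenant, client id, audience and secrets are placeholders.
SAMPLE_URL, SAMPLE_BODY = build_ropc_request(
    "contoso.example", "00000000-0000-0000-0000-000000000000", "s3cr&t=",
    "api://app-proxy-placeholder/.default", "job@contoso.example", "p&ss=word+1")
SAMPLE_TOKEN = make_unsigned_jwt({"aud": "api://app-proxy-placeholder", "scp": "user_impersonation"})
```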
1 answer

JamesTran-MSFT 36,541 Reputation points Microsoft Employee
2021-01-23T00:11:42.41+00:00

@Thomas Teslo
Thank you for the detailed post!

Based on our documentation, the Microsoft identity platform endpoint only supports ROPC for Azure AD tenants, not personal accounts. This means that you must use a tenant-specific endpoint, i.e. https://login.microsoftonline.com/{TenantId_or_Name}, or the organizations endpoint.

If you're using hybrid identity federation, this isn't supported with ROPC. If users are full-page redirected to an on-premises identity provider, Azure AD is not able to test the username and password against that identity provider. Pass-through authentication is supported with ROPC, however.

Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

I hope this helps! If this isn't your scenario and you require additional assistance, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
