Web apps call web api on-behalf-of signed in user: Missing solution for pure web front-ends

asked 2020-01-02T13:04:59.763+00:00
Thanh Binh Nguyen 1 Reputation point

Hi,
I have a razor web page that calls a web api and display the result on the page. The razor page signs the user in and calls the web api on-behalf-of the user. The authentication is done via Azure AD. I have read the section on "web apps call web api" by Microsoft, but this does not apply to my case, because my razor page is a pure web front-end and thus there are no controllers. This is not clear how to adapt the solution presented in this section to my case. I would appreciate any help very urgently as I got stuck on this issue for months now.

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,574 questions
{count} votes

2 answers

Sort by: Most helpful
  1. answered 2020-01-02T17:56:15.497+00:00
    Joffrey NURIT 196 Reputation points

    Hi @Thanh Binh Nguyen ,

    If i understand your need correctly, you want to use AzureAD authentication in pure javascript and don't use .Net code.

    If possible, I'd like to change your mind about that. Use javascript to launch front call to external API can be dangerous for your security. You need to protect call to external website explicitly, and a lot of information are available to public.
    If you use a controller, it will be more simple to you, because .Net code for connect to Azure AD are easy to find. And you improve your application security.

    I hope it will help.

    No comments

  2. answered 2020-01-03T08:24:52.093+00:00
    Thanh Binh Nguyen 1 Reputation point

    Hi @Joffrey NURIT ,
    There is no javascript in my app. The api calls are done in the razor page using C# code. My razor app follows MVVM, not MVC and thus there are no controllers. For more details, you can find the differences between these two approaches here: https://stackify.com/asp-net-razor-pages-vs-mvc/

    As we do not have controllers, we cannot use the solution in the mentioned section above. And it is not easy to adapt to our case.