Azure App Proxy Bearer Token

Question

My use case is to authenticate to azure proxy app from client api.
I am able to get token for "app registration" (pic1), but my proxy app does not recognize that token (pic2).
On azure site I created app and gave permission to my azure proxy app for scope user impersonation
What I missed or if I should take different approach to achieve that?

Answer 1

Hello @Darius Basznianin ,

Thanks for reaching out.

Here are detailed guidance on accessing published proxy application through Native application programmatically.

To give your native app access to interact with published backend web API: https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-secure-api-access

To give your native app access to interact with published backend web applications: https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-configure-native-client-application

In addition to that, I could see you are using "Resource Owner Password Credentials (ROPC)" flow (grant_type=password) which is not recommends because in this flow user password sent in HTTP header which carries risks so try using more secure alternatives flows.

This ROPC flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can't be used.

Hope this helps.

------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

When I took that example from ms page and adjusted configuration to my app it works.
https://github.com/jeevanbisht/API-NativeApp-ADAL-SampleApp

Great and thanks.

Answer 3

I have different question. An example native app uses below method to get token:

var result = await authContext.AcquireTokenAsync(proxyId, appId, redirectUri, new PlatformParameters(PromptBehavior.Auto)); 

Method acquires AccessToken, but who exactly is authenticated? Is there a way to authenticate specific user? I tried and do not see a way to do it.

I tried also do it for client credentials and was able acquire token but it does not work for application proxy

var result = await authContext.AcquireTokenAsync(appId, clientCredential); 

How to acquite a token for native app but with client secret kwy or user and password?

Answer 4

I figured out how to authenticate as an user to client app. To do it during register client app you need to select account in this organizational directory and next in Authentication select "Enable public client flows".

Next you need to adjust code to this version:

        var tenant = "xxx";  
        var appId = "xxx"; // app proxy  
        var clientId = "xxx"; // app  
        var proxyUrl = "https://xxx.msappproxy.net/";  
        var authContext = new AuthenticationContext($"https://login.microsoftonline.com/{tenant}");  
        var securePassword = new SecureString();  
        foreach (var c in "xxx")  
            securePassword.AppendChar(c);  
        var result = await authContext.AcquireTokenAsync(appId, clientId, new UserPasswordCredential("******@xxx.com", securePassword));