Azure App Proxy Bearer Token

Darius Basznianin 1 Reputation point
2021-10-05T15:33:47.71+00:00

My use case is to authenticate to an Azure proxy app from a client API.
I am able to get a token for the "app registration" (pic1), but my proxy app does not recognize that token (pic2).
On the Azure site I created an app and gave it permission to my Azure proxy app for the scope user impersonation.
What did I miss, or should I take a different approach to achieve that?

4 answers

  1. Siva-kumar-selvaraj 15,601 Reputation points
    2021-10-06T06:33:06.503+00:00

    Hello @Darius Basznianin ,

    Thanks for reaching out.

    Here is detailed guidance on accessing a published proxy application through a native application programmatically.

    To give your native app access to interact with published backend web API: https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-secure-api-access

    To give your native app access to interact with published backend web applications: https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-configure-native-client-application

    In addition to that, I could see you are using the "Resource Owner Password Credentials (ROPC)" flow (grant_type=password), which is not recommended because in this flow the user password is sent in the HTTP header, which carries risks, so try using more secure alternative flows.

    This ROPC flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can't be used.

    Hope this helps.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

  2. Darius Basznianin 1 Reputation point
    2021-10-06T14:25:52.403+00:00

    When I took that example from the MS page and adjusted the configuration to my app, it works.
    https://github.com/jeevanbisht/API-NativeApp-ADAL-SampleApp

    Great and thanks.

  3. Darius Basznianin 1 Reputation point
    2021-10-06T20:43:53.157+00:00

    I have a different question. The example native app uses the method below to get a token:

    var result = await authContext.AcquireTokenAsync(proxyId, appId, redirectUri, new PlatformParameters(PromptBehavior.Auto)); 
    

    The method acquires an AccessToken, but who exactly is authenticated? Is there a way to authenticate a specific user? I tried and do not see a way to do it.

    I also tried to do it with client credentials and was able to acquire a token, but it does not work for the application proxy:

    var result = await authContext.AcquireTokenAsync(appId, clientCredential); 
    

    How do I acquire a token for a native app but with a client secret key or a user and password?

  4. Darius Basznianin 1 Reputation point
    2021-10-08T16:36:54.633+00:00

    I figured out how to authenticate as a user to the client app. To do it, when registering the client app you need to select accounts in this organizational directory, and next, in Authentication, select "Enable public client flows".

    Next you need to adjust the code to this version:

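            // Requires: using System.Security;
            //           using Microsoft.IdentityModel.Clients.ActiveDirectory;
            var tenant = "xxx";
            var appId = "xxx"; // app proxy (passed as the resource the token is requested for)
            var clientId = "xxx"; // app (the registered public client)
            var proxyUrl = "https://xxx.msappproxy.net/";
            var authContext = new AuthenticationContext($"https://login.microsoftonline.com/{tenant}");
            // Copy the user's password into a SecureString for UserPasswordCredential
            var securePassword = new SecureString();
            foreach (var c in "xxx")
                securePassword.AppendChar(c);
            // Username/password (ROPC) token request: resource, client ID, user credential
            var result = await authContext.AcquireTokenAsync(appId, clientId, new UserPasswordCredential("xxx@xxx.com", securePassword));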
    

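Added example (not from the thread or from the linked Microsoft sample): a Python helper that decodes an access token's claims, without verifying the signature, to see which resource (`aud`) and which identity a token was issued for. This is relevant to the questions above about a token the proxy app does not recognize and about who is authenticated. The GUIDs, the user name and the tokens are constructed placeholders, and treating `user_impersonation` as the required scope is an assumption based on the permission named in the question.

```python
import base64
import json

def _b64url(segment: str) -> bytes:
    # JWT segments are base64url with padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def read_claims(token: str) -> dict:
    """Decode a JWT payload for diagnostics only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url(parts[1]))

def diagnose(token: str, expected_audiences: set, scope: str = "user_impersonation") -> dict:
    claims = read_claims(token)
    delegated = "scp" in claims          # delegated (user) tokens carry scp
    findings = []
    if claims.get("aud") not in expected_audiences:
        findings.append(f"aud={claims.get('aud')!r} is not the proxy app")
    if not delegated:
        findings.append("no scp claim: app-only token, no signed-in user")
    elif scope not in claims["scp"].split():
        findings.append(f"scp lacks {scope!r}")
    return {
        "audience": claims.get("aud"),
        "client": claims.get("appid") or claims.get("azp"),   # v1 / v2 claim name
        "user": claims.get("upn") or claims.get("preferred_username"),
        "delegated": delegated,
        "findings": findings,
    }

def make_sample(payload: dict) -> str:
    # Builds a constructed, unsigned token so the demo runs offline.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(payload), "constructed"])

# Placeholder identifiers (assumptions, not values from the thread).
PROXY_APP = "00000000-0000-0000-0000-00000000aaaa"
CLIENT_APP = "00000000-0000-0000-0000-00000000bbbb"
USER_TOKEN = make_sample({"aud": PROXY_APP, "appid": CLIENT_APP,
                          "upn": "user@example.com", "scp": "user_impersonation"})
APP_TOKEN = make_sample({"aud": CLIENT_APP, "appid": CLIENT_APP, "roles": []})

if __name__ == "__main__":
    for name, tok in (("user", USER_TOKEN), ("app-only", APP_TOKEN)):
        print(name, diagnose(tok, {PROXY_APP}))
```

Use this only to inspect a token while troubleshooting; the receiving service must still validate the signature, issuer and expiry.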