Should the GUI and API be registered as separate applications in Azure Active Directory?

Question

Should the GUI and API be registered as separate applications in Azure Active Directory?

Keiichi Hikita 41

I am developing an API to authenticate with Azure Active Directory and a GUI to draw from it.
The GUI will be implemented as a Single Page Application (SPA) and the API will be executed from this SPA.
Both the API and GUI will be authenticated with Azure Active Directory.

I would like to know what is a good practice in this kind of pattern. When registering an application with this kind of configuration on Azure Active Directory, should the GUI and API be registered as different applications?

It seems to me that registering them as the same application (same client ID for API and GUI) would not cause any problems if we only look at the behavior.

We would like to determine whether we should separate the GUI and API as applications based on practices (e.g., from a security perspective, etc.).

Thanks,
Keiichi Hikita

James Hamil 27,221 Reputation points Microsoft Employee Moderator

2022-04-22T21:50:14.887+00:00

Hi @Keiichi Hikita , what do you mean when you say "API to authenticate with Azure Active Directory?" Is it an API for something you've made, and you want users to access the API through Azure authentication? How will the GUI draw from it? Please let me know and I can help you further.

Best,
James
Keiichi Hikita 41 Reputation points

2022-04-25T00:39:29.743+00:00
Hi @James Hamil

Thanks for your reply.

What I would like to do are as follow.

Implement both API and GUI as my own application (node.js)

The GUI will be implemented as a SIngle Page Application and this GUI will run the API

The GUI will authenticate with OpenID Connect in Azure AD. In this case, I will use code-flow. In other words, GUI-based authentication.

The GUI executes the API using the idToken retrieved in step 3 above.

In addition to the GUI, there are two other external systems that use this API for automatic integration (like a cron job). So we would like to authenticate these using only client_secret so that these two systems can authenticate without GUI.

Please have a look at attached diagram.

In such a case, I am wondering whether I should use different client_id(s) for the GUI and the API or use same one.(Both can work in principle)

Accepted answer

0 additional answers

Your answer

James Hamil 27,221 Reputation points Microsoft Employee Moderator

2022-04-22T21:50:14.887+00:00

Hi @Keiichi Hikita , what do you mean when you say "API to authenticate with Azure Active Directory?" Is it an API for something you've made, and you want users to access the API through Azure authentication? How will the GUI draw from it? Please let me know and I can help you further.

Best,
James
Keiichi Hikita 41 Reputation points

2022-04-25T00:39:29.743+00:00

Hi @James Hamil

Thanks for your reply.

What I would like to do are as follow.

Implement both API and GUI as my own application (node.js)

The GUI will be implemented as a SIngle Page Application and this GUI will run the API

The GUI will authenticate with OpenID Connect in Azure AD. In this case, I will use code-flow. In other words, GUI-based authentication.

The GUI executes the API using the idToken retrieved in step 3 above.

In addition to the GUI, there are two other external systems that use this API for automatic integration (like a cron job). So we would like to authenticate these using only client_secret so that these two systems can authenticate without GUI.

Please have a look at attached diagram.

In such a case, I am wondering whether I should use different client_id(s) for the GUI and the API or use same one.(Both can work in principle)

Answer 1

James Hamil 27,221 Microsoft Employee Moderator

Hi @Keiichi Hikita , thank you so much for your detailed response. Everything you suggested would work well for your cause. However, I think having 2 apps would serve you better!

A lot of customers only use 1 app because it's usually simpler. But in the long term for both security and maintenance reasons having 2 apps can make this a lot easier and safer.

As far as security goes, I usually recommend this document on best practices. Not all of the info there is pertinent to your case, but it is good to know generally.

Please let me know if you have any more questions, or you need help setting anything up!

If this answer helped you please mark it as "Verified" so other users can reference it.

Thank you,
James

Keiichi Hikita 41 Reputation points

2022-04-25T23:00:43.603+00:00

Hi @James Hamil

Thank you for the very helpful information!
I will first try to separate the two applications and operate them separately.

Thank you very much for your help.

Thank you,
Keiichi Hikita

Share via

Should the GUI and API be registered as separate applications in Azure Active Directory?

0 additional answers

Your answer