Never thought it would be so easy to secure Azure App Service API Apps with Azure AD Authentication…
I created a Web API and published it to Azure App Service as an API App. I decided to use Azure App Service's built-in Azure AD Authentication to protect the API.
So what does that mean? As an API publisher, you don't have to worry about securing your API in your code. You just develop the API and publish it to Azure App Service, which makes it available to the world. Then you enable Azure AD Authentication so that App Service authenticates the requests for you, and your API is protected without you taking on any burden for it in the code.
Though the process is fairly straightforward, I couldn't find end-to-end documentation covering everything from enabling the authentication to consuming the API by creating a token, so I thought I'd detail the steps in this blog post.
My API is a very simple one: it accepts two numbers as query parameters, adds them and returns the result.
I built the API on Visual Studio 2017 and published it to Azure App Service.
Now the API is ready to be accessed publicly. Let's see how to enable Azure Active Directory authentication to protect it.
Go to Azure Portal –> open your API from the App Services blade –> click Authentication / Authorization –> switch App Service Authentication on –> click Azure Active Directory under Authentication Providers.
Click the Express button and click OK to register the new app in Azure Active Directory.
Now an Azure AD app has been created and registered for the App Service API. But users can still access the API unauthenticated. Let's go ahead and restrict access to AD-authenticated users only. Go back to the Authentication / Authorization blade and select Log in with Azure Active Directory from the Action to take when request is not authenticated drop-down.
So now the API is protected with no code changes whatsoever: no one can access it without being properly authenticated with Azure AD. Next we have to create a Client Secret for the application that's going to call the API, so it can authenticate.
Go to Azure Portal –> Azure Active Directory –> App Registrations –> View All Applications on the App Registrations blade (if you don't see any apps already) –> select the app you just created. On the app blade, click Settings and generate a key (Client Secret) for your client app. Note that the client secret is shown only on Save. Record it securely, as you cannot see it again after you leave the blade; you have to create a new one if the secret is lost.
Let's see how to create a token to access the API from a client application using the client secret. I am using Postman to create the token and pass it in the request header when calling the API.
Click the Authorization tab –> select OAuth 2.0 from the TYPE drop-down and click the Get New Access Token button.
You need a Token Name, Grant Type, Callback URL, Auth URL, Access Token URL, Client ID (Application ID) and Client Secret (Key) to request a new token. Here is how to get them.
Token Name: Can be any name
Grant Type: Authorization Code
Callback URL: https://<Your App Service API URL>/.auth/login/aad/callback, e.g. https://######api.azurewebsites.net/.auth/login/aad/callback
Auth URL: https://login.microsoftonline.com/<Directory ID>/oauth2/authorize?resource=<Application ID>
(You can get the Directory ID from the Azure Portal. Azure Portal –> Azure Active Directory –> Properties –> Directory ID)
(You can get the Application ID from the Azure Portal. Azure Portal –> Azure Active Directory –> App Registrations –> Your App –> Application ID)
Access Token URL: https://login.microsoftonline.com/<Directory ID>/oauth2/token?resource=<Application ID>
Client ID: <Application ID>
Client Secret: the key you just created. If you missed saving it, create a new key.
Upon clicking the Request Token button, a newly generated access token is shown, which you can use in the request header for authentication. Let's go ahead and send the request with the numbers 1 and 2 as the URL parameters.
Voila! My request was authenticated successfully and the API sent back the response (the number 3).
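The same flow done from code rather than Postman, as an added example that is not part of the original post: it builds the authorize URL (with a state value against login CSRF), the form-encoded token request against the same v1 token endpoint, and the API call with the token in the Authorization header. The tenant id, app id, secret, API host and the /api/add path are assumed placeholders, not values from the post.

```python
"""OAuth2 authorization-code flow against the Azure AD v1 endpoints used in the post,
then a call to the App Service API with the resulting bearer token."""
import json
import secrets
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"


def new_state():
    # Random 'state' so the callback can reject responses it did not initiate.
    return secrets.token_urlsafe(16)


def build_authorize_url(tenant_id, app_id, redirect_uri, state):
    # Step 1: the user's browser is sent here; 'resource' names the API app,
    # exactly as in the Postman Auth URL. redirect_uri is the App Service
    # /.auth/login/aad/callback address.
    params = {"client_id": app_id, "response_type": "code", "redirect_uri": redirect_uri,
              "resource": app_id, "state": state}
    return f"{AUTHORITY}/{tenant_id}/oauth2/authorize?" + urllib.parse.urlencode(params)


def build_token_request(tenant_id, app_id, client_secret, code, redirect_uri):
    # Step 2: redeem the code for an access token. The secret travels in the
    # POST body, never in the URL.
    form = {"grant_type": "authorization_code", "client_id": app_id,
            "client_secret": client_secret, "code": code,
            "redirect_uri": redirect_uri, "resource": app_id}
    return f"{AUTHORITY}/{tenant_id}/oauth2/token", form


def parse_token_response(body):
    # Accept only a bearer access token; anything else (e.g. an error JSON) is refused.
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer" or "access_token" not in data:
        raise ValueError("token endpoint did not return a bearer access token")
    return data["access_token"]


def build_api_request(api_base, token, a, b):
    # Step 3: call the add endpoint (hypothetical path) with Authorization: Bearer,
    # which is what Postman puts in the request header.
    url = api_base + "/api/add?" + urllib.parse.urlencode({"a": a, "b": b})
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + token})


def add_via_api(api_base, token, a, b, opener=urllib.request.urlopen):
    # opener is injectable so the call can be exercised without network access.
    with opener(build_api_request(api_base, token, a, b)) as resp:
        return int(resp.read().decode())
```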
With Azure App Service, the security layer can be managed at the App Service level with a few clicks and absolutely no code changes. Azure App Service also supports OAuth providers such as Facebook, Google, Twitter and Microsoft, not just Azure AD. I hope this write-up is of help if you are playing with API Apps and Azure AD.