Never thought it would be so easy to secure Azure App Service API Apps with Azure AD Authentication…

I created a Web API and published it to Azure App Service as an API App. I decided to use Azure App Service's own Azure AD Authentication to protect the API.

So what does this mean? As an API publisher, you don't have to secure your API in your own code. You just develop the API and publish it to Azure App Service, which makes it available to the world. Then you enable Azure AD Authentication to authorize the requests, so your API is protected without any of that burden landing in the code.

Though the process is fairly straightforward, I couldn't find end-to-end documentation covering everything from enabling the authentication to consuming the API by creating the token, so I thought I'd detail the steps in this blog post.

My API is a very simple one: it accepts two numbers as query parameters, adds them, and returns the result.

[Image: 001-WebAPI]

I built the API in Visual Studio 2017 and published it to Azure App Service.

[Image: 002-APIPublished]


Now the API is ready to be accessed publicly. Let's see how to enable Azure Active Directory authentication to protect it.

Go to the Azure Portal –> open your API from the App Services blade –> click Authentication / Authorization –> switch on App Service Authentication –> click Azure Active Directory under Authentication Providers.

[Image: 003-SetupAzureADAuth]


Click on the Express button and click OK to register the new app in Azure Active Directory.

[Image: 004-AzureADExpressApp]


Now an Azure Active Directory app has been created and registered for the App Service API, but users can still access the API unauthenticated. Let's restrict access to AD-authenticated users only: go back to the Authentication / Authorization blade and select Log in with Azure Active Directory from the Action to take when request is not authenticated drop-down.

[Image: 005-AllowADAuth]

So now the API is protected with no code changes whatsoever: no one can access it without being properly authenticated with Azure AD. Next we need to create a client secret for the application that is going to call the API.

Go to Azure Portal –> Azure Active Directory –> App Registrations –> View All Applications on the App Registrations blade (if you don't see any apps listed) –> select the app you just created. On the app blade, click Settings and generate a key (client secret) for your client app. Note that the client secret is shown only once, on Save: record it securely, because you cannot see it again after you leave the blade. If the secret is lost, you have to create a new one.

[Image: 006-ClientSecretGen01]

[Image: 007-ClientSecretGen02]

[Image: 008-ClientSecretGen03]


Let's see how to create a token to access the API from a client application using the client secret. I am using Postman to create the token and send it in the request header to access the API.

Click on the Authorization tab –> select OAuth 2.0 from the TYPE drop-down and click the Get New Access Token button.

[Image: 006-Postman-AccessToken]

You need a Token Name, Grant Type, Callback URL, Auth URL, Access Token URL, Client ID (Application ID) and Client Secret (Key) to request a new token. Here is how to get them.

Token Name: Can be any name

Grant Type: Authorization Code

Callback URL: https://<Your App Service API URL>/.auth/login/aad/callback, e.g. https://######api.azurewebsites.net/.auth/login/aad/callback

Auth URL: https://login.microsoftonline.com/<Directory ID>/oauth2/authorize?resource=<Application ID>

(You can get the Directory ID from the Azure Portal. Azure Portal –> Azure Active Directory –> Properties –> Directory ID)

(You can get the Application ID from the Azure Portal. Azure Portal –> Azure Active Directory –> App Registrations –> Your App –> Application ID)

Access Token URL: https://login.microsoftonline.com/<Directory ID>/oauth2/token?resource=<Application ID>

Client ID: <Application ID>

Client Secret: the key you just created. If you missed saving it, create a new key.

[Image: 010-Postman-RequestToken]

Upon clicking the Request Token button, a newly generated access token is shown that you can use in the request header for authentication. Let's go ahead and send the request with the numbers 1 and 2 as the URL parameters.

[Image: 011-Postman-SendAccessToken]

Voila! I got my request successfully authenticated and the response (number 3) has been sent back by the API.
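The Postman steps above, expressed as code so the flow can be scripted and sanity-checked, as an added example that is not part of the original post: the Auth URL, Access Token URL and bearer header are built exactly as described, and two checks are added that the post does not show: reading the token's aud claim to confirm it was issued for the API's Application ID (that is what the resource parameter asks for), and classifying an unauthenticated probe's response to confirm the Log in with Azure Active Directory action actually took effect. The directory ID, application ID, secret, API host, the /api/add route and its a/b parameter names are constructed or assumed placeholders; the real values come from the portal as described above.

```python
"""Added example (not the post's own code): the Postman token flow from the post
as code, plus two checks a practitioner would want before trusting the setup.
Endpoints are the v1 ones the post uses; values marked constructed/assumed are
not from the post."""
import base64
import json
import time
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"

# Constructed placeholder values: substitute your own from the portal.
DIRECTORY_ID = "11111111-1111-1111-1111-111111111111"    # Azure AD -> Properties -> Directory ID
APPLICATION_ID = "22222222-2222-2222-2222-222222222222"  # App Registrations -> your app -> Application ID
CLIENT_SECRET = "<key generated under Settings; never commit it>"
API_HOST = "https://example-api.azurewebsites.net"       # constructed host
REDIRECT_URI = f"{API_HOST}/.auth/login/aad/callback"    # the Easy Auth callback path from the post


def authorize_url(directory_id, application_id, redirect_uri, state):
    """Auth URL from the post. The resource parameter names the audience the
    token is minted for: the API's own Application ID."""
    params = {
        "client_id": application_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "resource": application_id,
        "state": state,  # ties the callback to this browser session (CSRF protection)
    }
    return f"{AUTHORITY}/{directory_id}/oauth2/authorize?" + urllib.parse.urlencode(params)


def token_request(directory_id, application_id, client_secret, code, redirect_uri):
    """Access Token URL from the post: exchange the authorization code for a token.
    Returns a prepared POST request; sending it needs network access to Azure AD."""
    form = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": application_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "resource": application_id,
    }).encode()
    return urllib.request.Request(
        f"{AUTHORITY}/{directory_id}/oauth2/token", data=form,
        headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_audience(access_token):
    """Read the aud claim of a JWT. This decodes without verifying the signature:
    App Service validates the token on its side; this only catches a token
    minted for the wrong resource before it is sent."""
    _header, payload, _signature = access_token.split(".")
    return json.loads(_b64url_decode(payload)).get("aud")


def api_request(api_host, access_token, a, b):
    """Call the add API with the bearer token in the Authorization header.
    Route and parameter names (/api/add?a=..&b=..) are assumed; the post does not give them."""
    query = urllib.parse.urlencode({"a": a, "b": b})
    return urllib.request.Request(f"{api_host}/api/add?{query}",
                                  headers={"Authorization": f"Bearer {access_token}"})


def is_protected(status, location=None):
    """Check that the 'Log in with Azure Active Directory' action took effect:
    an unauthenticated request must be turned away (401/403) or redirected to
    the Easy Auth login path, never answered with 200."""
    if status in (401, 403):
        return True
    return status in (301, 302, 303, 307) and bool(location) and "/.auth/login/aad" in location


def make_sample_token(aud):
    """Constructed, unsigned JWT-shaped token used only to exercise token_audience offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = enc({"alg": "none", "typ": "JWT"})
    payload = enc({"aud": aud, "exp": int(time.time()) + 3600})
    return ".".join([header, payload, ""])


if __name__ == "__main__":
    print("1. Browse to:", authorize_url(DIRECTORY_ID, APPLICATION_ID, REDIRECT_URI, state="demo-state"))
    code = "<authorization code returned to the callback>"  # placeholder
    req = token_request(DIRECTORY_ID, APPLICATION_ID, CLIENT_SECRET, code, REDIRECT_URI)
    print("2. POST", req.full_url)
    token = make_sample_token(APPLICATION_ID)  # stand-in for response["access_token"]
    print("   token audience matches API:", token_audience(token) == APPLICATION_ID)
    print("3. GET", api_request(API_HOST, token, 1, 2).full_url)
    print("   unauthenticated probe redirected to login:", is_protected(302, f"{API_HOST}/.auth/login/aad"))
```

The aud check is the one that bites in practice: if the resource parameter is left off the Auth URL or Access Token URL, Azure AD issues a token for a different audience and App Service answers 401 even though the sign-in succeeded. The is_protected check is worth running once with a plain unauthenticated request after flipping the drop-down, since a 200 there means the API is still open.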

With Azure App Service, the security layer can be managed at the App Service level with a few button clicks and absolutely no code changes. Azure App Service also supports OAuth providers such as Facebook, Google, Twitter and Microsoft, not just Azure AD. I hope this write-up helps if you are working with API Apps and Azure AD.

Thank you!

Shri
