
I'm using Azure AD to authenticate access to my Web API to certain applications registered within Azure AD. The authentication process works nicely, but I'm wondering what my options might be for auditing who is accessing the API? If the only thing I see from the external API is their valid Bearer Token, is there any way I can get the Application Name, for example?

The authentication process happens on our server too, so earlier in the process we would see the Client ID. But then is there a secure way to tie the token to the client ID or obtain the Name from any of that?

edparry
  • Have a look at [this question](http://stackoverflow.com/questions/21675844/adding-extra-details-to-a-webapi-bearer-token) — you can add extra data to the bearer token. – Sergey Kolodiy Feb 03 '16 at 10:20
  • If you have the token already, why not just use the token to query for the name of the application? – Xiaomin Wu Feb 05 '16 at 01:24
  • @XiaominWu is that possible, to obtain the data just from the token? – edparry Feb 05 '16 at 13:07
  • @edparry, the token is prepared by the issuer; unless the issuer put some extra "claim" into the token, the answer is no. Try to decrypt the token and check all the claims to see what claims it carries. If it doesn't carry what you want, then there is no way by just looking at the token; you will need to make a request to the service to ask for what you want. – Xiaomin Wu Feb 05 '16 at 17:14
  • @edparry please also note that the token you are using (I'm assuming it is an OAuth flow here) is not meant for your application to consume but is for the API. It might even be only a reference to the token, which is delivered from the AS (it is not the case in Azure AD, but the OAuth spec allows it). Do not rely on token content for your business logic. What is the scenario you want to achieve - do you want to validate that the token was issued for the right app, or do you want to do something in your app based on the token content? – Tomasz Onyszko Jan 06 '17 at 18:10

0 Answers
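As an added example, not taken from the question or the comments above: once the API's authentication middleware has validated the bearer token (signature against the tenant's signing keys, issuer, audience, expiry), an audit hook can read the calling client's application id from the claims. Azure AD v1 access tokens carry it in `appid`, v2 tokens in `azp`; the token does not carry the application's display name, so the name has to come from elsewhere. The `APP_NAMES` mapping, the `audit_record` function, the sample token and every id below are constructed for this illustration and are not Azure AD output.

```python
"""Build an audit record from the claims of an Azure AD bearer token.

Added illustration, not from the original question or its comments.
Assumes the token has ALREADY been validated (signature, issuer, audience,
expiry) by the API's authentication middleware; this module only reads
claims from the payload and must never stand in for that validation.
"""
import base64
import json

# Hypothetical mapping, normally loaded from configuration or resolved
# through the directory: Azure AD puts only the client/application id in
# the token, not the application's display name.
APP_NAMES = {
    "11111111-2222-3333-4444-555555555555": "Reporting Service",  # constructed id
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict; raises ValueError on malformed input."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part JWT (header.payload.signature)")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # covers base64 errors and JSON decode errors
        raise ValueError("payload is not valid base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def caller_app_id(claims: dict):
    """Azure AD v1 tokens carry the client id in 'appid'; v2 tokens use 'azp'."""
    return claims.get("appid") or claims.get("azp")


def audit_record(token: str, app_names: dict = APP_NAMES) -> dict:
    """Fields worth writing to the audit log for one API call."""
    claims = decode_claims(token)
    app_id = caller_app_id(claims)
    return {
        "app_id": app_id,
        "app_name": app_names.get(app_id, "unknown"),
        "tenant_id": claims.get("tid"),
        "audience": claims.get("aud"),
        "token_version": claims.get("ver"),
        "expires_at": claims.get("exp"),
    }


def _make_sample_token(payload: dict) -> str:
    """Constructed demo token with a placeholder signature (never do this in production)."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"


# Constructed sample: a v1 access token issued to the "Reporting Service" client.
SAMPLE_TOKEN = _make_sample_token({
    "aud": "https://api.example.test",
    "iss": "https://sts.windows.net/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/",
    "tid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "appid": "11111111-2222-3333-4444-555555555555",
    "ver": "1.0",
    "exp": 1700000000,
})

if __name__ == "__main__":
    print(json.dumps(audit_record(SAMPLE_TOKEN), indent=2))
```

The static dictionary stands in for the lookup the comments describe as "make a request to the service": in a real deployment the id would be resolved to the service principal's display name through the directory and cached, while the id itself is what the audit log should key on, since display names can change.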