We have two Azure web APIs, app1 and app2.

We get a request to app1; after doing some business logic we need to call app2, get the result back to app1 and send it to the client of app1.

Is there a way to communicate with app2 from app1 using IAM or using AAD?
Dheeraj
  • Is it possible using the portal, with no code? I know that we can use the ADAL libraries, but is there a way in the portal, using IAM or any settings, to give access to apps to intercommunicate? – Dheeraj Jul 23 '19 at 04:50
  • Is this an [Azure Logic App](https://learn.microsoft.com/en-us/azure/logic-apps/quickstart-create-first-logic-app-workflow) or say an [ASP.NET Web API](https://learn.microsoft.com/en-us/azure/app-service/app-service-web-get-started-dotnet-framework) or something else? –  Jul 23 '19 at 05:05
  • It's a web API. – Dheeraj Jul 23 '19 at 05:52
  • The approach which you specified needs code in all the services. – Dheeraj Jul 24 '19 at 01:26
  • Otherwise what do you want? Just a setting? This is the only way using AAD, also IAM is not possible. – Joy Wang Jul 25 '19 at 01:27
  • Yeah something like IAM or managed service to communicate between apps – Dheeraj Jul 25 '19 at 01:30
  • That's not possible. Azure RBAC is used to manage Azure resources, not for your case. – Joy Wang Jul 25 '19 at 01:30
  • I think we can use managed identities and communicate without using OBO. – Dheeraj Jul 25 '19 at 01:33
  • If you add the MSI of web app1 to app2, the MSI of app1 can do something like restart app2, change the app settings, etc. But this is in the management tier, not used to call the API. For the two apps registered in AAD, you could just use the OBO flow. – Joy Wang Jul 25 '19 at 01:37
  • Is there a way to use MSI like app service or azure function getting tokens for Azure Key Vault to access? – Dheeraj Jul 25 '19 at 18:22
  • I'm using the OBO https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof-ca. But we don't have access to create control access due to organization restrictions. Is there any other way? – Dheeraj Jul 25 '19 at 21:26

1 Answer

You could use the Azure AD OAuth 2.0 On-Behalf-Of flow.

The OAuth 2.0 On-Behalf-Of flow (OBO) serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API.

Joy Wang
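To make the OBO exchange concrete, here is an added example (not code from the question, the answer, or the linked Azure sample) of what the middle tier, app1, has to do: check that the bearer token it received is actually addressed to app1 and not expired, then build the token-endpoint request that trades that token for one scoped to app2. The client ids, tenant name, scope and secret are placeholders; the sample JWT is constructed inline and unsigned purely so the code runs offline. The form parameters (`grant_type`, `assertion`, `requested_token_use=on_behalf_of`) are the documented Azure AD v2.0 OBO parameters.

```python
"""Azure AD On-Behalf-Of (OBO) request construction for a middle-tier API.

Added example, not from the original post. Scenario: app1 receives a bearer
token from its client and must call app2 on that user's behalf. Before
exchanging the token, app1 confirms the token was issued for app1; a token
meant for some other API must never be forwarded to the token endpoint.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
OBO_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWT.

    This only parses; it does not verify the signature. In a real app1 the
    JWT bearer middleware has already validated issuer and signature before
    the request handler runs, so this function is for the audience/expiry
    policy check that decides whether an exchange is allowed at all.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_incoming_token(jwt: str, app1_client_id: str,
                         now: Optional[float] = None) -> dict:
    """Refuse to exchange tokens that are not for app1 or have expired."""
    claims = decode_claims(jwt)
    # Azure AD may emit the bare client id or the api:// URI as audience.
    if claims.get("aud") not in (app1_client_id, f"api://{app1_client_id}"):
        raise PermissionError("token audience is not app1")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims


def build_obo_request(incoming_jwt: str, tenant: str, app1_client_id: str,
                      app1_client_secret: str, app2_scope: str):
    """Return (token endpoint URL, form body) for the OBO exchange."""
    check_incoming_token(incoming_jwt, app1_client_id)
    form = {
        "grant_type": OBO_GRANT_TYPE,
        "client_id": app1_client_id,
        "client_secret": app1_client_secret,
        "assertion": incoming_jwt,          # the token app1 received
        "scope": app2_scope,                # e.g. api://<app2 id>/.default
        "requested_token_use": "on_behalf_of",
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), form


def post_obo_request(url: str, form: dict) -> dict:
    """Send the exchange (needs network; not exercised offline)."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)   # contains access_token for app2


def make_unsigned_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    sample = make_unsigned_sample_jwt(
        {"aud": "app1-client-id", "exp": 2_000_000_000, "scp": "access_as_user"})
    url, form = build_obo_request(sample, "contoso.onmicrosoft.com",
                                  "app1-client-id", "<app1-secret>",
                                  "api://app2-client-id/.default")
    print(url)
    print({k: v for k, v in form.items() if k != "client_secret"})
```

In production app1 would not hand-roll this request; MSAL's confidential client (`acquire_token_on_behalf_of` in MSAL Python, and the equivalent in MSAL.NET) builds the same exchange and caches the resulting app2 token per user. The audience check is the part worth keeping regardless of library: it is what stops app1 from laundering a token that a caller obtained for some unrelated API.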