How to do Authentication & Authorization Azure AD App, using C# WEBAPI (token based) .netcore

Question

I am able to Do Authentication and Authorization for my .netcore MVC app+reactjs (Billing App) this application will be hosted on IIS, and on the same server planning to host the .netcore Webapi (chart App).

By using Billing App we will call the chart WebApis. NOW WebApi should be Authenticate/Authorize user based on token sent by front-end app (token-based webapi that does Authe/Autho, no another login pop-up)

Able to Generate token using postman-see img by requesting below link

https://login.microsoftonline.com/{{tenandId}}/oauth2/token

Will sent this token with the header to Web-API, which will be having the same configuration of Azure AD app (client id, scope, etc.) as Billing App has. Api should validate the token and send the chart data.

Should try adal/msal in reactjs so and decorate WebApis with Authorize attribute so that will take care of Authentication & Authorization?

Got many link but few code aren't working and few process is no more works for Azure, and few are having huge code and not what exactly I am looking for.

Basically I'll host one App in .netcore that does Auth part, now the WebApi should also be Auth using same user cookies/token because I don't wanna give another login popup, see lot of MS sample code but no luck

Which approach is right 1 or 2, and share sample code/link any help appreciated,

score 3 · Answer 1 · answered Nov 25 '19 at 03:26

Per my understanding, you have a client app named Billing App will login users and call APIs via user based access token. If so , you should register two apps,a client app for Billing App and a service side App .For the client app , as this is a client side, you should use users' credentials to obtain taken from Azure AD instead of app Client secrets. To implement this , you should config it as a public client on Azure AD and enable access token and ID token :

As you want to get call APIs of service side App, you should grant permissions below to make sure that users can get access token via your client app(lets assume "stanapitest" here is the service side App) : Note, pls click Grant admin consent for Devchat button to finish the permission grant flow. With this process done , you can get user based access token by password flow :

or OAuth2 grant code flow or Oauth2 implicit grant flow , based on your requirement of course.

Ok, its time for service side, to demo the .net core Api , let's create a simple .net core Api project in VS :

After the project created , change the client id as your service app id :

Run the project and call an API of it , as you can see it has been protected by Azure AD :

Use the user based access token to call this API :

As you can see it works as excepted . Hope it helps . If you have any further concerns , pls feel free to let me know .

Thanks for such detailed comment, the thing is I don't want to give another login popup, so sending user Id and password to get a token is a bit difficult to get, as the user already entered credentials in the Billing App (to login using AAD credentials). any other way,?can I validate the token got from below postman screen https://i.stack.imgur.com/IfqBi.png in .netcore WebApis? — Azure-Core, Nov 25 '19 at 13:29
Hi @Azure-Core , if users already have an access token whcih resource is your service app , there is no need to get another token again , you can use that token to call your APIs directly , I just for demoing a hole process here . If you want to validate a token , this post will be helpful for you :https://stackoverflow.com/questions/39866513/how-to-validate-azure-ad-security-token — Stanley Gong, Nov 25 '19 at 14:45

score 0 · Answer 2 · answered Nov 25 '19 at 05:44

After authenticating in Billing app , when you want to acquire access token to access your another web api application , you can call using the acquireTokenSilent method(msal.js) which makes a silent request(without prompting the user with UI) to Azure AD to obtain an access token. The Azure AD service then returns an access token containing the user consented scopes to allow your app to securely call the API.

It's better to make your web api as independent resource which protected by AAD , In your front-end react app , you can use acquireTokenSilent to acquire token for accessing web api after user login :

// if the user is already logged in you can acquire a token
if (msalInstance.getAccount()) {
    var tokenRequest = {
        scopes: ["user.read", "mail.send"]
    };
    msalInstance.acquireTokenSilent(tokenRequest)
        .then(response => {
            // get access token from response
            // response.accessToken
        })
        .catch(err => {
            // could also check if err instance of InteractionRequiredAuthError if you can import the class.
            if (err.name === "InteractionRequiredAuthError") {
                return msalInstance.acquireTokenPopup(tokenRequest)
                    .then(response => {
                        // get access token from response
                        // response.accessToken
                    })
                    .catch(err => {
                        // handle error
                    });
            }
        });
} else {
    // user is not logged in, you will need to log them in to acquire a token
}

okay, so using msal I react should get and send the token in headers, SO will my WebApi authenticate / Authorize the using token? also, the token generated using this step in postman https://i.stack.imgur.com/IfqBi.png will work instead of using msal? request you to share detailed steps/blog Url — Azure-Core, Nov 25 '19 at 13:34
That depends on what is the setting of token validation in your web api , in react you can acquire token for accessing your web api and pass in header . Msal just help make authorize/token request , you can also use postman to test the request . [Code samples](https://github.com/AzureAD/microsoft-authentication-library-for-js/wiki/Samples) are for your reference . — Nan Yu, Nov 26 '19 at 01:19

How to do Authentication & Authorization Azure AD App, using C# WEBAPI (token based) .netcore

2 Answers2