
I have an application which is sitting behind a WAF (Web Application Firewall).

The application uses Microsoft Active Directory for authentication.

Here are the steps:

  1. The user tries to access the application using the browser.
  2. The WAF layer sees that the REQUEST is not authenticated, hence forwards it to Azure Active Directory.
  3. AAD shows the login page and the user enters username/password/MFA.
  4. Now the token from AAD is sent back to the browser and it will be sent to the backend application.

Now the question is:

  • How does the backend application verify this token? Does it need an outbound connection to AAD, or will it talk to AAD through the WAF and browser?
  • Do I need to have NSG rules (outbound) to talk with AAD?


  • There is no concept of verifying with AAD; all you would do is share the encryption key used on the token provider, which will be used in the token handler to verify that the token (decrypt) is valid; you also read any claims attached for user role-based permissions. – coder_b Dec 11 '20 at 11:10
  • You don't need to talk with AAD in your backend. Just validate Azure AD security token by following this [answer](https://stackoverflow.com/questions/39866513/how-to-validate-azure-ad-security-token?answertab=votes#tab-top). – Allen Wu Dec 14 '20 at 06:01
  • 1
    @AllenWu Does it mean we do need an outbound connection to the internet from application? – kudlatiger Dec 14 '20 at 07:58

2 Answers


It depends on which auth flow you are using.

  • For the Authorization code flow, your application would need to talk to AAD to redeem the auth code for an access token and refresh token via the back channel. So you would need to allow a connection to AAD (login.microsoftonline.com). [Authorization code flow diagram]

  • For the Implicit grant flow, it is the browser which directly gets the access token from AAD via the front channel. So, in that case, you won't need whitelisting in the backend WAF. [Implicit grant flow diagram]


I have resolved the issue by using the service tag feature in NSG. The backend application needs to be able to reach AAD in order to validate the access token.

I have added an outbound rule with Destination Service Tag Azure Active Directory as shown below.

[screenshot: NSG outbound rule with Destination Service Tag Azure Active Directory]

Here is the link: https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview

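To make concrete what the comment about validating the token locally and the service-tag answer above both leave implicit, here is an added example (not code from the question or either answer) of what the backend actually does with the token. The only thing it needs from AAD is the tenant's JWKS document, fetched once over HTTPS from login.microsoftonline.com (the `/discovery/v2.0/keys` endpoint, which is the traffic the outbound NSG rule permits) and then cached; every request after that is verified with the cached public key and no round trip. The tenant ID, the `api://backend-app` audience, the `kid` and the in-process signer standing in for AAD are all constructed for the example; the `aud` claim is assumed to be a single string.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// What the backend is configured with: constructed for this example, in a real
// deployment both come from the app registration in the tenant.
const expectedIssuer = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"
const expectedAudience = "api://backend-app" // hypothetical Application ID URI

var b64 = base64.RawURLEncoding // JWT and JWK use base64url without padding

// jwk is one RSA key from the JWKS document the backend fetched from AAD once and cached.
type jwk struct{ Kid, Kty, N, E string }

// claims is the subset the backend checks; aud is assumed to be a single string.
type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Sub string `json:"sub"`
}

// jwksFor publishes the public half of key the way the discovery endpoint does.
func jwksFor(key *rsa.PrivateKey, kid string) []jwk {
	return []jwk{{Kid: kid, Kty: "RSA", N: b64.EncodeToString(key.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(key.E)).Bytes())}}
}

// mint stands in for AAD's token service: it issues an RS256-signed JWT carrying c.
func mint(key *rsa.PrivateKey, kid string, c claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// validate checks a bearer token against the cached JWKS only: signature, pinned
// algorithm, issuer, audience and expiry are all verified locally, with no call to AAD.
func validate(token string, keys []jwk, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHeader, err1 := b64.DecodeString(parts[0])
	rawPayload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("token segments are not base64url")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(rawHeader, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // pin the algorithm: never let the token pick HS256 or "none"
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			n, _ := b64.DecodeString(k.N)
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil { // unknown kid: in production, re-fetch the JWKS from AAD here (key rollover)
		return nil, fmt.Errorf("no signing key with kid %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c claims
	if err := json.Unmarshal(rawPayload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != expectedIssuer:
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	case c.Aud != expectedAudience:
		return nil, fmt.Errorf("token not issued for this API (aud %q)", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	}
	return &c, nil
}
```

Two points worth keeping in mind when wiring this up behind the WAF. First, the `kid` lookup is where the outbound dependency reappears: AAD rolls its signing keys, so a token with an unknown `kid` should trigger a fresh JWKS fetch (rate-limited) rather than a hard reject, and that fetch is what the NSG rule has to allow. Second, the audience check is what stops a perfectly valid token issued for some other application in the same tenant from being accepted by this backend; the signature alone does not prove the token was meant for you.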