0

I have a web app written in React, which is a single-page application. Then I have a back-end API written in .NET Core 3.1.

As I mentioned earlier, I have a web app written in React, and this React web app has to call one more API to read some configs. This third application is also an API application written in .NET Core 3.1. As soon as the web app spins up, it will call this third app and read configs like the API URL of the second application and other Azure-related details. Now this third API app should be protected. Only the web app should access this app, and not any other users.

So I am trying to find out what the best scenarios available in Azure AD are. Can someone help me understand the possible scenarios to handle this?

2 Answers

2

What you seem to want to accomplish at the moment is for the web application to access the third API application. If this is the case, it is simple. The steps are as follows:

First, you need to expose the API of the third API application protected by Azure, which can be configured according to the following process:

Azure portal > App registrations > Expose an API > Add a scope > Add a client application

Next, you need to define the manifest of the API application and grant application permissions to your client applications (these are the role permissions you define yourself; you can find them in My APIs when you add permissions). This is the process of defining the manifest.

This is to grant permissions for the client application (you can find your exposed API permissions in My APIs):

Finally, you need to obtain an access token using the client credential flow where no user is logged in:

Parse the token:

Carl Zhao
  • Thanks a lot, Carl Zhao, for your answer. When editing the manifest, what values should I pass to id, origin and value? Is that id nothing but my webapp/front end app id? – Niranjan Godbole Hosmar Feb 01 '21 at 10:08
  • @NiranjanGodboleHosmar No, this is automatically generated. You can customize the app role in `App roles | Preview`. After it is created, it will be displayed in the **Manifest**. https://i.stack.imgur.com/cFFgB.png – Carl Zhao Feb 01 '21 at 10:40
  • Hi Carl Zhao. In the above answer, for which app do we need to update the manifest? Web app, API app or 3rd API app? – Niranjan Godbole Hosmar Feb 02 '21 at 10:31
  • @NiranjanGodboleHosmar You need to update the manifest for the third API app. – Carl Zhao Feb 03 '21 at 01:45
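
The last two steps of the answer above (requesting a token with the client credentials flow and checking the parsed token), as an added example that is not part of the original answer or its comments. The tenant, client and API identifiers, the role name `Config.Read` and the sample token are constructed placeholders, and the caller is assumed to be a client that can keep its secret. The decode step only inspects claims; the API must still validate the token signature.

```javascript
// Added example: all IDs, the role name and the sample token are constructed placeholders.

// Form body for the client credentials grant against the v2.0 token endpoint.
function buildTokenRequest(tenantId, clientId, clientSecret, apiAppIdUri) {
  return {
    url: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
    body: new URLSearchParams({
      grant_type: "client_credentials",
      client_id: clientId,
      client_secret: clientSecret,
      scope: `${apiAppIdUri}/.default`, // application permissions are requested via /.default
    }).toString(),
  };
}

// Decode the JWT payload for inspection only. This does NOT verify the signature.
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Return the reasons a token should be rejected (empty array = claims look right).
function checkAppOnlyToken(claims, expected, nowSeconds) {
  const problems = [];
  if (claims.aud !== expected.audience) problems.push("wrong audience");
  if (!Array.isArray(claims.roles) || !claims.roles.includes(expected.role))
    problems.push("missing app role");
  if (claims.scp) problems.push("delegated (user) token, not app-only");
  const caller = claims.azp || claims.appid; // v2.0 tokens carry azp, v1.0 tokens carry appid
  if (caller !== expected.clientId) problems.push("unexpected client application");
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) problems.push("expired");
  return problems;
}

// Build a constructed sample token (placeholder signature) so the checks run offline.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}
```
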
0

So, as per your description, it seems you want to permit only the API application to access your third application.

One thing you can do is create a user group, give access to your API only, and restrict the application to this group only.

See this; I hope it will help:

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions

Learner
  • Thanks, Learner. Only my web app should have access to my third API app. This third app should not be accessed by any user. Only the web app should access this – Niranjan Godbole Hosmar Jan 28 '21 at 09:31
  • I would say the web app should now authenticate to the third API app without a signed-in user, because the sign-in process will start only after calling the third app API. This third app API will give data such as clientid/secret etc. to initiate authentication. So without a signed-in user, my web app should authenticate to the third API app. I am wondering whether there is any way to do this – Niranjan Godbole Hosmar Jan 28 '21 at 09:43