So, we have a frontend application in Angular in which a user can login to Azure Ad using MSAL. The login retrieves an accessToken for the backend api with the groups in which the user is employed in it. Because their are only three groups available, the token size is not exceeded. We want to call the api which is written in ASP.NET Core and we configured that the access token is provided in the header of the request. Now we first want to create an AuthenticationScheme and three different policies based on the groups. How can we achieve that? We are not that experienced in ASP.NET Core and don't know how to retrieve the group information from the header.
Our first approach was like this: options.AddPolicy("Administrator", builder => builder.RequireAuthenticatedUser().RequireClaim("groups", "AzureAdGroups:AdminId")); but it didn't succeed.
Follow these steps:
Configure groups optional claims so they appear in your tokens.
Configure your WebAPI for JwtBearer authentication and authorization.
Apply your policies to your controllers.
Related
I have a web site that calls an API. To call the API from the web site I'm getting first a jwt token using GetAccessTokenForUserAsync(scope).
My problem is that this method doesn't retrieve user's roles inside the jwt token.
My user.identity.claims has a few roles but they are not include in the jwt token.
What I'm missing?
I'm to trying to including the roles in the jwt token because I need to secure my api methods. For example, a method can be called only by AdminMember, other method only can be called by SpecialMember.
Is there another way to secure my api without sending my user's roles?
Thanks
Since the roles are defined in your client app's registration, they will only be available in its tokens.
So, there are fundamentally two options:
Define the same roles in the API app registration as well. You will need to assign the roles on that app as well to the users. This could be made easier by using groups for the role assignments.
Change the API to use the same app registration. Now you will get the roles in the access token. Using one app registration can mean violating least privilege since then any permission you want to give to either the API or client app will be given to the other as well.
Depending on your case, you can choose either option :)
I'm building a multi tenant Service Fabric Application, that allows a tenant to specify a login type - Identity(asp.net)/Azure AD.
I have an Authentication service that checks to which tenant the user is linked to and then proceeds to check if the username:password for the user is valid, if valid it returns a JWT token to the gateway API/web API that then allows access to the rest of the services on the cluster.
This is further secured by roles to limit actions and data access etc.
Question 1
What would be a secure way to save the app id and secret given by that tenant if they use azure AD?
In my DB and encrypt the info, it would have to be decrypted to connect to the AD(Trying to keep in dynamic).
Question 2
I'm implementing my own sliding refresh tokens to obtain a new JWT after it expires, is there a better/standard approach?
Question 3
Is there a better/standard way to handle this multi-tenant sign in process.
Question 4
Is there a way to have optional claims set on the JWT Subject that would allow access to shared services but prevent access to tenant specific services if the claim value is incorrect?
Edit
Ideally the Roles should not be part of the tenants AD/B2C because they role are dynamic and managed from within the application.
Instead of building your own STS logic, have a look at IdentityServer, a popular and great OSS tool.
For example, have a look here for a multi-tenant example using asp.net core.
It supports adding custom claims to the token, by implementing a Profile Service. Services can be configured to use claims for authorization.
This blog post may also be useful.
I will very strongly advise you ride upon the Azure tenant model and let Azure AD manage all credentials and authentication. In today's world its a very bad idea to store and manage user credentials when there are plenty of Identity Providers available.
Recommended reading:
How to build a multi-tenant app with Azure AD
How to secure a Web API with Azure AD.
Libraries like MSAL.NET will automatically manage token caches and refreshes.
Use roles and groups in Azure AD
Claims in tokens issued can be customized to some extent.
disclaimer: I work for Microsoft
I am currently working with a client and have been tasked to create a second app for the same client. The app will be web based (asp.net core) and since I have already completed one app for them using asp.net MVC with Identity framework (Boiler plate with some extensions) I would like for this new app in core to also use that identity instance, as some of the users will be accessing both apps. I know this is out there, but I have not found any answers or tutorials on how to accomplish this? Any help is greatly appreciated. Thank you!
You can use the same Identity database for handling authentication and authorization.
Add an ApplicationId field to AspNetUsers table, derive from UserStore and re-implement the Find based methods so the queries take into account the ApplicationId
Every new application will have new applicationId in this case.
Also, you can separate the Identity database, so you decouple the authorization process which allows you segregate your application dependencies, add new applications easily in the future and scale as needed.
You can then use bearer token and web APIs. Once the user logins, you will pass the username & ApplicationId for the application that the user is requesting access, then your security service would return a bearer token if authorized and 401 error if not.
I'm trying to authenticate my app users with their credentials used at the website
I managed to authenticate users via Xamarin.Auth to login via Google, Twitter... etc but could not figure out how to authenticate them via ASP.Net Identity provider.
any ideas or examples ?
Your problem is not a new one, and is one that will be easily fixed in the near future (see note below).
When you're authenticating with a provider like Google or Facebook, you're receiving a token that you can then use to send to the API. Unfortunately Asp.Net Identity does not do this out of the box. You can either configure your API to use JwtBearer tokens, or check out the Identity4 project along with their samples. Note that if you're using Asp.Net Identity you'll probably want a cross between Quickstart 6 and Quickstart 8 so that all of the necessary persistent stores are in your database.
NOTE: You might also want to follow the Templating Team's PR #700 which is adding token based auth in the new templates which will soon allow you to rapidly create new Api's with Token Based Authentication for your mobile apps.
I am going to be using Web API for an upcoming project and was asked to integrate an existing STS provider into the equation as my authentication mechanism. Therefore my Web API would be the RP (relying party). I don't need any support to provide the actual token (like creation of STS Provider), just need to incorporate claims based authentication to the configured STS provider and use it in my Web API REST based service.
Does anyone know if this is possible, and some examples on how to implement this? I see full examples with creating a STS provider, but like I said it already exists. I just need to trust it and use for authentication purposes.
Depends which protocols your existing STS supports. You need to find that out.
Basically you need to do this:
request a token from your STS (from within your client app)
send the token to the Web API
validate the token inside Web API
The thing you need to find out is if 1. works with your custom STS - then we can talk about 2 and 3 ;)