Accessing Azure Subscription info using ASP.NET MVC App by authenticating user - asp.net

I want to create an ASP.NET MVC application that will authenticate to an Azure tenant and get the information about the underlying tenant info such as subscription ID etc. -
This similar thing has been done by another application here - https://overcast.sharegate.com/login
Let me know any article or related info for this requirement.

As Nick said, you could use Tenants Rest Api to get the tenants for your account.
Use Azure ad Implicit grant flow to get your access token with your username. And send the request to Tenants with access token as http header. Then you will get all the tenants for your account and the detailed message like tenantId, tenantName.

If you just want the Azure Subscription details, you can use the following:
Subscriptions - Get REST API
Microsoft.Azure.Management.ResourceManager NuGet package. The Azure SDK for .NET consists of the Microsoft.Azure.Management.ResourceManager Namespace and the ISubscriptionClient Interface that would let you get information about your subscriptions and tenants.
However, if you're looking to access information across the Microsoft Cloud services and build unified but unique user experiences, check out the following resources about Microsoft Graph:
Building ASP.NET MVC apps with Microsoft Graph
Module: Build ASP.NET MVC web applications with the Microsoft Graph .NET SDK
For implementing the sign-in experience to Microsoft through an ASP.NET MVC solution, take a look at this document.

Related

MSAL.NET acquire access token using windows credentials

We have a hybrid Active Directory scenario - an on premises Active Directory server synced with an Azure AD tenant.
We are in the process of migrating our on premise Exchange email accounts to 365.
We have a SPA (JavaScript) that displays calendar events retrieved from a dotnet core web API.
The web API only allows access to users in a specific AD group.
The SPA uses the Fetch API to call the web API with credentials.
The web API currently uses EWS to connect to our on premise Exchange server to read calendar events, using its app pool identity.
The above systems have been developed in-house and run on our internal servers.
We want to update the Web API to read calendar events using the MS Graph API, on behalf of the user. We would like to use the simplest available solution.
We have tried to use the AcquireTokenByIntegratedWindowsAuth method but receive the following error: 'Integrated Windows Auth is not supported for managed users'. My limited understanding of why this doesn't work is because we do not have an ADFS on premise.
One of the Microsoft samples shows a SPA acquiring an access token and passing the token in the header as part of the web API call. This would require us to update the SPA and web API code. We're willing to do that if it's the only solution, but I am hoping someone might offer an alternative where we only need to update the web API.

Mixed Authentication in .net core API

I'm building a multi tenant Service Fabric Application, that allows a tenant to specify a login type - Identity(asp.net)/Azure AD.
I have an Authentication service that checks to which tenant the user is linked to and then proceeds to check if the username:password for the user is valid, if valid it returns a JWT token to the gateway API/web API that then allows access to the rest of the services on the cluster.
This is further secured by roles to limit actions and data access etc.
Question 1
What would be a secure way to save the app id and secret given by that tenant if they use azure AD?
In my DB and encrypt the info, it would have to be decrypted to connect to the AD(Trying to keep in dynamic).
Question 2
I'm implementing my own sliding refresh tokens to obtain a new JWT after it expires, is there a better/standard approach?
Question 3
Is there a better/standard way to handle this multi-tenant sign in process.
Question 4
Is there a way to have optional claims set on the JWT Subject that would allow access to shared services but prevent access to tenant specific services if the claim value is incorrect?
Edit
Ideally the Roles should not be part of the tenants AD/B2C because they role are dynamic and managed from within the application.
Instead of building your own STS logic, have a look at IdentityServer, a popular and great OSS tool.
For example, have a look here for a multi-tenant example using asp.net core.
It supports adding custom claims to the token, by implementing a Profile Service. Services can be configured to use claims for authorization.
This blog post may also be useful.
I will very strongly advise you ride upon the Azure tenant model and let Azure AD manage all credentials and authentication. In today's world its a very bad idea to store and manage user credentials when there are plenty of Identity Providers available.
Recommended reading:
How to build a multi-tenant app with Azure AD
How to secure a Web API with Azure AD.
Libraries like MSAL.NET will automatically manage token caches and refreshes.
Use roles and groups in Azure AD
Claims in tokens issued can be customized to some extent.
disclaimer: I work for Microsoft

WSO2 IS ASP.Net - user authentication and SAML response decoding/validation

We are using WSO2 IS 5.2.0 for user authentication and SSO across our applications. We have multiple web applications built on java technology.
All the apps are registered in WSO2 service provider and we are able to successfully authenticate user and able to do SSO.
User is prompted for login when he tries to access one of the apps for the first time. Once user logs in, he is able to access any application.
We are using HTTP redirect to achieve this. On the applications side we are using WSO2 java API (org.wso2.carbon.identity.sso.* package) to get the authenticated user details and claims information.
Now we have one more application in .Net (ASP) which we want to integrate into our application suite which should also use the existing SSO infrastructure.
Can someone please let us know how to integrate WSO2 and .Net application for user authentication and SSO. If it is HTTP redirect, then how do we decrypt user information from the SAML Response in .Net application?
Is there any webservice interface available which we can directly call from .Net application which can provide function to get user information by passing samltokenId?
There is a sample written using .NET in here [1] but it seems it is still undergoing development. I have asked the question in WSO2 Architecture mailing list[2] about the state of it (You can follow for more information) but still you can use it to get some understanding (Or as a full working solution maybe).
[1] https://github.com/wso2/samples-is/tree/master/dotnet-agent-saml-sso
[2] [Architecture] [IS] SAML SSO Agent for .NET

What is the recomended method for adding Authorization/Authentication to an MVC application that uses Web API

In most cases, I have used AD to lock down applications through IIS. In this case, I need to create an MVC Application that will have some Web API controllers and authentication/and authorization (roles). I was looking to try to use a stack overflow suggestion that I have found to several other posts.
https://identityserver.github.io/Documentation/docs/overview/mvcGettingStarted.html
Most of the answers that I have seen in Stack Overflow reference the above link
ex). Implementing Authentication and role based authorization in ASP.NET MVC web API service and MVC client architecture
The question that I have for the community that has experience with adding Authentication/Authorization to a combined Web Api/MVC project is if the identity server approach listed above is the best solution for this scenario and if there are other resources that I should look at also?
From your requirements (authenticate to use an MVC site and then be authorized to use a Web API) you'll need an OpenID Connect Provider such as Identity Server 3 (aka a Security Token Service (STS), an Authorization Server, etc). Basically something trusted by both the MVC site and the Web API.
The basic flow of things here is that your users will authenticate using OpenID Connect on your MVC site, after which they can get an access token to authorize access to the Web API using OAuth.
The mentioned tutorial is the best way to start. Near the end it takes you through how to access the API on behalf of the user.
ASP.NET Identity is a user/identity store. It is not add authentication or authorization to your application.

Architecture for getting data from Api

I'm making a project and here's my solution organization:
Core - Entities, Interface's etc..
Data - Repositories, Context's
Services - Bussiness logic
Api - Restful api
Web - Presentation
Now I want to make registration in my Web project. Data (email, password, etc) will be sent to my Api. Also Web project will get all data from my Api. I want to ask where I should make Api access logic? In Web project controllers, Data project or make class in my Web project to access Api? Maybe you'll guys suggest some approach?
Web project is ASP.NET MVC and Api project is ASP.NET MVC Web Api project. I'll call user will input data (username, password) i'll pass that data to Api project and it will do the work. I want to make that user could register to API using GUI. User will input email, password etc and the he'll get access token from API.

Resources