I want to secure my API Proxy created in Azure API Management using OAuth 2.0.
I want to use Azure Active Directory for OAuth.
As per MS documentation, I have to manually create an Application in Azure AD and copy that CLIENT_ID and KEY into developer portal to generate OAuth Tokens. But this works only for developer portal to get JWT tokens.
Every time a new developer comes and registers a developer application on my developer portal, a pair of keys (Primary key & Secondary Key) are generated.
Can I use these keys to authenticate and generate JWT tokens.
Also I want this process to be automated, so that I do not have to do anything manually in AAD after developer sign-up and subscription.
I have also tried to visually represent the scenario I want to achieve:
The pictorial representation of my requirement
Related
What is the usage of client secret in Azure AD B2C? The Microsoft doc only said
If your application exchanges a code for a token, you need to create
an application secret..
Will the azure ad b2c encrypt the token by the client secret, or if a native app requests a token need to send the client secret to the azure ad b2c endpoint?
And, does the client secret can be used to make only my trust native app can get the jwt then to visit my server, third part untrust app can't get the token from the b2c to visit my server?
and what is the usage of application id uri?
thanks.
It has nothing to do with whether you are using Azure AD or Azure AD B2C.
client_secret is required for web apps rather than native apps because client_secrets can't be reliably stored on devices.
It's required for web apps and web APIs, which have the ability to store the client_secret securely on the server side.
The official document: Add a native client application to your Azure Active Directory B2C tenant also doesn't mention that you need to add a client secret.
What you have seen in Microsoft doc is for web apps.
and what is the usage of application id uri?
Application ID URI is the unique URI that is used to identify your API. When requesting an access token for this API, the whole URI should be added as the prefix for each scope.
If you have a web API protected and use another client app to access this API, you can enter the identifier used for your web API. See details here.
I have a WebAPI (A) hosted on Azure protected by Azure B2C (B) which is being called by a mobile app (C) - this is all working correctly.
I now want to allow third parties to access my API via API Management on the same platform but I am getting extremely confused with authentication and "audiences".
The API Management developer portal has been configured as per the Azure documentation so that when the developer makes test calls on the portal it prompts for authentication using the B2C domain (B). To do this it uses an application registered against the B2C domain.
However when I want to implement the API from a third party system (D) I need to allow the system to impersonate a user when calling my API (A) so that operations happen in the context of an authenticated user on the domain (B).
I know B2C does not yet support "On Behalf Of" as a valid flow so I use hellojs to obtain an access token on the client which I pass to the third party system API via a custom head which it then appends as an Authorization header to it's call to the API.
The API Management product expects a "subscription key" to identify the products the third party implementation can use.
Does this mean with regards to the authentication part that every third party system using my API would use the same oAuth "audience" id and therefore the same Active Directory app?
It makes more sense to me that each third party implementation would have a different app on Azure Ad but that would mean my Web API would need to recognise a huge number of audience ids and redirect uris?
Finally, how do i "hide" the Web API endpoints from public use - surely use of the audience id would allow people to circumvent the API Management product?
Apologies if I have mixed any terminology up.
1) Does this mean with regards to the authentication part that every
third party system using my API would use the same oAuth "audience" id
and therefore the same Active Directory app?
They will use the same resource/scope id (i.e. audience) e.g. https://yourwebapiAppIDURI/Read but they would all have their own application IDs.
2) It makes more sense to me that each third party implementation
would have a different app on Azure Ad but that would mean my Web API
would need to recognise a huge number of audience ids and redirect
uris?
Yes they should register their applications as clients to your B2C Auth server.
The 3rd party apps should be setup in the AAD portal to have delegated access to your web API (. "Access yourwebAPIname"). If your web API exposes any scopes access to those can be delegated too.
Now when they start the token request by redirecting the user to your Auth Server, they should provide their client id and a resource/scope value of your web APIs App ID URL e.g. https://yourwebapiAppIDURI/Read.
That should result in a token with:
aud value of the Application ID associated with https://yourwebapiAppIDURI/
scp value of Read
OK, so B2C doesnt use consent:
Azure AD B2C does not ask your client application users for their consent. Instead, all consent is provided by the admin, based on the permissions configured between the applications described above. If a permission grant for an application is revoked, all users who were previously able to acquire that permission will no longer be able to do so.
Right now, I have a native azure app that my iOS app uses ADAL to authenticate to with no issues. I've added a Web API in azure and it's being managed by the Azure API Management resource. I have this API using an oAuth server that uses Azure AD for authentication (all created within the Azure API Management).
The issue I'm having is the oAuth token I'm receiving from my iOS App is not being accepted by my Web API. They are both using oAuth to the same Azure Active Directory. I tried changing in my iOS app, to use the Web API app client ID instead of the native app client ID. The issue then becomes during authentication, it needs a "client_secret" in the request. Looking at the ADAL iOS library, I'm not seeing a method to get a token that passes in a client secret as a parameter.
Scroll down to the Keys section, you will see the key as the client secret. They are used for calling the web api.
These two methods of authenticating the applications are referred to as interactive (user signs in) and non-interactive (app provides its own credentials). In the non-interactive mode, you must assign the service principal to a role with the correct permission. About the AAD authentication's more information, you could refer to: https://azure.microsoft.com/en-gb/documentation/articles/resource-group-create-service-principal-portal/
One of my iOS apps contacts one of my services using Google Cloud Endpoints and I would like to restrict access to that service to instances of the app.
I've followed instructions about adding authorization and have created an iOS client ID that is tied to my app's bundle id and app store id. I've now difficulties understanding this part of the instructions:
If your iOS app is making calls to an Endpoint that requires
authentication, you must Add a Sign-in Dialog to your iOS client.
I do not want my users to log in but instead I want my app to present its credentials to the service for authentication without user interaction. I thought since the client ID is (presumably cryptographically) tied to the client ID and bundle ID only the app is (somehow) able to do so and that the client ID would effectively serve like a service account.
Is this type of app (not user) authentication scenario supported by Google Cloud Endpoints (for iOS clients) or do I have to roll my own app authentication by passing some secret in the application-level protocol? Here are some earlier related (unanswered) questions for Android clients.
I have concluded for now that Google Cloud Endpoints allows authentication only based on Google account credentials. What I need is a credential for the entire app (not its users) akin to a service account or an API key.
I have used service accounts for server-to-server communication. It does not seem possible to create service accounts for an app (as opposed to a GAE application).
GTLService has a property APIKey. However, if my client sets it to a public access key (iOS key) that I created for my GAE application in Google Developer Console the server returns error Access Not Configured. Please use Google Developers Console to activate the API for your project but there is no (obvious) way for configuring non-Google APIs such as my service API.
So until further notice I will add an API key to my application-level API requests and check it in each #ApiMethod.
How do I get my application to work with the Google APIs for both Google Apps Marketplace and non-Apps Google Account users using OpenID and Oauth? (AuthSub is no longer supported by Google Apps)
Error I have experienced:
Token invalid - Invalid token: ACL not found for domain: 358xxxxxxxxx and consumer: 736xxxxxxxxx
Solution:
I had to learn to wrap my head around Google Marketplace. I created 3 apps (dev/localhost, staging, live) and reference the necessary keys. This error was because I was using the wrong key with the domain.
Your OAUTH consumer key and secret will only work for Google Apps domains combined with 2-legged OAUTH. That is because - at installation time - the domain administrator of the GAPPS domain authorizes your consumer key and secret for all users within his GAPPS domain.
If you want to ordinary Google accounts to work, then you need to use 3-Legged OAUTH and individual users need to authorize access to their data for your application. This means you have to initiate an authorization flow and store token and token secret per individual user and use these tokens each time you want to access an individual's data.