We have requirement to configure Azure AD as a 3rd party key manager in WSO2 API gateway 2.1.0. Is there any reference available for the key manager client implementation with azure AD?
The scenario is that a mobile app will use Azure AD for authentication. Azure AD returns a token. Mobile app uses this token for API invocation via WSO2 API gateway. As per my understanding, this can be handled by configuring Azure AD as key manager in WSO2 API Manager.
Any help in this regard is much appreciated.
Based on my understanding, the WSO2 API Manager uses the Key Manager to handle all client, security and access token-related operations.
To integrate WSO2 API Manager with Azure AD, we need to implement the Key Manager ourselves. Then we can follow this document to configure the Third-Party Key Manager.
See the WSO2 default Key Manager implementation for a sample Key Manager implementation.
And here are helpful documents about integrating applications with Azure AD:
Integrating applications with Azure Active Directory
I have created a Web API using .net core 5. I have secured the app using the Microsoft Identity platform. Client apps are able to get to the resource based on their scope/role. So I know that my API is secure.
Now, I need to add the API to Azure API Management tool.
So my question is: should I enable OAuth from the Azure API Management to secure my web API even though my app is already secured? What would be the reason that I enable OAuth from API Management?
APIM is a proxy to the backend APIs, and implementing security mechanisms to give an extra layer of security to prevent unauthorized access to APIs is a recommended practice.
Configuring an OAuth 2.0 Server in APIM merely enables the Developer Portal's test console, as APIM's client, to acquire a token from Azure Active Directory. In the real world, customers will have a different client app that will need to be configured in AAD to get a valid OAuth token that APIM can validate.
OAuth is an authorization framework which allows a recognized client to acquire an access token from an authorization server.
As given in this Microsoft Doc, the Microsoft Identity Platform uses the OAuth 2.0 protocol for handling authorization.
Please find below references that explain how OAuth secures Web APIs/Services:
OAuth 2.0 and Azure API Management
How does OAuth secure Rest API calls
Protect APIs using OAuth 2.0 in APIM
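As an added example (not part of the answer above, and not APIM's or Microsoft's code), here is the kind of check a gateway layer performs on every request before it forwards to the backend: signature, issuer, audience, expiry and a required scope. The tenant issuer, audience and signing key are constructed placeholders, and the token is minted locally with HS256 so the script runs offline; real Azure AD tokens are RS256 and are verified against the keys published at the tenant's OpenID Connect discovery endpoint.

```python
"""Gateway-side JWT validation, as an added illustration of the checks an API
gateway such as APIM performs in front of an already-secured backend.
Everything below is constructed for the demo: the issuer, the audience, the
HS256 key and the tokens themselves. Not APIM's or Microsoft's code."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed placeholder values (assumptions, not real tenant or app identifiers).
TENANT_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
API_AUDIENCE = "api://11111111-1111-1111-1111-111111111111"
SHARED_SECRET = b"example-hs256-key-for-offline-demo-only"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SHARED_SECRET) -> str:
    """Issue an HS256 JWT; stands in for the authorization server in this demo."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def validate_token(token: str, required_scope: str, now: Optional[float] = None,
                   key: bytes = SHARED_SECRET) -> Tuple[bool, str]:
    """Apply the checks a gateway policy would apply: signature, issuer,
    audience, expiry and a required scope claim. Returns (ok, reason)."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed token"
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never take alg from the token as-is
        return False, "unexpected alg"
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != TENANT_ISSUER:
        return False, "untrusted issuer"
    if claims.get("aud") != API_AUDIENCE:
        # Genuine token, but minted for a different app registration than this API.
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if required_scope not in claims.get("scp", "").split():
        return False, "missing scope"
    return True, "ok"


if __name__ == "__main__":
    issued = mint_token({"iss": TENANT_ISSUER, "aud": API_AUDIENCE,
                         "exp": time.time() + 600, "scp": "access_as_user"})
    print(validate_token(issued, "access_as_user"))
```

The "wrong audience" branch is the case that bites most often in practice: a token obtained for one app registration (for example the client app itself) is genuine, but the API expects its own identifier as `aud`, so the gateway rejects it before the backend ever sees the request.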
Is it possible to use a generic OAuth 2.0 implementation for both Azure AD authentication and Google cloud OAuth?
msal.js is available for Microsoft Azure AD integration. Is there a common library that can be used to support both Azure AD authentication and Google authentication? Once both authentication providers are supported, the user will be able to pick and choose a login. Is this possible?
I'm working on an OData/Web API service implementation. The Power BI desktop app will be used to retrieve info from the service using an OData feed data source.
The service is protected by Azure B2C auth. Accessing OData endpoints using a browser works fine: after signing in, access is granted. But when I'm trying to connect to the feed using Power BI Desktop by performing a sign-in attempt, it reports that the token source is not trusted.
picture related: sign in error
Also, in the case of single-tenant Azure AD auth (not B2C), authentication in Power BI worked, though.
So, is there a possibility to make Power BI work with Azure AD B2C (to make it trust the token source)?
No, Azure AD B2C does not issue tokens which Microsoft first-party services recognize. AAD B2C is used to protect your own services which you supply to your own customers.
If you would like your customers to have self-service sign-up and access Power BI resources, then have your front-end web app talk to a backend API. Protect the front end and backend with AAD B2C. That backend API should use client_credentials to authenticate via AAD endpoints to access Power BI data on behalf of the user.
What is the usage of the client secret in Azure AD B2C? The Microsoft doc only says:
If your application exchanges a code for a token, you need to create an application secret.
Will Azure AD B2C encrypt the token with the client secret, or does a native app requesting a token need to send the client secret to the Azure AD B2C endpoint?
And can the client secret be used so that only my trusted native app can get the JWT to visit my server, and a third-party untrusted app can't get the token from B2C to visit my server?
And what is the usage of the application ID URI?
Thanks.
It has nothing to do with whether you are using Azure AD or Azure AD B2C.
client_secret is required for web apps rather than native apps because client_secrets can't be reliably stored on devices.
It's required for web apps and web APIs, which have the ability to store the client_secret securely on the server side.
The official document: Add a native client application to your Azure Active Directory B2C tenant also doesn't mention that you need to add a client secret.
What you have seen in Microsoft doc is for web apps.
And what is the usage of the application ID URI?
Application ID URI is the unique URI that is used to identify your API. When requesting an access token for this API, the whole URI should be added as the prefix for each scope.
If you have a web API protected and use another client app to access this API, you can enter the identifier used for your web API. See details here.
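Added example, not taken from either answer and not MSAL's or Microsoft's code: it covers the point in this answer (a native app gets no client_secret, a web app keeps one server-side, and the Application ID URI is the prefix of every scope requested for the API) and the backend client_credentials call mentioned in the Power BI answer above. The tenant, client IDs and Application ID URI are placeholder assumptions; the functions only shape the request bodies that would be posted to the v2.0 token endpoint, so the script runs offline.

```python
"""Token-request shapes for the three client types discussed on this page:
a native (public) client using authorization code + PKCE, a web app
(confidential client) exchanging a code with its client_secret, and a
backend using client_credentials. Added illustration, not MSAL's code.
TENANT, the client IDs and API_APP_ID_URI are placeholder assumptions."""
import base64
import hashlib
import secrets

TENANT = "contoso.onmicrosoft.com"                              # assumption
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"
API_APP_ID_URI = "api://22222222-2222-2222-2222-222222222222"   # assumption


def api_scope(app_id_uri: str, scope: str) -> str:
    """Full scope string: the API's Application ID URI is the prefix of each scope."""
    if not app_id_uri.startswith(("api://", "https://")):
        raise ValueError("Application ID URI must start with api:// or https://")
    return f"{app_id_uri.rstrip('/')}/{scope}"


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256 transform of a code_verifier."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_pair() -> tuple:
    """Fresh code_verifier / code_challenge; this is what a public client uses
    instead of a secret to bind the code to the app instance that requested it."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def public_client_token_request(client_id: str, code: str, redirect_uri: str,
                                code_verifier: str, scopes: list) -> dict:
    """Native/mobile app: the device never holds a client_secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
        "scope": " ".join(scopes),
    }


def confidential_client_token_request(client_id: str, client_secret: str, code: str,
                                      redirect_uri: str, scopes: list) -> dict:
    """Web app: same code exchange, authenticated with a secret kept on the server."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }


def client_credentials_request(client_id: str, client_secret: str, app_id_uri: str) -> dict:
    """Backend/daemon (non-interactive): app-only token; the v2.0 endpoint expects the /.default scope."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": api_scope(app_id_uri, ".default"),
    }


def check_public_client_request(req: dict) -> None:
    """Guard for code that ships on a device: refuse to carry a client_secret."""
    if "client_secret" in req:
        raise ValueError("public clients must not carry a client_secret")
    if req.get("grant_type") == "authorization_code" and not req.get("code_verifier"):
        raise ValueError("public clients should bind the code with PKCE")


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    req = public_client_token_request("33333333-3333-3333-3333-333333333333", "<code>",
                                      "msauth://example", verifier,
                                      [api_scope(API_APP_ID_URI, "access_as_user")])
    check_public_client_request(req)
    print("would POST to", TOKEN_ENDPOINT, req)
```

The scope passed by the mobile client is what determines the `aud` of the token it gets back, so a token requested with `api://<api-app-id>/access_as_user` is accepted by that API, while one requested for the client app's own ID is not.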
Right now, I have a native azure app that my iOS app uses ADAL to authenticate to with no issues. I've added a Web API in azure and it's being managed by the Azure API Management resource. I have this API using an oAuth server that uses Azure AD for authentication (all created within the Azure API Management).
The issue I'm having is the oAuth token I'm receiving from my iOS App is not being accepted by my Web API. They are both using oAuth to the same Azure Active Directory. I tried changing in my iOS app, to use the Web API app client ID instead of the native app client ID. The issue then becomes during authentication, it needs a "client_secret" in the request. Looking at the ADAL iOS library, I'm not seeing a method to get a token that passes in a client secret as a parameter.
Scroll down to the Keys section; you will see the key as the client secret. They are used for calling the web API.
These two methods of authenticating applications are referred to as interactive (user signs in) and non-interactive (app provides its own credentials). In the non-interactive mode, you must assign the service principal to a role with the correct permission. For more information about AAD authentication, you could refer to: https://azure.microsoft.com/en-gb/documentation/articles/resource-group-create-service-principal-portal/