Reputation: 1736
I'm working on a WAAD WebApi which calls another WebApi.
I created two apps in my WAAD. I can connect from one WebApi to the other. But when I create a third app I can also get a token for the third app.
Is there a way to prevent App1 from getting a token for App3 and only let it get a token for App2?
I know there is an option to create a delegated permission for App2 and add this permission to App1, but as far as I can see this won't prevent App1 from getting a token for App3.
I know my question is a bit cryptic, but feel free to ask more details.
Upvotes: 0
Views: 95
Reputation: 4004
Your question is not cryptic. The answer however is: No. Azure AD allows all services that are registered in the directory to acquire Client Credential Flow tokens for each other (service to service access tokens). In the resource service code, you need to "authorize" calls per the ObjectId or AppId of the calling service/app.
Giving the ability to gate such access at token issuance time is a capability that we are considering including in AAD; however, I recommend that you unblock by doing this simple ACL check at the resource service.
Hope that helps.
Upvotes: 1
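The ACL check the answer recommends, written out as an added example in Python (not the answerer's code). It assumes the authentication middleware has already validated the token's signature, issuer, audience and expiry; the allowlisted ids are constructed placeholders, not values from the question.

```python
import base64
import json
from typing import Optional, Set

# Constructed allowlist: only the service principal registered as "App2" may call
# this API. Placeholder ids; real ones come from your own App Registrations.
ALLOWED_CALLER_APP_IDS: Set[str] = {"00000000-0000-0000-0000-000000000002"}
ALLOWED_CALLER_OBJECT_IDS: Set[str] = {"11111111-1111-1111-1111-000000000002"}


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT as a dict.

    This does NOT verify the signature. Call it only on a token that the
    framework's bearer-token middleware has already validated; it is here so
    the example runs offline without an identity provider."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def caller_app_id(claims: dict) -> Optional[str]:
    """Azure AD v1 access tokens carry the calling app id in 'appid',
    v2 tokens carry it in 'azp'; accept either."""
    return claims.get("appid") or claims.get("azp")


def authorize_caller(claims: dict,
                     allowed_app_ids: Set[str] = ALLOWED_CALLER_APP_IDS,
                     allowed_object_ids: Set[str] = ALLOWED_CALLER_OBJECT_IDS) -> bool:
    """The resource-side ACL from the answer: a token that is otherwise valid
    is still rejected unless its caller is on the allowlist by AppId or ObjectId.
    Deny by default when neither claim is present."""
    app_id = caller_app_id(claims)
    if app_id is not None and app_id in allowed_app_ids:
        return True
    oid = claims.get("oid")
    return oid is not None and oid in allowed_object_ids


def make_test_token(claims: dict) -> str:
    """Constructed, unsigned fixture (header.payload.) for exercising the check
    offline; never accept such a token in a real service."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."
```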