Reputation: 982
I am trying to find a solution for this scenario: We created a provider-hosted SharePoint app which is basically a SPA website. Of course, as with every SPA website, there is a Web API. I'd like to protect this Web API and enforce authentication with a valid O365 token. How can I protect a Web API with O365? Is the only way to go directly through AAD?
Thank you for any hints. Best Laurin
Upvotes: 0
Views: 1062
Reputation: 2610
Office365 uses Azure AD behind the scenes so to secure your API you have to go through Azure Active Directory.
There are a few steps to configuring the authentication:
There is a sample SPA using Azure Active Directory located here.
The code that handles the authentication in WebAPI is located in the App_Start/Startup.Auth.cs file. Import the Microsoft.Owin.Security.ActiveDirectory namespace and set up the pipeline to use Azure Active Directory authentication:
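    using System.Configuration;
    using Microsoft.Owin.Security.ActiveDirectory;
    using Owin;

    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            // Validate incoming bearer tokens against Azure AD.
            app.UseWindowsAzureActiveDirectoryBearerAuthentication(
                new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                {
                    // App ID URI the token must have been issued for.
                    Audience = ConfigurationManager.AppSettings["ida:Audience"],
                    // Azure AD tenant whose tokens are accepted.
                    Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
                });
        }
    }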
To lock down an API route be sure to put an [Authorize] attribute on the controller or action.
Upvotes: 2
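An added example, not part of the answer above: one way to make the [Authorize] requirement deny-by-default in Web API 2, so that a controller missing the attribute is still protected, and to accept only the bearer identity set by the OWIN middleware. The class names, routes and the required scope value `user_impersonation` are assumptions for illustration.

```csharp
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Web.Http;

// Assumed to be called once at startup with the API's HttpConfiguration.
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Ignore identities set by the host (cookies, Windows auth) so that
        // only the OWIN bearer middleware can authenticate API requests.
        config.SuppressDefaultHostAuthentication();
        config.Filters.Add(new HostAuthenticationFilter("Bearer"));

        // Deny by default: every action requires an authenticated caller
        // unless it is explicitly marked [AllowAnonymous].
        config.Filters.Add(new AuthorizeAttribute());

        config.MapHttpAttributeRoutes();
    }
}

// Hypothetical controller used to show the effect of the global filter.
[RoutePrefix("api/items")]
public class ItemsController : ApiController
{
    private const string ScopeClaimType =
        "http://schemas.microsoft.com/identity/claims/scope";
    private const string RequiredScope = "user_impersonation"; // assumed scope name

    [HttpGet, Route("")]
    public IHttpActionResult Get()
    {
        // Authentication already succeeded; now check the delegated scope.
        var user = User as ClaimsPrincipal;
        var scope = user == null ? null : user.FindFirst(ScopeClaimType);
        // The scope claim is a space-separated list of granted scopes.
        if (scope == null || !scope.Value.Split(' ').Contains(RequiredScope))
            return StatusCode(HttpStatusCode.Forbidden);

        return Ok(new { caller = user.Identity.Name });
    }

    // Explicit opt-out for an endpoint that is meant to be public.
    [AllowAnonymous]
    [HttpGet, Route("ping")]
    public IHttpActionResult Ping() { return Ok("pong"); }
}
```

With this registration a request without a valid token gets 401 on every route except `api/items/ping`, and a valid token without the required scope gets 403.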