Reputation: 487
how do azure ad provider validate token and user access permission to the applications?
when using AZURE AD for authentication we get a token for a successful login which we pass to the resource server or api controller.
In my case I have 4 applications in my directory WebApp1, WebApp2 ,ApiApp1, ApiApp2 & 2 users - user1 & user2
All the users are assigned to all applications.
But only WebApp1 has permission to ApiApp1 & ApiApp2 , WebApp2 has permission to ApiApp2 only.
My question here is how do the AAD provider at applcation end validate the user token and permissions?
When I observe using fiddler I dont see any calls being made to the authority (AAD) for validating the token and app permissions?
How does the AAD provider at application end make sure it is issued by a valid AAD and the user has permission to the application ?
In case it is a API app how does the AAD provider make sure that the app to which the token is issued has permission to the web app?
Upvotes: 3
Views: 1189
Answers (2)
Reputation: 27588
In my case I have 4 applications in my directory WebApp1, WebApp2 ,ApiApp1, ApiApp2 & 2 users - user1 & user2
All the users are assigned to all applications.
But only WebApp1 has permission to ApiApp1 & ApiApp2 , WebApp2 has permission to ApiApp2 only.
If that is your scenario , you could follow below steps :
- In Azure AD portal , create WebApp1, WebApp2 ,ApiApp1, ApiApp2 .
- In configure page in WebApp1 , in section “permissions to other applications” , click add application :
- select “All Apps” ,find the ApiApp1, ApiApp2 (here I only select one app for example):
- add access permission to the selected api app:
You need to add access permission to ApiApp1 & ApiApp2 in WebApp1 and add access permission to ApiApp2 in WebApp2 . To assign user , you could click User and groups tab in WebApp1 and WebApp2, assign the users(user1&&user2) or group you want:
some additional notes for great answer from @juunas :
My question here is how do the AAD provider at applcation end validate the user token and permissions?
Usually a client app would validate a token for its crypto algorithm ,token signature and token claims, for example : issuer — does the token originate from the expected IdP. audience — is the token intended for me? timestamps — is the token within its validity window . You could use JwtSecurityTokenHandler to validate the token .In Azure AD V1.0 endpoint , the issuer will be "https://sts.windows.net/Yourtenant/" and as @juunas said , it will query Azure Ad public keys during validating token signature .You could refer to code sample here for how to validate JWT token in c# .
Using OWIN middleware will help you perform such validation easier , you could refer to this code sample for mvc app sign Azure AD users in with OpenID Connect and calls a web api using OAuth 2.0 access tokens. In your scenario , you want an app to call another API APP , you could add below code to get access token for API:
string resource = "http://testbasic1.onmicrosoft.com/testrole"; //Your API APP
string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
AuthenticationContext authContext = new AuthenticationContext(Startup.Authority, new NaiveSessionCache(userObjectID));
ClientCredential credential = new ClientCredential(clientId, appKey);
var result = await authContext.AcquireTokenSilentAsync(resource, credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));
Upvotes: 0
Reputation: 58873
So there are multiple questions here so I'll try to answer all of them as best I can.
The applications only check the tokens are signed with the correct keys by verifying their digital signature. Typically there would be one call to the authority to get the signing public keys when the app starts. If you can't see one, it's either because Fiddler can't see it or because the library in question is not validating the token(!). In case of an app I have that uses the OWIN OpenId Connect middleware, I can see a call to https://login.microsoftonline.com/tenant-id/.well-known/openid-configuration, and then https://login.microsoftonline.com/common/discovery/keys, which is where the signing public keys are.
The user's permission to the app are in their claims. When you add a delegated/app permission to an app, you always define a value. These values are sent in the token. App permissions are in a claim called roles (IIRC), and delegated are in scp. Azure AD will only put the claims there for the permissions given to each app/user. Your app trusts AAD to do the correct thing (and verifies with the signature it was indeed AAD).
That goes for both Web and API apps actually. If you try to sign in to the front-end app through Authorization Code Grant Flow for example, the user will get an error message that they are not allowed to access the app. AAD will not send an authorization code/id token back for this user. If you got one, they are fine.
Your WebApp1 cannot call ApiApp2 because AAD will not give it an access token to it.
Upvotes: 1
Related Questions
- Validating Authorization token in incoming requests with Azure API management and third party Authorization Server
- Is there a way to validate azure app credentials?
- What exact token validation is done by Microsoft.Identity.Web’s aspnet core middleware?
- How does application validate the authenticated token from Azure Active Directory?
- How does Azure AD validates against the windows credentials[ login.microsoftonline.com/ <tenant_id>/oauth2/authorize ]
- Azure Active Directory Token Validation
- Access token validation in Azure AD authentication
- How is it possible to authenticate an application using Azure AD
- Azure AD Multi-tenant Applications - How to implement Token Validation?
- azure-ad-jwt how does it validate the token