Ewerton

Reputation: 540

Token Based Authentication in Asp.Net Core API with token from Azure AD gotten through ADAL

I am developing an application using Asp.net core 1.1 and Angular 4.

In just one solution I have my API and the Angular app. So I don't need to host them separately or enable cors. To make calls from the client I just pass "/mycontroler" in the http methods from angular.

One of the requirements of this app is to use login with Azure AD, but I couldn't find anything clear and up to date that could help me implement this flow.

What I have so far is the login from the front end using Adal, I am able to receive the user info and the token. So, how can I now use this token in my api to limit access to resources?

What I have in my API startup code is this:

using System.IO;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Diagnostics;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;

// Namespace and class wrapper added so the trailing braces of the post have
// something to close; only Configure was in the original post.
namespace MyApi
{
  public class Startup
  {
    // Populated in the Startup constructor (not shown in the post).
    public IConfigurationRoot Configuration { get; private set; }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
      // SPA fallback: if nothing handled the request (404) and it is neither a
      // file nor an API route, rewrite to index.html and run the pipeline again
      // so the static file middleware below serves the Angular app.
      app.Use(async (context, next) =>
      {
        await next();
        if (context.Response.StatusCode == 404 &&
            !Path.HasExtension(context.Request.Path.Value) &&
            !context.Request.Path.Value.StartsWith("/api/"))
        {
          context.Request.Path = "/index.html";
          await next();
        }
      });

      app.UseExceptionHandler(errorApp =>
      {
        errorApp.Run(async context =>
        {
          context.Response.StatusCode = 500; // or another status according to the exception type
          context.Response.ContentType = "application/json";

          var error = context.Features.Get<IExceptionHandlerFeature>();
          if (error != null)
          {
            var ex = error.Error;
            await context.Response.WriteAsync(ex.Message, Encoding.UTF8);
          }
        });
      });

      // Validate the bearer token ADAL obtained on the client. Authority is used
      // to download the tenant's signing keys; Audience must equal the token's
      // "aud" claim and ValidIssuer its "iss" claim (v1 and v2.0 tokens carry
      // different issuer values, so this must match the endpoint ADAL uses).
      app.UseJwtBearerAuthentication(new JwtBearerOptions
      {
        Authority = $"{Configuration["Authentication:AzureAd:AADInstance"]}{Configuration["Authentication:AzureAd:TenantId"]}",
        Audience = Configuration["Authentication:AzureAd:ClientId"],
        TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
        {
          ValidIssuer = $"{Configuration["Authentication:AzureAd:AADInstance"]}{Configuration["Authentication:AzureAd:TenantId"]}/v2.0"
        }
      });

      // Authentication is registered before MVC so [Authorize] sees the principal.
      app.UseMvcWithDefaultRoute();
      app.UseDefaultFiles();
      app.UseStaticFiles();
    }
  }
}

but I don't know exactly what to do in my controllers to check user permissions and other information like the groups they are in.

In most scenarios I found, the token is issued in the API itself using Identity, but my case is different, since the token is issued by AAD.

I have read many articles and posts here but couldn't find anything to help me.

Upvotes: 1

Views: 432

Answers (1)

Nan Yu

Reputation: 27588

You can use role-based access control in cloud applications using Azure AD. In RBAC, a role is a collection of permissions. Roles can be granted to users or collections of users (groups). Please read this article for a tutorial and code sample.

To get the user's groups, you can use Azure AD group claims. To configure your application to receive group claims:

  1. In your application page, click on "Manifest" to open the inline manifest editor.
  2. Edit the manifest by locating the "groupMembershipClaims" setting, and setting its value to "All" (or to "SecurityGroup" if you are not interested in Distribution Lists).
  3. Save the manifest.

After authorization in the app, you will find the groups information present for the currently signed-in user. Please click here and here for more details about group claims.

And of course, you could always call the Microsoft Graph API to get the user's group information or app role information. See the List memberOf operation using the Microsoft Graph API.

Upvotes: 1
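As an added illustration (not code from either post), this is how the two mechanisms the answer names, the "groups" claim enabled by groupMembershipClaims and app roles, can be enforced in an ASP.NET Core 1.1 API that validates AAD tokens the way the question's Startup does. The group object id, policy names, role name and controller are all assumptions.

```csharp
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class AadAuthorizationSetup
{
  // Placeholder object id of an Azure AD security group; the "groups" claim
  // carries object ids, never display names, so policies compare against the id.
  public const string AdminsGroupId = "00000000-0000-0000-0000-000000000000";

  // Call from Startup.ConfigureServices (services.AddAadPolicies()) before AddMvc().
  public static IServiceCollection AddAadPolicies(this IServiceCollection services)
  {
    return services.AddAuthorization(options =>
    {
      // Requires the groupMembershipClaims manifest setting from the answer.
      options.AddPolicy("AdminsGroup", p => p.RequireClaim("groups", AdminsGroupId));
      // App roles assigned in the app registration arrive in the token's "roles"
      // claim; the JWT handler maps that to ClaimTypes.Role, so use the role APIs.
      options.AddPolicy("Readers", p => p.RequireRole("Reader"));
    });
  }
}

[Route("api/[controller]")]
[Authorize] // any valid token for the configured Authority/Audience; no token -> 401
public class MeController : Controller
{
  [HttpGet]
  public IActionResult Get()
  {
    var groups = User.FindAll("groups").Select(c => c.Value).ToArray();
    var roles = User.FindAll(ClaimTypes.Role).Select(c => c.Value).ToArray();

    // When a user belongs to more groups than Azure AD will put in a JWT, the
    // "groups" claim is omitted and an overage marker is emitted instead. An
    // empty list then means "unknown", not "no groups": resolve membership
    // through Microsoft Graph (memberOf) as the answer describes.
    var groupsOmitted = User.HasClaim(c => c.Type == "hasgroups" || c.Type == "_claim_names");

    return Ok(new { groups, roles, groupsOmitted });
  }

  [HttpGet("admin")]
  [Authorize(Policy = "AdminsGroup")] // valid token but wrong group -> 403
  public IActionResult AdminOnly() => Ok("visible only to members of the admins group");
}
```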
