Allow token based API access to some endpoints on Azure App Service

Question

I have a NodeJS app running on Azure's app service. It's used by real humans, and uses Active Directory Authentication:

At the moment, requests that are not authenticated are redirected to the Active Directly login page. It's working great.

But, I now have the requirement that another application, as opposed to a human, be able to access certain API endpoints - presumably via some kind of token authentication.

I think options for doing this are:

1. Use built-in Azure stuff. There's an example here of how to have a client Azure app authenticate to another, but I don't think that'll work for me as my client app is NOT an Azure app. So, I need anything - eg a curl request - to be able to authenticate to my app. Am I right here? Does azure have anything built in for "non-azure app to authenticate with Azure app"?

2. I could select the "Allow Anonymous requests (no action)" option in the screenshot above, and then handle it all myself: implement an api_tokens table, and for every request, check for an API token if it's a client_api/* endpoint, check for an Active Directory authenticated user for any other endpoint, and manually redirect them to a login page myself if they're not authenticated.

3. Ideally, I could say: if the request is to client_api/* then allow unauthenticated requests, and and I'll check the request includes a valid token, but for all other requests, do as you do now - use Active Directory auth and re-direct unauthenticated requests to the login page, automatically.

So my questions are: - Am I right that auzure has nothing to make option 1) work for me? - Is there a way to do option 3)? - If not, I guess that leaves option 2) - or is there a better way I'm not thinking of?

Answer 1

We have done something similar with your 1) option, good news is that your client (which calls the API) does not have to be hosted within Azure.

We had a custom CRM plugin which needed to invoke calls to an Azure AD protected API APP, the process is rather lengthy, but it works (we set it up a long while ago, so I think the following steps are about right):

Create your own API hosted within Azure and make sure it is registered in Azure AD as an app (within Azure AD -> App registrations in the portal)

Then create a NEW application within Azure AD, call it (say) "Client AD Application", and setup the basic properties and keys, etc.

Effectively, from now, your client APIs will act as the "Client AD Application".

You then need to grant access to your APIs from the "Client AD Application" by assigning delegate permissions to your protected API (again, just do this in the UI within Azure AD). You do this by assigning "elegate Permissions" TO the new "Client AD Application" app (which was not intuitive to me)

once you have the 2 apps setup, and permissions assigned, you then need to invoke the OAUTH API endpoint to get a token, then use that token in the subsequent calls to your API.

Most of this is documented here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code

EDIT:--

As for an example, our call to the oauth endpoint looks like this:

Send POST request to: https://login.windows.net/[tennant]/oauth2/token with the headers:

• client_id: (application ID for the new AD App)
• client_secret: (secret for the new AD App)
• resource: (what API endpoint are you trying to access - i.e. your protected API)
• username: valid AD username
• password: valid AD password
• grant_type: password (always 'password')

This will give you a response like the below:

{
    "token_type": "Bearer",
    "scope": "user_impersonation",
    "expires_in": "3600",
    "ext_expires_in": "0",
    "expires_on": "XXX",
    "not_before": "XXX",
    "resource": "...the resource you asked for...",
    "access_token": "...",
    "refresh_token": "..."
}

Hope that helps mate.