active-directory-dotnet-webapp-webapi-openidconnect | NET 4.5 MVC web app that signs Azure AD users | OAuth library

As shown by many samples I have two AAD application registrations, one for my javascript-based front end, and one for my JSON-only web APIs.

If I fully trust my client AAD application, why does AAD require me to create a second AAD application for my web APIs?

For example, assuming I add specific roles to my client AAD application, if client signs in with AAD and gets an id token and access token containing my roles, it only needs to send the access token to my APIs. The API only needs to crack the JWT, validate the audience, issuer, tenant, roles permissions, and signature. In this world, no client secret is needed in the web APIs, a second AAD application registration not needed, and still no call to AAD from my APIs. Unfortunately, without two AAD applications, I cannot figure out a way to have AAD include roles into my access token.

If I didn't fully trust the issuer from mucking with claims, I can see why I would need two AAD applications and a client secret. But since I do trust my AAD application and the signature of the JWT, why the extra complexity? Or maybe there is a way to do this that I haven't found?

Thanks!

Responding to Marc here because just not enough characters in the comments field -- The sample you referenced is an excellent sample, specifically the JavaScript one calling the Web API. It is what I am doing right now in fact. However, the problem is that Web API in the sample is open to anybody who has authenticated on the tenant. I need to secure the Web API down to certain individuals in the tenant, and simply checking the client/app id is not sufficient as anybody who can create an AAD app can fake it.

So what I need to do is have roles added to the the access token so I know that my application authenticated the user, and that user has been granted the required roles. For example, here is a Microsoft sample. And even here a Microsoft video walking through the process.

If I don't have two AAD applications w/client secret, the roles claims is never provided in the access token. It is always provided in the id token, but not the access token.

I feel like I am missing something obvious here. If AAD would just put the roles I requested into the JWT when I authenticated against it, and I validated its signature, audience, issuer, and roles, I wouldn't need any of this extra complexity?

OpenIdConnect (Azure) Settings

I have hosted one web api ProductInfo on azure and register that application into Azure AD.

I have another web app UIProduct and this web app want to access the web api ProductInfo both are in same Domain and same Azure AD.

How can I access web api ProductInfo from web app UIProduct ? is there any token I need to generate again ?

any sample code will be helpful. code sample taken from this link

After successfully login i'm at Home page then i click on about page where i write this

I'm currently confused about how to realize the authentication / authorization flow.

I'm developing two applications, the one is the frontend/Webapplication and the other the backend/API, both with ASP.NET Core. The goal is to use the AzureAD and use the users/groups from the domain. The authentication I already implemented on both applications and I'm able to login and restrict content based on the login state.

As reference I took this example from a microsoft developer. There should be exactly this what I want to do. There is a WebApp and API. The used authentication flow is the authorization code flow. First the user needs to login and after that when some data needs to be requested from the API, an access token will be requested.

Question 1: Is this the right authentication flow? For me this seems like a doubled authentication, because first I authenticate myself at the frontend and when the Webapp needs some data I need to authenticate myself again at the backend. The same Azure AD tenant is used, so what do you think here?

The next point what seems very "ugly" is the procedure getting some data. In the example when some data is requested first the token will be requested and after this the data. But in my opinion with a lot of boilerplate. The example code below is needed for just one request of all ToDo items.

My MVC WebApp is deployed to Azure Paas and secured using Azure AD. The authentication setup uses the sample code below as its base and it is working in localhost with either IISExpress or IIS.

https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect

But it is not working after deployment to Azure. Even though the user will authenticate properly, the AuthorizationCodeReceived delegate is never invoked.

This is start up code that setup the authentication:

EDIT 10/24 I think this was all likely user error - see my answer below for remedy before getting too deep into this question

TL;DR: For my OAuth 2.0 code flow...

Why does my TokenCredentials not work with my AutoRest client? I'm getting NO bearer token applied to the request / no Authorization header set

I know my pipeline works already..

Using code from this azure sample, which is NOT an AutoRest client, I can successfully get my access_token and can get JSON from my protected Web API project.. so I've ruled out all the prerequisite stuff.. I know my pipeline works

My AutoRest setup..

1.) Downloaded from GitHub this AutoRest repo v1.1.0

2.) Downloaded my swagger JSON to disk, saved as swagger.json

3.) Ran this command-line to generate C# files:

autorest --input-file=swagger.json --csharp --output-folder=MyCorp_ApiClient_Tsl --namespace='MyCorp.ApiClient' --add-credentials

4.) Copied generated classes into my .NET 4.6.2 web site

5.) These are my NuGets:

I am testing a webproject using OWIN and OpenID Connect against Azure AD. I am using much of the code from this sample: https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect

I have an issue where i get a null exception on line 27 of this file: https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect/blob/master/TodoListWebApp/Utils/NaiveSessionCache.cs

I get the exception because HttpContext.Current is null.

I can see that Load() is called from BeforeAccessNotification().

My framework version is 4.5.2 and i have in my web.config.

Why is HttpContext.Current null in this context?

Updated:

The only difference i have from the sample is that my ActionResult on my controller is not async. I call AcquireTokenSilentAsync in a async Task that is called with a .Wait() from a standard ActionResult. I am working within a CMS that does not allow me to use async ActionResults.

This is OnAuthorizationCodeReceived:

I'm able to authenticate with live.com with my account on outlook.com at url

Question: What could be causing HttpContext.Current to be null only sometimes?

Question: Is HttpContext.Current initialized after PrincipalService.OnAzureAuthenticationSuccess is called? If so, why only sometiems?

Description

What happens is quite often a user will click sign-in and HttpContext.Current will be null causing the cookie to be never set. Which redirects them back to the home-page and since the cookie wasn't set they click sign-in again and again and again. Sometimes it'll decide to let the cookie be set after 2 or 3 clicks other times it won't do it without clearing cookies or logging out of another Azure AD account (e.g. Our sharepoint server uses Azure AD).

These things seem so odd to me and I haven't been able to pin down what the cause is despite hours of research into it.

Azure Config