active-directory-javascript-singlepageapp-dotnet-webapi-v2 | JavaScript based single page app with a .NET | Azure library
kandi X-RAY | active-directory-javascript-singlepageapp-dotnet-webapi-v2 Summary
A JavaScript based single page app with a .NET backend that authenticates users for AzureAD, Microsoft personal and work accounts, and more, and calls the backend web api using access tokens, without using any Single Page Application framework
Community Discussions
Trending Discussions on active-directory-javascript-singlepageapp-dotnet-webapi-v2
QUESTION
As shown by many samples I have two AAD application registrations, one for my javascript-based front end, and one for my JSON-only web APIs.
If I fully trust my client AAD application, why does AAD require me to create a second AAD application for my web APIs?
For example, assuming I add specific roles to my client AAD application, if the client signs in with AAD and gets an id token and access token containing my roles, it only needs to send the access token to my APIs. The API only needs to crack the JWT and validate the audience, issuer, tenant, role permissions, and signature. In this world, no client secret is needed in the web APIs, a second AAD application registration is not needed, and there is still no call to AAD from my APIs. Unfortunately, without two AAD applications, I cannot figure out a way to have AAD include roles in my access token.
If I didn't fully trust the issuer from mucking with claims, I can see why I would need two AAD applications and a client secret. But since I do trust my AAD application and the signature of the JWT, why the extra complexity? Or maybe there is a way to do this that I haven't found?
Thanks!
Responding to Marc here because there are just not enough characters in the comments field -- The sample you referenced is an excellent sample, specifically the JavaScript one calling the Web API. It is what I am doing right now in fact. However, the problem is that the Web API in the sample is open to anybody who has authenticated on the tenant. I need to secure the Web API down to certain individuals in the tenant, and simply checking the client/app id is not sufficient, as anybody who can create an AAD app can fake it.
So what I need to do is have roles added to the access token so I know that my application authenticated the user, and that the user has been granted the required roles. For example, here is a Microsoft sample. And even here a Microsoft video walking through the process.
If I don't have two AAD applications with a client secret, the roles claim is never provided in the access token. It is always provided in the id token, but not the access token.
I feel like I am missing something obvious here. If AAD would just put the roles I requested into the JWT when I authenticated against it, and I validated its signature, audience, issuer, and roles, I wouldn't need any of this extra complexity?
ANSWER
Answered 2019-Oct-25 at 20:14
Can you provide a link showing that two apps are needed? That should only be the case if the API you want to call is not provided by the web app which served the JS to the browser. None of the 'official' samples require you to register two apps (Graph API, used in some of these samples, is a separate API and it is already registered). A problem with tokens passed from the browser is that they were acquired by a public client, not using any secrets apart from user creds. Therefore, they are easier to steal and re-use. Your own back-end app may want to use a secret to get its own token (extension grant) to call yet another API using a token that does not reside in a public client.
QUESTION
I just stumbled across this example for SPA and I am wondering if someone has already done something similar in an Angular app with TypeScript service/component.
ANSWER
Answered 2017-May-23 at 18:25
Found something on Github as reference: https://github.com/sunilbandla/msal-angular-sample
QUESTION
I tried using the code provided here: https://github.com/Azure-Samples/active-directory-javascript-singlepageapp-dotnet-webapi-v2
It works for both MSA and Azure AD authentication. I need to know whether the email address entered was MSA or Azure AD. Is there a way to find that out from the response?
ANSWER
Answered 2017-Jun-08 at 13:06
In the id_token you get back, there's an iss (issuer) claim.
This claim contains the user's tenant.
If the user used a Microsoft Account (MSA), their issuer claim will contain the following GUID for the MSA tenant: 9188040d-6c67-4c5b-b112-36a304b66dad
The full value of the issuer will be:
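An added example (not code from the Azure sample repository) that ties the two answers above together: it decodes a token's claims, classifies the sign-in as MSA or Azure AD from the `iss` claim using the MSA tenant GUID given above, and applies the kind of `roles` check the first question wants on the API side. The sample tokens, the `api://example-web-api` audience, the Azure AD tenant GUID, and the `https://login.microsoftonline.com/{tenant}/v2.0` issuer format are all constructed assumptions for the demonstration; the code does no signature verification, so its output is only trustworthy after the Web API's JWT bearer middleware has validated the signature, audience and issuer.

```javascript
// Added example, not code from the Azure sample: decode a JWT's claims (no
// signature check) to tell an MSA sign-in from an Azure AD one via `iss`, and
// to gate an API operation on the `roles` claim. Claims are only trustworthy
// after the Web API's JWT bearer middleware has validated the signature,
// audience and issuer; this helper is for inspection and routing, not trust.
const MSA_TENANT_ID = '9188040d-6c67-4c5b-b112-36a304b66dad';

// base64url -> UTF-8 string, without an external library.
function base64UrlDecode(segment) {
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Parse the payload segment of a compact JWS; throws on malformed input.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// The MSA tenant GUID appears in `iss` for Microsoft personal accounts;
// any other tenant in the issuer means a work/school (Azure AD) account.
function accountTypeFromClaims(claims) {
  return (claims.iss || '').includes(MSA_TENANT_ID) ? 'MSA' : 'AzureAD';
}

// API-side role check: a missing or empty `roles` claim denies access.
function hasRole(claims, required) {
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  return roles.includes(required);
}

// Constructed sample tokens (placeholder signature; the issuer URL format is
// an assumption about the v2.0 endpoint, the MSA GUID is from the answer above).
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}
const AAD_TENANT_ID = '11111111-2222-3333-4444-555555555555'; // constructed
const msaToken = makeSampleToken({
  iss: `https://login.microsoftonline.com/${MSA_TENANT_ID}/v2.0`,
  tid: MSA_TENANT_ID, aud: 'api://example-web-api', roles: [] });
const aadToken = makeSampleToken({
  iss: `https://login.microsoftonline.com/${AAD_TENANT_ID}/v2.0`,
  tid: AAD_TENANT_ID, aud: 'api://example-web-api', roles: ['Admin'] });
```

On a real token, run `accountTypeFromClaims` on the id_token's claims in the SPA to answer the third question, and `hasRole` in the Web API only after the bearer middleware has accepted the access token.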
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported