active-directory-angularjs-singlepageapp | AngularJS based single page app | Azure library

I am working on integrating Azure Active Directory for my Angular SPA (or any Javascript) application. Application has a front-end (built with JavaScript) and a Web API (built with any c# or any server side languages).

For reference, https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp

I know that I configured OAuth 2.0 Implicit Grant in SPA AAD Registration. OAuth 2.0 Implicit Grant is slightly relaxed to let SPA gaining access to web resources tied to SPA AAD Registration by redeeming 'id_token'.

OAuth 2.0 Implicit Grant Protocol:

1. Reach Azure Auth Endpoint with client_id, resource,.. for id_token
2. Challenge it with credentials
3. Get id_token as it is posted back to SPA URI.
4. Use id_token as bearer token to access the restricted web resources.

SPA works very well with id_token and OAuth 2.0 Implicit Grant Protocol for Internal Web API alone.

Reason why we could not acquire access_token from SPA or JS:

SPA could not send XHR to Azure Token Endpoint as SPA is blocked by CORS Policy of Azure Token Endpoint. So, SPA XHR could not acquire access_token.

But, iFrames implementation of Adal.js can fetch access_token by calling cross-domain web resources.

It looks like this is a special case for SPA alone.

QUESTIONS:

1. How does AAD determine which web resources that 'id_token' holder can access? By looking up the web resources tied to SPA AAD Registration?

   [OP] Adal.js is responsible for intercepting our post-backs to receive and store tokens like id_token & access_token

2. Cannot AAD implement the following approach?

   • Redirect to Azure Auth Endpoint with client_id, resource,.. for Auth Code.
   • Acquire Authorization_Code from Azure Auth Endpoint by posting it back to SPA URI.
   • Instead for XHR to Azure Token Endpoint, can't we redirect to Azure Token Endpoint with Auth_Code, client_id, resource,.. to let Azure Token Endpoint post back the access_token back to redirect_uri?

   [OP] Adal.js had other plans to use iFrames to call Cross-domain API (Az Auth Endpoint, in this case) and acquire Access Tokens.

P.S. I need real answers for above questions. This case is now solved :)!

I have followed this guide:

https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp

and I connect successfully. I would like to send the bearer token to my C# server and use it to call my workbench(another AD app) functions.

I am trying to use the bearer token I get from angular in a postman call and it is unauthorized. It is important to mention that I gave my angular client on AD permission to access my workbench instance and it's still not working, that leads me to some questions:

I have tried using a .NET client from this guide:

http://blog.pomiager.com/post/using-rest-api-in-azure-workbench-blockchain

and it works. I notice here that in the AuthenticationContext object it receives credentials that is using the Client ID and the Client Secret. I notice that in the angular AD example we never use the secret. But the thing is that, when looking at the guide to create your own workbench UI, in the authService.js, it never takes the secret as a parameter as well. As can be seen here:

https://github.com/Azure-Samples/blockchain/blob/master/blockchain-development-kit/connect/web/workbench/custom-ux-sample/src/services/authService.js

I understand that that credentials should be set on the server. In the angular example that I provided there is also a ASP.NET server

How can I create a valid bearer token for the workbench from the angularJS AD example? Should I replace the OWIN lib with something else?

Thanks

We have a SPA which authenticates using ADAL (similar to examples provided https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp). Now we want to host our application inside a secure environment where all communication outside is blocked by default. So we want to whitelist IP addresses which are/can be associated with AAD login process.

Using DNS lookup to find IP addresses for login.microsoftonline.com doesn't give me all the IPs since I did nslookup from different location and found different set. So, wondering do you guys know a set of such IPs.

PS: I found a list of IPs here - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites but this list is huge. Do I need to whitelist all?

I've got a self-hosted web api application with an angular front end, and I need to now start authenticating users via Azure Active Directory.

I've downloaded the SinglePageApp example and I've set this up and have it running successfully. https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp-dotnet-webapi

When applying the necessary changes to my own app, I can successfully redirect the user to the Azure login screen and get back the userProfile using adal.js/adal_angular.js. I'm getting 401 unauthorized errors whenever I call my API, however using Fiddler, I can see that the bearer token is added to the HTTP header in each call.

Here is my AdalAngular setup: