active-directory-javascript-singlepageapp-dotnet-webapi | javascript based single page app with a .NET | Azure library
kandi X-RAY | active-directory-javascript-singlepageapp-dotnet-webapi Summary
Azure AD Javascript Getting Started.
Community Discussions
QUESTION
As shown by many samples I have two AAD application registrations, one for my javascript-based front end, and one for my JSON-only web APIs.
If I fully trust my client AAD application, why does AAD require me to create a second AAD application for my web APIs?
For example, assuming I add specific roles to my client AAD application, if client signs in with AAD and gets an id token and access token containing my roles, it only needs to send the access token to my APIs. The API only needs to crack the JWT, validate the audience, issuer, tenant, roles permissions, and signature. In this world, no client secret is needed in the web APIs, a second AAD application registration not needed, and still no call to AAD from my APIs. Unfortunately, without two AAD applications, I cannot figure out a way to have AAD include roles into my access token.
If I didn't fully trust the issuer from mucking with claims, I can see why I would need two AAD applications and a client secret. But since I do trust my AAD application and the signature of the JWT, why the extra complexity? Or maybe there is a way to do this that I haven't found?
Thanks!
Responding to Marc here because just not enough characters in the comments field -- The sample you referenced is an excellent sample, specifically the JavaScript one calling the Web API. It is what I am doing right now in fact. However, the problem is that the Web API in the sample is open to anybody who has authenticated on the tenant. I need to secure the Web API down to certain individuals in the tenant, and simply checking the client/app id is not sufficient as anybody who can create an AAD app can fake it.
So what I need to do is have roles added to the access token so I know that my application authenticated the user, and that user has been granted the required roles. For example, here is a Microsoft sample. And even here a Microsoft video walking through the process.
If I don't have two AAD applications w/client secret, the roles claim is never provided in the access token. It is always provided in the id token, but not the access token.
I feel like I am missing something obvious here. If AAD would just put the roles I requested into the JWT when I authenticated against it, and I validated its signature, audience, issuer, and roles, I wouldn't need any of this extra complexity?
ANSWER
Answered 2019-Oct-25 at 20:14
Can you provide a link showing that two apps are needed? That should only be the case if the API you want to call is not provided by the web app which served the JS to the browser. None of the 'official' samples require you to register two apps (Graph API, used in some of these samples is a separate API and it is already registered). A problem with tokens passed from the browser is that they were acquired by a public client, not using any secrets apart from user creds. Therefore, they are easier to steal and re-use. Your own back-end app may want to use a secret to get its own token (extension grant) to call yet another API using a token that does not reside in a public client.
QUESTION
I just stumbled across this example for SPA and I am wondering if someone has already done something similar in an Angular app with TypeScript service/component.
ANSWER
Answered 2017-May-23 at 18:25
Found something on Github as reference: https://github.com/sunilbandla/msal-angular-sample
QUESTION
The graphic pretty much tells the story. This is all single tenant, fwiw.
I have my Web API, which is being accessed by a "swagger" UI (which is really a kind of spa) served up from the same location, as well as an MVC app, which has some traditional MVC controllers interacting with the Web API, as well as some SPA experiences that interact directly with the web api.
From what I've read, in addition to my Web API having an app registration in my AD tenant (which has the roles declared in its manifest in order to support RBAC), I also need to have a separate app registration for the swagger UI, which is granted permissions to access the Web API.
I'm unsure if my MVC app needs 1 AD Tenant registration, or 2 registrations (1 for MVC, 1 for the SPA served up from MVC)
Main questions..
Should my MVC/SPA share the same AD registration, or, they should be separated?
Does my Web API registration's manifest need to have "oauth2AllowImplicitFlow": true, or only the swagger and SPA app registrations' manifests need that?
My MVC, based on this github sample for SPAs, currently uses this middleware:
app.UseWindowsAzureActiveDirectoryBearerAuthentication
... but if my MVC is going to do selective things in its razor or with its controller logic, should I also be using these add'l middlewares, UseCookieAuthentication and UseOpenIdConnectAuthentication, as shown in this non-SPA web app sample?
ANSWER
Answered 2017-Jun-21 at 19:32
- You can probably make it work with the same application (getting the access token server-side and supplying it with the rendered page), but you might run into a few things where you can't use that token to get a token to go to the next app (the WebAPI one). It does mean a potential extra trip to Azure AD, but I'd have the SPA be its own app.
- Only the Swagger and SPA registrations need "oauth2AllowImplicitFlow": true.
- Your MVC app should not use the bearer auth middleware - it should use the normal OpenIdConnect one. The only app in this setup that should be using bearer auth is your WebAPI one.
A couple of additional notes re: the SPA served from the MVC app. When you're making a call to the WebAPI app, you'll need to make sure a bearer auth token is included on the call, which you get using something like ADAL-JS. If/when you're making a call to the MVC app, no bearer token will be used; you'll usually be using the cookie+openid authentication.
QUESTION
I tried using the code provided here: https://github.com/Azure-Samples/active-directory-javascript-singlepageapp-dotnet-webapi-v2
It works for both MSA and Azure AD authentication. I need to know whether the email address entered was MSA or Azure AD. Is there a way to find that out from the response?
ANSWER
Answered 2017-Jun-08 at 13:06
In the id_token you get back, there's an iss (issuer) claim. This claim contains the user's tenant.
If the user used a Microsoft Account (MSA), their issuer claim will contain the following GUID for the MSA tenant: 9188040d-6c67-4c5b-b112-36a304b66dad
The full value of the issuer will be:
QUESTION
I have a simple ADAL.js 'spa' app based on this sample. It is calling an API that is part of the same solution (so, I don't think this is a CORS issue, we're all in the same domain here.. same app)
I set up some custom roles in my AD tenant's app's manifest file. I associated those roles with some test user accounts. When I run my sample and login, it reflects back to me user token values that show that the correct role has been applied to whatever test user I decided to login with...
When I make calls to the API where we've just simply used the [Authorize] attribute, everything is fine.
For example, this decorated controller works fine:
ANSWER
Answered 2017-Jun-02 at 17:37
You need to define which claim contains the roles. Here is an example:
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported