-3

I want to build a Web API with the following features:

  1. Support OAuthv2 authentication
  2. Can be accessed by multiple clients
  3. Can restrict which client has access to which API method (like some XML file storing Client to API mapping)

The working scenario is like:

  1. A user logs in to a web application after authenticating by Azure AD.
  2. The Azure AD provides a token containing the UserDetails and ClientId.
  3. Call the API by passing the token (received in step 2 above) in the header as Authentication: Bearer {{Token}}
  4. The API should get the token, validate whether it is from a valid client, and check whether that client has access to this API

It would be great if someone can point to a sample source code for reference/help.

Quest

1 Answer

0

I would suggest this sample as your first step: https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore

For the security part, there are a few ways that you can validate it. Even though this is .NET 4.5 code, you can use this sample as a reference: https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/blob/master/Microsoft.Identity.Web/Resource/ScopesRequiredByWebAPIExtension.cs#L13

Basically, when you register your Web API on the Azure Portal, you can add a scope under the Expose an API menu. Then, when you create a client app, you can register the Web API under the API permissions menu, which will make your client app's access tokens carry the registered scope in their claims.

If you are dealing with client apps under a different tenant, one option would be to keep these client app IDs in a list, and in your Web API middleware validate whether the token issuer is contained in this list. For reference: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/Microsoft.Identity.Web/Resource/AadIssuerValidator.cs

Tiago B
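The answer describes two checks layered on top of standard token validation: the scope (or app role) the client was granted when the Web API was exposed, and an allowlist of client application IDs that decides which client may call which API method. The following is an added example that wires both into an ASP.NET Core minimal API with the Microsoft.AspNetCore.Authentication.JwtBearer package; it is not code from the question, the answer or the linked Azure samples. The tenant ID, the API's App ID URI and the two client IDs are placeholders, and the client-to-operation mapping is a constructed in-memory table standing in for the XML or appsettings file the question mentions. Azure AD puts the calling client's application ID in the azp claim of v2 tokens (appid in v1 tokens), delegated scopes in the space-separated scp claim, and application permissions in the roles claim; the JwtBearer middleware reads the token from the standard Authorization: Bearer header.

```csharp
// Program.cs (ASP.NET Core 6+ minimal hosting). Added example; not from the linked samples.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

const string Tenant = "<tenant-id>";            // placeholder: your Azure AD tenant ID
const string ApiAudience = "api://<web-api-app-id>"; // placeholder: App ID URI set under "Expose an API"

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Signing keys and issuer metadata are discovered from the tenant's OpenID Connect endpoint.
        options.Authority = $"https://login.microsoftonline.com/{Tenant}/v2.0";
        options.Audience = ApiAudience;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            // Accept only issuers of tenants you trust (v2.0 and v1.0 issuer formats for the same tenant).
            // For the multi-tenant case in the answer, add the other trusted tenants' issuers here.
            ValidIssuers = new[]
            {
                $"https://login.microsoftonline.com/{Tenant}/v2.0",
                $"https://sts.windows.net/{Tenant}/",
            },
            ValidateAudience = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };
    });

// One authorization policy per API operation; each policy runs the scope and client checks.
builder.Services.AddAuthorization(options =>
{
    foreach (var operation in ClientAccessPolicy.Operations)
    {
        options.AddPolicy(operation, policy =>
            policy.RequireAuthenticatedUser()
                  .RequireAssertion(ctx => ClientAccessPolicy.IsAllowed(ctx.User, operation)));
    }
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Each method is bound to the policy named after the operation it represents.
app.MapGet("/api/orders", () => Results.Ok(new[] { "order-1", "order-2" }))
   .RequireAuthorization("Orders.Read");
app.MapPost("/api/orders", () => Results.Created("/api/orders/order-3", null))
   .RequireAuthorization("Orders.Write");

app.Run();

static class ClientAccessPolicy
{
    public static readonly string[] Operations = { "Orders.Read", "Orders.Write" };

    // Constructed client-to-operation mapping (placeholder client IDs). In a real deployment this
    // table is loaded from configuration, e.g. the XML file mentioned in the question.
    private static readonly Dictionary<string, HashSet<string>> ClientAccess =
        new(StringComparer.OrdinalIgnoreCase)
        {
            ["11111111-1111-1111-1111-111111111111"] = new(StringComparer.OrdinalIgnoreCase) { "Orders.Read", "Orders.Write" },
            ["22222222-2222-2222-2222-222222222222"] = new(StringComparer.OrdinalIgnoreCase) { "Orders.Read" },
        };

    public static bool IsAllowed(ClaimsPrincipal user, string operation)
    {
        // 1. Identify the calling client: "azp" in v2 tokens, "appid" in v1 tokens.
        var clientId = user.FindFirst("azp")?.Value ?? user.FindFirst("appid")?.Value;
        if (clientId is null) return false;

        // 2. Client allowlist: is this client registered for this operation at all?
        if (!ClientAccess.TryGetValue(clientId, out var allowed) || !allowed.Contains(operation))
            return false;

        // 3. Scope / app role check: did Azure AD actually grant the client this permission?
        var scopes = (user.FindFirst("scp")?.Value ?? string.Empty)
            .Split(' ', StringSplitOptions.RemoveEmptyEntries);
        var roles = user.FindAll("roles").Select(c => c.Value);
        return scopes.Contains(operation, StringComparer.OrdinalIgnoreCase)
            || roles.Contains(operation, StringComparer.OrdinalIgnoreCase);
    }
}
```

Keeping the allowlist check separate from the scope check matters: the scope proves what the tenant admin or user consented to, while the allowlist is the API's own policy, so a client that somehow obtains a token with a broader scope than intended is still blocked by the table. If you prefer the Microsoft.Identity.Web package used in the linked samples, `AddMicrosoftIdentityWebApi(builder.Configuration)` can replace the manual `AddJwtBearer` block, and the same `RequireAssertion` policies apply unchanged.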