
First off, I am NOT using API Management. I just have a .NET Core API app hosted in Azure. Now I want to secure the app with bearer tokens (OAuth). For some reason I can switch authentication/authorisation on and off, but when doing so, the call to the API redirects me to a login page in the preflight from Chrome.

So my site is hosted at www.a.com and the API endpoint is served at www.b.com (Azure-hosted sites). Chrome is issuing a preflight to the API app and Azure responds with a redirect.

My setup is actually quite simple and standard. I have a VueJS front end hosted as a static site, which uses Azure AD for login. After successful login, I want to call an API hosted in Azure as well. This API has to be secure. Somehow I cannot seem to get this fairly simple configuration to work.

I have registered the apps in Azure, I have created scopes and gave the VueJS web client admin consent for the scopes defined in the API app, but I cannot seem to use the access token from the web client to call APIs from the API app.

Is there someone out there who can help?

Greets and thanks

John.

John Gorter
  • Actually my question is quite simple. I have a VueJS CDN-hosted website which calls an API app hosted in Azure (other domain). I want to expose a secure API. Because of CORS issues there is a preflight request. This actual request responds with a 302 redirect to a login page :-/ I already have a token, I want to continue to do the actual request with the access token..... – John Gorter Dec 13 '19 at 13:02
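The failure the question describes comes from the order in which the API handles the CORS preflight and authentication: Chrome sends the OPTIONS preflight without the Authorization header, so an authentication layer that challenges every unauthenticated request with a redirect bounces the preflight to the login page before the real call is ever made. The following is an added example (not code from the question or from the poster's app) that models both pipelines as plain functions so the difference can be seen offline; the origins, the `VALID-TOKEN-FOR-TEST` string and the sample requests are constructed assumptions, and a real API would verify the JWT signature, issuer, audience and expiry instead of the placeholder check used here.

```javascript
// Added example: a minimal model of how a cross-origin API must treat the
// CORS preflight versus the real request. Browsers send the OPTIONS preflight
// WITHOUT the Authorization header, so an authentication layer that answers
// OPTIONS with a 302 to a login page breaks every cross-origin call, even
// when the SPA already holds a valid token. Origins and the token check below
// are assumptions for illustration only.

const ALLOWED_ORIGINS = new Set(['https://www.a.com']); // assumed SPA origin
const ALLOWED_METHODS = 'GET, POST, OPTIONS';
const ALLOWED_HEADERS = 'Authorization, Content-Type';

// Hypothetical token validator. A real API validates the JWT signature,
// issuer, audience and expiry against the identity provider's signing keys.
function isValidBearer(authHeader) {
  if (typeof authHeader !== 'string') return false;
  const m = /^Bearer\s+(\S+)$/.exec(authHeader);
  return m !== null && m[1] === 'VALID-TOKEN-FOR-TEST';
}

// Auth-before-CORS pipeline: every unauthenticated request, the preflight
// included, is bounced to the login page. This is what the question observes.
function brokenPipeline(req) {
  if (!isValidBearer(req.headers.authorization)) {
    return { status: 302, headers: { location: 'https://login.example/' } };
  }
  return { status: 200, headers: {}, body: 'data' };
}

// CORS-first pipeline: answer the preflight without authentication (it carries
// no credentials by design), echo only allow-listed origins, then enforce the
// bearer token on the actual request.
function corsFirstPipeline(req) {
  const origin = req.headers.origin;
  const cors = {};
  if (origin !== undefined && ALLOWED_ORIGINS.has(origin)) {
    cors['access-control-allow-origin'] = origin;
    cors['vary'] = 'Origin';
  }
  const isPreflight =
    req.method === 'OPTIONS' && Boolean(req.headers['access-control-request-method']);
  if (isPreflight) {
    if (!cors['access-control-allow-origin']) {
      // Unknown origin: advertise nothing, the browser blocks the real call.
      return { status: 403, headers: {} };
    }
    return {
      status: 204,
      headers: {
        ...cors,
        'access-control-allow-methods': ALLOWED_METHODS,
        'access-control-allow-headers': ALLOWED_HEADERS,
        'access-control-max-age': '600',
      },
    };
  }
  if (!isValidBearer(req.headers.authorization)) {
    // An API should challenge with 401 + WWW-Authenticate, never a redirect:
    // a redirect is for interactive browsers, not for fetch/XHR callers.
    return { status: 401, headers: { ...cors, 'www-authenticate': 'Bearer' } };
  }
  return { status: 200, headers: cors, body: 'data' };
}

// Constructed sample requests: the preflight Chrome sends before a GET that
// carries an Authorization header, then the real GET with the bearer token.
const preflight = {
  method: 'OPTIONS',
  headers: {
    origin: 'https://www.a.com',
    'access-control-request-method': 'GET',
    'access-control-request-headers': 'authorization',
  },
};
const realRequest = {
  method: 'GET',
  headers: { origin: 'https://www.a.com', authorization: 'Bearer VALID-TOKEN-FOR-TEST' },
};

console.log('broken pipeline, preflight  ->', brokenPipeline(preflight).status);    // 302
console.log('CORS-first pipeline, preflight ->', corsFirstPipeline(preflight).status); // 204
console.log('CORS-first pipeline, real GET  ->', corsFirstPipeline(realRequest).status); // 200
```

The point the model makes concrete: the preflight must be answered before any authentication check runs, and the authenticated endpoint should answer an anonymous request with 401 and a `WWW-Authenticate: Bearer` header rather than a 302, because a fetch/XHR caller cannot follow an interactive login redirect.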

1 Answer


You can store the JWT authentication token in a cookie / localStorage of an intermediate domain connected to the home page using an iframe.

1. To authenticate the user in example1.com, redirect him to the authentication server in sso.example.com, issue a JWT after authenticating and store it in the localStorage of this domain. After this, redirect the user to the origin domain example1.com.

2. Create an iframe in example2.com pointing to sso.example.com. The iframe in sso.example.com reads the JWT token and sends a message to the parent page.

3. The parent page receives the message and gets the attached token, continuing with the SSO flow.

To simplify development, we recently released a cross-domain SSO with JWT at https://github.com/Aralink/ssojwt

For more details, you could refer to this article.

Joey Cai
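The iframe relay in steps 2 and 3 above only stays safe if both sides pin the exact origin they talk to: the iframe must post the token with a specific `targetOrigin` (never `'*'`), and the parent must check `event.origin` and `event.source` before trusting the message, otherwise any page that embeds the iframe receives the JWT. The following is an added example, not the answer's code and not the Aralink/ssojwt library; the origin names match the answer's example domains, and the storage key, message type, `relay.html` path and the hash-based way the parent announces its origin are assumptions made for illustration. The two functions that carry the checks take their inputs as parameters so they run under Node as well as in the browser.

```javascript
// Added example (not the answer's code, not Aralink/ssojwt): the iframe token
// relay with explicit origin checks on both ends. Names are assumptions.

const SSO_ORIGIN = 'https://sso.example.com';      // where the JWT is stored
const APP_ORIGINS = new Set([                      // pages allowed to receive it
  'https://example1.com',
  'https://example2.com',
]);
const TOKEN_KEY = 'sso_jwt';       // assumed localStorage key on sso.example.com
const MESSAGE_TYPE = 'sso-token';  // assumed message discriminator

// --- runs inside the iframe served from sso.example.com ---------------------
// Reads the JWT from this origin's storage and returns the message to post
// together with the targetOrigin it must be posted to. `storage` is passed in
// so it can be window.localStorage in the browser or a plain object in a test.
// `requesterOrigin` is untrusted input (it arrives via the URL fragment); the
// allow-list plus postMessage's own targetOrigin enforcement mean a page of any
// other origin never receives the token even if it claims to be example1.com.
function buildTokenMessage(storage, requesterOrigin) {
  if (!APP_ORIGINS.has(requesterOrigin)) return null; // unknown parent: stay silent
  const token = storage.getItem(TOKEN_KEY);
  if (!token) return null;
  return { targetOrigin: requesterOrigin, data: { type: MESSAGE_TYPE, token } };
}

// --- runs in the parent page on example1.com / example2.com -----------------
// Accepts the token only from the SSO origin and only from the iframe window
// this page created itself. Returns the token, or null to ignore the event.
function acceptTokenMessage(event, expectedSource) {
  if (event.origin !== SSO_ORIGIN) return null;       // origin check
  if (event.source !== expectedSource) return null;   // window check
  const d = event.data;
  if (!d || d.type !== MESSAGE_TYPE || typeof d.token !== 'string') return null;
  return d.token;
}

// Structural sanity check before the app uses the string at all. This is not
// verification: the API still validates the signature and claims server-side.
function looksLikeJwt(token) {
  const parts = token.split('.');
  return parts.length === 3 && parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p));
}

// Browser wiring, skipped under Node so the functions above stay testable.
if (typeof window !== 'undefined') {
  if (window.location.origin === SSO_ORIGIN) {
    // Iframe side: the parent passes its origin in the fragment,
    // e.g. https://sso.example.com/relay.html#https%3A%2F%2Fexample1.com
    const requester = decodeURIComponent(window.location.hash.slice(1));
    const msg = buildTokenMessage(window.localStorage, requester);
    if (msg) window.parent.postMessage(msg.data, msg.targetOrigin); // never '*'
  } else {
    // Parent side: create the hidden iframe and listen for exactly one sender.
    const frame = document.createElement('iframe');
    frame.src = SSO_ORIGIN + '/relay.html#' + encodeURIComponent(window.location.origin);
    frame.style.display = 'none';
    document.body.appendChild(frame);
    window.addEventListener('message', (ev) => {
      const token = acceptTokenMessage(ev, frame.contentWindow);
      if (token && looksLikeJwt(token)) {
        // Continue the SSO flow, e.g.
        // fetch(apiUrl, { headers: { Authorization: 'Bearer ' + token } });
      }
    });
  }
}
```

Two design choices are worth calling out. The parent announces its origin in the URL fragment, which the iframe cannot trust on its own; what makes the relay safe is that the iframe only posts to allow-listed origins and the browser refuses to deliver a `postMessage` whose `targetOrigin` does not match the receiving window's real origin. On the receiving side, comparing `event.source` to the iframe the page created, in addition to `event.origin`, rejects messages from other frames on the SSO origin that the page did not open.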