
I have a backend API in an Azure Website that I'd like to protect using Azure AD.

As I understand it, I'll first do an App Registration, then use information from that registration as part of the sign-in to get a token back to the client.

I can then send that token to the API and validate the token in the backend API to verify it.

But doesn't that token give access to all resources in the subscription? How do I restrict the App Registration to only be allowed to access that specific API, and not also another API in the subscription?

I'd also like to have a set of users that are allowed to access the API. If I just allow everyone to log in using the App Registration, will everyone in my AD receive a token back?

Can I somehow use an Enterprise Application to restrict access to the API only, and only allow a set of users?

Or is there another way of doing this?

Riri

1 Answer

But doesn't that token give access to all resources in the subscription? How do I restrict the App Registration to only be allowed to access that specific API, and not also another API in the subscription?

A token only gives access to the API identified by the audience (aud) claim in the token. Nothing more. So if your client app asks for an access token to your API, that token is only valid on that API.

I'd also like to have a set of users that are allowed to access the API. If I just allow everyone to log in using the App Registration, will everyone in my AD receive a token back?

Can I somehow use an Enterprise Application to restrict access to the API only, and only allow a set of users?

Yes. You can find the enterprise app (service principal) for the API, enable Require user assignment, and then assign the users/groups you want to have access to the API from the Users/Groups tab of the enterprise app.

Access token acquisition will then fail for users who are not assigned.

If you are using the same app registration for both the client and the API, then you have to remember that you should still acquire an access token to call the API. Don't use the ID token. Also, in that case, a user who is not assigned to the app will fail login.

juunas
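The two portal steps in the answer (turn on "Require user assignment" on the API's enterprise app, then assign users or groups) are two Microsoft Graph calls against the API's service principal: a PATCH of `appRoleAssignmentRequired` and a POST to `appRoleAssignedTo` with the Default Access app role. The Go program below is an added example, not code from the question or answer, and it uses only the standard library. The object IDs and the Graph token are placeholders, and a local test server stands in for graph.microsoft.com so that it runs offline; against a real tenant you set `BaseURL` to `https://graph.microsoft.com/v1.0` and supply a Graph token with the permissions noted in the code.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// defaultAccessRole is the app role ID Azure AD uses for "Default Access" when the API's
// app registration defines no app roles of its own.
const defaultAccessRole = "00000000-0000-0000-0000-000000000000"

// GraphClient is a minimal Microsoft Graph caller. Token is assumed to be a Graph access token
// whose holder may update service principals and create app role assignments (assumption).
type GraphClient struct {
	BaseURL string // https://graph.microsoft.com/v1.0 in production; a local test server below
	Token   string
	HTTP    *http.Client
}

func (g *GraphClient) call(method, path string, body interface{}) error {
	payload, err := json.Marshal(body)
	if err != nil {
		return err
	}
	req, err := http.NewRequest(method, g.BaseURL+path, bytes.NewReader(payload))
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+g.Token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := g.HTTP.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		msg, _ := io.ReadAll(resp.Body)
		return fmt.Errorf("%s %s: HTTP %d: %s", method, path, resp.StatusCode, msg)
	}
	return nil
}

// RequireAssignment flips "Assignment required?" on the API's service principal (its enterprise
// app); from then on a user or group without an assignment cannot obtain a token for the API.
func (g *GraphClient) RequireAssignment(spID string) error {
	return g.call(http.MethodPatch, "/servicePrincipals/"+spID,
		map[string]bool{"appRoleAssignmentRequired": true})
}

// AssignPrincipal assigns one user or group (by object ID) to the API through the Default Access
// role. Assigning a group once replaces assigning each of its members individually.
func (g *GraphClient) AssignPrincipal(spID, principalID string) error {
	return g.call(http.MethodPost, "/servicePrincipals/"+spID+"/appRoleAssignedTo",
		map[string]string{"principalId": principalID, "resourceId": spID, "appRoleId": defaultAccessRole})
}

// LockDown performs both steps for one API: require assignment, then assign each principal.
func LockDown(g *GraphClient, spID string, principals []string) error {
	if err := g.RequireAssignment(spID); err != nil {
		return err
	}
	for _, p := range principals {
		if err := g.AssignPrincipal(spID, p); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Stand-in for graph.microsoft.com so the example runs offline: echoes each call, answers 204.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		fmt.Printf("%s %s %s\n", r.Method, r.URL.Path, body)
		w.WriteHeader(http.StatusNoContent)
	}))
	defer srv.Close()
	// Object IDs are placeholders; against a real tenant use the service principal's object ID
	// (not the app/client ID) and the users' or groups' object IDs.
	g := &GraphClient{BaseURL: srv.URL, Token: "placeholder-graph-token", HTTP: srv.Client()}
	fmt.Println("result:", LockDown(g, "sp-object-id", []string{"user-object-id", "group-object-id"}))
}
```

The setting lives on the service principal, which is why the answer points at the enterprise app rather than the app registration: the registration describes the app, the service principal is the thing in the tenant that assignments attach to. A non-2xx response is surfaced as an error rather than ignored, so a run with a token that lacks the required permissions fails loudly instead of leaving the API open.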
  • So it's optional to use an Enterprise App to represent the API? I'll manage with just an App reg? But I guess there is no way to restrict users then, right? Also, "A token only gives access to the API identified by the audience (aud) claim in the token." - how do I identify a custom API in the App registration portal? – Riri Apr 15 '20 at 08:01
  • When you create an app registration, an enterprise app is also created for the app. The enterprise app is the service principal, the identity of the app in that AAD tenant. – juunas Apr 15 '20 at 08:02
  • OK, got it. I thought I also had to manually create an Enterprise App. But what do I validate in the backend API? The aud? Does the aud correlate with an ID from the Enterprise App? – Riri Apr 15 '20 at 08:04
  • First off, you should not do validation manually. Most application frameworks have support for JWT validation. Some of the things that must be validated: audience, issuer, expiry time, activation time, digital signature. The audience is either the client ID of the app registration or the app ID URI of the app registration. Both of these properties exist on the enterprise app/service principal too, as it is partially a copy of the app registration. – juunas Apr 15 '20 at 08:27
  • Thanks! Final Q: if I have multiple backend APIs that I'd like to give access to, is the idea then that I can relate an App registration to multiple Enterprise apps (that then represent the different APIs)? Or how would you do that? – Riri Apr 15 '20 at 08:39
  • Ah, no. An enterprise app is always related to only one app registration. Most likely two options: 1) assign the user to each app, 2) assign a group to each app and assign the user to the group once. Group-based access management does require Premium licenses for the users though :\ – juunas Apr 15 '20 at 08:43
  • Reference: https://azure.microsoft.com/en-us/pricing/details/active-directory/ – juunas Apr 15 '20 at 08:44
  • Found this - wouldn't that work for setting up multiple APIs? https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad – Riri Apr 15 '20 at 10:54
  • Yes API Management is also an option :) – juunas Apr 15 '20 at 11:02
  • Yes. But APIM aside, wouldn't it be possible to have multiple App regs representing the different backend APIs, expose scopes in those API App regs, and then have a client App reg that has permission to read those? Thinking something like this https://imgur.com/a/pQ7IS3h Or do I miss something here? – Riri Apr 15 '20 at 11:19
  • Yes, a client app can require access to multiple APIs :) – juunas Apr 15 '20 at 11:26
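The answer's point that a token is only good for the API named in its aud claim, and the comment listing what the backend must validate (audience, issuer, expiry, activation time, signature), are shown together in the Go program below. It is an added example, not code from the question, the answer or Microsoft, and it uses only the standard library; the tenant ID, the App ID URIs api://orders-api and api://inventory-api, the signing key and the user claims are all assumed or constructed. It mints one RS256 token for the orders API and presents it to the orders API, to an inventory API in the same tenant, after expiry, and with its aud rewritten to the inventory API while the original signature is kept. Only the first presentation is accepted. As the comment says, in a real service these checks come from the framework's JWT bearer middleware, and the public key comes from the tenant's JWKS endpoint rather than a locally generated key pair; the point of hand-writing them here is to make each check visible.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Assumed values: a placeholder tenant and two hypothetical App ID URIs registered in it.
const (
	issuer       = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
	ordersAPI    = "api://orders-api"    // the API being protected
	inventoryAPI = "api://inventory-api" // a second API in the same tenant and subscription
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mint signs an RS256 token the way the identity provider does. It exists only so the example
// runs offline; a real API never signs tokens, it fetches the provider's public keys instead.
func mint(key *rsa.PrivateKey, claims map[string]interface{}) string {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	input := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64(sig)
}

// Validate runs the checks a JWT bearer middleware runs before an API trusts a token: alg pinned
// to RS256, signature, issuer, audience and the nbf/exp window. expectedAud is this API's own
// identifier (its App ID URI here; a middleware typically also accepts the client ID).
func Validate(token string, pub *rsa.PublicKey, expectedAud string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var header struct{ Alg string } // encoding/json matches the "alg" key case-insensitively
	if hb, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &header) != nil || header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg) // the token never gets to choose the algorithm
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify") // rejected before any claim is trusted
	}
	var claims map[string]interface{}
	if pb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, fmt.Errorf("payload is not valid JSON")
	}
	if iss, _ := claims["iss"].(string); iss != issuer {
		return nil, fmt.Errorf("untrusted issuer %q", iss)
	}
	if aud, _ := claims["aud"].(string); aud != expectedAud { // Azure AD issues aud as a single string
		return nil, fmt.Errorf("audience %q is not this API", aud)
	}
	exp, _ := claims["exp"].(float64) // JSON numbers decode as float64; a missing exp reads as 0 and fails
	nbf, _ := claims["nbf"].(float64)
	if now.Unix() >= int64(exp) || now.Unix() < int64(nbf) {
		return nil, fmt.Errorf("token is outside its nbf/exp window")
	}
	return claims, nil
}

type Outcome struct{ OwnAPI, OtherAPI, Expired, Forged error } // nil means the token was accepted

// Demo mints one token for the orders API and presents it four ways.
func Demo() Outcome {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	claims := map[string]interface{}{
		"iss": issuer, "aud": ordersAPI, "sub": "user-1", "scp": "Orders.Read",
		"nbf": now.Add(-time.Minute).Unix(), "exp": now.Add(time.Hour).Unix(),
	}
	token := mint(key, claims)
	claims["aud"] = inventoryAPI // forgery attempt: rewrite aud, keep the original signature
	forgedPayload, _ := json.Marshal(claims)
	parts := strings.Split(token, ".")
	forged := parts[0] + "." + b64(forgedPayload) + "." + parts[2]
	var o Outcome
	_, o.OwnAPI = Validate(token, &key.PublicKey, ordersAPI, now)
	_, o.OtherAPI = Validate(token, &key.PublicKey, inventoryAPI, now)
	_, o.Expired = Validate(token, &key.PublicKey, ordersAPI, now.Add(2*time.Hour))
	_, o.Forged = Validate(forged, &key.PublicKey, inventoryAPI, now)
	return o
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so a payload with a rewritten aud (or an `alg: none` header) is rejected without its contents ever being trusted. A client that needs to call both APIs, as in the last comments above, simply requests a separate access token for each audience; there is no single token that is valid on both.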