azure oauth 2.0 how to protect web api from external organization web api?

Question

I am new to Azure and trying to protect/web api hosted in azure using oauth 2.0. This web api will be called from other web api/deamon which is in control of other organization. I am aware of client credential flow, but in this scenario external api is hosted outside azure ad. We have no idea of where it is hosted and how this third external web api/deamon is hosted? How should we do authentication/authorization for our web api, so that any external service can use it?

Answer 1

You know about client credential flow, then you should know that this kind of flow doesn't need a user to sign in to generate access token, but only need an azure ad application with the client secret. This azure ad application can come from your tenant, so it doesn't require the web api/deamon which is in control of other organization to have an application, you can create the app in your tenant then provide it to the external web api. What you need to make sure is that the external is really a daemon application.

Let's assume that the external app that need to call your api which is protected by azure ad is a daemon application, then client credential flow is suitable here.

Code for external api to generate access token

//you can see it when you add api permission
var scopes = new[] { "api://exposed_apis_app_id/.default" };
var tenantId = "your_tenant_name.onmicrosoft.com";
var clientId = "YOUR_CLIENT_ID";
var clientSecret = "YOUR_CLIENT_SECRET";
// using Azure.Identity;
var options = new TokenCredentialOptions{AuthorityHost = AzureAuthorityHosts.AzurePublicCloud};
var clientSecretCredential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);
var tokenRequestContext = new TokenRequestContext(scopes); 
var token = clientSecretCredential.GetTokenAsync(tokenRequestContext).Result.Token;

Code for your api to add authentication for azure ad, you still have some more configurations, you can refer to my this answer, some related document: authorize the token with role and jwt token configuration.

    [Authorize]
        public class HelloController : Controller
        {
            public IActionResult Index()
            {
                HttpContext.ValidateAppRole("User.Read");//You set it when adding app role
                Student stu = new Student();
                stu.age = 18;
                return Json(stu) ;
            }
        }

appsettings:
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "ClientId": "2c0xxxxxxx57",
    "Domain": "tenantname.onmicrosoft.com", // for instance contoso.onmicrosoft.com. Not used in the ASP.NET core template
    "TenantId": "common",
    "Audience": "8fxxxx78"
  }

startup.cs, don't forget "app.UseAuthentication();app.UseAuthorization();" in Configure method
public void ConfigureServices(IServiceCollection services)
{
     services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
     services.AddControllersWithViews();
}

1. create an azure ad application in your tenant and expose an api with a role.

2. you can create another azure ad application, add client secret and add the application permission created before in the API permissions blade.

3. provide the application id and client secret to those external app and let them use these to generate access token, then they can use the access token to call your api.

4. modify your api to authorize the token if has the correct role.