I have an app service, let's call it Shiny API. It exposes functionality to my clients. Users authenticate using OAuth through a third-party identity provider.

One of the data sources for this app service is in another app service within the same Azure tenant. Let's call it Legacy.

I've decided to expose some of the functionality of Legacy which I'm exposing through an API I've added for this purpose: Legacy API.

So Legacy API may only be called by our development team (for testing and troubleshooting purposes) and by Shiny API. Its callers are "trusted".

In the old world, I would have configured IIS to use Windows Authentication, using a group managed account. The Azure equivalent is a System Assigned Managed Identity.

I think the client code in Shiny API needs to be a bit like this, but I cannot seem to find the correct way to configure Legacy API.

    // In Shiny API.
    // Used to authenticate to Legacy API.
    // Requires: using Azure.Core; using Azure.Identity; using System.Net.Http.Headers;
    private async Task Authenticate(HttpClient httpClient)
    {
        // App (client) ID of the Legacy API app registration. The "/.default" suffix asks
        // for the application permissions (app roles) granted to this identity; a bare GUID
        // is not accepted as a scope by every credential DefaultAzureCredential may fall back to.
        var NcoLegacyApiApplicationId = "<The Legacy API Client ID Guid>/.default";
        var creds = new DefaultAzureCredential();
        var token = await creds.GetTokenAsync(new TokenRequestContext(new[] { NcoLegacyApiApplicationId }));
        httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);
    }

What do I have to do to allow only certain active directory users and Shiny API to access Legacy API?

I've tried a few things, but they led nowhere:

  • Do I need to do something in the Legacy API code, or can I do this with configuration only?
  • I configured a Microsoft Identity Provider under authentication. But there, I can only add human active directory users; the Shiny API system assigned identity was not available there. How do I authorize Shiny API?
  • I've also created an app registration for the legacy app. Is this necessary?
  • Would using gRPC instead of REST solve anything?
realbart

  • Yeah, you need to create an app registration to configure the auth layer on the legacy app. You would then need to grant permission to the shiny app identity to call the legacy app – Thomas Aug 14 '22 at 04:52
  • @Thomas nice to know the app registration is the way to go. Where do I grant permission to the legacy app? Is the code ok? – realbart Aug 14 '22 at 06:13
  • You have these few articles you could refer to: https://stackoverflow.com/questions/66662856/assign-an-app-role-to-a-managed-identity-service-principal and https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell?tabs=azurepowershell – Thomas Aug 14 '22 at 06:48
  • @Thomas both my apps have a managed identity. The legacy API has an app registration and the Microsoft Identity Provider. I can add myself as a valid user for the legacy API app. But the crux of my question is: why don't I see the shiny API identity? What am I doing wrong? – realbart Aug 16 '22 at 15:03
  • To do it from the portal, you need AAD Premium; otherwise you need to do it from a script. – Thomas Aug 16 '22 at 17:31

1 Answer

I've found out how to do it:

  1. Create a managed identity for Shiny* (Write down the Object (principal) ID)

  2. Create an app registration for Legacy by adding 'Microsoft Authentication' in authentication. (Write down the App (client) ID)

  3. Go to the app registration. Choose app roles. Create an app role (e.g. Legacy.Access) (Write down the App role ID)

  4. Go to the Enterprise Application (in AAD). (Write down the Object ID)

  5. In properties, choose "Yes" for Assignment required

  6. In users and groups, add the users that have access. You want to see the ID from step 1 here too, but this cannot be done through the UI.

  7. Assign the client application access by running in the Cloud Shell (PowerShell):

    $managedIdentityObjectId="(see step 1)"
    $appRoleId="(see step 3)"
    $serverServicePrincipalObjectId="(see step 4)"
    Connect-AzureAD
    New-AzureADServiceAppRoleAssignment `
         -ObjectId $managedIdentityObjectId `
         -Id $appRoleId `
         -PrincipalId $managedIdentityObjectId `
         -ResourceId $serverServicePrincipalObjectId

  8. Use the ID from step 3 to acquire a token in the Shiny application.

realbart
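The steps above gate access at the App Service authentication layer ("Assignment required"). As an added example, not code from the question or the answer, this is how the Legacy API itself can verify the app role from step 3 as a second layer, so a token that is valid for the tenant but lacks Legacy.Access is refused even if the platform check is misconfigured. It assumes ASP.NET Core with the Microsoft.Identity.Web package and an "AzureAd" configuration section holding the Legacy app registration's TenantId and the App (client) ID from step 2; the endpoint path and role name are illustrative.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Validate incoming bearer tokens against the Legacy app registration.
// Assumes an "AzureAd" section in appsettings.json with TenantId and the
// App (client) ID from step 2; Microsoft.Identity.Web checks issuer, signature,
// expiry and audience (client ID or api://<client ID>) from that section.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddAuthorization(options =>
{
    // Microsoft.Identity.Web maps the token's "roles" claim to the role claim
    // type, so RequireRole checks for the app role created in step 3. A token
    // for a tenant user or identity without that assignment gets 403 here even
    // if it passed the App Service authentication layer.
    options.AddPolicy("LegacyAccess", policy => policy.RequireRole("Legacy.Access"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical endpoint standing in for the functionality Legacy exposes.
app.MapGet("/legacy/data", (HttpContext ctx) =>
{
    // For troubleshooting, record which principal was accepted. A managed
    // identity token carries no user name, so fall back to the application ID
    // claim ("appid" in v1 tokens, "azp" in v2 tokens).
    var caller = ctx.User.Identity?.Name
        ?? ctx.User.FindFirst("appid")?.Value
        ?? ctx.User.FindFirst("azp")?.Value
        ?? "unknown";
    return Results.Ok(new { source = "Legacy", caller });
}).RequireAuthorization("LegacyAccess");

app.Run();
```

A development-team user added in step 6 and the Shiny managed identity assigned in step 7 both carry the Legacy.Access role in their tokens, so the same policy covers both kinds of trusted caller.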