
My client-side application is using Azure AD for authentication, but to authorize the user (check if the user is allowed to use my application) I need to go through my REST API. Is it OK, security-wise, to create an endpoint in my REST API where I can post a JWT and validate it, and then give back an access_token that is used for further calls to the API? I'm the developer of both the client application and the REST API, but only the client application is registered in Azure AD.

[Diagram: Login flow]

Does this look ok? Or is there a better way of doing it?

rgullhaug
  • Please add this information into your question: `1.` are you an owner of both `My Application` and `REST API`? `2.` are both applications registered in AzureAD? – mtkachenko Apr 13 '20 at 17:55
  • Yes, I'm the developer of both the client application and the rest api. Only the client application is registered in Azure AD. – rgullhaug Apr 13 '20 at 18:04
  • Are these applications just parts of the same application or you want to keep them absolutely separate? – mtkachenko Apr 13 '20 at 18:38
  • I would like to keep them separate, as there are many other users of the REST API as well (mobile applications, web shops, portals ++). – rgullhaug Apr 13 '20 at 19:24
  • How do all these applications (mobile apps, web shops) acquire tokens to consume REST API currently? Do you consider an option to register REST API in Azure AD? – mtkachenko Apr 13 '20 at 19:33
  • The REST API provides OAuth 2.0 authentication, so the user can log in using OAuth and retrieve an access_token. The login then checks against a username/password in our system and not Azure AD. I still need to provide that functionality. It seems like an easy solution to just accept an Azure AD JWT, validate it and generate an access_token that can be used for all later calls to the API, but maybe it is not a good idea? Can I still offer my own authentication in addition to Azure AD if I register both the client application and the REST API in AD? – rgullhaug Apr 13 '20 at 19:42
  • You want to issue a token for a particular user, right? – mtkachenko Apr 14 '20 at 07:15
  • Yes, that is correct. – rgullhaug Apr 14 '20 at 07:48

2 Answers


As I understand it, the REST API is an identity provider (IdP) and authorization provider (AuthZ provider) for itself: it authenticates users, issues tokens and hosts an API protected with those tokens.

I would say that you want to consume the REST API using access_tokens issued by the REST API AuthZ provider and by the Azure AD AuthZ provider. You can achieve it like this:

mtkachenko

In your case, you could use the On-Behalf-Of flow: register the client app, the middle-tier web API and the downstream web API in Azure AD.

Assume that the user has been authenticated on an application using the OAuth 2.0 authorization code grant flow or another login flow. At this point, the application has an access token for API A (token A) with the user’s claims and consent to access the middle-tier web API (API A). Now, API A needs to make an authenticated request to the downstream web API (API B).

For more details, see Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow.

Joy Wang