-1

I have two Azure Web Apps, one is a website and acting as the front-end, the other one is an API and acting as the backend. I would like to add authentication to this solution so only the front-end can access the backend. To do this, I've configured AAD authentication on the backend Web App with the express option that creates a new Azure AD application configured with the correct reply URL, API permissions (User.Read), etc. When I then navigate to the backend Web App URL, I need to sign in with my Azure AD credentials.

Which steps do I need to take to restrict that so I as a user cannot log in and only the front-end Web App can authenticate to the backend API?

For example, I can set the "Authorized client applications" on the Azure AD application of the backend API. However, I need to have an application ID to add an authorized client and I would like to use the Managed Identity of the front-end Web App for this, not a new and additional Azure AD application.

Any idea how to do this?

Ronald
  • 11
  • 3
  • 2
    I have answered similar questions before for your reference. https://stackoverflow.com/questions/65934246/what-is-the-authentication-authorization-scenario-for-web-app-that-calls-api-wit/65955256#65955256 – Carl Zhao Feb 03 '21 at 08:50
  • Hi @CarlZhao, thanks for the reference. I've added the app ID of the front-end app to the "Authorized client applications" in the backend. I've also added an App Role to the backend app and added that role via API permissions in my front-end app. Do I need to update my C# code as well? When I navigate to the front-end URL, I still get a login screen when the front-end is trying to access the API of the backend app. – Ronald Feb 03 '21 at 09:54
  • This is weird, it should no longer prompt you to log in. I found a suitable sample, and you can see if it helps you. https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2 – Carl Zhao Feb 04 '21 at 02:44
  • If my answer is helpful for you, you can accept it as the answer (click on the check mark beside the answer to toggle it from greyed out to filled in). This can be beneficial to other community members. Thank you. – Carl Zhao Feb 05 '21 at 01:45

1 Answer

0

This is weird, if the login screen still appears, there is a problem with your code configuration, because the client credential flow does not involve user interaction.

I found a useful sample for your reference. This sample application shows how to use the Microsoft identity platform to access the data from a protected Web API in a non-interactive process. It uses the OAuth 2 client credentials grant to acquire an access token, which is then used to call the Web API.

Carl Zhao
  • 8,543
  • 2
  • 11
  • 19
  • Hi Carl, thanks for the reference. I've followed it and it is working 50%. When I execute the request in Postman to get an access token and use that in the call to the API, it works. On the Azure Web App the authorization/authentication is enabled with express settings. However, when I add the authorize attribute and the `HttpContext.ValidateAppRole("access_as_application");` code, I get a 401 when calling the API via Postman; no additional information is given in the response. My client application has the correct role in its token when I check it at jwt.io. Any idea what is wrong? – Ronald Feb 08 '21 at 15:37
  • @Ronald The 401 error means that the `audience` of your token does not match your API. How did you set the `scope`? Can you use jwt.io to parse your access token and provide screenshots? – Carl Zhao Feb 10 '21 at 06:36
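The following Python sketch is an added illustration of what the answer and its comment thread describe; it is not part of the original thread, not Carl's linked sample and not Ronald's C# code. It shows the two halves of the flow: building the client credentials token request with the backend's `.default` scope (the `scope` Carl asks about), and the checks a protected API performs on an app-only token before a role check such as `ValidateAppRole` runs (signature, issuer, expiry, audience, `roles`), returning a reason instead of a bare 401. Every tenant and application ID below is a constructed placeholder, the tokens are minted locally with a constructed HS256 key so the code runs offline, and a real Azure AD token is RS256-signed and would be verified against the tenant's published keys instead; the validator's choice to accept both the `api://<app-id>` and bare `<app-id>` audience forms is an assumption about how the API is configured, not something the thread states.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed placeholders: none of these values come from the original thread.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
FRONTEND_CLIENT_ID = "aaaaaaaa-0000-0000-0000-000000000001"  # the calling (front-end / daemon) app
BACKEND_APP_ID = "bbbbbbbb-0000-0000-0000-000000000002"      # the protected API's app registration
REQUIRED_APP_ROLE = "access_as_application"                   # app role exposed by the backend
SIGNING_KEY = b"constructed-shared-secret-for-demo-only"      # stands in for AAD's RS256 keys


def client_credentials_request(tenant_id, client_id, client_secret, backend_app_id):
    """Build the OAuth 2.0 client credentials token request (no user interaction).

    The scope must be the *backend's* .default scope. Requesting User.Read or
    https://graph.microsoft.com/.default instead yields a token whose `aud` is Graph,
    which the backend API rejects with 401.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"api://{backend_app_id}/.default",
    }
    return url, urlencode(body)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Mint a constructed HS256 JWT so the validator can be exercised offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_app_token(token, tenant_id, backend_app_id, required_role, key=SIGNING_KEY, now=None):
    """Return (ok, reason) for an app-only token presented to the backend API.

    Order matters: signature first, then issuer, expiry, audience, and only then the
    `roles` claim, which is where ValidateAppRole("access_as_application") would look.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))

    # v1 tokens use the sts.windows.net issuer, v2 tokens the login.microsoftonline.com/.../v2.0 one.
    allowed_issuers = {
        f"https://sts.windows.net/{tenant_id}/",
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    }
    if claims.get("iss") not in allowed_issuers:
        return False, f"issuer {claims.get('iss')!r} not trusted"
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return False, "token expired"
    # Assumption: accept both audience spellings, api://<app-id> (v1) and the bare app id (v2).
    if claims.get("aud") not in {f"api://{backend_app_id}", backend_app_id}:
        return False, f"audience {claims.get('aud')!r} does not match this API"
    # App-only tokens carry granted application permissions in `roles`.
    if required_role not in claims.get("roles", []):
        return False, f"required app role {required_role!r} not present"
    return True, "ok"


if __name__ == "__main__":
    now = int(time.time())
    good = make_token({"iss": f"https://sts.windows.net/{TENANT_ID}/", "aud": f"api://{BACKEND_APP_ID}",
                       "appid": FRONTEND_CLIENT_ID, "exp": now + 3600, "roles": [REQUIRED_APP_ROLE]})
    print(validate_app_token(good, TENANT_ID, BACKEND_APP_ID, REQUIRED_APP_ROLE, now=now))
    print(client_credentials_request(TENANT_ID, FRONTEND_CLIENT_ID, "<secret>", BACKEND_APP_ID)[1])
```

Run against a token pasted from jwt.io (after swapping the HS256 check for RS256 against the tenant's keys), the returned reason separates the case Carl names in his last comment, an `aud` that is not the backend's, from a `roles` claim that lacks `access_as_application`, which a plain 401 does not distinguish.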