How authentication works in general

bdiddy 171 Reputation points
2020-08-13T02:32:41.697+00:00

Hi, I'm just trying to understand how it works under the hood technically when I try to access a website that is secured on Azure using B2C, for example.

Let's say I have a SPA app written in Angular using the msal-angular library, and it has been configured correctly on Azure, with the msal library also configured correctly.

When I try to access the SPA app, it knows I'm not logged in, then shows a pop-up from the identity provider and asks me to sign in. I enter the credentials and sign in.

So I'm guessing it knows I'm not logged in because the id_token is stored somewhere on the browser? I also read that there is an http-only session cookie when successfully signed in? Is this how it knows? What is the use of the session cookie? How is it being used? Is it being passed around?

Also, the SPA app written in Angular is communicating with a Web API written in .NET Core that uses Microsoft.Identity.Web and has also been secured on Azure.

When the SPA calls the web API, I'm guessing it is sending the id_token to the web API? I believe I saw in the source code that it is sending the id_token in the authentication header. Does the browser also send the session cookie?

And what if that web API calls another web API that is also secured, is it the same mechanism? Does the id_token have to be sent? What about the session cookie?

Thank you,


Accepted answer
  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2020-08-14T12:51:07.06+00:00

    Hello @bdiddy

    After successful authentication, the IDP issues an id_token to the user. Along with the issuance of the token, session cookies are also issued to facilitate SSO for web-browser-based sessions. If there are no session cookies present in the browser session, or if the cookies are expired, the user is considered unauthenticated and is required to authenticate in order to get access to the protected resources. If session cookies are present in the browser session, those cookies are passed in the request header to prove that the user is authenticated and has a valid session. Tokens are not stored on the browser.

    When we call an API, we need to pass the Access Token in the Authorization header. The Id_token can be considered a subset of the Access Token and doesn't include the permissions/scopes which are usually required to perform the API call. Id_tokens are used to prove that the user is authenticated, but to make API calls we need to prove that we have the required permission to perform the Get/Post/Patch operation, which is included in the Access Token.

    For scenarios where one web API calls another web API, we pass Access Tokens in the Authorization header. Session cookies are not used in that case.

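A worked illustration of the point the accepted answer makes about which token goes in the Authorization header. This is an added example, not code from the original thread and not from the MSAL or Microsoft.Identity.Web libraries. Both JWTs are constructed, unsigned samples, and the App ID URI `api://contoso-api`, the SPA client id, the issuer URL and the `Orders.Read` / `Orders.Write` scope names are all hypothetical. What is real is the shape of the claims: an Entra id_token is addressed to the client app (`aud` = client id) and carries identity claims, while an access token is addressed to the API and carries delegated permissions in `scp` (or app roles in `roles`), and that difference is what the SPA and the API can check.

```javascript
// Added example (not from the original thread, MSAL or Microsoft.Identity.Web): why a SPA
// sends an access token rather than the id_token in the Authorization header, and what each
// side inspects. Both JWTs are constructed, unsigned samples (alg "none") for illustration;
// real tokens are signed by the IdP, and the API must validate signature, issuer, audience
// and expiry before trusting any claim.

const API_APP_ID_URI = "api://contoso-api";                     // hypothetical App ID URI of the web API
const SPA_CLIENT_ID = "11111111-1111-1111-1111-111111111111";   // hypothetical client id of the Angular SPA
const ISSUER = "https://contoso.b2clogin.com/tenant-guid/v2.0"; // hypothetical B2C issuer

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Assemble a compact JWT (header.payload.signature) with an empty signature. Sample only.
function sampleJwt(payload) {
  return `${b64url({ alg: "none", typ: "JWT" })}.${b64url(payload)}.`;
}

const issuedAt = Math.floor(Date.now() / 1000);

// Constructed id_token: audience is the SPA itself and the claims describe who signed in.
// There is no scp/roles claim, so it says nothing about what the caller may do at the API.
const ID_TOKEN = sampleJwt({
  iss: ISSUER, aud: SPA_CLIENT_ID, sub: "user-object-id-0001", name: "Sample User",
  nonce: "n-0S6_WzA2Mj", iat: issuedAt, exp: issuedAt + 3600,
});

// Constructed access token: audience is the API and scp lists the delegated permissions
// the user consented to for this SPA. This is the token that belongs in Authorization.
const ACCESS_TOKEN = sampleJwt({
  iss: ISSUER, aud: API_APP_ID_URI, sub: "user-object-id-0001",
  scp: "Orders.Read Orders.Write", iat: issuedAt, exp: issuedAt + 3600,
});

// Decode the payload segment of a compact JWT without verifying it. Fine for a client
// deciding which token it holds; never a substitute for validation on the API side.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// True when the token is an unexpired access token minted for the given API: aud must
// name the API and the token must carry delegated scopes (scp) or app roles (roles).
function isAccessTokenFor(jwt, apiAudience, nowSeconds = Math.floor(Date.now() / 1000)) {
  const c = decodePayload(jwt);
  const hasPermissions = typeof c.scp === "string" || Array.isArray(c.roles);
  return c.aud === apiAudience && hasPermissions && c.exp > nowSeconds;
}

// Build the fetch options the SPA uses to call the API. The bearer token is the only
// credential; credentials: "omit" makes explicit that no cookie travels with the call,
// which is why the IdP's SSO session cookie plays no part in SPA -> API requests.
function buildApiRequest(jwt, apiAudience) {
  if (!isAccessTokenFor(jwt, apiAudience)) {
    throw new Error("refusing to send a token that is not an access token for this API");
  }
  return {
    method: "GET",
    headers: { Authorization: `Bearer ${jwt}`, Accept: "application/json" },
    credentials: "omit",
  };
}

// API-side check, after signature/issuer/audience validation: does the presented token
// grant the scope this endpoint requires? An id_token fails here because it has no scp.
function hasScope(jwt, requiredScope) {
  const c = decodePayload(jwt);
  return typeof c.scp === "string" && c.scp.split(" ").includes(requiredScope);
}

console.log("id_token usable for API?", isAccessTokenFor(ID_TOKEN, API_APP_ID_URI));         // false
console.log("access token usable for API?", isAccessTokenFor(ACCESS_TOKEN, API_APP_ID_URI)); // true
console.log("Orders.Read granted?", hasScope(ACCESS_TOKEN, "Orders.Read"));                  // true
```

Run with Node 16 or later (`node example.js`). The same checks explain the API-to-API case in the answer: the first API obtains a new access token whose `aud` is the downstream API and forwards that in its own Authorization header; the browser's SSO cookie never leaves the IdP's domain and is not part of either hop.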

1 additional answer

  1. James Hamil 21,621 Reputation points Microsoft Employee
    2020-08-31T19:07:43.3+00:00

    Hi, are there any updates with this case? If not, please select the appropriate response as "Answered." Otherwise please let us know how we can assist you.
