SharmaAyushNokiaINGurgaon-5163 asked:

Token Validation For Exposed API

Hi, I have exposed my registered Web API in Azure AD for the organization, and on the other hand it is subscribed [API permissions] as well. My question here is how to get the access token specifically for this API, and after getting that token, what is the procedure to validate this type of token [Spring Boot]?

azure-active-directory

1 Answer

soumi-MSFT answered:

@SharmaAyushNokiaINGurgaon-5163, Thank you for reaching out. For fetching an access token for a certain API, you would need to specify in the scope section the permission for that exposed API. You can find the scopes under the Scopes section present under the Expose an API blade.

[image: 10148-scopes.png, the Scopes list under the Expose an API blade]
Once you have the scopes, in your request you can specify them. Please take a look at the sample request below:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=5e2d438a-44d3-437f-aea6-ff41f042b80c&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A1234&response_mode=fragment&scope=openid%20offline_access%20https%3A%2F%2F5e2d438a-44d3-437f-aea6-ff41f042b80c%2FRead&state=12345

You can also use the scope "api://5e2d438a-44d3-437f-aea6-ff41f042b80c/.default" and it would add all the available permissions for that Exposed API in the request that is being sent.


To validate an id_token or an access_token, your app should validate both the token's signature and the claims. To validate access tokens, your app should also validate the issuer, the audience, and the signing tokens. These need to be validated against the values in the OpenID discovery document. For example, the tenant-independent version of the document is located at https://login.microsoftonline.com/common/.well-known/openid-configuration.


The Azure AD middleware has built-in capabilities for validating access tokens, and you can browse through our samples to find one in the language of your choice. [I have included the JAVA samples in the hyperlink above called samples]


For more details you can refer to the following doc: https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validating-tokens


Hope this helps.


Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.


@SharmaAyushNokiaINGurgaon-5163, I wanted to follow up and understand if the above response helped in answering your query. If it did, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.


@soumi: Thanks, I was able to generate the token, but the validation of the token is still open. I went through the sample you shared [the B2C one specifically], but could not get the desired thing. Adding some lines of description for a better understanding of the problem:


I have an app [Android] registered on Azure AD, and registered an API [Spring Boot] on the same Azure AD tenant. We are authenticating the app via Azure AD. Now, after login, the app wants to hit our local API. We want to ensure that the request is coming from the trusted client, so we exposed the API and generated the token on the frontend side for that API, and we are trying to attach that token to the request toward our local API.


In our API, we are not authenticating any user; we just want to get the access token as a Bearer token in the Authorization header, and we want to validate that token on our API side. I hope you understand now; I am looking for a sample validation of that token.


soumi-MSFT replied to SharmaAyushNokiaINGurgaon-5163:

@SharmaAyushNokiaINGurgaon-5163, once you have the app authenticated to AAD [as mentioned above in your response], the app would hold a token issued to itself, an access_token (in JWT format). Now this token is something that the app would send as a bearer token to the API to validate. The API would validate that token; the token won't contain who is sending it to the API, but it would only contain the info on who issued that token (i.e. AAD), by whom this token is to be consumed (i.e. the resource, in this case the API itself) and the roles and scopes (the permissions). Based on these parameter values the API authorizes the token and provides access.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

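The checks the answer lists (signature, issuer, audience against the discovery document) together with the roles/scopes authorization described in the comment above, written as a Spring Security resource-server configuration for the Spring Boot API; this is an added example, not code from the thread or from Microsoft's samples. It assumes Spring Boot 3 / Spring Security 6 with spring-boot-starter-oauth2-resource-server on the classpath, a placeholder tenant ID, and a hypothetical class name ApiSecurityConfig; the client ID is the one used in the answer's sample request.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ApiSecurityConfig {
    // Placeholder: issuer checks need the tenant-specific issuer, since the "common"
    // discovery document only publishes a templated "{tenantid}" issuer value.
    private static final String TENANT_ID = "<your-tenant-id>";
    private static final String ISSUER = "https://login.microsoftonline.com/" + TENANT_ID + "/v2.0";
    private static final String JWKS_URI = "https://login.microsoftonline.com/" + TENANT_ID + "/discovery/v2.0/keys";
    // Application (client) ID of the exposed API, taken from the thread above
    private static final String API_CLIENT_ID = "5e2d438a-44d3-437f-aea6-ff41f042b80c";

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                // the API's "Read" scope (scp claim) is exposed as the SCOPE_Read authority
                .requestMatchers("/api/**").hasAuthority("SCOPE_Read")
                .anyRequest().authenticated())
            // every request must carry a bearer JWT that jwtDecoder() below accepts
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Signature: checked against the tenant's published signing keys (looked up by kid, cached)
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWKS_URI).build();
        // Issuer plus exp/nbf: Spring's default validators bound to the expected issuer
        OAuth2TokenValidator<Jwt> issuer = JwtValidators.createDefaultWithIssuer(ISSUER);
        // Audience: reject tokens minted for some other app; Azure AD sets aud to the
        // client ID or to api://<client-id> depending on the app registration's settings
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(JwtClaimNames.AUD,
            aud -> aud != null && (aud.contains(API_CLIENT_ID) || aud.contains("api://" + API_CLIENT_ID)));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuer, audience));
        return decoder;
    }
}
```

Access tokens issued by the v1.0 endpoint carry the issuer https://sts.windows.net/<tenant-id>/ instead, so ISSUER must match the token version the API registration requests or every token is rejected at the issuer check.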