ThanhBinhNguyen-1065 asked ·

Web apps call web api on-behalf-of signed in user: Missing solution for pure web front-ends

Hi,
I have a razor web page that calls a web api and displays the result on the page. The razor page signs the user in and calls the web api on-behalf-of the user. The authentication is done via Azure AD. I have read the section on "web apps call web api" by Microsoft, but this does not apply to my case, because my razor page is a pure web front-end and thus there are no controllers. It is not clear how to adapt the solution presented in this section to my case. I would appreciate any help very urgently as I have been stuck on this issue for months now.

azure-active-directory azure-ad-connect azure-ad-multi-factor-authentication
3 comments

@ThanhBinhNguyen-1065, which document/article are you referring to? It would be great if you can share the same and also let us know which OAuth 2.0 flow you are trying to use.

0 Votes 0 · ·

and I am using OAuth 2.0 authorization code flow

0 Votes 0 · ·
JoffreyNURIT-4769 answered ·

Hi @ThanhBinhNguyen-1065,

If I understand your need correctly, you want to use Azure AD authentication in pure JavaScript and not use .NET code.

If possible, I'd like to change your mind about that. Using JavaScript to make front-end calls to an external API can be dangerous for your security. You need to protect calls to external websites explicitly, and a lot of information is available to the public.
If you use a controller, it will be simpler for you, because .NET code for connecting to Azure AD is easy to find. And you improve your application security.

I hope it will help.


ThanhBinhNguyen-1065 answered ·

Hi @JoffreyNURIT-4769 ,
There is no JavaScript in my app. The api calls are done in the razor page using C# code. My razor app follows MVVM, not MVC, and thus there are no controllers. For more details, you can find the differences between these two approaches here: https://stackify.com/asp-net-razor-pages-vs-mvc/

As we do not have controllers, we cannot use the solution in the mentioned section above. And it is not easy to adapt to our case.

3 comments

Hi,
Sorry for the wrong answer.
Can you set up a small repro on Git? I'll take a few minutes and try to find a solution with you if you want.

0 Votes 0 · ·

Hi @JoffreyNURIT-4769 ,

I have created a project sample that mimics my situation. In this sample, I have a razor page that calls a weatherforecast api to display the weather information. The Azure AD information of the web apps and the web api needs to be filled with your own settings. Please let me know if you need further information.

0 Votes 0 · ·
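The scenario discussed in this thread (a Razor Pages PageModel, with no MVC controller, calling a protected web API for the signed-in user) can be sketched as follows. This is an added example, not code from any participant or from the sample project mentioned above; it assumes the Microsoft.Identity.Web NuGet package, and the scope, API URL and class name are placeholders to replace with your own values.

```csharp
// Assumed registration in Program.cs (not shown on the original page):
//   builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration)
//       .EnableTokenAcquisitionToCallDownstreamApi(WeatherModel.Scopes)
//       .AddInMemoryTokenCaches();
//   builder.Services.AddHttpClient();
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Identity.Web;

[Authorize]
// Filter on the PageModel class: if consent or re-authentication is needed,
// the exception thrown by token acquisition is turned into a sign-in challenge.
[AuthorizeForScopes(Scopes = new[] { WeatherModel.ApiScope })]
public class WeatherModel : PageModel
{
    // Placeholders (hypothetical values): use the scope exposed by your web API
    // registration and the real API address.
    public const string ApiScope = "api://<web-api-client-id>/access_as_user";
    public static readonly string[] Scopes = { ApiScope };
    private const string ApiUrl = "https://localhost:5001/weatherforecast";

    private readonly ITokenAcquisition _tokens;
    private readonly IHttpClientFactory _http;

    public WeatherModel(ITokenAcquisition tokens, IHttpClientFactory http)
    {
        _tokens = tokens;
        _http = http;
    }

    // Raw JSON returned by the API, rendered by the .cshtml page.
    public string Forecast { get; private set; } = "";

    public async Task OnGetAsync()
    {
        // The access token is acquired and used on the server only;
        // it is never sent to the browser. Request only the scope the page needs.
        string token = await _tokens.GetAccessTokenForUserAsync(Scopes);

        using var request = new HttpRequestMessage(HttpMethod.Get, ApiUrl);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

        HttpClient client = _http.CreateClient();
        using HttpResponseMessage response = await client.SendAsync(request);
        response.EnsureSuccessStatusCode();
        Forecast = await response.Content.ReadAsStringAsync();
    }
}
```

Do not catch the exception from `GetAccessTokenForUserAsync` inside the handler, since `AuthorizeForScopes` relies on it propagating to trigger the challenge.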