
DaveVs-3498 asked ajkuma-MSFT commented

How can I use an API key or bearer token with App Service authentication/"Easy Auth"?

Hi
Setup as follows:
- Azure app service dotnet core web application (Razor pages)
- This app also includes a small API controller (within the same application).
- Want to migrate to use app services Authentication (easy auth) with AD instead of handling auth within the code.

I have set up Easy Auth to Active Directory for users to log in and this works well.

For the API in my app, I need to access it using an api key or bearer token from an old application client.

Is there any way of creating a static key or token that I can use for this? For various reasons, the old client cannot do redirects for tokens etc. I just want to be able to put a key in the HTTP header of the POST request on this client to authorize it.

Is this possible without separating my API out into its own web api?
Can I generate API keys or bearer tokens in AD that I can put in HTTP headers to authorize this old client?

Thanks a mil


azure-webapps

@DaveVs-3498, Apologies for the delay in responding from over the weekend. I'm checking on this and will get back to you shortly.

Just to highlight, the Easy Auth is implemented as a native IIS module that runs in the same sandbox as your application. When enabled, every HTTP request dispatched to the IIS worker process must first pass through this module before your application code has a chance to react.

You may use a JWT access_token in an Authorization bearer header to request data from the service. Or you could leverage the AppServiceAuthSession cookie, or you could use Authorization: Bearer "{your-id-token}".

Your app can be configured to store the required access token in the token store automatically. From within your backend code, accessing these tokens is as easy as reading an HTTP request header. The headers are named like X-MS-TOKEN-{provider}-{type}.

See these docs for more details:
- Token store
- App Service Auth and the Azure AD Graph API


0 Votes 0 ·

Thank you for the reply.
I understand how to get the access token once it hits my code... the problem is I cannot do the initial token request/OAuth flow from the old external client.

A better way to ask the question would be - Can I manually assign a static API key or basic username/password in Active Directory/App Registrations, that can be hard-coded into an old client that only supports HTTP Bearer/Basic auth? It cannot do OAuth workflows to dynamically retrieve tokens etc.

Hope that makes sense?

Thanks.

0 Votes 0 ·

1 Answer

ajkuma-MSFT answered ajkuma-MSFT commented

@DaveVs-3498, Thanks for sharing additional details.

Easy Auth doesn't support static key-based authentication, but it does support validating Azure AD bearer tokens. For your legacy web app, you can use one of the MSAL libraries to fetch a bearer token from Azure AD and then attach it to an HTTP request to your web API configured with Easy Auth in the Authorization header (e.g. "Authorization: Bearer <jwt>").

You can achieve this using the following guidance: https://docs.microsoft.com/azure/app-service/configure-authentication-provider-aad#daemon-client-application-service-to-service-calls

Hope this helps point you in the right direction. If you have any questions, please let us know.


Brilliant - this worked, thanks a mil!

I had lots of errors like the one below when trying to log in with the token...
{"code":401,"message":"IDX10205: Issuer validation failed. Issuer: '[PII is hidden]'. Did not match: validationParameters.ValidIssuer: '[PII is hidden]' or validationParameters.ValidIssuers: '[PII is hidden]'."}

The solution was to set "accessTokenAcceptedVersion": 2 in the app registration manifest file of the web API (on the Easy Auth side) and it works now. It seems this defaults to null and uses the wrong OAuth token version.

Thanks again for your help, much appreciated.

0 Votes 0 ·
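The issuer mismatch described in the comment above can be confirmed by reading the `iss` and `ver` claims of the token the client actually received. This is an added example, not code from the original thread: the function names, the placeholder tenant ID and the unsigned sample tokens are constructed for illustration, and the two issuer formats are the ones Azure AD uses for v1.0 and v2.0 access tokens.

```python
import base64
import json

# Issuer formats Azure AD uses for each access-token version.
V1_ISSUER = "https://sts.windows.net/{tid}/"
V2_ISSUER = "https://login.microsoftonline.com/{tid}/v2.0"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_issuer(token: str, configured_version: int) -> str:
    """Compare the token's ver/iss with the issuer version the API validates against."""
    claims = decode_claims(token)
    tid, iss, ver = claims.get("tid", ""), claims.get("iss", ""), claims.get("ver", "")
    if iss == V1_ISSUER.format(tid=tid) and ver == "1.0":
        actual = 1
    elif iss == V2_ISSUER.format(tid=tid) and ver == "2.0":
        actual = 2
    else:
        return f"unrecognised issuer {iss!r} (ver={ver!r})"
    if actual == configured_version:
        return f"ok: v{actual} token, issuer {iss}"
    return (f"mismatch: token is v{actual} (iss={iss}) but the API validates "
            f"v{configured_version} issuers; check accessTokenAcceptedVersion")


def make_sample_token(version: int, tid: str = "00000000-0000-0000-0000-000000000000") -> str:
    """Constructed, unsigned sample token; the tenant ID is a placeholder."""
    iss = (V1_ISSUER if version == 1 else V2_ISSUER).format(tid=tid)
    claims = {"iss": iss, "tid": tid, "ver": f"{version}.0", "aud": "api://placeholder"}
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"


if __name__ == "__main__":
    for v in (1, 2):
        print(diagnose_issuer(make_sample_token(v), configured_version=2))
```

The decoder skips signature validation on purpose, so it is only for inspecting a token you already hold, never for authorizing a request.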

@DaveVs-3498, Glad to know that the issue is resolved. Thanks for sharing the additional changes/solution that worked for you with the community.

Thanks for your great feedback. Much appreciated the follow-up.

To help the community find the right answers, please do mark the post which was helpful by clicking on ‘Accept Answer’ & ‘Up-Vote’.



1 Vote 1 ·