AnishKumar-7058 asked ·

Managing authentication for APIs deployed in multiple regions and protected by Azure AD

Scenario:
1. Registered a Web API in Azure AD to protect it and deployed the code in the US region on a web app named 'usapi' with the URI 'usapi.azurewebsites.net'. With this registration, Azure AD provides a Client Id which is used to get an access token.
2. Gave a user called 'A' access to the above Web API, and now user 'A' can get an access token by specifying the above client id.

Now I need to deploy the same API in the South East Asia region. I will create another web app named 'seaapi' and deploy the same code. I believe that in order to protect the API, I need to register it in Azure AD again, and doing so will create a different Client Id.

Now the question:
Do I need to give user 'A' access to the API deployed in the SEA region again? And even if I give that access, won't the access token need to be generated with the new Client Id, in which case the user needs to know the Client Id of the API deployed in the SEA region?

What's the right approach to achieve the above?

Note: I will route the requests of user 'A' to either the US or the SEA region from Traffic Manager.

@souravmishra-msft @shashishailaj


Tags: azure-active-directory, azure-webapps

soumi-MSFT answered ·

@AnishKumar7058,

I can think of two ways to approach this issue.

  1. In case you are using Traffic Manager to route the traffic to different regions, I believe it would work if you simply publish your API code on a WebApp hosted in a separate region (e.g. SEA) with the same reply URLs. When the user sends a request from the SEA region, Traffic Manager would itself route the traffic to the WebApp hosted in the SEA region, and if the request is made from the US region then Traffic Manager would route the traffic to the WebApp hosted in the US region.

  2. Secondly, since you have two WebApps (one in the US region and the other in the SEA region), you can specify a different Reply URL for each of the WebApps. Then, under the single App Registration in AAD that was done earlier for the US-hosted WebApp, you can add the new reply URL for the SEA-hosted WebApp. So the app registration in AAD for the WebApp would have two reply URLs. Now when the user tries to log in from the US region, the request to AAD would include the reply URL for the WebApp hosted in the US region, and based on that Reply URL, AAD would post the reply to that same reply URL, provided that URL is registered in the App Object present in AAD.

Hope this helps.


Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!


AnishKumar-7058 answered ·

Thanks @soumi-MSFT. I will work as per your comments and update.
