Question

KeiichiHikita-0018 asked:

Should the GUI and API be registered as separate applications in Azure Active Directory?

I am developing an API to authenticate with Azure Active Directory and a GUI to draw from it.
The GUI will be implemented as a Single Page Application (SPA) and the API will be executed from this SPA.
Both the API and GUI will be authenticated with Azure Active Directory.

I would like to know what is a good practice in this kind of pattern. When registering an application with this kind of configuration on Azure Active Directory, should the GUI and API be registered as different applications?

It seems to me that registering them as the same application (same client ID for API and GUI) would not cause any problems if we only look at the behavior.

We would like to determine whether we should separate the GUI and API as applications based on practices (e.g., from a security perspective, etc.).


Thanks,
Keiichi Hikita

azure-active-directory

Hi @KeiichiHikita-0018 , what do you mean when you say "API to authenticate with Azure Active Directory?" Is it an API for something you've made, and you want users to access the API through Azure authentication? How will the GUI draw from it? Please let me know and I can help you further.

Best,
James


Hi @JamesHamil-MSFT

Thanks for your reply.

What I would like to do is as follows.

  1. Implement both API and GUI as my own application (node.js)

  2. The GUI will be implemented as a Single Page Application and this GUI will run the API

  3. The GUI will authenticate with OpenID Connect in Azure AD. In this case, I will use code-flow. In other words, GUI-based authentication.

  4. The GUI executes the API using the idToken retrieved in step 3 above.

  5. In addition to the GUI, there are two other external systems that use this API for automatic integration (like a cron job). So we would like to authenticate these using only client_secret so that these two systems can authenticate without GUI.

Please have a look at attached diagram.

In such a case, I am wondering whether I should use different client_id(s) for the GUI and the API or use the same one (both can work in principle).

[attachment: system-structure.png]

1 Answer

JamesHamil-MSFT answered:

Hi @KeiichiHikita-0018 , thank you so much for your detailed response. Everything you suggested would work well for your cause. However, I think having 2 apps would serve you better!

A lot of customers only use 1 app because it's usually simpler. But in the long term for both security and maintenance reasons having 2 apps can make this a lot easier and safer.

As far as security goes, I usually recommend this document on best practices. Not all of the info there is pertinent to your case, but it is good to know generally.

Please let me know if you have any more questions, or you need help setting anything up!

If this answer helped you please mark it as "Verified" so other users can reference it.

Thank you,
James

Hi @JamesHamil-MSFT

Thank you for the very helpful information!
I will first try to separate the two applications and operate them separately.

Thank you very much for your help.

Thank you,
Keiichi Hikita
