Secure ASP.NET WebAPI 2 using Azure Active Directory AD with ADAL JS

 

What we will use
  • OAuth 2.0 middleware
  • ASP.NET WebAPI 2.2
  • Authentication Project Template: Organization Account
  • Azure Active Directory
  • SPA
  • Azure AD Authentication Library (ADAL) for javascript
  •  
Create a WebAPI Project with Organizational Accounts
  • Cloud – Single Organization
  • Domain/AD Tenant – yourorganization.onmicrosoft.com
  • Access Level – Single Sign On (i.e. lets the directory issue tokens for your application)
    • Other access level include “Read/ReadWrite Directory data” using the REST Graph API
Setup:

At Startup.Auth.cs

// ida:Tenant – yourorganization.onmicrosoft.com
// ida:Audience –
https://yourorganization.onmicrosoft.com/MyWebAPIProjectName
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Tenant = ConfigurationManager.AppSettings[“ida:Tenant”],
TokenValidationParameters = new TokenValidationParameters {
ValidAudience = ConfigurationManager.AppSettings[“ida:Audience”]
},
});

Publish the WebAPI app.

Register the SPA App with Azure AD
  • Go to Active Directory –> Application
  • Add Application (Web Client)
  • Add Sign-On Url
  • Add App ID Url
  • Add Redirect URI
  • Enable OAuth2 Implicit Grant – refer to sample app readme.
  • Configure the App.js tenant, clientId with web.config ‘s ida:Tenant & ida:Audience respecitively.

p.s. As of Dec. 20 2014. Looks like the sample is still not ready for hosting the client app in Azure. i.e. the client app will only work when running localhost.

Reference: https://github.com/AzureADSamples/SinglePageApp-DotNet

Secure ASP.NET WebAPI 2 using Azure Active Directory AD with ADAL .NET

image

What we will use

  • OAuth 2.0 middleware
  • ASP.NET WebAPI 2.2
  • Authentication Project Template: Organization Account
  • Azure Active Directory
  • Native Application e.g. Windows Form App
  • Azure AD Authentication Library (ADAL) for .NET 2.x

The ‘Authority’ / ‘Identity Provider’ – Azure AD

Resources often offload most of the authentication functions to an external services provider, commonly known as an authority or an identity provider.

With those functions out of the way, the only authentication task left is to verify that authentication succeeded at the authority. This typically involves examining a security token, a data fragment issued by an authority to a caller upon successful authentication.

Security tokens are usually crafted according to a specific format, digitally signed by a key that will unequivocally identify the issuing authority, and contain some data that uniquely ties the token to the target resource. When the resource receives a request, it looks for an accompanying token. If it finds one that meets the required validation attributes, the caller is authenticated.

Create a WebAPI Project with Organizational Accounts

  • Cloud – Single Organization
  • Domain/AD Tenant – yourorganization.onmicrosoft.com
  • Access Level – Single Sign On (i.e. lets the directory issue tokens for your application)
    • Other access level include “Read/ReadWrite Directory data” using the REST Graph API
Setup:

In Startup.Auth.cs

// ida:Tenant – yourorganization.onmicrosoft.com
// ida:Audience –
https://yourorganization.onmicrosoft.com/MyWebAPIProjectName
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Tenant = ConfigurationManager.AppSettings[“ida:Tenant”],
TokenValidationParameters = new TokenValidationParameters {
ValidAudience = ConfigurationManager.AppSettings[“ida:Audience”]
},
});

Publish the WebAPI App.

The app.Use* naming convention adds a middleware implementation to the OWIN pipeline. The added middleware inspects the incoming request to see if the HTTP header Authorization contains a security token. If it finds a token, it validates the issuing authority, the integrity, expiration date.

If the token looks good, the middleware projects its content in a principal. If it isn’t, sends back an error code.

If there’s no token, the middleware simply lets the call go through without creating a principal (i.e. anonymous). [Authorize] decides whether the request should be served or access denied.

The Audience value is the identifier by which the Web API is known to Windows Azure AD. Any tokens carrying a different Audience are meant for another resource and should be rejected.

The middleware uses that Tenant property value to read all the other properties (such as which key should be used to verify the token’s signatures) that determine the validity of a token.

Register the Native Client App with Azure AD

  • Go to Active Directory –> Application
  • Add Application (Web Client / Native Client)
  • Add Redirect URI

More AD configuration for the client app

  • Click the Configure tab
  • Copy the Client ID
  • Add/Select  the target WebAPI server application and then hit save

Create Native Client App

  • Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory

// Get token
AuthenticationContext ac = new AuthenticationContext(
// Azure -> AD -> Domain -> 
https://login.windows.net/ + AD tenant/domain name
https://login.windows.net/yourorganization.onmicrosoft.com“);
AuthenticationResult ar =
ac.AcquireToken(
// WebAPIApp web.config ‘s ida:Audience
https://yourorganization.onmicrosoft.com/MyWebAPI”,
// Azure -> AD -> Application -> clientapp’s CLIENT ID
“8a39841b-7dcc-4b92-b546-a0799bae312c”,
// Azure -> AD -> Application -> clientapp’s REDIRECT URIS
new Uri(“
https://mynativeclient”));

// Call Web API
string authHeader = ar.CreateAuthorizationHeader();
HttpClient client = new HttpClient();
HttpRequestMessage request = new HttpRequestMessage(
HttpMethod.Get, “
https://mywebapi.azurewebsites.net/Api/Values”);
request.Headers.TryAddWithoutValidation(“Authorization”, authHeader);
HttpResponseMessage response = await client.SendAsync(request);
string responseString = await response.Content.ReadAsStringAsync();
MessageBox.Show(responseString);

When I provide the credentials of any valid user from my directory tenant, I get a token back. The subsequent code presents the token to the Web API in the request headers. The security middleware validates it. Because all validation parameters are a match, it sends back HTTP status code 200 with the results.

If click the button again. You’ll get a token back right away, without being prompted. That’s because ADAL has a built-in token cache that keeps track of the tokens. It even takes care of silently refreshing expired tokens whenever possible.

Reference: http://msdn.microsoft.com/en-us/magazine/dn463788.aspx

http://vincenthomedev.wordpress.com/2014/11/30/azure-active-directory-for-mvc-webapi/

Manage Azure using Windows PowerShell with publishsettings file

 

Use the certificate method

The Azure module includes cmdlets that help you download and import the certificate.

  • The Get-AzurePublishSettingsFile cmdlet opens a web page on the Azure Management Portal, from which you can download the subscription information. The information is contained in a .publishsettings file.

  • The Import-AzurePublishSettingsFile imports the .publishsettings file for use by the module. This file includes a management certificate that has security credentials.

e.g.

Import-AzurePublishSettingsFile “c:\mydownloaded.publishsettings”

Get-AzureAccount

Get-AzureSubscription

Stop-AzureVM -ServiceName “myServiceName” -Name “myName” -StayProvisioned

Azure Active Directory for MVC & WebAPI

image

Azure Friday

Update:

Connect() – This video provides a quick overview of Azure Active Directory from a developer’s standpoint and gives a glimpse of the new identity features in Visual Studio 2015 that make it easy to secure applications with Azure AD.

Secure a MVC application using Azure Active Directory AD Authentication with Visual Studio 2015

Here is the instruction on using Visual Studio 2015 preview to add Azure Active Directory SSO to an existing MVC Application.

1. Create an Azure Active Directory

2. Add user(s) to directory

3. Right-click the project and click “Configure Azure AD Authentication”

image

4. Enter your Active Directory Domain Name e.g. yourid.onmicrosoft.com  This will integrate an Application to the Active Directory

image

5. Click the Application Link and click the Configure Tab and change the “Reply Url” to your webiste’s Url so Azure AD know where to send the SAML authentication tokens after successfully authenticated the Users.

e.g. https://mywebapp.azurewebsites.net/

6. optional update the [Authorize] attribute in the controllers

7. optional add the login/logout/username html to the view. e.g. add @Html.Partial(“_LoginPartial”) to _layout.cshtml

8. Finally publish the WebApp to Azure. Right click on project and click “Publish…”

Azure Scheduler–run jobs on simple or complex recurring schedules

image

Scheduler

Run your jobs on simple or complex recurring schedules
  • Call services inside or outside of Azure
  • Run jobs on any schedule—now, later, or recurring
  • Use Azure Storage queues for long-running or offline jobs
  • Management REST API

Get Started using Scheduler MSDN

Videos:

Azure Mobile Service

 

image

Windows Azure Mobile Services:

  • A turnkey backend solutions to power your mobile apps on any platforms – iOS, Andrioid, Windows(Store/Phone) or Mac and tools like C#, Java, JavaScript, Xamarin, PhoneGap.
  • Accelerate your mobile app development. Incorporate structured storage in the cloud, user authentication(Facebook, Google, Microsoft, Twitter, Active Directory account)/authorization and push notifications to millions (Notification Hubs) in minutes. Add your custom backend logic in C# or Node.js
  • Introduction to Azure Mobile Service – Scott Guthrie

Below are some tutorials that walkthrough common authentication/authorization/push scenarios you can do with Windows Azure Mobile Services: