
I currently have 2 web apps (app services) set up on Azure. The first one is an Angular 4 website, the second one is a .NET Core 2.0 RESTful API. I have CORS set up for the UI to talk to the API perfectly. The only issue is there isn't any security around this API.

I am attempting to utilize the Azure AD JWT token as part of an authorize attribute within the API, but the problem is the API can't validate the token since I don't have the secret key that Azure is using to create the JWT token to begin with. Also, I am getting the token from /.auth/me. Does anyone have any advice on how best to solve this problem?

Is there an API endpoint on Azure that I can hit to get a valid JWT token for the currently logged-in user? I noticed the /.auth/me one expires after an hour and the user is forced to visit /.auth/login/aad/callback in order to refresh the tokens.

I would love to know the best strategy to solve this, whether it includes ADAL, MSAL, etc. Also, links to code would be very much appreciated.

1 Answer

I would recommend you use ADAL for JavaScript in your Angular 4 web app to retrieve the id_token or access_token, then use the relevant token to access your .NET Core 2.0 RESTful API. For your Angular app, you could still use the built-in authentication/authorization provided by Azure App Service without changing your code.

For your .NET Core 2.0 RESTful API, you could just leverage Authentication and authorization in Azure App Service (Easy Auth) provided by App Service, or you could manually use the Microsoft.AspNetCore.Authentication.JwtBearer package in your project for JWT authentication. For a detailed code snippet, you could follow here.

Additionally, I would recommend you create separate AAD apps for your front-end web app and your API web app.


13 Comments

How do I refresh the id_token via ADAL?

You cannot refresh the id_token the way the access_token is refreshed; your client user may need to log in again. For details, you could follow this similar issue.

If you need to validate the lifetime of the token in your API, you could use the access_token. From AuthenticationContext.prototype.getCachedToken, you could find that if the user has an active session with AAD, adal.js would automatically renew the access_token for you, and you could follow here.

Do I need an Azure AD policy? I am attempting to follow these examples, but my organization limits our Azure access so I am unable to create a policy. I still haven't been able to validate whether a JWT was given to me from Azure AD since I don't have the private key, and I keep receiving AuthenticationFailed: IDX10803: Unable to obtain configuration from

Are you talking about an Azure AD B2C tenant? If you follow An ASP.NET Core 2.0 web API with Azure AD B2C, you need to set up your policy. Or, if you use an Azure AD tenant, you could follow here and configure jwtOptions.Authority to https://login.microsoftonline.com/<TenantId>.
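An added example, not code from the question, the answer, or Microsoft: a .NET Core 2.x Startup that wires up the JwtBearer middleware the answer and the last comment describe, with <TenantId> and <ApiAppIdUriOrClientId> as placeholders for your tenant and the API's AAD app registration. It shows why the API never needs the "secret key" the question asks about: Azure AD signs tokens with a private key and publishes only the matching public keys in its OpenID Connect metadata, which the middleware downloads from the configured Authority.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    // Placeholders: your tenant ID and the App ID URI (or client ID) of the API's AAD app.
    private const string TenantId = "<TenantId>";
    private const string ApiAudience = "<ApiAppIdUriOrClientId>";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // No shared secret is needed: the middleware fetches
                // {Authority}/.well-known/openid-configuration and verifies the token
                // signature with the public signing keys (JWKS) that document points to.
                options.Authority = $"https://login.microsoftonline.com/{TenantId}";
                // Must equal the resource the Angular app requested the token for.
                options.Audience = ApiAudience;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,    // expected issuer comes from the metadata
                    ValidateAudience = true,
                    ValidateLifetime = true,  // expired tokens are rejected
                    ValidateIssuerSigningKey = true
                };
                // Log why a token was rejected (e.g. an IDX10803 metadata download
                // failure) instead of returning a bare 401.
                options.Events = new JwtBearerEvents
                {
                    OnAuthenticationFailed = ctx =>
                    {
                        Console.Error.WriteLine($"JWT rejected: {ctx.Exception.Message}");
                        return Task.CompletedTask;
                    }
                };
            });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must precede UseMvc so [Authorize] sees the principal
        app.UseMvc();
    }
}
```

With this in place, decorating a controller with [Authorize] rejects requests whose bearer token fails signature, issuer, audience or lifetime checks; an IDX10803 error means the API host could not reach the metadata URL, not that the token itself was invalid.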
