Creating a Web API with OAuth2 / OpenID Connect

I am trying to understand, conceptually and practically, how to run OAuth2 with an OpenID Connect flow in my web API application using Azure AD.

It is important to note that when a request arrives in the API, I want to know who made the request.

My current understanding:

  • My client will find that the user is not logged in and will redirect them to the login page.
  • The user will provide their credentials and will be redirected back to the client along with the OAuth2 token.
  • This token will be passed to the web API endpoints with any request.

That's where it gets muddy for me.

How exactly do I use this token to allow access to a specific resource, determine who accesses the resource, and what is the mechanism that does this?

I assume that I will need to reuse the token to call the Azure AD user endpoint - if the token is valid, the AD endpoint will return the user's details, thereby providing both a means to determine whether the token is valid and detailed information about the user's identity. Resource access can then be granted through group membership in Azure AD.

BUT...

I can only assume that this is a solved problem, and I noticed the use of OWIN middleware in this example:

https://github.com/AzureADSamples/WebApp-WebAPI-OpenIDConnect-DotNet

But I'm still not sure what is going on.

The service mentions areas and applications, but I don't understand where they come from (I suppose from the token provided by the client, but I'm not sure). The service must receive identity information in the call.

This leads me to two points regarding security:

  • The token provided in the call to the service should be protected in transit (hence the use of HTTPS) - to prevent MITM.

  • I believe the token must be signed in some way - using the client secret or something else - to prevent the information in the token from being tampered with.

Can someone help me sort out this tangled mess?

In particular:

  • How is the identity of the API caller determined - is it determined from the call on the client or on the server?

  • How do I restrict access to some API endpoints based on user role?

  • What should I do to achieve this based on the existing middleware and libraries available to me?

+6

2 answers

Disclaimer: this will not be an exhaustive answer. This is off the top of my head.

OpenID Connect provides an authentication layer on top of OAuth. In your case, Active Directory provides authentication and sends back the access_token. An access token represents an authenticated AD user. If you are running OpenID Connect, then AD will also send an id_token, which may contain additional identity information (for example, birthday, avatar, and whatever else AD issues).

Neither OpenID Connect nor Active Directory has anything to do with the roles that your application assigns to the user; roles are entirely yours. You assign user roles in the same way as usual; you just assign them to a nameid instead of to an email address or username. Your application no longer needs to authenticate the user, but it still needs to assign roles to the nameid.

How is the identifier of the calling API determined - is the identifier determined from the call on the client or on the server?

The identity is embedded in the access_token, which AD includes in its response. This token will have a nameid that your application can associate with a user and roles. The nameid is similar to the email address, username or other unique identifier that your application uses to recognize the user.

How to restrict access to some API endpoints based on user role?

You choose. When your application receives a request with a specific access_token, this token will be associated with a specific user through its nameid, and you can assign whatever roles and rights you like to that user. Basically, associate roles with the nameid.

What can I do to achieve this based on existing middleware and libraries available to me?

There is an incomplete demo here, although it does not use Active Directory as a provider; instead it uses an internal provider. For the demonstration, the username is shaun and the password is Testing123!. The source code is here.

Here is a link to the source of another demo, but again, it does not use Active Directory as a provider; instead it uses Twitter.

The best part about OAuth and OpenID Connect is that we can use any identity provider we want, so you can adapt the demos to use Active Directory.

+5
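To make the answer above concrete, here is an added example (not code from the question, the answer, or the linked samples) of what the API side has to do with a bearer token: verify its signature, issuer, audience and expiry, pull out the nameid, and only then map that nameid to roles the application assigns itself. Azure AD signs tokens with RS256 and publishes its signing keys; this example uses HMAC-SHA256 with a shared secret, a placeholder issuer and audience, and a constructed role table so it runs on the Python standard library alone.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions, not real Azure AD identifiers). Azure AD signs with
# RS256 and publishes its keys; HMAC with a shared secret stands in to keep this stdlib-only.
SECRET = b"demo-shared-secret"
EXPECTED_ISSUER = "https://login.example.test/demo-tenant/"  # placeholder issuer
EXPECTED_AUDIENCE = "api://demo-web-api"                     # placeholder API app id
ROLES_BY_NAMEID = {"user-123": {"reader", "admin"}, "user-456": {"reader"}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(nameid: str, ttl: int = 3600, now=None) -> str:
    """Stand-in for the identity provider: mint a signed JWT carrying the nameid claim."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "nameid": nameid, "exp": now + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_token(token: str, now=None) -> dict:
    """API side: check signature, issuer, audience and expiry before trusting any claim."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise PermissionError("malformed token") from None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):  # ignore the alg header; always verify
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise PermissionError("token not issued by our IdP for this API")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims

def authorize(authorization_header: str, required_role: str, now=None) -> str:
    """Endpoint guard: return the caller's nameid if it holds the required locally assigned role."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise PermissionError("missing bearer token")
    nameid = validate_token(token, now)["nameid"]
    if required_role not in ROLES_BY_NAMEID.get(nameid, set()):
        raise PermissionError(f"{nameid} lacks role {required_role}")
    return nameid
```

Note that the role lookup happens only after the signature check, so a token whose payload was edited to claim a different nameid fails before any role is consulted.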

Apart from question 1 (identity is verified on the service side), all your questions are very open and would require a super long answer. I would recommend reading https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/ - it is a good introduction to the flows that underlie many modern authentication scenarios, including the web API scenario you are focusing on. Once you have read this, you will find a complete set of samples at https://azure.microsoft.com/en-us/documentation/articles/active-directory-code-samples/ - in particular, I suggest exploring the web API and authorization ones to find guidance on the 3 issues you have indicated. HTH!

+3