0
votes

I have an ASP.NET SPA with adal.js-based authentication, and an ASP.NET Web API website with Azure Active Directory auth.

Both websites are hosted on Azure, on different hostnames, say

https://foo.azurewebsites.com/ and https://fooapi.azurewebsites.com/

The Web API website auth is configured as

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                TokenValidationParameters = new TokenValidationParameters() { ValidAudience = ConfigurationManager.AppSettings["ida:Audience"] },
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
            });
    }
}

and the main SPA's adal.js is initialized as:

var config = {
    instance: "https://login.microsoftonline.com/",
    tenant: "mytenant",
    clientId: "client id of foo registration",
    postLogoutRedirectUri: "https://foo.azurewebsites.com/",
    cacheLocation: "localStorage"
};
authContext = new AuthenticationContext(config);

// Check For & Handle Redirect From AAD After Login
var isCallback = authContext.isCallback(window.location.hash);
authContext.handleWindowCallback();
var errorMessage = authContext.getLoginError();

if (isCallback && !authContext.getLoginError()) {
    window.location = authContext._getItem(authContext.CONSTANTS.STORAGE.LOGIN_REQUEST);
}

// Check if View Requires Authentication
if (!authContext.getCachedUser()) {
    authContext.config.redirectUri = window.location.href;
    authContext.login();
    return;
}

The Tenant is the same for foo and fooapi, the client id is different (one for each app registration).

The authentication flow in the foo web app is performed successfully, but every HTTP request to fooapi returns 401 Unauthorized.

How can I make fooapi share the successful authentication of foo?

Thank you for any hint

3

3 Answers

0
votes

You can use the implicit grant flow in AAD so that an ID token is received and sent in the auth header when the API call is made. See the links below for the details and sample code.

https://azure.microsoft.com/en-gb/documentation/articles/active-directory-authentication-scenarios/#single-page-application-spa

https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp

0
votes

How do you acquire the access token for the web API?

To make sure the request succeeds, you need to acquire the token using the resource you configured in the web API. You can paste the token in here to check whether the aud claim is equal to the value of ida:Audience.

And also make sure the token is issued from the tenant you configured in the web API project, since you didn't ignore the tenant verification.

0
votes
Please configure your web API endpoint in endpoints and add it to the initialization.

var endpoints = {
    "https://yourhost/api": "b6a68585-5287-45b2-ba82-383ba1f60932",
};

adalAuthenticationServiceProvider.init(
    {
        // Config to specify endpoints and similar for your app
        tenant: "52d4b072-9470-49fb-8721-bc3a1c9912a1", // Optional; by default it sends common
        clientId: "e9a5a8b6-8af7-4719-9821-0deef255f68e", // Required
        //localLoginUrl: "/login",  // optional
        //redirectUri : "your site", // optional
        endpoints: endpoints  // If you need to send CORS api requests.
    },
    $httpProvider   // pass http provider to inject request interceptor to attach tokens
);
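An added illustration of the point made in the second and third answers (this is not code from the question or from any answer): a small Node.js check that decodes a bearer token's payload and applies the two checks the Web API middleware in the question enforces, that aud equals ida:Audience and that iss is the configured tenant's issuer. The audience, issuer and client id values are placeholders, the tokens are constructed samples with an empty signature, and signature verification is deliberately left to the middleware.

```javascript
// Added example, not part of the question or answers. Shows why a token minted
// for the SPA's own client id gets a 401 from fooapi, while a token acquired for
// the API's resource passes the aud/iss checks the middleware performs.

function base64UrlDecode(segment) {
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4); // restore stripped padding
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (header.payload.signature)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns the reasons the API would reject the token; an empty list means the
// claim checks pass (signature validation is a separate step, not done here).
function explainRejection(token, { audience, issuer }, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  const reasons = [];
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) reasons.push(`aud ${JSON.stringify(claims.aud)} is not ${audience}`);
  if (claims.iss !== issuer) reasons.push(`iss ${claims.iss} is not ${issuer}`);
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) reasons.push('token missing exp or expired');
  return reasons;
}

// Constructed sample token with an empty signature segment, for demonstration only.
function sampleToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.`;
}

// Placeholder values standing in for the real app registrations (assumed, not from the page).
const API = { audience: 'https://fooapi.azurewebsites.com/', issuer: 'https://sts.windows.net/TENANT-ID-PLACEHOLDER/' };
const NOW = 1700000000; // fixed clock so the sample is reproducible
// What the SPA sends today: the ID token minted for foo's own client id.
const idToken = sampleToken({ aud: 'CLIENT-ID-OF-FOO', iss: API.issuer, exp: NOW + 3600 });
// What fooapi needs: a token acquired with fooapi's resource as the audience.
const apiToken = sampleToken({ aud: API.audience, iss: API.issuer, exp: NOW + 3600 });
console.log(explainRejection(idToken, API, NOW));  // one "aud ... is not ..." reason
console.log(explainRejection(apiToken, API, NOW)); // []
```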