3
votes

I have a Service Fabric application (Stateless and Stateful) deployed in a Service Fabric cluster. I am trying to implement security in the applications. The application uses the Active Directory Authentication Library (ADAL) to get a token from Azure AD using the OAuth 2.0 client credential flow, where the client credential is a password. I am able to implement the same scenario in ordinary Web API applications by registering them in the Azure portal. Can anyone tell me how to register a Service Fabric microservice application with Web API exposed using Owin? I have difficulties registering the reply URL and sign-on URL as the URLs are dynamic (for stateful partition id and replica id). I receive unauthorized access while calling the corresponding service. I am not sure what URL has to be registered for a stateful or stateless application when adding the application in Azure Active Directory. Could you please suggest where I'm wrong and what to do to implement it?

1
Some code on what you have done can help. - Peter
I am following the same steps mentioned here: [github.com/Azure-Samples/active-directory-dotnet-daemon]. The TodoListService here is a Service Fabric stateful service with Web API exposed using Owin, deployed in a cloud cluster. I am not sure what the reply and sign-on URL have to be configured to. I tried both methods of supplying the complete URL and the partial URL as stated below. Partial URL: localhost:8082/SampleMa. Complete URL: localhost:8082/SampleMa/9ac178c1-0f43-4c9e-a816-546546e50cea/… - Rijas Kb
This is the configuration used: var y = new WindowsAzureActiveDirectoryBearerAuthenticationOptions { Tenant = "testad.onmicrosoft.com", TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters { SaveSigninToken = true, ValidAudience = "testad.onmicrosoft.com/SampleMa" } }; appBuilder.UseWindowsAzureActiveDirectoryBearerAuthentication(y); I am always receiving unauthorized for the corresponding call from the daemon console app. - Rijas Kb
I even tried adding wildcards to the URL, but that scenario also did not work. - Rijas Kb

1 Answer

1
votes

Can anyone tell me how to register a Service Fabric microservice application with Web API exposed using Owin? I have difficulties registering the reply URL and sign-on URL as the URLs are dynamic (for stateful partition id and replica id).

The client credential flow is used for a service or daemon app. There is no need to use the redirect_url when we use the client credential flow to acquire the token; you can register any valid redirect_url. Here is an example using the client credential flow:

POST https://login.microsoftonline.com/<tenantId>/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=<clientId>
&client_secret=<clientSecret>
&resource=<app id uri of your web api >

And it is the same when integrating a Web API with Azure AD using Azure Service Fabric. Here is an example for your reference:

1. Register a web app (app1) which is used to protect the Web API on the Azure portal.

2. Register a web app (app2) as the client to request the Web API.

3. Grant app1 to app2 from the portal.

4. Create a Service Fabric application with the Stateless Web API template.

5. Configure the app.config of the Service Fabric application:

<add key="ida:Audience" value="app id Uri of app1" />
<add key="ida:Tenant" value="tenantId" />

6. Install the package Microsoft.Owin.Security.ActiveDirectory:

Install-Package Microsoft.Owin.Security.ActiveDirectory

7. Modify the startup code like below. (Note: the call to appBuilder.UseWindowsAzureActiveDirectoryBearerAuthentication comes before appBuilder.UseWebApi(config).)

// Requires: using System.Configuration; using System.Web.Http; using Owin;
//           using Microsoft.Owin.Security.ActiveDirectory;
public static void ConfigureApp(IAppBuilder appBuilder)
{
    // Configure Web API for self-host.
    HttpConfiguration config = new HttpConfiguration();

    config.Routes.MapHttpRoute(
        name: "DefaultApi",
        routeTemplate: "api/{controller}/{id}",
        defaults: new { id = RouteParameter.Optional }
    );

    // Bearer authentication is registered before UseWebApi so that the
    // token is validated before the request reaches any controller.
    appBuilder.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            // Must equal the App ID URI of app1, which is also the
            // "resource" the client requests when it acquires the token.
            Audience = ConfigurationManager.AppSettings["ida:Audience"],
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
            TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
            {
                // false accepts tokens issued by any Azure AD tenant;
                // keep issuer validation on for a single-tenant API.
                ValidateIssuer = false
            }
        });

    appBuilder.UseWebApi(config);
}
8. Run the Service Fabric application.
9. Acquire the token using the client credential flow mentioned above (clientId and clientSecret are from app2).
10. Request the service published by the Service Fabric application with the access token, and it works well.
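When the call still returns 401, the usual cause is that the aud claim in the token does not equal the Audience configured in the OWIN middleware (for example the App ID URI with its https:// scheme versus the same string without it). The following added diagnostic, not part of the answer or the linked sample, builds the token request body from the answer and compares a token's aud/tid/iss claims with the configured values; the audience, tenant id and the unsigned sample token are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

# Values the OWIN middleware reads from app.config (ida:Audience / ida:Tenant).
# Both are constructed placeholders for this example.
AUDIENCE = "https://testad.onmicrosoft.com/SampleMa"  # App ID URI of app1
TENANT_ID = "00000000-0000-0000-0000-000000000000"    # constructed tenant id


def client_credentials_body(client_id, client_secret, resource):
    """Form body of the client-credential token request from the answer.
    `resource` must be the exact App ID URI the API validates as its audience."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    })


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims):
    """Build a constructed, UNSIGNED JWT so the checks below can run offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_jwt_claims(token):
    """Read the payload claims only; signature verification stays with the middleware."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token, audience=AUDIENCE, tenant_id=TENANT_ID):
    """Compare the token's aud/tid/iss claims with the configured Audience and
    Tenant; an empty list means nothing mismatches."""
    claims = decode_jwt_claims(token)
    problems = []
    if claims.get("aud") != audience:
        problems.append(f"aud {claims.get('aud')!r} != Audience {audience!r}")
    if claims.get("tid") != tenant_id:
        problems.append(f"tid {claims.get('tid')!r} != Tenant {tenant_id!r}")
    expected_iss = f"https://sts.windows.net/{tenant_id}/"  # Azure AD v1 issuer form
    if claims.get("iss") != expected_iss:  # skipped by the answer's ValidateIssuer = false
        problems.append(f"iss {claims.get('iss')!r} != {expected_iss!r}")
    return problems
```

Run check_token on a real access token from the daemon app to see which configured value the token does not match.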