Generate Personal Access Token to call an Azure Web Api (OAuth)

1
votes

I have an ASP.NET Web API and I registered a new Application under Azure Active Directory.

This is how the ConfigureAuth is in the source code of the Web API.

public void ConfigureAuth(IAppBuilder app)
        {
            // Configure the db context and user manager to use a single instance per request
            app.CreatePerOwinContext(ApplicationDbContext.Create);
            app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

            // Enable the application to use a cookie to store information for the signed in user
            // and to use a cookie to temporarily store information about a user logging in with a third party login provider
            app.UseCookieAuthentication(new CookieAuthenticationOptions());
            app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

            // Configure the application for OAuth based flow
            OAuthOptions = new OAuthAuthorizationServerOptions
            {
                AllowInsecureHttp = false,
                TokenEndpointPath = new PathString("/Token"),
                AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
                Provider = new ApplicationOAuthProvider("self"),
                AuthenticationType = "LocalBearer"
            };

            // Enable the application to use bearer tokens to authenticate users
            app.UseOAuthBearerTokens(OAuthOptions);
        }

On the other hand, I have a command line application that access to the Web API and ask some data to it.

From the command line I can't login using users credentials (this is a requirement) so I would like to generate a Personal Access Token that expires maybe in a year or two and construct my API call with that Personal Access Token. If that's possible then I can avoid to sign in with a username/password to generate a Token.

Is there any documentation on this scenario? How can I generate Personal Access Tokens for my Console Application to connect to a Web API hosted in Azure?

2
asp.netazureoauthoauth-2.0azure-active-directory

2 Answers

2
votes

so I would like to generate a Personal Access Token that expires maybe in a year or two and construct my API call with that Personal Access Token

AFAIK, default lifetime of access token issued from Azure AD is 1h ,Maximum is 1 day after you config the token lifetime in Azure AD.

If that's possible then I can avoid to sign in with a username/password to generate a Token.

You could get a token from Azure AD using the OAuth 2.0 client credential flow to access the protected API resource ,then your console app will run as an application identity, instead of as a user's identity. Please click here for more details about Daemon or Server Application to Web API authentication scenario , and click here for code samples. If the access token expires,ADAL helps you renew .

1
votes

If I understand well, you don't want to use any users credentials, but rather credentials related to your application. If that's the case, I believe that you are interested in the Client Credential flow, which is explained in details in the following examples:

  • Active-directory-daemon-certificate-credential, which is about using a certificate as a secret for your application. The interest of this example is that it's fully automated with PowerShell scripts, in case you want to try it quickly

  • active-directory-dotnet-daemon, which is very similar to the previous one but uses a password instead of a certificate. This might be closer to your need

In both cases you can express when these secrets will expire (when you create the certificate, for instance you provide an expiration date)