Currently our ASP.NET MVC system is secured using OpenIdConnect and cookie authentication. We've enabled an OAuth authentication flow using Azure Active Directory.

    using Microsoft.Owin;
    using Microsoft.Owin.Security.ActiveDirectory;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;
    using System.IdentityModel.Tokens;

    public void ConfigureAuthOpenIdConnect(IAppBuilder app)
    {
        // Interactive sign-in via OpenID Connect is persisted in the auth cookie
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        var cookieAuthenticationOptions = new CookieAuthenticationOptions()
        {
           //...
        };

        app.UseCookieAuthentication(cookieAuthenticationOptions);

        // Custom notifications: OnAuthorizationCodeReceived redeems the code with ADAL
        // and caches resource tokens for the signed-in user
        var notifications = new OAOpenIdConnectAuthenticationNotifications();
        var openIdConnectAuthenticationOptions = new OpenIdConnectAuthenticationOptions()
        {
            //...
            Notifications = notifications
        };

        app.UseOpenIdConnectAuthentication(openIdConnectAuthenticationOptions);

        // API-style access: validate an Azure AD bearer token issued for this app (audience = ClientId)
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
           new WindowsAzureActiveDirectoryBearerAuthenticationOptions
           {
               Tenant = ConfigHelper.ClientSettings.TenantName,
               TokenValidationParameters = new TokenValidationParameters
               {
                   ValidAudience = ConfigHelper.ClientSettings.ClientId
               }
           });
    }

Now, when we authenticate via OpenIdConnect, we retrieve the authorization code using a custom Notifications object on the OpenIdConnectAuthenticationOptions. This enables us to request and cache resource tokens using ADAL.

The problem occurs when one tries to access our system using an Azure AD bearer token: this workflow of getting and caching resource tokens is not present.

So my question is, how can I enable this using the bearer token? How can I request additional resource tokens like we are doing using OpenIdConnect? Is it possible to get an authorization code from a bearer token using ADAL?

1 Answer

As you mentioned, you are using the OpenID Connect ASP.NET middleware and ADAL .NET to use Azure AD for sign-in, and then call a web API under the signed-in user's identity in the OnAuthorizationCodeReceived OpenID Connect notification.

In this scenario, you could use authorization code to exchange it for an access token for a specific resource.

On the other hand, when a client application accesses your system using an Azure AD bearer token, there is no authorization code. In this scenario, if you want to use that access token to exchange it for another resource's access token, such as Microsoft Graph, you could use the OAuth 2.0 On-Behalf-Of flow. The OAuth 2.0 On-Behalf-Of flow serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API.

For more information about how the protocols work in this scenario, see Authentication Scenarios for Azure AD and On-Behalf-Of flow tutorial. And of course you can use ADAL.NET to perform the On-Behalf-Of flow, see this code sample.
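To make the answer concrete, here is an added example (not code from the question, the answer, or Microsoft's samples) of the On-Behalf-Of exchange with ADAL .NET v3 (Microsoft.IdentityModel.Clients.ActiveDirectory). It reuses the `ConfigHelper.ClientSettings.TenantName` and `ClientId` names from the question; `ConfigHelper.ClientSettings.ClientSecret`, the `OnBehalfOfTokenBroker` class and the `SaveSigninToken = true` setting on the bearer middleware are assumptions made for the example. The incoming bearer token is only accepted as an assertion after the OWIN middleware has validated it for this app's audience, so the exchange is limited to tokens actually minted for this API.

```csharp
// Added example: exchange the validated incoming Azure AD bearer token for a
// downstream resource token using the OAuth 2.0 On-Behalf-Of flow (ADAL .NET v3).
using System;
using System.IdentityModel.Tokens;          // BootstrapContext
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class OnBehalfOfTokenBroker
{
    // Assertion type Azure AD expects for an OBO request carrying a JWT
    private const string JwtBearerAssertionType = "urn:ietf:params:oauth:grant-type:jwt-bearer";

    // Prerequisite (assumption): extend the TokenValidationParameters in the question with
    //     SaveSigninToken = true
    // so the middleware keeps the raw, already-validated JWT in ClaimsIdentity.BootstrapContext.
    public static string GetIncomingBearerToken(ClaimsPrincipal principal)
    {
        var identity = principal?.Identities.FirstOrDefault();
        var bootstrap = identity?.BootstrapContext as BootstrapContext;
        if (bootstrap == null || string.IsNullOrEmpty(bootstrap.Token))
        {
            throw new InvalidOperationException(
                "No validated bearer token on the identity; is SaveSigninToken enabled?");
        }
        return bootstrap.Token;
    }

    // Acquire a token for downstreamResource (e.g. "https://graph.microsoft.com")
    // on behalf of the user represented by the incoming bearer token.
    // cache: a per-user ADAL TokenCache so repeated calls reuse the OBO result.
    public static async Task<AuthenticationResult> AcquireDownstreamTokenAsync(
        ClaimsPrincipal principal, string downstreamResource, TokenCache cache)
    {
        string authority = "https://login.microsoftonline.com/" + ConfigHelper.ClientSettings.TenantName;
        var context = new AuthenticationContext(authority, cache);

        // This API authenticates itself as a confidential client (ClientSecret is an assumed setting)
        var clientCredential = new ClientCredential(
            ConfigHelper.ClientSettings.ClientId,
            ConfigHelper.ClientSettings.ClientSecret);

        // The user's validated access token is the assertion that proves who we act for
        var userAssertion = new UserAssertion(GetIncomingBearerToken(principal), JwtBearerAssertionType);

        try
        {
            return await context.AcquireTokenAsync(downstreamResource, clientCredential, userAssertion);
        }
        catch (AdalServiceException ex) when (ex.ErrorCode == "interaction_required")
        {
            // The user has not consented to downstreamResource; the API cannot fix this
            // silently, so surface it to the calling client instead of retrying
            throw;
        }
    }
}
```

From a Web API controller, call `AcquireDownstreamTokenAsync(User as ClaimsPrincipal, resource, cache)` and put `result.AccessToken` in the `Authorization: Bearer` header of the downstream request. Request the narrowest downstream resource you need, and keep the cache scoped to the user (the ADAL cache keys OBO entries by user assertion) so one caller's tokens are never handed to another.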