0 votes

I want to build a multi-tenant web application that calls a multi-tenant Web API using AAD.

I am following this sample but replacing the UWP app client with an ASP.NET Web Application.

It all works fine but I am concerned that the validation of the issuer is done using a custom AuthorizationFilterAttribute based on values in a bespoke database.

Rather than using a separate database, is it possible to use an AAD implementation, one that uses the directory?

Seems like a possible security risk if somehow the database is compromised to include 'bad data'.

1
Your specific problem seems a little broad. If an actor were to insert bad data, the only thing (that I can think of) they would achieve is access to the app, but only their tenant's data, which they could also achieve through the regular sign-up process. – juunas

And any kind of database compromise is a security risk. – juunas

The point of the attribute is to check that the token is from a tenant which has completed the sign-up process. In some multi-tenant apps this means purchasing a subscription. This check is done since when an app is multi-tenant in AAD, any tenant can sign in to the app. – juunas

1 Answer

0 votes

If you are inquiring if an option to provide a list of valid token issuers exists in the Azure AD application registration, then I'm afraid the answer is no.

The token issuer validation is the responsibility of the receiver of the bearer token as of now.
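The comment above explains why the sample checks the issuer at all (a multi-tenant AAD app accepts sign-ins from any tenant, so the app must decide which tenants have completed sign-up), and the answer states that this check is the receiver's job. The following is an added example, not code from the question, the answer or the Microsoft sample, of doing that check inside the token validation pipeline through `TokenValidationParameters.IssuerValidator` rather than in a separate `AuthorizationFilterAttribute`. It assumes the `Microsoft.IdentityModel.Tokens` package, the v1 issuer format `https://sts.windows.net/{tenantId}/`, and a constructed placeholder set of onboarded tenant IDs standing in for whatever store records completed sign-ups:

```csharp
// Added example (not from the original post): reject bearer tokens whose
// issuer is not one of the tenants that completed sign-up, as part of
// JWT validation instead of a separate per-request filter.
// Assumptions: Microsoft.IdentityModel.Tokens is referenced; the v1 Azure AD
// issuer shape "https://sts.windows.net/{tenantId}/" is in use.
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Tokens;

public static class TenantIssuerValidation
{
    // Constructed placeholder: tenant IDs that have completed sign-up.
    // In a real app this set is loaded from the sign-up store.
    private static readonly HashSet<Guid> OnboardedTenants = new HashSet<Guid>
    {
        Guid.Parse("00000000-0000-0000-0000-000000000001"), // placeholder tenant
    };

    private const string IssuerPrefix = "https://sts.windows.net/";

    // Pulls the tenant ID out of an issuer string. Returns null for anything
    // that is not an Azure AD issuer of the expected shape, so a token with a
    // look-alike issuer never reaches the membership check.
    public static Guid? TenantIdFromIssuer(string issuer)
    {
        if (string.IsNullOrEmpty(issuer) ||
            !issuer.StartsWith(IssuerPrefix, StringComparison.OrdinalIgnoreCase))
        {
            return null;
        }

        string rest = issuer.Substring(IssuerPrefix.Length).TrimEnd('/');
        return Guid.TryParse(rest, out Guid tenantId) ? tenantId : (Guid?)null;
    }

    // Matches the IssuerValidator delegate: return the issuer to accept it,
    // throw to reject. Rejection happens before any controller code runs.
    public static string ValidateIssuer(string issuer, SecurityToken token, TokenValidationParameters parameters)
    {
        Guid? tenantId = TenantIdFromIssuer(issuer);
        if (tenantId.HasValue && OnboardedTenants.Contains(tenantId.Value))
        {
            return issuer;
        }

        throw new SecurityTokenInvalidIssuerException(
            "Token issuer is not an onboarded tenant: " + issuer);
    }

    // Builds validation parameters for a multi-tenant API: the audience is
    // fixed, the issuer is checked by the delegate above, and signature keys
    // are still resolved from the metadata endpoint by the middleware.
    public static TokenValidationParameters BuildParameters(string audience)
    {
        return new TokenValidationParameters
        {
            ValidAudience = audience,
            ValidateAudience = true,
            ValidateIssuer = true,
            IssuerValidator = ValidateIssuer,
        };
    }
}
```

With the OWIN middleware used by the ASP.NET samples, these parameters are passed via `WindowsAzureActiveDirectoryBearerAuthenticationOptions.TokenValidationParameters` while keeping `Tenant = "common"`, so signature validation still uses the common metadata and only the issuer decision is delegated. Whether the set of onboarded tenants lives in a database or elsewhere, the point the comment makes still holds: the list is only as trustworthy as the sign-up process that populates it, so writes to it should be limited to that process.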