2
votes

I currently have two app services

  1. Web App (Asp.net core 2 w/ front end in react)
  2. Web Api (Asp.net core 2)

Note: Both are configured with different Azure Active Directory app IDs.

  1. The user signs into the Web App and retrieves a token for its own appId/ClientId/ClientSecret, stored in the token cache.
  2. From the Web App, the user wants to talk to the Web API but needs to get a token, since it's protected with AAD as well but with a different app id/client id/client secret.

Problem: When I try to do an AcquireTokenSilentAsync() for the Web API, I get an error saying that the token is not in the cache.

It also seems that whether you're using AAD v2.0 or v1.0 determines whether the web app and web API can have different app IDs. So it seems like I would have to use AAD v1.0. With ASP.NET Core 2, it's not clear to me what OpenIdConnect is using or configured to use under the covers.

Question:

  1. It's not clear to me why AcquireTokenSilentAsync didn't work and failed. Does it only look for the token in the cache and otherwise fail?
  2. Is it possible to configure the token from the web app to have permission to access web API resources? I notice that in the Azure portal you can select resources like Microsoft Graph, but I don't know how you would associate a custom API. In my case, I want to get it running on my local machine before I move it all to Azure.
  3. If the web app token does not have permission to access the web API, do I need to do another login authentication with the user even though both are within the same tenant?

Any advice appreciated, Derek

1 Answer

1
votes
  1. Yes, AcquireTokenSilentAsync will look into the cache, and see if it can find tokens. If it does, it will check to see if the access token is still valid and return that back. If the token is expired, it will use the refresh token to fetch a new access token and return that back. When this call fails, it's an indicator you need to perform an AcquireTokenAsync (which will likely show UI in the case silent already failed).

  2. Yes, you can associate a web app to get tokens for your own custom web API. I'd recommend using Azure AD v1.0 (register the app in the Azure portal, ADAL library). You'll need to register the two apps (web app and the API); both will be of type web app/API. In the API, you can register an App ID URI which will act as the resource identifier for this API. In your web app, you'll want to go into the Required Permissions and add the Web API you have registered as a permission. Then in your web app, you'll need to use the ADAL library (alongside an OpenID OWIN middleware) to acquire a token for the resource as specified by the App ID URI field. Here's a code sample that implements the exact scenario you're describing (Web App/API in ASP.NET Core).
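The wiring the answer describes, as an added example that is not the sample the answerer links to: the ASP.NET Core 2 OpenID Connect handler hands the authorization code to ADAL, which redeems it for the Web API's App ID URI and stores the result in the token cache under the signed-in user, so the later AcquireTokenSilentAsync for that resource finds an entry (the cache miss in the question is what happens when this redemption step is absent). Assumed: the `AzureAd:*` configuration keys, the `AadTokens` class name, and the process-wide `TokenCache`, which stands in for a real per-user cache; wire `Configure` in from `Startup` with `services.AddAuthentication(...).AddCookie().AddOpenIdConnect(o => AadTokens.Configure(o, Configuration))`.

```csharp
// Added example (not the answerer's linked sample): ASP.NET Core 2 web app + ADAL.NET, AAD v1.0 endpoint.
// Assumed config keys: AzureAd:TenantId, AzureAd:ClientId, AzureAd:ClientSecret, AzureAd:WebApiAppIdUri.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
public static class AadTokens
{
    const string OidClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    // Placeholder: one process-wide cache. Use a per-user cache (session/distributed store) in production.
    static readonly TokenCache Cache = new TokenCache();
    static string Authority(IConfiguration cfg) => "https://login.microsoftonline.com/" + cfg["AzureAd:TenantId"];
    static ClientCredential Cred(IConfiguration cfg) => new ClientCredential(cfg["AzureAd:ClientId"], cfg["AzureAd:ClientSecret"]);
    public static void Configure(OpenIdConnectOptions o, IConfiguration cfg)
    {
        o.Authority = Authority(cfg);                            // v1.0 authority, so the two app IDs may differ
        o.ClientId = cfg["AzureAd:ClientId"];
        o.ClientSecret = cfg["AzureAd:ClientSecret"];
        o.Resource = cfg["AzureAd:WebApiAppIdUri"];             // App ID URI registered for the Web API
        o.ResponseType = OpenIdConnectResponseType.CodeIdToken; // hybrid flow: sign-in also returns a code
        o.Events = new OpenIdConnectEvents
        {
            // Redeem the code through ADAL so the API's access + refresh tokens are cached under this user.
            OnAuthorizationCodeReceived = async ctx =>
            {
                var result = await new AuthenticationContext(o.Authority, Cache).AcquireTokenByAuthorizationCodeAsync(
                    ctx.TokenEndpointRequest.Code,
                    new Uri(ctx.TokenEndpointRequest.RedirectUri, UriKind.RelativeOrAbsolute),
                    Cred(cfg), o.Resource);
                ctx.HandleCodeRedemption(result.AccessToken, ctx.ProtocolMessage.IdToken);
            }
        };
    }
    // Token for the Web API from the cache (refreshed if expired), or null when nothing usable is cached
    // for this user; the caller then re-challenges sign-in, which is a web app's "interactive" step.
    public static async Task<string> GetApiTokenAsync(ClaimsPrincipal user, IConfiguration cfg)
    {
        var userId = new UserIdentifier(user.FindFirst(OidClaim).Value, UserIdentifierType.UniqueId);
        try
        {
            var r = await new AuthenticationContext(Authority(cfg), Cache)
                .AcquireTokenSilentAsync(cfg["AzureAd:WebApiAppIdUri"], Cred(cfg), userId);
            return r.AccessToken;
        }
        catch (AdalSilentTokenAcquisitionException) { return null; }
    }
}
```

A controller calls `GetApiTokenAsync(User, cfg)` and sends the returned value as a Bearer token to the Web API; on `null` it returns `Challenge(OpenIdConnectDefaults.AuthenticationScheme)` so the user signs in again and the cache is repopulated.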