0 votes

I have two Azure AD apps:

1) Admin/BackendApp which guards my webapi

2) Consumer APP which will consume my webapi

When I try to access my web API using a token created from the URL below, passing the required ClientID, ClientSecret, Resource and grant_type=client_credentials:

https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/token

I get an access token from the above URL and pass that token in the Authorization header to my web API, and I get a successful response without granting any access to/from the admin/backend app.


2 Answers

3 votes

You need to check for valid scopes/roles in the token!

Define delegated/app permissions for the API in Azure AD and enforce them in your API. A global check that the token contains at least one valid permission is good to have.

An app in any tenant can acquire a token for your API as long as they know your tenant id and client id. If you do not check for permissions, your API is vulnerable!

I have an article on how to define and enforce scopes in ASP.NET Core: https://joonasw.net/view/azure-ad-authentication-aspnet-core-api-part-1
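As an added illustration of the check this answer recommends (example code written for this page, not the answer author's code and not taken from the linked article): a minimal ASP.NET Core API that validates the token's issuer and audience and then refuses any caller whose token carries neither an app role in the "roles" claim nor a delegated permission in the space-separated "scp" claim. The "roles" and "scp" claim names are the ones Azure AD emits; the tenant id, the API's client id and the permission names (Orders.Read, Orders.Read.All, and so on) are placeholders invented for the example. The authority URL matches the v1 token endpoint used in the question; a v2.0 authority would be used for v2 tokens.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Added example (not the answer's or the linked article's code). Needs the
// Microsoft.AspNetCore.Authentication.JwtBearer package. Tenant id, API client
// id and the permission names below are placeholders / assumptions.
var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication("Bearer")
    .AddJwtBearer("Bearer", o =>
    {
        // The token must come from this tenant and be minted FOR this API (aud).
        // A token issued for some other resource is rejected before any claim check.
        o.Authority = "https://login.microsoftonline.com/<TENANT-ID-PLACEHOLDER>/";
        o.Audience = "<API-APP-CLIENT-ID-PLACEHOLDER>";
        // Keep Azure AD's raw claim names ("roles", "scp") rather than .NET's remapping.
        o.MapInboundClaims = false;
    });

// App permissions (client credentials flow, as in the question) arrive in the
// "roles" claim; delegated permissions arrive in "scp". Names are assumptions.
var knownAppRoles = new HashSet<string>(StringComparer.Ordinal) { "Orders.Read.All", "Orders.Write.All" };
var knownScopes = new HashSet<string>(StringComparer.Ordinal) { "Orders.Read", "Orders.Write" };

builder.Services.AddAuthorization(options =>
{
    // The global check from the answer: every endpoint needs an authenticated
    // caller holding at least one permission this API actually defined. A token
    // that is merely valid (right issuer, right audience) but has no roles/scp
    // claim, which is what an un-consented client gets, fails here with 403.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx =>
            ctx.User.FindAll("roles").Any(c => knownAppRoles.Contains(c.Value)) ||
            Scopes(ctx.User).Any(knownScopes.Contains))
        .Build();

    // Per-operation policy: reading orders needs the matching app role or scope.
    // A named policy replaces the fallback for that endpoint, so it repeats the
    // authenticated-user requirement and is complete on its own.
    options.AddPolicy("Orders.Read", p => p
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx =>
            ctx.User.HasClaim("roles", "Orders.Read.All") ||
            Scopes(ctx.User).Contains("Orders.Read")));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/orders", () => Results.Ok(new[] { "order-1", "order-2" }))
   .RequireAuthorization("Orders.Read");

app.Run();

// "scp" is one space-separated string; split it into individual scope names.
static string[] Scopes(ClaimsPrincipal user) =>
    user.FindFirst("scp")?.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries)
    ?? Array.Empty<string>();
```

With this in place, the client-credentials token from the question only passes once the consumer app has been granted (and an admin has consented to) one of the API's app roles, because that grant is what puts the "roles" claim into the token; a token obtained with nothing more than the tenant id, client id and secret validates as a bearer token but is refused by the fallback policy.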

1 vote

Based on your query, the JWT token that is created to call the API already has enough permission to call the resources. This looks like a normal scenario.