1 vote

Trying to set up Azure AD OAuth client credentials grant flow for my web API. I'm following the document at https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow. I have to expose my API to a 3rd party. I've created the app in Azure AD (this is for the client that is requesting my API), generated the secrets and was able to get a response from the oauth2/token endpoint. My questions are below:

  1. What is the best way to validate the token? Is it by passing the JWT (bearer token) as an HTTP header to my API, and then using the SDK to validate the token (System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler)? I'm using C#.
  2. What is the significance of Azure AD -> App Registrations -> "My API App" -> under Manage, Expose an API? It has an option to "Authorize client applications". How could I use this feature to conditionally block and approve the client applications?
  3. I will have to share the secret, client id and the App ID URI with the 3rd party for them to generate the token, and I will validate the token when I receive it.

2 Answers

1 vote

You're on the right track.

This answer, Azure AD OAuth client credentials grant flow with Web API AuthorizeAttribute Roles, will walk you through one way to do this, using the roles claim in the token to authorize the call.

You will need to:

  • define roles
  • create an App registration for each 3rd party
  • assign their application to your desired roles

You can then use the AuthorizeAttribute to map which roles can execute which controllers/actions, like so:

[Authorize(Roles = "Reader,Requester,Editor,Approver,Administrator")]
0 votes

  1. Token validation

Once you complete the token obtaining flow, you receive a JWT bearer access token. On the token consuming end (your service), you need to perform JWT validation. This is done by validating the JWT signature and claims. One of the most important claims you validate is the audience (aud) claim, which must be the identifier (e.g. your service's URL, an ID) unique to the token receiving service. Where do you register this? That's your second question.

Please read through MS's guide on token validation, which explains the key points: Microsoft identity platform access tokens

  2. Service registration

This is where you register valid token receiving endpoints (e.g. your API app). If you check your token request, you provide a resource parameter which must match the registered identifier. This allows Azure to validate the token request and issue an access token for the mentioned resource. You find this as the aud claim in the token. Hope you got the connection now.

  3. App secret

No, only the token obtaining party requires the client credentials. Your API or any token consuming party does not need the secret. They only require a valid access token and the token signing certificate details. Certificate details are exposed at the jwks_uri in the openid-configuration endpoint.
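The validation the two answers describe, written out as an added C# example (this is not code from either answer or from Microsoft's docs): it pulls the issuer and signing keys from the tenant's openid-configuration (the jwks_uri), checks signature, issuer, audience and lifetime with JwtSecurityTokenHandler, and then applies the roles check from the first answer. The tenant id and the audience value are placeholders you replace with your own; the NuGet packages System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Protocols.OpenIdConnect are assumed.

```csharp
// Added example, not part of the answers above. Requires the NuGet packages
// System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Protocols.OpenIdConnect.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class AzureAdTokenValidator
{
    // Placeholders: your tenant id, and the identifier registered for "My API App"
    // (its App ID URI or client id). The token's aud claim must equal this value.
    const string TenantId = "<tenant-id>";
    const string ExpectedAudience = "api://<my-api-app-id>";

    // Downloads and caches the tenant's OpenID Connect metadata (issuer + signing keys
    // from jwks_uri) and refreshes it periodically, so Azure AD key rollover keeps working.
    static readonly ConfigurationManager<OpenIdConnectConfiguration> Metadata =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            $"https://login.microsoftonline.com/{TenantId}/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

    // Validates signature, issuer, audience and lifetime; returns the caller's claims.
    public static async Task<ClaimsPrincipal> ValidateAsync(string bearerToken)
    {
        OpenIdConnectConfiguration config =
            await Metadata.GetConfigurationAsync(CancellationToken.None);

        var parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = config.SigningKeys,   // keys published at jwks_uri
            ValidateIssuer = true,
            ValidIssuer = config.Issuer,              // v1 tokens: https://sts.windows.net/{tenant}/
            ValidateAudience = true,
            ValidAudience = ExpectedAudience,         // rejects tokens minted for some other API
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
            RoleClaimType = "roles",                  // Azure AD app roles are delivered in "roles"
        };

        var handler = new JwtSecurityTokenHandler();
        // Keep the raw JWT claim names ("roles", "appid", ...) instead of the long .NET ClaimTypes URIs,
        // so RoleClaimType = "roles" above actually matches the claims in the token.
        handler.InboundClaimTypeMap.Clear();

        try
        {
            return handler.ValidateToken(bearerToken, parameters, out SecurityToken _);
        }
        catch (SecurityTokenException ex)
        {
            // Any failed check (bad signature, wrong aud/iss, expired) means 401, never a fallback.
            throw new UnauthorizedAccessException("Token rejected: " + ex.Message, ex);
        }
    }

    // Authorization step from the first answer: the calling app registration must have been
    // assigned at least one of the roles this endpoint requires.
    public static bool HasAnyRole(ClaimsPrincipal caller, params string[] allowedRoles) =>
        allowedRoles.Any(caller.IsInRole);

    public static async Task Main(string[] args)
    {
        if (args.Length == 0)
            throw new ArgumentException("pass the bearer token as the first argument");

        ClaimsPrincipal caller = await ValidateAsync(args[0]);

        // appid identifies which 3rd-party app registration obtained the token; log it for auditing.
        string callerAppId = caller.FindFirst("appid")?.Value ?? "(none)";
        Console.WriteLine($"valid token from app {callerAppId}");

        Console.WriteLine(HasAnyRole(caller, "Reader", "Editor") ? "authorized" : "forbidden (403)");
    }
}
```

Two design points. First, the audience check is what stops a token issued for some other API in the same tenant from being accepted here, so never validate with ValidateAudience = false. Second, the "Authorized client applications" list under Expose an API pre-authorizes clients for delegated scopes so users are not prompted for consent; it is not an allow-list for app-only callers. For the client credentials flow, the per-client gate is the app role assignment the first answer describes (a client with no assigned role carries no "roles" claim and fails HasAnyRole), with the appid claim giving you the identity of the caller for logging and revocation decisions.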