
Please, is there any way to make a relationship between an application in Azure AD and a user with a client secret?

My use case: a user asks for a token with a client secret (as a daemon) and calls my web API, and I verify this token. The token is valid, but there is no information about the user who called it or who registered the app. The user gets the token via the API (https://docs.microsoft.com/en-gb/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token).

When the user asks for a token interactively, everything is OK.

I tried to use the information about who created the app, but Azure AD does not set it when the user is an administrator.

Is there any way to use a daemon which will be connected with some user? Is there anywhere I can save this relationship in Azure AD?

My idea: every user who wants to use my web API as a daemon creates his own application and connects to my web API, which uses his app for verification. The relationship between app creator and user could be enough, but when I delete the user and he still has the client secret, he can still access. I don't want to use his username and password because it will be saved on different computers and it is not safe enough.

If you have more questions, don't hesitate to ask! Thank you for any idea.

How are you validating the JWT token? Are you using the API Management gateway or some other mechanism? You can set up the permission for the client app calling the daemon using the app registration and revoke the permission when the client leaves the use of the API. This is a classic case where you can leverage Azure API Management. - Mandar Dharmadhikari

In my web API I use the Microsoft.Identity.Web library for validating a JWT token; it validates against a server Azure AD app. - skylinek

1 Answer


For scenarios such as this one, your application should have an App Role with allowedMemberTypes containing Application; as mentioned in the docs, this will show up as an application permission to other apps.

So the consumers of your API will have to add this application permission to their daemon app (which requires admin consent). This will trigger a flow internally that creates a Service Principal (like a user persona of the application) and adds that as a user to your application (you should be able to see it listed under Enterprise Applications > (Your API) > Users and Groups).

When you want to deny this daemon access to your API, you will just have to revoke the admin consent provided at first.

I believe you could even automate this process by using the Microsoft Graph APIs.
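The API-side half of this answer, as an added example that is not part of the original post or of Microsoft.Identity.Web: after the library has validated the token's signature, issuer and audience, the API still has to check that the app role is present in the `roles` claim and read the caller's service principal from `oid`. The role name and all GUIDs below are constructed placeholders, and the sample tokens carry a dummy signature because signature validation is assumed to have happened already.

```python
import base64
import json

# Hypothetical app-role value defined on the API's app registration
# (allowedMemberTypes: ["Application"]); use whatever value you defined.
REQUIRED_ROLE = "Daemon.Access"

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_payload(jwt: str) -> dict:
    """Decode the payload of a JWT whose signature, issuer and audience
    were ALREADY validated upstream (Microsoft.Identity.Web does that)."""
    seg = jwt.split(".")[1]
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))

def authorize_daemon(claims: dict, required_role: str = REQUIRED_ROLE) -> dict:
    """Accept only app-only tokens that carry the app role; return who called."""
    # Delegated (user) tokens carry 'scp'; client-credentials tokens do not.
    if "scp" in claims:
        raise PermissionError("delegated token; app-only token expected")
    if required_role not in claims.get("roles", []):
        # No role: admin consent was never granted, or it has been revoked.
        raise PermissionError(f"missing app role {required_role!r}")
    return {
        # v2 tokens use 'azp', v1 tokens use 'appid' for the calling app's id.
        "client_app_id": claims.get("azp") or claims.get("appid"),
        # 'oid' is the daemon's service principal in your tenant: the identity
        # to log and to map to the customer who registered that daemon app.
        "service_principal_oid": claims["oid"],
        "tenant_id": claims["tid"],
    }

# Constructed sample tokens (placeholder GUIDs, dummy signature) used only to
# exercise the check above; they are not real Azure AD output.
_granted = {"aud": "api://my-api", "tid": "11111111-1111-1111-1111-111111111111",
            "azp": "22222222-2222-2222-2222-222222222222",
            "oid": "33333333-3333-3333-3333-333333333333",
            "roles": [REQUIRED_ROLE]}
_revoked = {k: v for k, v in _granted.items() if k != "roles"}
TOKEN_GRANTED = ".".join([_b64url({"alg": "RS256"}), _b64url(_granted), "sig"])
TOKEN_REVOKED = ".".join([_b64url({"alg": "RS256"}), _b64url(_revoked), "sig"])

if __name__ == "__main__":
    print(authorize_daemon(decode_payload(TOKEN_GRANTED)))
```

Revoking the admin consent removes the role assignment, so the next token the daemon obtains lacks the `roles` entry and `authorize_daemon` rejects it even though the client secret itself is still valid.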