I have a .NET Core API and an Angular Node.js application that I have deployed to Azure as App Services. I have registered both. I was able to successfully set up both with authentication permissions, with permissions only for users within my Azure domain. When anyone attempts to access either the API or the application, they must log in and authenticate through Microsoft.

What I need now is for my app to be able to call endpoints on my API. I want my app to have full permission so that I don't have to specify permissions on specific endpoints. I also want this to all be handled through Azure, not through specific token requests in my Angular code when calling the API. How can I accomplish this?

I have searched a lot of the documentation, but cannot find out how to accomplish this. I also walked through the option of setting up explicit permissions, but I can't get that to work either. https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis

"I want my app to have full permission so that I don't have to specify permissions on specific endpoints" - please clarify what you mean by this. If this is an Angular (client-side) application then you absolutely cannot trust it or give it any kind of "full permissions", because client-side web applications cannot hold secrets (at least until browsers can expose the TPM). – Dai

From my research, it would seem that if my app and API are both on the same Azure domain, then I can set up my Azure app to communicate with my Azure API using the authenticated user on the app. That is what I would like to get working. The link points to what I want to accomplish. – mo_maat

When you say app, what do you mean exactly? Is it a mobile client-side app or a single-page app running in a browser? In both cases I do not think you should allow access to your APIs from apps without auth. It is just not a recommended safe practice. In Azure a concept exists for using Managed Identities, so please read on and see if it might help you. docs.microsoft.com/en-us/azure/active-directory/… – Hassan Raza

The way you do this usually is that you use MSAL.js to acquire access tokens that you attach to the requests that you make to the API. You can define a scope on the API and assign that scope to your Angular app. Then when it acquires an access token, it will contain that scope. Then your API can authorize the request by checking for that scope + the user's access based on the user id that you get in the access token as well. – juunas

@juunas Indeed, that is my understanding. That is what I am trying to implement based on the article. I'm just missing something though. Do I have to make any changes within my application in order to implement this? This is just an app for learning's sake and nothing that needs top-notch security. – mo_maat

1 Answer


The suggestions in the comments already cover the information you need.

I summarize it simply as below so that this post is easier to find, which can help more people.

To protect your API with Azure AD, you need to register two Azure AD apps, one for the client app and the other for the API app.

In the API app, you need to expose an API. By doing step 7 and step 8, you can expose the scope.

Then you need to configure the client app. With step 8 here, you can add the permission (scope) which is exposed by API app to the client app.

You can use MSAL to request the access token, which includes this permission (scope). You can verify it in your code. If the permission is what you expected, the client is allowed to access your API.