0 votes

.NET Core application. I have three applications registered in Azure AD.

  1. React SPA application
  2. Web API Gateway application
  3. Protected API application

Whenever a user logs into the SPA application, it redirects to Azure AD with the implicit flow to get an access token. I have received the access token as below and used it to access APIs from the gateway layer.

{
  "aud": "7851c317b-87e7-4cb3-95f0-37cb52b6f873",
  "family_name": "alex",
  "given_name": "fernandes",
  "hasgroups": "true",
  "roles": [
      "Admin"
  ]
}

In the above token, aud is the client id of the SPA application; I added a few other details but not all of them.

Now I want to call the Protected API application from the Web API Gateway application.

I am trying with a sample HTTP request in Postman as below.

Request - https://login.microsoftonline.com/45fgh-f30d-4596-gt67-7045b338485a/oauth2/v2.0/token

Body

{
  "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
  "client_id": "",        // unknown: client id of SPA, API Gateway, or Protected API?
  "client_secret": "",    // unknown: client secret of SPA, API Gateway, or Protected API?
  "assertion": "Above token",
  "scope": "",            // unknown
  "requested_token_use": "on_behalf_of"
}

Along with the above confusions, I am just wondering whether any configuration is required in Azure AD in order to generate a token for the Protected API. One more thing: does the token generated to access the Protected API have the same user details and role details as the above token generated by the SPA?

Can someone help me in configuring the On-Behalf-Of flow? I am struggling here to get this done. Any help would be appreciated. Thank you.


1 Answer

2 votes

As the following diagram shows, Client App means the React SPA application, Web API 1 means the Web API Gateway application, and Web API 2 means the Protected API application. For more details, see this blog.

[Diagram: Client App -> Web API 1 -> Web API 2 (On-Behalf-Of flow)]

Steps of the On-Behalf-Of flow:

  1. Add the API permission of the Web API Gateway application to the SPA application.


GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
?scope={permission for Web API Gateway application like api://1108f6-xxxxxxx-9f622/test} openid
&redirect_uri={redirect_uri of SPA application}
&nonce=123
&client_id={client-id of SPA application}
&response_type=id_token token
  2. Add the API permission of the Protected API application to the Web API Gateway application.

The official document calls the Microsoft Graph API, so the scope there is 'user.read' for this step.

POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&client_id={client_id of Web API Gateway application}
&client_secret={client_secret}
&assertion={access token from previous step}
&scope={permission for Protected API application}
&requested_token_use=on_behalf_of
  3. Call the Protected API application with the access token.
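As an added example (not part of the answer above, and not code from any Microsoft sample), here is how the Web API Gateway could perform step 2 in .NET Core with MSAL.NET (Microsoft.Identity.Client) instead of a hand-built HTTP request; the tenant id, client id, client secret and scope values are placeholders for the gateway's own registration and the Protected API's exposed permission.

```csharp
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Runs inside the Web API Gateway. The credentials are the GATEWAY's app registration
// (not the SPA's, not the Protected API's): the gateway is the confidential client
// that exchanges the SPA-issued token for a Protected API token.
public class OnBehalfOfTokenService
{
    private readonly IConfidentialClientApplication _gatewayApp;
    private readonly string[] _protectedApiScopes;

    public OnBehalfOfTokenService(string tenantId,            // placeholder: directory (tenant) id
                                  string gatewayClientId,     // placeholder: Web API Gateway app id
                                  string gatewayClientSecret, // placeholder: Web API Gateway secret
                                  string protectedApiScope)   // placeholder, e.g. "api://<protected-api-app-id>/.default"
    {
        _gatewayApp = ConfidentialClientApplicationBuilder
            .Create(gatewayClientId)
            .WithClientSecret(gatewayClientSecret)
            .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
            .Build();
        // The scope is the permission the Protected API exposes and that step 2
        // granted to the gateway registration; MSAL sends it as the 'scope' parameter.
        _protectedApiScopes = new[] { protectedApiScope };
    }

    // incomingGatewayToken is the bearer token the SPA sent to the gateway. Its 'aud'
    // must be the gateway application; the gateway's JWT bearer middleware should have
    // validated signature, issuer, audience and expiry before this method is reached.
    public async Task<string> GetProtectedApiTokenAsync(string incomingGatewayToken)
    {
        var assertion = new UserAssertion(incomingGatewayToken); // becomes the 'assertion' parameter

        AuthenticationResult result = await _gatewayApp
            .AcquireTokenOnBehalfOf(_protectedApiScopes, assertion) // grant_type=jwt-bearer,
            .ExecuteAsync();                                        // requested_token_use=on_behalf_of

        // result.AccessToken is issued for the Protected API ('aud' = Protected API), still on
        // behalf of the same signed-in user. App roles are defined per app registration, so a
        // 'roles' claim appears here only for roles declared on the Protected API registration
        // and assigned to that user, not automatically the roles seen in the SPA token.
        return result.AccessToken;
    }
}
```

Use the returned token as the Authorization: Bearer header on the call to the Protected API in step 3; MSAL caches the result per user assertion, so repeated calls for the same incoming token do not hit the token endpoint again until the cached token expires.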