First published on MSDN on Oct 23, 2018
Lets say you have Web APIs hosted in an Azure AppService and these Web APIs are protected using Azure AD (EasyAuth). Now you would like to consume them from another website. One approach is using Service Principal account, where you create an Azure AD Application and use ClientID and secret in your website to get an Azure AD Token. Here are the
steps
. Main disadvantage of this approach is that your application is responsible to protect the ClientID and secret. You can save them in the AppSettings instead of saving it in the web.config file. Or you can use Azure Key Vault. For Key Vault, your code needs to authenticate to access Key Vault.
Better approach is
Managed Identity
. This option allows to access protected Azure AD resources without any need for secrets or credentials in your code or in web.config. More details on Manage Identity can be found
here
Here are the quick steps to use
Managed Service Identity
Azure AppService
-
Create a Azure AppService Website and protect it with Azure AD (EasyAuth). This will be our Web API website
-
Create another Azure AppService Website and enable Managed Service Identity. This will be our client trying to consume above Web APIs
-
Write code to get token using
Managed Identity
and pass it to Web API call
1. WebAPI website with EasyAuth
-
Log into
Azure portal
-
Click on the “
+ Create a resource
” on top left
-
In the Search textbox type “
web app
”
-
Select “
Web App
”
-
Click on the “
Create
” button
-
Provide App name, resource group name, appservice plan
-
(in my sample code this is
WabacOneAD
)
-
Click on “
Create
” button
-
Once the website is created, go to the resource
-
Click on the “
Authentication / Authorization
” blade
-
Enable “
App Service Authentication
”
-
Select “
Log in with Azure AD
” from dropdownbox
-
Select
Azure AD
as provider
-
Select
Express
option and click OK
-
Now click on the
Save
button
2. Website with MSI
-
Log into Azure portal
-
Click on the
“+ Create a resource
” on top left
-
In the Search textbox type “
web app
”
-
Select “
Web App
”
-
Click on the “
Create
” button
-
Provide App name, resource group name, appservice plan
-
(in my sample code this is
WabacOne
)
-
Click on “
Create
” button
-
Once the website is created, go to the resource
-
Click on the “
Managed service identity
” blade
-
Click on “
On
”
-
Click
Save
button
3. Now for the code
-
Open Visual Studio
-
Create a new Website project (either .net core or .net framework)
-
Select MVC option
-
In the
Home
controller, add following code to
About
action
[code language="csharp"]
public ActionResult About()
{
ViewBag.Message = "User Name is " + User.Identity.Name;
return View();
}
[/code]
-
In the
Contact
action, add following code
[code language="csharp"]
static HttpClient client = new HttpClient();
public ActionResult Contact()
{
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var accessTokenTask = azureServiceTokenProvider.GetAccessTokenAsync("https://wabaconead.azurewebsites.net/");
accessTokenTask.Wait();
var accessToken = accessTokenTask.Result;
var url = "https://wabaconead.azurewebsites.net/home/about";
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
var responseTask = client.GetStringAsync(url);
responseTask.Wait();
var response = responseTask.Result;
ViewBag.Message = "Your contact page." + accessToken + " HTML Response " + response;
return View();
}
[/code]
-
You may need to add
Microsoft.AzureServices.AppAuthentication
NuGet Package
-
Now deploy this website to above two websites
-
When you access the first website, you get promoted for Azure AD credential so we are sure that this website is protected with Azure AD
-
Now try to access Home/About…this should return your email address you have used to log into Azure AD
-
Now browse to the second website, access the Home/Contact…this should call the first website and display the content. Now check for the username (search for text “
User Name is
”)
4. Note, there is a bug in the EasyAuth / Express options.
It doesn't add the website URL in the allowed token audiences. Follow these steps to fix this bug
-
Go to the first website in Azure portal
-
Click on the
Authentication / Authorization
blade
-
Click on the
Azure AD
-
Change it from
Express
to
Advanced
-
In the
Allowed Token Audiences
add your website URL as shown below
-
Click
OK
-
Click
Save