Home
%3CLINGO-SUB%20id%3D%22lingo-sub-1099890%22%20slang%3D%22en-US%22%3EAzure%20App%20Service%20EasyAuth%20and%20Azure%20Active%20Directory%20Flows%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1099890%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20built%20in%20authentication%20feature%20of%20App%20Service%20aka%20EasyAuth%2C%20implements%20the%20following%20Azure%20Active%20Directory%20Flows%20%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EImplicit%20Flow%3C%2FLI%3E%0A%3CLI%3EHybrid%20Flow%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EThe%20EasyAuth%20module%20of%20App%20Service%20uses%20%3CSTRONG%3EImplicit%20Flow%3C%2FSTRONG%3E%26nbsp%3Bwhen%20Client%20Secret%20isn't%20set%20at%20the%20App%20Service%20Level.%20It%20is%20to%20be%20noted%20that%20the%20App%20Service%20returns%20only%20id%20token%2C%20when%20it%20uses%20this%20type%20of%20flow.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20442px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F164592i7526E13BC7751741%2Fimage-dimensions%2F442x428%3Fv%3D1.0%22%20width%3D%22442%22%20height%3D%22428%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20665px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F164580i0B6CAB83DE7E8521%2Fimage-dimensions%2F665x260%3Fv%3D1.0%22%20width%3D%22665%22%20height%3D%22260%22%20alt%3D%22clipboard_image_1.png%22%20title%3D%22clipboard_image_1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20class%3D%22xmsonormal%22%3EIn%20order%20to%20get%20an%20access_token%2C%20the%20client%20secret%20must%20be%20set%20and%20the%20EasyAuth%20module%20now%20uses%20%E2%80%9CHybrid%20Flow%E2%80%9D.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3EWhen%20EasyAuth%20is%20setup%20using%20Express%20method%2C%20the%20client%20secret%20is%20created%20automatically.%3C%2FP%3E%0A%3CP%3EThe%20following%20steps%20can%20be%20performed%20to%20generate%20a%20new%20client%20secret%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3ENavigate%20to%20Azure%20Active%20Directory%3C%2FLI%3E%0A%3CLI%3ESelect%20App%20Registrations%20Blade%20and%20click%20on%20your%20app%20registration.%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20749px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F164593iD1110DFAD2342788%2Fimage-dimensions%2F749x192%3Fv%3D1.0%22%20width%3D%22749%22%20height%3D%22192%22%20alt%3D%22clipboard_image_1.png%22%20title%3D%22clipboard_image_1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3ESelect%20'Certificates%20%26amp%3B%20Secrets'%20Blade%2C%20click%20on%20'New%20Client%20Secret'.%3CBR%20%2F%3E%3C%2FSPAN%3EEnter%20a%20name%20for%20the%20client%20secret%20and%20Click%20on%20Add%20button.%3CBR%20%2F%3EThe%20name%20for%20the%20client%20secret%20or%20Key%20is%20a%20place%20holder%20to%20identify%20the%20client%20secrets.%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20652px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F164594iD44BCC355CF140A7%2Fimage-dimensions%2F652x465%3Fv%3D1.0%22%20width%3D%22652%22%20height%3D%22465%22%20alt%3D%22clipboard_image_2.png%22%20title%3D%22clipboard_image_2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3COL%20start%3D%224%22%3E%0A%3CLI%3EOnce%20the%20client%20secret%20is%20generated%2C%20copy%20the%20value%20of%20the%20key.%3CBR%20%2F%3E(Please%20note%20that%20the%20value%20of%20the%20key%20will%20be%20displayed%20once%20i.e.%20the%20value%20will%20become%20hidden%20once%20the%20page%20is%20refreshed%20)%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20745px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F164595i980C3C25D795010D%2Fimage-dimensions%2F745x120%3Fv%3D1.0%22%20width%3D%22745%22%20height%3D%22120%22%20alt%3D%22clipboard_image_3.png%22%20title%3D%22clipboard_image_3.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3COL%20start%3D%225%22%3E%0A%3CLI%3EPaste%20the%20value%20of%20this%20key%20in%20the%20client%20secret%20section%20of%20the%20App%20Service%20.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%26nbsp%3B%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20508px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F164585iFCA4EA669A7FB49B%2Fimage-dimensions%2F508x465%3Fv%3D1.0%22%20width%3D%22508%22%20height%3D%22465%22%20alt%3D%22clipboard_image_5.png%22%20title%3D%22clipboard_image_5.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOnce%20we%20save%20the%20settings%20and%20browse%20to%20the%20.auth%2Fme%20endpoint%20of%20the%20App%20Service%2C%26nbsp%3B%20we%20get%20the%20tokens%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20710px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F164586iD069ABD6B91852EC%2Fimage-dimensions%2F710x337%3Fv%3D1.0%22%20width%3D%22710%22%20height%3D%22337%22%20alt%3D%22clipboard_image_6.png%22%20title%3D%22clipboard_image_6.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3E(Note%20%3A%20Changes%20will%20be%20reflected%20only%20if%20the%20user%20logs%20in%20to%20App%20Service%20again.%20We%20can%20use%20the%20%2F.auth%2Flogin%2Faad%20endpoint%20to%20reauthenticate%20the%20user%20)%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3ENotice%20that%20the%20access%20token%20is%20not%20in%20the%20form%20of%20a%20JWT%20token.%20This%20is%20because%20the%20Hybrid%20flow%20configuration%20did%20not%20include%20a%20resource.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20value%20of%20the%20access%20token%20is%20actually%20an%20%22authentication%20code%22%20and%20when%20the%20resource%20is%20set%2C%20the%20EasyAuth%20module%20exchanges%20this%20%E2%80%9Cauthentication%20code%E2%80%9D%20at%20the%20%2Ftoken%20endpoint%20of%20the%20Azure%20Active%20Directory%2C%20to%20get%20an%20access%20token.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3EIn%20order%20to%20directly%20get%20an%20access%20token%2C%20we%20need%20to%20set%20the%20resource%20using%20the%20Azure%20Resource%20Explorer.%3C%2FSPAN%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3ENavigate%20to%20the%20Resource%20Explorer%20from%20the%20App%20Service.%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20593px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F164596i86576240DC457E81%2Fimage-dimensions%2F593x214%3Fv%3D1.0%22%20width%3D%22593%22%20height%3D%22214%22%20alt%3D%22clipboard_image_4.png%22%20title%3D%22clipboard_image_4.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3ENavigate%20config%20%26gt%3B%20authsettings%20and%20click%20on%20Edit.%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20582px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F164588i2D6357C76BAD8189%2Fimage-dimensions%2F582x415%3Fv%3D1.0%22%20width%3D%22582%22%20height%3D%22415%22%20alt%3D%22clipboard_image_8.png%22%20title%3D%22clipboard_image_8.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3COL%20start%3D%223%22%3E%0A%3CLI%3EUpdate%20the%20additionalLoginParams%20to%20%5B%22resource%3D%3CNAME%3E%22%5D%20and%20click%20on%20PUT%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20582px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F164597i2F6F9B727D6F43FE%2Fimage-dimensions%2F582x451%3Fv%3D1.0%22%20width%3D%22582%22%20height%3D%22451%22%20alt%3D%22clipboard_image_5.png%22%20title%3D%22clipboard_image_5.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FNAME%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EUpon%20browsing%20to%20the%20App%20Service%2C%20after%20making%20the%20above%20change%2C%20we%20see%20that%20the%20value%20for%20the%20access%20token%20is%20in%20the%20form%20of%20a%20JWT%20token.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20615px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F164590i45EDFD70B4058D94%2Fimage-dimensions%2F615x302%3Fv%3D1.0%22%20width%3D%22615%22%20height%3D%22302%22%20alt%3D%22clipboard_image_10.png%22%20title%3D%22clipboard_image_10.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3EWe%20could%20use%20%3CA%20href%3D%22https%3A%2F%2Fjwt.ms%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fjwt.ms%3C%2FA%3E%20to%20decode%20the%20access%20token%20and%20view%20the%20claims.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20429px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F164598i4482F0151749F898%2Fimage-dimensions%2F429x180%3Fv%3D1.0%22%20width%3D%22429%22%20height%3D%22180%22%20alt%3D%22clipboard_image_6.png%22%20title%3D%22clipboard_image_6.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CU%3EFAQ%20%3A%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3E%3CSTRONG%3EI%20set%20up%20EasyAuth%20using%20'Express'%20method.%20The%20Azure%20AD%20app%20registration%20got%20created%20automatically.%26nbsp%3B%3CBR%20%2F%3E%3C%2FSTRONG%3E%3CSTRONG%20style%3D%22font-family%3A%20inherit%3B%22%3EWhen%20I%20try%20to%20access%20the%20resource%20using%20the%20access%20token%20%2C%20I%20get%20HTTP%20403%20error.%26nbsp%3B%3CBR%20%2F%3E%3C%2FSTRONG%3E%3CSTRONG%20style%3D%22font-family%3A%20inherit%3B%22%3EAlso%2C%20from%20%2F.auth%2Fme%20endpoint%2C%20I%20see%20that%20the%20value%20of%26nbsp%3B%20access%20token%20is%20not%20in%20the%20form%20of%20a%20JWT%20token.%3CBR%20%2F%3E%3C%2FSTRONG%3EWhen%20EasyAuth%20is%20set%20up%20using%20Express%20method%2C%20the%20default%20flow%20used%20is%20%E2%80%98Hybrid'%20Flow%20and%20the%20client%20secret%20is%20created%20automatically.%3CBR%20%2F%3ESince%20the%20Hybrid%20flow%20configuration%20did%20not%20include%20a%20resource%2C%20post%20authentication%2C%20an%20authentication%20code%20is%20returned.%20This%20needs%20to%20be%20exchanged%20at%20%2Ftoken%20endpoint%20of%20Azure%20Active%20Directory%20to%20get%20an%20access%20token.%3CBR%20%2F%3EThe%20EasyAuth%20module%20does%20this%20automatically%20when%20the%20set%20the%20resource%20from%20Azure%20Resource%20Explorer%20and%20provides%20an%20Access%20token%20directly.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3COL%20start%3D%222%22%3E%0A%3CLI%3E%3CSTRONG%3ECan%20ID%20tokens%20be%20used%20as%20Bearer%20tokens%20to%20login%20to%20the%20App%20Service%3F%3CBR%20%2F%3E%3C%2FSTRONG%3EID%20tokens%20contain%20information%20which%20tells%20whether%20a%20user%20is%20authenticated.%20Hence%20it%20can%20be%20used%20as%20Bearer%20tokens%20to%20login%20to%20the%20App%20Service.%3CSTRONG%3E%3CBR%20%2F%3E%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FOL%3E%3C%2FLINGO-BODY%3E
Microsoft

The built in authentication feature of App Service aka EasyAuth, implements the following Azure Active Directory Flows :

  • Implicit Flow
  • Hybrid Flow

The EasyAuth module of App Service uses Implicit Flow when Client Secret isn't set at the App Service Level. It is to be noted that the App Service returns only id token, when it uses this type of flow.

clipboard_image_0.png

 

clipboard_image_1.png

In order to get an access_token, the client secret must be set and the EasyAuth module now uses “Hybrid Flow”.

When EasyAuth is setup using Express method, the client secret is created automatically.

The following steps can be performed to generate a new client secret:

  1. Navigate to Azure Active Directory
  2. Select App Registrations Blade and click on your app registration.
    clipboard_image_1.png
  3. Select 'Certificates & Secrets' Blade, click on 'New Client Secret'.
    Enter a name for the client secret and Click on Add button.
    The name for the client secret or Key is a place holder to identify the client secrets.
    clipboard_image_2.png
  1. Once the client secret is generated, copy the value of the key.
    (Please note that the value of the key will be displayed once i.e. the value will become hidden once the page is refreshed )
    clipboard_image_3.png
  1. Paste the value of this key in the client secret section of the App Service .

 clipboard_image_5.png

 

Once we save the settings and browse to the .auth/me endpoint of the App Service,  we get the tokens

clipboard_image_6.png

(Note : Changes will be reflected only if the user logs in to App Service again. We can use the /.auth/login/aad endpoint to reauthenticate the user )

Notice that the access token is not in the form of a JWT token. This is because the Hybrid flow configuration did not include a resource. 

The value of the access token is actually an "authentication code" and when the resource is set, the EasyAuth module exchanges this “authentication code” at the /token endpoint of the Azure Active Directory, to get an access token.

 

In order to directly get an access token, we need to set the resource using the Azure Resource Explorer.

  1. Navigate to the Resource Explorer from the App Service.
    clipboard_image_4.png
  2. Navigate config > authsettings and click on Edit.
    clipboard_image_8.png
  1. Update the additionalLoginParams to ["resource=<Name/ID of the resource>"] and click on PUT
    clipboard_image_5.png

Upon browsing to the App Service, after making the above change, we see that the value for the access token is in the form of a JWT token.

clipboard_image_10.png

We could use https://jwt.ms to decode the access token and view the claims.

clipboard_image_6.png

 

FAQ :

  1. I set up EasyAuth using 'Express' method. The Azure AD app registration got created automatically. 
    When I try to access the resource using the access token , I get HTTP 403 error. 
    Also, from /.auth/me endpoint, I see that the value of  access token is not in the form of a JWT token.
    When EasyAuth is set up using Express method, the default flow used is ‘Hybrid' Flow and the client secret is created automatically.
    Since the Hybrid flow configuration did not include a resource, post authentication, an authentication code is returned. This needs to be exchanged at /token endpoint of Azure Active Directory to get an access token.
    The EasyAuth module does this automatically when the set the resource from Azure Resource Explorer and provides an Access token directly.
  1. Can ID tokens be used as Bearer tokens to login to the App Service?
    ID tokens contain information which tells whether a user is authenticated. Hence it can be used as Bearer tokens to login to the App Service.