Call Azure AD protected website using Managed Service Identity (MSI)




First published on MSDN on Oct 23, 2018




Lets say you have Web APIs hosted in an Azure AppService and these Web APIs are protected using Azure AD (EasyAuth). Now you would like to consume them from another website. One approach is using Service Principal account, where you create an Azure AD Application and use ClientID and secret in your website to get an Azure AD Token. Here are the

steps

. Main disadvantage of this approach is that your application is responsible to protect the ClientID and secret. You can save them in the AppSettings instead of saving it in the web.config file. Or you can use Azure Key Vault. For Key Vault, your code needs to authenticate to access Key Vault.



Better approach is

Managed Identity

. This option allows to access protected Azure AD resources without any need for secrets or credentials in your code or in web.config. More details on Manage Identity can be found

here



Here are the quick steps to use

Managed Service Identity

Azure AppService




  1. Create a Azure AppService Website and protect it with Azure AD (EasyAuth). This will be our Web API website


  2. Create another Azure AppService Website and enable Managed Service Identity. This will be our client trying to consume above Web APIs


  3. Write code to get token using

    Managed Identity

    and pass it to Web API call







1. WebAPI website with EasyAuth




  • Log into

    Azure portal



  • Click on the “

    + Create a resource

    ” on top left


  • In the Search textbox type “

    web app




  • Select “

    Web App




  • Click on the “

    Create

    ” button


  • Provide App name, resource group name, appservice plan


  • (in my sample code this is

    WabacOneAD

    )


  • Click on “

    Create

    ” button


  • Once the website is created, go to the resource


  • Click on the “

    Authentication / Authorization

    ” blade


  • Enable “

    App Service Authentication




  • Select “

    Log in with Azure AD

    ” from dropdownbox


  • Select

    Azure AD

    as provider


  • Select

    Express

    option and click OK


  • Now click on the

    Save

    button



2. Website with MSI




  • Log into Azure portal


  • Click on the

    “+ Create a resource

    ” on top left


  • In the Search textbox type “

    web app




  • Select “

    Web App




  • Click on the “

    Create

    ” button


  • Provide App name, resource group name, appservice plan


  • (in my sample code this is

    WabacOne

    )


  • Click on “

    Create

    ” button


  • Once the website is created, go to the resource






  • Click on the “

    Managed service identity

    ” blade


  • Click on “

    On




  • Click

    Save

    button



3. Now for the code




  • Open Visual Studio


  • Create a new Website project (either .net core or .net framework)


  • Select MVC option


  • In the

    Home

    controller, add following code to

    About

    action




    [code language=”csharp”]


    public ActionResult About()


    {


    ViewBag.Message = “User Name is ” + User.Identity.Name;


    return View();


    }


    [/code]






  • In the

    Contact

    action, add following code




    [code language=”csharp”]


    static HttpClient client = new HttpClient();


    public ActionResult Contact()


    {


    var azureServiceTokenProvider = new AzureServiceTokenProvider();


    var accessTokenTask = azureServiceTokenProvider.GetAccessTokenAsync(“https://wabaconead.azurewebsites.net/“);




    accessTokenTask.Wait();


    var accessToken = accessTokenTask.Result;




    var url = “https://wabaconead.azurewebsites.net/home/about“;


    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(“Bearer”, accessToken);




    var responseTask = client.GetStringAsync(url);


    responseTask.Wait();


    var response = responseTask.Result;




    ViewBag.Message = “Your contact page.” + accessToken + ” HTML Response ” + response;




    return View();


    }




    [/code]




  • You may need to add

    Microsoft.AzureServices.AppAuthentication

    NuGet Package


  • Now deploy this website to above two websites


  • When you access the first website, you get promoted for Azure AD credential so we are sure that this website is protected with Azure AD


  • Now try to access Home/About…this should return your email address you have used to log into Azure AD


  • Now browse to the second website, access the Home/Contact…this should call the first website and display the content. Now check for the username (search for text “

    User Name is

    ”)







4. Note, there is a bug in the EasyAuth / Express options.



It doesn’t add the website URL in the allowed token audiences. Follow these steps to fix this bug




  • Go to the first website in Azure portal


  • Click on the

    Authentication / Authorization

    blade


  • Click on the

    Azure AD



  • Change it from

    Express

    to

    Advanced



  • In the

    Allowed Token Audiences

    add your website URL as shown below


  • Click

    OK



  • Click

    Save







Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.