First published on MSDN on Oct 23, 2018
Let's say you have Web APIs hosted in an Azure App Service and these Web APIs are protected using Azure AD (EasyAuth). Now you would like to consume them from another website. One approach is using a Service Principal account, where you create an Azure AD Application and use the ClientID and secret in your website to get an Azure AD token. Here are the steps. The main disadvantage of this approach is that your application is responsible for protecting the ClientID and secret. You can save them in the AppSettings instead of saving them in the web.config file, or you can use Azure Key Vault; for Key Vault, your code still needs to authenticate to access Key Vault.

A better approach is Managed Identity. This option allows access to Azure AD-protected resources without any need for secrets or credentials in your code or in web.config. More details on Managed Identity can be found here.
Here are the quick steps to use Managed Service Identity with Azure App Service:
- Create an Azure App Service website and protect it with Azure AD (EasyAuth). This will be our Web API website.
- Create another Azure App Service website and enable Managed Service Identity. This will be our client trying to consume the above Web APIs.
- Write code to get a token using Managed Identity and pass it to the Web API call.
1. WebAPI website with EasyAuth
- Log into the Azure portal
- Click on "+ Create a resource" on the top left
- In the Search textbox type "web app"
- Select "Web App"
- Click on the "Create" button
- Provide App name, resource group name, appservice plan (in my sample code this is WabacOneAD)
- Click on the "Create" button
- Once the website is created, go to the resource
- Click on the "Authentication / Authorization" blade
- Enable "App Service Authentication"
- Select "Log in with Azure AD" from the dropdown box
- Select Azure AD as provider
- Select the Express option and click OK
- Now click on the Save button
2. Website with MSI
- Log into the Azure portal
- Click on "+ Create a resource" on the top left
- In the Search textbox type "web app"
- Select "Web App"
- Click on the "Create" button
- Provide App name, resource group name, appservice plan (in my sample code this is WabacOne)
- Click on the "Create" button
- Once the website is created, go to the resource
- Click on the "Managed service identity" blade
- Click on "On"
- Click the Save button
3. Now for the code
- Open Visual Studio
- Create a new Website project (either .NET Core or .NET Framework)
- Select the MVC option
- In the Home controller, add the following code to the About action:
[code language="csharp"]
// Shows the identity EasyAuth populated for this request (no token handling needed in our code)
public ActionResult About()
{
    ViewBag.Message = "User Name is " + User.Identity.Name;
    return View();
}
[/code]
In the Contact action, add the following code:
[code language="csharp"]
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Azure.Services.AppAuthentication;

// One HttpClient for the lifetime of the app; do not set per-request headers on it
static readonly HttpClient client = new HttpClient();

public async Task<ActionResult> Contact()
{
    // Resource URL of the Web API site; EasyAuth must list it in Allowed Token Audiences (see step 4)
    var resource = "https://wabaconead.azurewebsites.net/";

    // Gets a token from the App Service Managed Service Identity; no secret in code or config
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    var accessToken = await azureServiceTokenProvider.GetAccessTokenAsync(resource);

    // Attach the bearer token to this request rather than to the shared client's
    // DefaultRequestHeaders, so concurrent requests cannot observe each other's tokens
    var url = "https://wabaconead.azurewebsites.net/home/about";
    var request = new HttpRequestMessage(HttpMethod.Get, url);
    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

    var httpResponse = await client.SendAsync(request);
    httpResponse.EnsureSuccessStatusCode();
    var response = await httpResponse.Content.ReadAsStringAsync();

    // The token is echoed to the page here for demo purposes only
    ViewBag.Message = "Your contact page." + accessToken + " HTML Response " + response;
    return View();
}
[/code]
You may need to add the Microsoft.Azure.Services.AppAuthentication NuGet package.

Now deploy this website to the above two websites.

When you access the first website, you get prompted for Azure AD credentials, so we are sure that this website is protected with Azure AD. Now try to access Home/About; this should return the email address you used to log into Azure AD.

Now browse to the second website and access Home/Contact; this should call the first website and display the content. Now check for the username (search for the text "User Name is").
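To show what the AzureServiceTokenProvider call is doing on App Service, here is an added example (not code from the original post, and not the AppAuthentication library's own implementation) that talks to the Managed Service Identity local endpoint directly, caches the token until shortly before it expires, and calls the EasyAuth-protected API with a per-request Authorization header. It assumes the App Service MSI contract of that time: the MSI_ENDPOINT and MSI_SECRET environment variables, a GET with resource and api-version=2017-09-01, and a Secret header, with a JSON response carrying access_token and expires_on. It also assumes .NET Core 3.0 or later (System.Text.Json, C# 8). The class name MsiTokenClient, the method names and the five-minute refresh margin are my own choices.

```csharp
// Added example: acquire a token from the App Service MSI local endpoint, cache it,
// and call the EasyAuth-protected Web API. Assumes MSI_ENDPOINT / MSI_SECRET are set
// (Managed Service Identity enabled) and api-version 2017-09-01.
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;

public sealed class MsiTokenClient
{
    // One HttpClient for the whole process; never mutate DefaultRequestHeaders per request.
    private static readonly HttpClient Http = new HttpClient();

    private readonly string _endpoint = Environment.GetEnvironmentVariable("MSI_ENDPOINT");
    private readonly string _secret = Environment.GetEnvironmentVariable("MSI_SECRET");

    // resource -> (token, expiry). Tokens live for a while, so cache them per resource.
    private readonly ConcurrentDictionary<string, (string Token, DateTimeOffset ExpiresOn)> _cache
        = new ConcurrentDictionary<string, (string, DateTimeOffset)>();

    public async Task<string> GetAccessTokenAsync(string resource)
    {
        if (string.IsNullOrEmpty(_endpoint) || string.IsNullOrEmpty(_secret))
            throw new InvalidOperationException(
                "MSI_ENDPOINT/MSI_SECRET not set: Managed Service Identity is not enabled on this App Service.");

        // Reuse a cached token unless it is within five minutes of expiry (my own margin).
        if (_cache.TryGetValue(resource, out var cached) &&
            cached.ExpiresOn > DateTimeOffset.UtcNow.AddMinutes(5))
            return cached.Token;

        // The endpoint is reachable only from inside the instance; the Secret header proves
        // the caller is this app, so no client secret ever lives in code or config.
        var url = $"{_endpoint}?resource={Uri.EscapeDataString(resource)}&api-version=2017-09-01";
        using var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.Add("Secret", _secret);

        using var response = await Http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());

        var token = doc.RootElement.GetProperty("access_token").GetString();
        var expiresOn = ParseExpiresOn(doc.RootElement.GetProperty("expires_on").GetString());
        _cache[resource] = (token, expiresOn);
        return token;
    }

    // expires_on has been returned both as a date string and as Unix seconds by different
    // api-versions; accept both so a version bump does not silently break caching.
    internal static DateTimeOffset ParseExpiresOn(string value)
    {
        if (long.TryParse(value, out var unixSeconds))
            return DateTimeOffset.FromUnixTimeSeconds(unixSeconds);
        if (DateTimeOffset.TryParse(value, out var parsed))
            return parsed;
        // Unknown format: treat as already expired so a fresh token is always fetched.
        return DateTimeOffset.MinValue;
    }

    // Call the EasyAuth-protected API. Attaching the token to the request (not to the
    // shared client) keeps concurrent requests from reading each other's headers.
    public async Task<string> GetFromApiAsync(string apiBaseUrl, string path)
    {
        var token = await GetAccessTokenAsync(apiBaseUrl);
        using var request = new HttpRequestMessage(HttpMethod.Get, new Uri(new Uri(apiBaseUrl), path));
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

        using var response = await Http.SendAsync(request);
        if (response.StatusCode == HttpStatusCode.Unauthorized || response.StatusCode == HttpStatusCode.Forbidden)
            throw new UnauthorizedAccessException(
                "The API rejected the token: check that the resource URL is listed in EasyAuth's Allowed Token Audiences.");
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}

// Usage from the Contact action of the sample:
//   var api = new MsiTokenClient();
//   var html = await api.GetFromApiAsync("https://wabaconead.azurewebsites.net/", "home/about");
```

The resource passed to GetAccessTokenAsync and the base URL of the API call are deliberately the same string, because the token's audience is derived from that resource and EasyAuth only accepts audiences it has been configured to allow.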
4. Note, there is a bug in the EasyAuth / Express option.
It doesn't add the website URL to the allowed token audiences, so the token the Contact action requests for that URL is not accepted. Follow these steps to fix this bug:
- Go to the first website in the Azure portal
- Click on the Authentication / Authorization blade
- Click on Azure AD
- Change it from Express to Advanced
- In the Allowed Token Audiences, add your website URL (the same value passed as the resource to GetAccessTokenAsync) as shown below
- Click OK
- Click Save
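When the Contact page fails against the API, the quickest way to tell an audience problem from anything else is to look at the aud claim of the token the client obtained and compare it with the list the API is configured to accept. The following is an added example (not code from the original post, and not EasyAuth's own validation): it decodes the JWT payload for diagnosis only, without verifying the signature, and uses a strict string comparison between aud and the allowed list; whether EasyAuth normalizes trailing slashes or case is not stated on this page, so the entry in Allowed Token Audiences should match the aud value exactly. The test token, the placeholder tenant id and the placeholder default audience are constructed for the example; it assumes .NET Core 3.0 or later (System.Text.Json, C# 8).

```csharp
// Added example: compare a bearer token's aud claim against the audiences the Web API
// accepts, the check EasyAuth's "Allowed Token Audiences" setting controls.
// Diagnostic only: the payload is decoded but the signature is NOT verified.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class TokenAudienceCheck
{
    // Base64url as used by JWT: '-' and '_' alphabet, padding stripped.
    static byte[] Base64UrlDecode(string s)
    {
        var padded = s.Replace('-', '+').Replace('_', '/');
        switch (padded.Length % 4) { case 2: padded += "=="; break; case 3: padded += "="; break; }
        return Convert.FromBase64String(padded);
    }

    static string Base64UrlEncode(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // aud may be a single string or an array of strings; return it as a list either way.
    public static List<string> ReadAudiences(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWT (expected 3 dot-separated parts)");
        using var doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        if (!doc.RootElement.TryGetProperty("aud", out var aud)) return new List<string>();
        return aud.ValueKind == JsonValueKind.Array
            ? aud.EnumerateArray().Select(a => a.GetString()).ToList()
            : new List<string> { aud.GetString() };
    }

    // Strict comparison (my assumption): "https://x.azurewebsites.net/" and
    // "https://x.azurewebsites.net" are treated as different audiences.
    public static bool AudienceIsAllowed(string jwt, IEnumerable<string> allowedAudiences)
    {
        var allowed = new HashSet<string>(allowedAudiences, StringComparer.Ordinal);
        return ReadAudiences(jwt).Any(allowed.Contains);
    }

    // Constructed, unsigned token (alg "none", empty signature) for offline testing of the check.
    public static string MakeTestToken(string audience)
    {
        string header = Base64UrlEncode(Encoding.UTF8.GetBytes("{\"alg\":\"none\",\"typ\":\"JWT\"}"));
        string payload = Base64UrlEncode(Encoding.UTF8.GetBytes(JsonSerializer.Serialize(
            new { aud = audience, iss = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/" })));
        return header + "." + payload + ".";
    }

    public static void Main()
    {
        // Token minted for the Web API URL, exactly as the Contact action requests it.
        var token = MakeTestToken("https://wabaconead.azurewebsites.net/");

        // Express mode (the bug described above): the site URL is missing from the list.
        // "PLACEHOLDER-DEFAULT-AUDIENCE" stands in for whatever Express configured.
        var expressAudiences = new[] { "PLACEHOLDER-DEFAULT-AUDIENCE" };
        Console.WriteLine(AudienceIsAllowed(token, expressAudiences));   // False: EasyAuth rejects the token

        // Advanced mode after the fix: the site URL added to Allowed Token Audiences.
        var fixedAudiences = new[] { "PLACEHOLDER-DEFAULT-AUDIENCE", "https://wabaconead.azurewebsites.net/" };
        Console.WriteLine(AudienceIsAllowed(token, fixedAudiences));     // True

        // A real token from the Contact page can be pasted into ReadAudiences to see its aud.
    }
}
```

Running the example prints False for the Express configuration and True once the website URL is in the allowed list, which is the difference the step above makes; on a live token, ReadAudiences shows the exact aud string that has to appear in Allowed Token Audiences.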