
Azure AD login in app + remote webservice/api outside of azure


Hi, I'm creating a Cordova app that uses Azure AD to authenticate my users. I have a webservice/API outside Azure - this is where the app gets its content to display.

I would like to check my users' Azure AD login before giving access to my webservice.

So far I'm authenticating my users with Azure AD in my app, and if the user is authenticated, my app sends a request to my webservice for data. But I want to make sure that only users who have an active login in my Azure AD can retrieve data from my webservice.

So right now, anyone can access my webservice if they know the right URL. How do I secure my webservice?

Are there any endpoints in Azure where I can check if a user access token is valid?


Solution

  • Azure AD does not have an endpoint for token validation (aka a token introspection endpoint).

    In general, you are talking about the textbook scenario of having a Web API validate an Azure AD issued access token.

    The approach to follow with Azure AD for this scenario is to have your web API validate the token itself, which can be achieved by:

    • [Preferable] Using a library which does token validation.
    • Or implementing token validation yourself. Be aware that this is a very error prone and risky approach.

    Both ASP.Net and Node.js have libraries that facilitate the first approach even further.

    For ASP.Net, obtained from the official sample:

    // OWIN startup (Startup.Auth.cs in the sample): clientID is the web API's
    // Application ID (the token's audience), tenant is your Azure AD tenant.
    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            Audience = clientID,
            Tenant = tenant
        });
    

    For Node.js, also obtained from the official sample:

    var passport = require('passport');
    var BearerStrategy = require('passport-azure-ad').BearerStrategy;
    // config.js holds the tenant-specific values (metadata URL, client ID, audience).
    var config = require('./config');
    
    var options = {
      // The URL of the OpenID Connect metadata document for your app. The keys used
      // for token validation are fetched from the URL found in its jwks_uri field.
      identityMetadata: config.creds.identityMetadata,
      clientID: config.creds.clientID,
      audience: config.creds.audience
    };
    
    var bearerStrategy = new BearerStrategy(options,
      function(token, done) {
        // Post-validation code: the token has already been checked (signature,
        // issuer, audience, expiry); hand its claims to Passport as the user.
        return done(null, token);
      }
    );
    
    passport.use(bearerStrategy);