Tags: azure-web-app-service, azure-active-directory, azure-api-apps

How many app registrations do I need in my Azure AD tenant



The graphic pretty much tells the story. This is all single tenant, fwiw.

I have my Web API, which is being accessed by a "swagger" UI (which is really a kind of spa) served up from the same location, as well as an MVC app, which has some traditional MVC controllers interacting with the Web API, as well as some SPA experiences that interact directly with the web api.

From what I've read, in addition to my Web API having an app registration in my AD tenant (which has the roles declared in its manifest in order to support RBAC), I also need to have a separate app registration for the swagger UI, which is granted permissions to access the Web API.

I'm unsure if my MVC app needs 1 AD Tenant registration, or 2 registrations (1 for MVC, 1 for the SPA served up from MVC)

Main questions..

  1. Should my MVC/SPA share the same AD registration, or, they should be separated?

  2. Does my Web API registration's manifest need to have "oauth2AllowImplicitFlow": true, or only the swagger and SPA app registrations' manifest need that?

  3. My MVC, based on this github sample for SPAs, currently uses this middleware: app.UseWindowsAzureActiveDirectoryBearerAuthentication .. but if my MVC is going to do selective things in its Razor or with its controller logic, should I also be using these additional middlewares UseCookieAuthentication and UseOpenIdConnectAuthentication as shown in this non-SPA web app sample


Solution

    1. You can probably make it work with the same application (getting the access token server-side and supplying it with the rendered page), but you might run into a few things where you can't use that token to get a token to go to the next app (the WebAPI one). It does mean a potential extra trip to Azure AD, but I'd have the SPA be its own app.
    2. Only the Swagger and SPA registrations need "oauth2AllowImplicitFlow": true.
    3. Your MVC app should not use the bearer auth middleware - it should use the normal OpenIdConnect one. The only app in this setup that should be using bearer auth is your WebAPI one.

    A couple of additional notes re: the SPA served from the MVC app. When you're making a call to the WebAPI app, you'll need to make sure a bearer auth token is included on the call, which you get using something like ADAL-JS. If/when you're making a call to the MVC app, no bearer token will be used; you'll usually be using the cookie+OpenID authentication.
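The middleware split the answer describes (cookie + OpenID Connect on the MVC app, bearer validation only on the Web API), written out as an added example; this is not code from the original question or answer. It targets the OWIN/Katana packages the question names (Microsoft.Owin.Security.Cookies, Microsoft.Owin.Security.OpenIdConnect, Microsoft.Owin.Security.ActiveDirectory). The tenant name, client ID, App ID URI, redirect URI and the "Reader" app role are placeholder assumptions; in a real deployment each Startup lives in its own project.

```csharp
// Added example, not part of the original post. Two OWIN Startup classes:
// one for the MVC app (browser sign-in, cookie session) and one for the Web API
// (bearer tokens only). All identifiers below are placeholders.
using System.IdentityModel.Tokens;
using System.Web.Http;
using Microsoft.Owin.Security.ActiveDirectory;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

namespace Example.Mvc
{
    // MVC app: sign the user in with OpenID Connect and keep the session in a cookie.
    // No bearer middleware here; Razor pages and MVC controllers are protected by the cookie.
    public class Startup
    {
        private const string Tenant = "contoso.onmicrosoft.com";                   // placeholder tenant
        private const string ClientId = "00000000-0000-0000-0000-000000000001";   // placeholder MVC app registration
        private const string Authority = "https://login.microsoftonline.com/" + Tenant;

        public void Configuration(IAppBuilder app)
        {
            // The OIDC middleware hands the authenticated identity to the cookie middleware.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientId,
                // Tenant-specific authority: single-tenant app, so tokens from other tenants are rejected.
                Authority = Authority,
                PostLogoutRedirectUri = "https://localhost:44300/"                // placeholder
            });
        }
    }
}

namespace Example.WebApi
{
    // Web API: the only app in the setup that validates bearer tokens.
    // The audience check is what stops a token issued for another app (e.g. the MVC
    // registration) from being replayed against this API.
    public class Startup
    {
        private const string Tenant = "contoso.onmicrosoft.com";                   // placeholder tenant
        private const string AppIdUri = "https://contoso.onmicrosoft.com/webapi";  // placeholder App ID URI of the API registration

        public void Configuration(IAppBuilder app)
        {
            app.UseWindowsAzureActiveDirectoryBearerAuthentication(
                new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                {
                    Tenant = Tenant,
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidAudience = AppIdUri
                    }
                });

            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            app.UseWebApi(config);
        }
    }

    // RBAC via the appRoles declared in the API's manifest: the "roles" claim in the
    // bearer token is mapped to the role claim type, so [Authorize(Roles = ...)] works.
    // "Reader" is a placeholder role value.
    [Authorize(Roles = "Reader")]
    [RoutePrefix("api/reports")]
    public class ReportsController : ApiController
    {
        [HttpGet, Route("")]
        public IHttpActionResult List()
        {
            return Ok(new[] { "quarterly", "annual" });
        }
    }
}
```

The SPA and swagger registrations still need "oauth2AllowImplicitFlow": true in their own manifests so ADAL-JS can obtain a token for the API's App ID URI; the Web API registration does not, since it never acquires tokens itself. A caller that hits the MVC app with a bearer token instead of the cookie is simply unauthenticated there, which matches the answer's split.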