I have a client application that accesses my WebAPI (1) using Integrated Windows Authentication and the Authorization Code authentication flow.
Now I need to have a second WebAPI (2) access the original WebAPI (1) as well, using the Client Credentials authentication flow.
My question is whether you can configure WebAPI (1) to permit EITHER flow, and where to do it, or whether I would have to build a whole separate API to handle the Client Credentials flow. I believe it would be in the ConfigureServices method of Startup.cs, but I'm not certain how adding a Client Credentials filter policy would be handled by the controller's filters.
```csharp
services.AddControllers(options =>
{
    // Global policy: every controller action requires a signed-in user with an email claim.
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireClaim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress")
        .Build();
    options.Filters.Add(new AuthorizeFilter(policy));
    // Add Client Credentials filter here as well??
});
```
In the Startup of WebAPI (1), RequireAuthenticatedUser adds DenyAnonymousAuthorizationRequirement to the current instance, which enforces that the current user is authenticated. This is, obviously, not going to work for the service-to-service authorization I am looking to implement, so it needed to be removed to permit both the Authorization Code flow AND the ACL-based Client Credentials flow.
Also, to get WebAPI (1) to permit the ACL-based authenticated token of WebAPI (2), I needed to add the following to the configuration of WebAPI (1):
```json
{
  "AzureAd": {
    // other properties
    "AllowWebApiToBeAuthorizedByACL": true
    // other properties
  }
}
```
The resulting configuration policy ended up looking like:
```csharp
var policy = new AuthorizationPolicyBuilder()
    .RequireClaim("appid")
    .Build();
```
Hoping someone stumbling on this finds this and it saves them time.
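As an added example (not code from the question or the answer above), the following shows one way to express the "either flow" requirement that the question asks about and the answer arrives at: a single global authorization policy that accepts a signed-in user carrying the email claim (Authorization Code flow) or an app-only token from a specific, known application (Client Credentials flow). The claim names `appid` and the email claim URI come from the thread; the configuration key `AzureAd:AllowedCallerAppId`, the `DualFlowPolicy` class and the `IsAllowedCaller` method are assumptions made for this example. It also goes one step beyond the answer's `RequireClaim("appid")` by pinning the `appid` value to the app id of WebAPI (2), so that any other application registered in the tenant does not satisfy the policy just by presenting a token.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper (not part of the original post) that builds one policy for both flows.
public static class DualFlowPolicy
{
    // Claim names taken from the question and answer above.
    private const string EmailClaim =
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";
    private const string AppIdClaim = "appid";

    // Returns true when the caller is either an interactive user or the one approved service.
    // The ClaimsPrincipal only carries claims that the JwtBearer handler has already validated,
    // so an anonymous request (empty principal) fails both branches and is denied.
    public static bool IsAllowedCaller(ClaimsPrincipal user, string allowedAppId)
    {
        // Authorization Code flow: a signed-in user, identified here by the email claim.
        bool isUser = user.HasClaim(c => c.Type == EmailClaim);

        // Client Credentials flow: an app-only token. Require the specific app id of
        // WebAPI (2) rather than accepting any token that merely has an "appid" claim.
        bool isApprovedApp = !string.IsNullOrEmpty(allowedAppId)
                             && user.HasClaim(AppIdClaim, allowedAppId);

        return isUser || isApprovedApp;
    }

    public static AuthorizationPolicy Build(string allowedAppId) =>
        new AuthorizationPolicyBuilder()
            .RequireAssertion(ctx => IsAllowedCaller(ctx.User, allowedAppId))
            .Build();
}

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed configuration key; store the app (client) id of WebAPI (2) there.
        // The placeholder below is never a valid app id, so nothing matches until it is set.
        string allowedAppId = _configuration["AzureAd:AllowedCallerAppId"]
                              ?? "<APP-ID-OF-WEBAPI-2-PLACEHOLDER>";

        services.AddControllers(options =>
        {
            // One global filter covers both callers; no second API or second filter is needed.
            options.Filters.Add(new AuthorizeFilter(DualFlowPolicy.Build(allowedAppId)));
        });
    }
}
```

The policy is deliberately built from claims alone: the bearer-token middleware still does all signature, issuer and audience validation before the principal reaches it. If WebAPI (1) is configured to receive Azure AD v2.0 access tokens, the calling application's id is carried in the `azp` claim rather than `appid`, so the constant would need to change accordingly.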