Tags: oauth, asp.net-core-webapi, azure-app-registration, azure-entra-id, clientcredential

Understanding how to secure an API using Azure (App registration) and oauth


I'm trying to wrap my head around the concept of securing an API using Azure services and oauth.

I'm learning, so this is my fictional scenario:

Scenario

  1. An API, .NET stack, developed by me.
  2. A client server app, developed by my (business) client.
  3. An OAuth provider, that I need to create and set up, to secure my API and enable machine-to-machine communication (client credentials flow), so that the client server can request data from my API.

My first attempts

For a first try, I quickly ran, set up and tested a local Keycloak instance. I'd like to reproduce the same mechanisms using Azure, since I already use their services.

Inspired by my readings, I created an App registration, added a client secret, and tested in Postman, using:

  • Grant type = Client credentials
  • Client Id
  • Client Secret
  • Scope = /.default

I successfully received a token, but it specifies no roles and no scope. I did add a specific scope on the Expose an API page, but I learned later on that client credentials use roles rather than scopes (right??). So:

  • Inside App Roles, I added a role.
  • Inside API Permissions, I added the new role.

Problems

Problem 1: It says, Admin consent required, and there I'm lost. I'm not sure what it means, and I'm not sure I'm doing things the right way for my situation.

Problem 2: From what I see here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/overview I need a B2C account? I saw no mention of this in other tutorials (eg: https://juliocasal.com/blog/Securing-Aspnet-Core-Applications-With-OIDC-And-Microsoft-Entra-ID)

Questions

  • Is my scenario logical and correct? (A client server app outside of my Azure directory, which probably doesn't use Microsoft accounts at all, connecting to my API through an Azure App registration, using a client ID and client secret?)
  • Did I understand correctly what can be done using Azure App Registrations?
  • Am I right to think that I can create one to act as the OAuth provider, like with Keycloak, or absolutely not?
  • Do I need a B2C account?

Edit: Adding screenshots

Here is a screenshot of my API permissions blade: [screenshot: API permissions blade content, showing a default MS Graph delegated permission and a user-added application permission needing admin consent]

The Microsoft Graph delegated permission was there by default and I left it there. I added the application permission, which forces admin consent. The permission comes from a new role I added: [screenshot: Azure App roles blade showing a user-created role for applications]


Solution

  • Is my scenario logical and correct? -> Yes

  • Did I understand correctly what can be done using Azure App Registrations? -> Yes

  • Am I right to think that I can create one to act as the OAuth provider, like with Keycloak, or absolutely not? -> Not sure, I'm not familiar with Keycloak.

  • Do I need a B2C account? -> No, you can ask AI to get the differences between B2B and B2C.

    You are trying to use Azure AD as the auth provider to secure your API and enable machine-to-machine communication. Using the client credentials flow is correct.

    Azure AD API protection is also based on OAuth 2.0, so we need to help the client obtain an access token which contains the correct API permission to call a secured API endpoint, and the API endpoint should validate whether there's a valid access token in the request header of the incoming request.

    Problem 1: It says, Admin consent required, and there I'm lost. I'm not sure what it means, and I'm not sure I'm doing things the right way for my situation.

    -> Application permissions require admin consent; you can see the grey button beside the Add a permission button in your screenshot. As you have seen, when we use the client credentials flow we have to use /.default as the scope; we can't define several individual API permissions for token generation, which is less secure than what we can do with delegated API permissions. So admin consent is necessary.

    About how to generate an access token, you can use the code below.

    using Azure.Core;
    using Azure.Identity;
    
    // /.default asks for every application permission (app role) that has been
    // admin-consented for this client on the target API's app registration.
    var scopes = new[] { "api://exposed_apis_app_id/.default" };
    var tenantId = "tenantId";
    var clientId = "clientId";
    var clientSecret = "clientSecret";
    var clientSecretCredential = new ClientSecretCredential(
                    tenantId, clientId, clientSecret);
    
    // Client credentials flow: no user, the app authenticates with its own secret.
    var tokenRequestContext = new TokenRequestContext(scopes);
    var res = await clientSecretCredential.GetTokenAsync(tokenRequestContext);
    var token = res.Token; // bearer JWT; the "roles" claim carries the granted app roles
    

    About how to secure a web API with AAD, you can follow this series of tutorials; you need [Authorize(Roles = "access_as_application")] to verify the specific API permission/role.
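The API side of the answer above, as an added example that is not part of the original question or answer: a minimal ASP.NET Core Web API that validates the Entra ID bearer token obtained with the client credentials flow and authorizes on the app role. It assumes the NuGet package Microsoft.Identity.Web, an app role whose Value is `access_as_application` (taken from the answer), and an `AzureAd` configuration section whose values are placeholders; the endpoint path `/data` and policy name `AppOnly` are arbitrary choices for the example.

```csharp
// Added example (not the original poster's or answerer's code).
// Assumes Microsoft.Identity.Web and this appsettings.json section (placeholder values):
//   "AzureAd": {
//     "Instance": "https://login.microsoftonline.com/",
//     "TenantId": "<tenant-id>",
//     "ClientId": "<client-id of the API's app registration>"
//   }
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Validates the bearer JWT on every request: signature against the tenant's published
// signing keys, issuer, audience (the API's client ID / api://<client-id>) and expiry.
// Microsoft.Identity.Web maps the token's "roles" claim to role claims, so
// RequireRole / [Authorize(Roles = ...)] work directly on app roles.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddAuthorization(options =>
{
    // A client-credentials token carries "roles", never "scp". Requiring the role
    // rejects a token issued to a client that has not been admin-consented for this
    // API (such a token has no "roles" claim at all) and any token whose caller was
    // granted a different role.
    options.AddPolicy("AppOnly", policy =>
        policy.RequireAuthenticatedUser()
              .RequireRole("access_as_application"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// 401 without a valid token, 403 with a valid token that lacks the role, 200 otherwise.
app.MapGet("/data", (HttpContext ctx) =>
{
    // "azp" (v2 tokens) or "appid" (v1 tokens) identifies the calling application,
    // i.e. the business client's app registration; useful for auditing which
    // machine identity made the call.
    var callerAppId = ctx.User.FindFirst("azp")?.Value
                      ?? ctx.User.FindFirst("appid")?.Value;
    return Results.Ok(new { message = "hello from the protected API", caller = callerAppId });
}).RequireAuthorization("AppOnly");

app.Run();
```

Two checks worth doing while testing: decode the token from Postman (it is a plain JWT) and confirm `aud` equals the API's client ID or `api://<client-id>` and that `roles` contains `access_as_application`; a token requested before the admin-consent button was pressed will validate but has no `roles` claim, and this endpoint correctly answers 403 for it rather than 200.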