0

Securing an API app with an Application Identity–Part 1

Azure Active Directory

Deploying an API within Azure is a very simple tasks. But how about security? The API itself is exposed to the outside world. When for example have a API app that is connected to on-premise systems with an Hybrid Connection the API will have to be secured in a certain way.

An option is to use Azure Active Directory. Within Azure Active Directory you can register an Application Identity for the API App. The connecting application will also have to be registered within Active Directory in order to connect to the API Application (This part will be discussed in part 2).

Part 1 will contain the setup of the API application in Part 2 the configuration and code changes for the client application will be discussed.

First off all the API app needs to be registered within Azure Active Directory. In order to manage Azure Active Directory the old Azure portal : https://manage.windowsazure.com needs to be used.

Azure Active Directory

Open up the Active Directory and click on the “Applications” tab.

image_thumb[14]

In the bar at the bottom of the screen you can add a new application by selecting new. Selecting “New” will open a wizard for adding an application.

image_thumb[20]

Select the option “Add an application my organization is developing”.

image_thumb[28]

Enter the name of the application and since our application is an API app select “Web Application and/or Web API” and click next.

image

Fill-in a Sign-On URL if you do not have a specific sign-in URL fill in your default URL for example “https://example.com” (Note: The URL needs to be secured with SSL).

The APP ID URI is a URL specific for your tenant, this URL will need to contain the tenant name. It needs to be constructed in the following way: https://[tenant-name]/[app-name]

Save the options, the configuration screen of the application will be opened.

Code Changes

When the steps within Azure Active Directory are completed the API also needs some small code changes. To secure the application it self a couple of configuration need to be saved and we will save these in the web.config file.

<add key="auth:Tenant" value="[Tenant name, example.onmicrosoft.com]" />
<add key="auth:APPIDURI" value="[App ID URI of your API Application]" />
<add key="auth:TrustedCallerClientIds" value="[Trusted Callers ClientIds seperated by ';']" />

 

  • APPIDURI: APP ID URI of your application.
  • Tenant:The name of the Azure AD tenant in which you registered the application ([tenant].onmicrosoft.com)
  • TrustedCallerIds:The Client Id’s of the clients that are authorized to access the application seperated by ‘;’.

In the “Startup” class register the Windows Azure Authentication mechanism.

public void ConfigureAuth(IAppBuilder app) {
    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions {
            TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters() {
                ValidAudience = ConfigurationManager.AppSettings["auth:APPIDURI"]
            },
            Tenant = ConfigurationManager.AppSettings["auth:Tenant"]
        });
}

Here you register your application and tenant for authentication. By these settings it will know on which tenant it is registered.

Next up it the API method itself. The methods within the API can be secured with a attribute called “Authorize”.

[Authorize]
public string Get(string id) {
    if (string.IsNullOrEmpty(id))
        throw new ArgumentNullException("id", "Argument 'id' cannot be 'null' or 'string.empty'");

    //Get API
}

All of this together will make sure the application is secured. With a few additional steps you can also secure the application for specific caller applications. That is were the “TrustedCallersIds” configuration comes is.

From the ClaimsPrincipal of the caller application the client id can be retrieved. With the client id you check the values against the values saved within the web.config.

[Authorize]
public string Get(string id) {

    Collection<string> trustedCallerClientId = AuthConfiguration.TrustedCallerClientIds;
    string currentCallerClientId = ClaimsPrincipal.Current.FindFirst("appid").Value;

    if (trustedCallerClientId.Contains(currentCallerClientId)) {
        //Get API
    }else{
        throw new AuthenticationException("Client is not Authorized");
    }
}

The “AuthConfiguration” class is a object that retrieves the Authentication settings from the web.config. The “TrustedClientIds” property retrieves the TrustedClientIds from the web.config.

public static Collection<string> TrustedCallerClientIds {
    get {
        List<string> retVal =new List<string>();
        string ids = ConfigurationManager.AppSettings["auth:TrustedCallerClientIds"];
        string[] itemIds = ids.Split(new string[]{";"}, StringSplitOptions.RemoveEmptyEntries);
        retVal.AddRange(itemIds);
        return retVal.ToCollection();
    }
}

All of this together will secure you’re API APP. In the next post will be explained how to configure the client application.

Related Posts

Azure DevOps Automation A couple of weeks ago the rename / rebranding of Visual Studio Team Services to Azure DevOps was announced. The rebranding is a great step forward int...
AKS (Kubernetes) and no connection could be made because the target machine acti... A client of my had an error while connecting to different resources within their Kubernetes cluster in Azure (AKS). Kubectl error On the kubectl com...
Kubernetes (AKS) attached to Azure Storage (Files) Kubernetes (AKS) can be used for many situations. For a client we needed to make files available trough a Kubernetes Pod. The files needed to be share...
Resource Group deployment via ARM templates When deploying an Azure Resource Manager (ARM) template you have to create a resource group within Azure. To deploy a template via script your script ...
Azure Managed Service Identity and Local Development Instead of storing user credentials of an external system in a configuration file, you should store them in the Azure Key Vault. Before MSI (Managed S...
The securitydata Azure resource group Most of the times companies have rules in place for managing their Azure environment. The main rules that should be in place are “Azure Policies” and ...

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.