
I'm trying to establish whether it's possible to make use of various authentication mechanisms in our web API. The two we are looking at are:

  • Auth against db using username and password (current implementation)
  • Auth against Azure AD

The thing I'm struggling to get my head around is:

  • How do I configure both? In other words, how does the API know which mechanism to use?
  • Secondly, how do I make use of a different ida:ClientId (Azure AD Auth) during run-time (multi tenant site)

Many thanks in advance!

  • Did you mean the web API provides a login page for the db and Azure AD account? Or the web API can accept both the token and username/password for the authentication? Commented Jun 29, 2017 at 7:54
  • @FeiXue-MSFT no, the API does not provide a login page. The front-end (angularjs) would present a login page. That login page would basically state, do you want to log in with x or y. The API should then handle the auth and dish out the token to the calling client. But like I said, I'm trying to get my head around this, so chances are good I do not understand the process. Commented Jun 29, 2017 at 8:06
  • The client id will always be same no matter which tenant is using the API. It's the identifier for the original app registration in your tenant. Commented Jun 29, 2017 at 8:11
  • @juunas many thanks for the response. You're telling me that if I register the app in my Azure AD, and another Azure subscription registers the same app in their AD, the ClientId is kinda irrelevant? Did I understand correctly? Commented Jun 29, 2017 at 8:21
  • Yes, an administrator on their side must give consent to the app, and then a service principal corresponding to the app is created in their directory. But the app will always remain in the directory where it was created. So the client id is always the same. What is different in multi-tenant though is the tenant id in the access token's claims. Issuer validation is also a bit different in multi-tenant scenarios. Commented Jun 29, 2017 at 8:25

1 Answer


We can add multiple authentication middleware directly in the web API project. To add the authentication using Azure AD, we can use Microsoft.Owin.Security.ActiveDirectory. And here is code that supports both the individual and the Azure AD account, for your reference:

// Startup.Auth.cs of an ASP.NET Web API 2 (OWIN) project; the using directives,
// class wrapper and the two static properties are the parts the template
// normally generates around ConfigureAuth.
using System;
using System.Configuration;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.ActiveDirectory;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }
    public static string PublicClientId { get; private set; }

    public void ConfigureAuth(IAppBuilder app)
    {
        // Configure the db context and user manager to use a single instance per request
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        // Enable the application to use a cookie to store information for the signed in user
        // and to use a cookie to temporarily store information about a user logging in with a third party login provider
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        // Configure the application for OAuth based flow: the API itself issues
        // bearer tokens for local (db) accounts from the /Token endpoint
        PublicClientId = "self";
        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider(PublicClientId),
            AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
            // In production mode set AllowInsecureHttp = false
            AllowInsecureHttp = true
        };

        // Enable the application to use bearer tokens to authenticate users
        app.UseOAuthBearerTokens(OAuthOptions);

        // Second middleware: validate bearer tokens issued by Azure AD for this
        // API (audience) from the configured tenant
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Audience = ConfigurationManager.AppSettings["ida:Audience"],
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
            });
    }
}

To authenticate the local account, we can get the access token from the authorization server built with the web API project. And for the Azure AD account, we need to get the token from Azure AD.

How do I configure both? In other words, how does the API know which mechanism to use?

In the front-end application, you should also provide a button to log in with Azure AD and then acquire the access token from Azure AD. Then you can call the web API using this access token, as with the individual accounts.

Secondly, how do I make use of a different ida:ClientId (Azure AD Auth) during run-time (multi tenant site)

If you want to develop a multi-tenant site, when you register the web app/API app on Azure AD, you need to enable "Multi-tenanted". And replace the tenant in the authorization/token endpoint with common. After that, the users from other tenants can log in to your app. For more detail about multi-tenant development, you can refer to the link below:

How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern
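The multi-tenant variant of the Azure AD bearer middleware, as an added example that is not part of the answer above. It uses the common endpoint the answer mentions, and keeps issuer validation on (the point raised in the comments) by restricting it to an allowlist of tenant IDs; the app setting "ida:AllowedTenants" is an assumed, hypothetical name.

```csharp
// Added example, not from the answer: multi-tenant Azure AD bearer setup with an
// issuer allowlist. Assumes an app setting "ida:AllowedTenants" (hypothetical name)
// holding a comma-separated list of Azure AD tenant IDs allowed to call this API.
using System;
using System.Configuration;
using System.IdentityModel.Tokens;
using System.Linq;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public static class MultiTenantAzureAdAuth
{
    // Azure AD (v1 endpoint) access tokens carry the issuing tenant in the "iss"
    // claim as https://sts.windows.net/{tenantId}/ ; build that form per tenant.
    public static string[] IssuersFor(string[] tenantIds)
    {
        return tenantIds
            .Select(t => t.Trim())
            .Where(t => t.Length > 0)
            .Select(t => "https://sts.windows.net/" + t + "/")
            .ToArray();
    }

    public static void Configure(IAppBuilder app)
    {
        var allowedTenants = (ConfigurationManager.AppSettings["ida:AllowedTenants"] ?? "")
            .Split(',');
        var validIssuers = IssuersFor(allowedTenants);
        if (validIssuers.Length == 0)
            throw new InvalidOperationException("ida:AllowedTenants must list at least one tenant.");

        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                // "common" lets any Azure AD tenant obtain a token for this API...
                Tenant = "common",
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidAudience = ConfigurationManager.AppSettings["ida:Audience"],
                    // ...so the issuer must still be checked. The "common" metadata
                    // only carries a placeholder issuer, so the default check cannot
                    // pass; setting ValidateIssuer = false instead would accept tokens
                    // from every tenant. Pin the accepted issuers explicitly.
                    ValidateIssuer = true,
                    ValidIssuers = validIssuers
                }
            });
    }
}
```

Call MultiTenantAzureAdAuth.Configure(app) from ConfigureAuth in place of the single-tenant UseWindowsAzureActiveDirectoryBearerAuthentication call; the tenant a caller belongs to is then available from the token's tid claim.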

