
I am working on an ASP.NET Core 2.0 API. Currently this API supports a Service to Service workflow where the client console application obtains an access token from Azure AD using their console application's Azure AD app registration AppId/AppKey values.

To support this, my API uses...

        // Add Azure AD OAUTH2.0 Authentication Services
        services.AddAuthentication(sharedOptions =>
        {
            sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddAzureAdBearer(options => Configuration.Bind("AzureAd", options));

in Startup.cs ConfigureServices method and...

        app.UseAuthentication();

in the Startup.cs Configure method. And finally the ...

[Authorize]

attribute along with the...

using Microsoft.AspNetCore.Authorization;

using statement in my controllers.

This is all working fine right now.

However, I now have a need to allow an admin web app to access my API. This admin web app will use Azure AD to authenticate the user login and obtain an Identity Token. I want my API to also be able to accept this Identity Token to:

  1. Allow access to the API, and
  2. Allow my API to identify the user and make decisions in the API based upon the user identity's claims.

Can ASP.NET Core 2.0 support both access token and identity token without breaking what I currently have working with the service to service workflow?


That should work fine - your above breakdown needs some minor tweaks though:

THE CONSOLE APP: Gets a simple access token based on an API key. The access token is NOT user specific and represents the application identity.

THE ADMIN WEB APP: Users log in and get an id_token AND an access_token. The id_token is just used by the web app as proof of authentication and never sent anywhere. The access_token is user specific and can be used to call the API and get personalized data.

THE API: The job of the API is to receive access tokens and authorize based on claims from the token. For the console app the claims will only contain the application identity via a 'client id' claim. For the web app you will also be able to identify the user, most commonly via a 'sub' claim (there may be other user claims such as email).
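The claim-based split the answer describes, as an added example that is not part of the question or the answer above. It assumes the `AddAzureAdBearer`/JwtBearer setup already shown in the question, so both the console app's client-credentials token and the admin web app's user token arrive at the same `[Authorize]` pipeline. The claim names (`appid`/`azp` for the calling application, `scp` for delegated scopes, `oid`/`upn` for the user) and the long-form URIs are assumptions about what Azure AD issues and how the ASP.NET Core JwtBearer handler remaps short claim names; the helper checks both forms. The user/app distinction relies on the fact that a client-credentials token carries no `scp` claim, whereas a token issued for a signed-in user does; checking `oid` or `sub` alone is not enough, because app-only tokens also carry those claims (populated with the service principal's object id).

```csharp
// Added example (not the original poster's or answerer's code).
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Normalized view of who is calling: always an application, sometimes also a user.
public sealed class CallerIdentity
{
    public string AppId { get; private set; }        // client id of the calling app (console app or admin web app)
    public string UserObjectId { get; private set; } // null for app-only (client-credentials) tokens
    public string UserName { get; private set; }     // null for app-only tokens
    public bool IsAppOnly => UserObjectId == null;

    // Returns the first present claim among several candidate names. Needed because the
    // JwtBearer handler's inbound claim map renames some short JWT claims to long URIs
    // (assumed names; both short and long forms are tried).
    private static string FirstClaim(ClaimsPrincipal p, params string[] types) =>
        types.Select(t => p.FindFirst(t)?.Value).FirstOrDefault(v => v != null);

    public static CallerIdentity From(ClaimsPrincipal principal)
    {
        var appId = FirstClaim(principal, "appid", "azp");

        // Delegated (user) tokens carry a "scp" claim listing the granted scopes;
        // client-credentials tokens do not. That absence, not the absence of "oid"/"sub",
        // is what identifies an app-only caller.
        var scopes = FirstClaim(principal, "scp",
            "http://schemas.microsoft.com/identity/claims/scope");
        if (scopes == null)
            return new CallerIdentity { AppId = appId };

        return new CallerIdentity
        {
            AppId = appId,
            UserObjectId = FirstClaim(principal, "oid",
                "http://schemas.microsoft.com/identity/claims/objectidentifier"),
            UserName = FirstClaim(principal, "upn", ClaimTypes.Upn, "preferred_username")
        };
    }
}

public static class CallerPolicies
{
    public const string UserOnly = "UserOnly"; // hypothetical policy name
    public const string AppOnly = "AppOnly";   // hypothetical policy name

    // Call from Startup.ConfigureServices after AddAuthentication(...).AddAzureAdBearer(...).
    public static void AddCallerPolicies(this IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            // Admin endpoints: a real signed-in user must be behind the token.
            options.AddPolicy(UserOnly, p => p.RequireAuthenticatedUser()
                .RequireAssertion(ctx => !CallerIdentity.From(ctx.User).IsAppOnly));
            // Service-to-service endpoints: only the application identity is expected.
            options.AddPolicy(AppOnly, p => p.RequireAuthenticatedUser()
                .RequireAssertion(ctx => CallerIdentity.From(ctx.User).IsAppOnly));
        });
    }
}

[Route("api/[controller]")]
[Authorize] // both token kinds are accepted here; the policies below narrow per action
public class OrdersController : Controller
{
    // Reachable by the console app and by the admin web app; behaves per caller.
    [HttpGet]
    public IActionResult List()
    {
        var caller = CallerIdentity.From(User);
        return caller.IsAppOnly
            ? Ok(new { scope = "all-orders", app = caller.AppId })
            : Ok(new { scope = "my-orders", app = caller.AppId, user = caller.UserObjectId });
    }

    // Reachable only with a user-bearing token from the admin web app.
    [HttpDelete("{id}")]
    [Authorize(Policy = CallerPolicies.UserOnly)]
    public IActionResult Cancel(string id)
    {
        var caller = CallerIdentity.From(User);
        return Ok(new { cancelled = id, by = caller.UserName });
    }
}
```

Keying the decision on the `scp` claim rather than on `sub` or `oid` matters for the service-to-service path: if an admin-only action were guarded by "has an `oid` claim", the console app's client-credentials token would satisfy it. Whatever the API decides, it should decide from claims in the validated access token only, never from headers or body fields the caller supplies.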
