Securing RESTful Web API with OpenID for connecting On-Premise data sources to Office 365

This article explains how to secure the RESTful web API that exposes data between on-premise data sources and Office 365. OpenID Connect can be used to build the authentication for the web API solution. Refer to [1] for how to implement OpenID Connect authentication for a custom web solution.

Steps to define and setup a Web API to use AAD:

Register an Azure application for Custom Web API:

Sign into https://portal.azure.com with an account that has permissions to create Azure Active Directory applications.

In the menu on the left, Select Azure Active Directory

Select App registrations and choose New application registration

Enter a Name – Example: I used the name Web.API

In Application type, select Web app / API

In Sign-on URL enter https://api.contoso.com and select Create

Select the Application which is created and Copy the Application ID value

Click on the Edit manifest

The manifest JSON opens on the left; change oauth2AllowImplicitFlow to true and click Save

Figure 1: Manifest of an Azure AD Application registration

Click Settings and then choose Keys

In the Passwords section enter a key Description (Ex: Secret)

Select a value in the Expires drop-down list and click Save

Copy the key value which will be shown for the first time and later it will be shown as Hidden

Use the Client ID and the Client Secret in your Custom Web API web config file for authentication.

Configure the changes to custom Web API Solution:

Open the custom web API project in Visual Studio (or your IDE of choice)

Update the Startup.Auth.cs code file to accept bearer tokens

Figure 2: Updating the Startup.Auth.cs code file

Add the headers in Global.asax.cs that allow GET, POST, PUT and similar requests

Figure 3: Adding headers in Global.asax.cs

Update app settings, headers and handlers in the config

Figure 4: Updating the app settings

Now with the necessary changes done, we can publish the application to IIS and try to test the site (https://api.contoso.com).

Verify access to the application by signing in with an Office 365 account.

Register another Azure application and specify permissions:

Sign into https://portal.azure.com with a user account that has permissions to create Azure Active Directory applications.

In the menu on the left, select Azure Active Directory

Select App registrations and choose New application registration

Enter a Name – Example: I used the name Web.API.Apps

Figure 5: Registering a new application

In Application type, select Web app / API

In Sign-on URL, enter:

  1. For on-prem API app https://api.contoso.com
  2. For Power apps https://msmanaged-na.consent.azure-apim.net/redirect

Select Create. The application will be initialized.

Click on the Application which is created in earlier steps

Copy the Application ID value

Figure 6: Steps for Key to generate

Click Settings and then select Keys

Figure 7: Generate Secret key

In the Passwords section fill in the Description of the key to be generated

Choose an expiration date from the Expires drop-down list and choose Save

Copy the key value which is generated.

Note: The generated key will be displayed for the first time and later it will be shown as Hidden

Click Required permissions and select Add (Fig.8)

Click Select an API

Figure 8:  Adding required permissions

Search Custom Web API and select the desired application (Fig.9)

Note: (Ensure you choose the Azure AD app registration created earlier)

Figure 9: Select the custom web API as API access 

In the DELEGATED PERMISSIONS section, select the check box, click Select, and then click Done (Fig.10)

Figure 10: Assign Permissions (scopes & roles) to app registration

Select Grant Permissions to grant permissions (Fig.11)

Figure 11: Granting permissions for custom web API

Now the custom Web API is secured with AAD and every request to the API needs an access token. The access token is passed in the Authorization header of the web request to the API, in the format

Authorization: Bearer <Access_Token>

We can now test the API for its security and response.

Generate Token to Authenticate the web API

To request an access token, make an HTTP GET to the tenant-specific Azure AD authorize endpoint with the following parameters:

https://login.microsoftonline.com/<tenant>/oauth2/authorize?response_type=token&client_id=<App_id>&resource=<App_ID_URI>&redirect_uri=<host_url>

Parameters and their descriptions:

tenant: The ID of the tenant. To find it in the Azure portal, click "Azure Active Directory", enter "Properties" in the search box, open it and copy the "Directory ID". It looks like "xxxxx-xxxx-xxxxxx-xxxxx".

response_type: Must be "token"; this selects the implicit authorization flow, which returns the access token in the fragment of the redirect URL.

App_id: The Application ID of the client app registration (ex: Custom.Web.Api). To get it in the Azure portal:

  1. Click on "Azure Active Directory"
  2. Click on "App registrations"
  3. Select the client application (ex: Custom.Web.Api) and copy the "Application ID"

App_ID_URI: The App ID URL of the middle-tier service app registration (ex: Itron Web API). This is the value passed as resource, and it is the audience the access token is issued for. To get it in the Azure portal:

  1. Click on "Azure Active Directory"
  2. Click on "App registrations"
  3. Select the middle-tier app registration (ex: Itron Web API)
  4. Click on Settings
  5. Click on Properties and copy the "App ID URL"

host_url: The URL of the application hosted in IIS, passed as redirect_uri. It must match the Sign-on URL registered for the application; Azure AD only redirects the token to a registered URL.

For Example:

Request URL:

https://login.microsoftonline.com/xxxxx-xxxx-xxxx-xxxx-xxxxxxxx/oauth2/authorize?response_type=token&client_id=xxxxxxx-xxxx-xxx-xxx-xxxxxx&resource=https://contoso.onmicrosoft.com/xxxxx-xxxx-xxxxxxx-xxxxxxxxx&redirect_uri=https://api.contoso.com/

Response URL: https://api.contoso.com/#access_token=eyJ0eXAiOiJ…..&token_type=Bearer&expires_in=3600&session_state=c4daf3e1-0c4c-48xx-xxxx-xxxxxxx

Browsing to the Request URL signs the user in and redirects the browser to the Response URL, whose fragment carries the access token. With that token the web application is authenticated for the related REST API call.

Send the access token with each AJAX call to the API: the Authorization header must be "Bearer " followed by the access token.

// jQuery $.ajax settings for calling the secured API with the bearer token
var settings = {
  "url": "https://api.contoso.com/api/GetEmployees",
  "method": "GET",
  "headers": {
    // exactly one space between the scheme and the token
    "Authorization": "Bearer <Access_Token>"
  }
};

$.ajax(settings).done(function (data) {
  console.log(data);
});

Now we have secured the RESTful Web API with OpenID Connect for connecting on-premise data sources to Office 365.

References:

  1. https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols