This article explains how to secure a RESTful web API that exposes data between on-premise data sources and Office 365. OpenID Connect can be used to build the authentication for the web API solution. Refer to the blog posts in [1] for how to implement OpenID authentication for a custom web solution.
Steps to define and set up a Web API to use AAD:
Register an Azure application for Custom Web API:
Sign in to https://portal.azure.com with an account that has permission to create Azure Active Directory applications.
In the menu on the left, select Azure Active Directory
Select App registrations and choose New application registration
Enter a Name – for example, Web.API
In Application type, select Web app / API
In Sign-on URL enter https://api.contoso.com and select Create
Select the Application which is created and Copy the Application ID value
Click on the Edit manifest
This opens the manifest JSON in an editor on the left; change oauth2AllowImplicitFlow to true and click Save
Click Settings and then choose Keys
In the Passwords section enter a key Description (Ex: Secret)
Select a value in the Expires drop-down list and click Save
Copy the key value now; it is shown only this once and is displayed as Hidden afterwards
Use the Client ID and the Client Secret in your Custom Web API web config file for authentication.
Configure the changes to custom Web API Solution:
Open the custom web API project in Visual Studio (or your IDE of choice)
Update the Auth.cs code file to allow bearer token
Add the headers in asax.cs to allow GET, POST, PUT, etc. requests
Update app settings, headers and handlers in the config
With the necessary changes done, publish the application to IIS and test the site (https://api.contoso.com).
Verify access to the application by logging in with an Office 365 account.
Register another Azure application and specify permissions:
Sign in to https://portal.azure.com (ensure the user account has permission to create Azure Active Directory applications).
In the menu on the left, select Azure Active Directory
Select App registrations and choose New application registration
Enter a Name – for example, Web.API.Apps
In Application type, select Web app / API
In Sign-on URL enter:
- For on-prem API app https://api.contoso.com
- For Power apps https://msmanaged-na.consent.azure-apim.net/redirect
Select Create. The application will be initialized.
Click on the Application which is created in earlier steps
Copy the Application ID value
Click Settings and then select Keys
In the Passwords section fill in the Description of the key to be generated
Choose an expiration date from the Expires drop-down list and choose Save
Copy the key value which is generated.
Note: The generated key is displayed only this once and is shown as Hidden afterwards
Click Required permissions and select Add (Fig.8)
Click Select an API
Search Custom Web API and select the desired application (Fig.9)
Note: ensure you choose the Azure AD app registration created earlier
In the DELEGATED PERMISSIONS section, select the check box, click Select, and then click Done (Fig.10)
Select Grant Permissions to grant permissions (Fig.11)
Now the custom Web API is secured with AAD and all future requests to the API need an access token. The access token is passed in the Authorization header of each web request to the API in the format
“Authorization”: “Bearer <Access_Token>”
We can now test the API for its security and response.
Generate Token to Authenticate the web API
To request an access token, make an HTTP GET to the tenant-specific Azure AD authorize endpoint with the following parameters:
https://login.microsoftonline.com/<tenant>/oauth2/authorize?response_type=token&client_id=<App_id>&resource=<App_ID_URI>&redirect_uri=<host_url>
| Parameter | Description |
| --- | --- |
| tenant | The id of the tenant. To find it in the Azure portal, click “Azure Active Directory”, enter “Properties” in the search box, open it and copy the “Directory ID”; it looks like “xxxxx-xxxx-xxxxxx-xxxxx”. |
| response_type | Must be “token” for this authorization flow. |
| App_id | The id of the client app (ex: Custom.Web.Api_id). In the Azure portal: click “Azure Active Directory”, click “App registrations”, select the client application (ex: Custom.Web.Api) and copy the “Application ID”. |
| App_ID_URI (App_ID_URL) | Passed as the resource parameter; taken from the middle-tier service’s “App registration” (ex: Itron Web API). In the Azure portal: click “Azure Active Directory”, click “App registrations”, select the middle-tier app registration (ex: Itron Web API), click Settings, click Properties and copy the “App ID URL”. |
| host_url | The URL of the application hosted in IIS, passed as redirect_uri. |
For Example:
Request URL:
https://login.microsoftonline.com/xxxxx-xxxx-xxxx-xxxx-xxxxxxxx/oauth2/authorize?response_type=token&client_id=xxxxxxx-xxxx-xxx-xxx-xxxxxx&resource=https://contoso.onmicrosoft.com/xxxxx-xxxx-xxxxxxx-xxxxxxxxx&redirect_uri=https://api.contoso.com/
Response URL: https://api.contoso.com/#access_token=eyJ0eXAiOiJ…..&token_type=Bearer&expires_in=3600&session_state=c4daf3e1-0c4c-48xx-xxxx-xxxxxxx
Browsing to the Request URL signs the user in and redirects to the Response URL, whose fragment carries the access token. With that token the web application is authenticated for the related REST API call.
The access token is sent when calling the API in an ajax call. In the headers, the Authorization property must be “Bearer ” + Access_Token.
// jQuery ajax settings for the secured API; <Access_Token> is the value taken from the Response URL
var settings = {
"url": "https://api.contoso.com/api/GetEmployees",
"method": "GET",
"headers": {
"Authorization": "Bearer <Access_Token>"
}
};
$.ajax(settings);
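As an added example (not code from the original article), the following JavaScript builds the Request URL from the parameters in the table above, extracts the access token from the fragment of the Response URL that Azure AD redirects to, and produces the Authorization header used in the ajax call. All ids and URLs in it are constructed placeholders; substitute your own tenant id, Application ID, App ID URL and host URL.

```javascript
// Added example (not from the original article): build the implicit-flow
// request URL from the parameters in the table above and extract the access
// token from the fragment of the Response URL that Azure AD redirects to.
// All ids and URLs below are constructed placeholders.

// Request URL: https://login.microsoftonline.com/<tenant>/oauth2/authorize?...
function buildAuthorizeUrl({ tenant, clientId, resource, redirectUri }) {
  const params = new URLSearchParams({
    response_type: "token",
    client_id: clientId,
    resource: resource,
    redirect_uri: redirectUri,
  });
  return `https://login.microsoftonline.com/${encodeURIComponent(tenant)}/oauth2/authorize?${params}`;
}

// Response URL: https://api.contoso.com/#access_token=...&token_type=Bearer&...
// The token is carried in the fragment, not the query string, so only the part
// after "#" is parsed; anything before it is ignored.
function parseTokenResponse(responseUrl) {
  const hashIndex = responseUrl.indexOf("#");
  if (hashIndex === -1) {
    throw new Error("no fragment in response URL");
  }
  const params = new URLSearchParams(responseUrl.slice(hashIndex + 1));
  // Azure AD reports a failed request as error / error_description in the fragment
  if (params.has("error")) {
    throw new Error(`${params.get("error")}: ${params.get("error_description")}`);
  }
  const accessToken = params.get("access_token");
  if (!accessToken || params.get("token_type") !== "Bearer") {
    throw new Error("response did not contain a bearer access token");
  }
  return {
    accessToken,
    expiresIn: Number(params.get("expires_in")), // seconds until the token expires
    sessionState: params.get("session_state"),
  };
}

// The header the API expects: "Authorization": "Bearer <Access_Token>"
function bearerHeaders(accessToken) {
  return { Authorization: `Bearer ${accessToken}` };
}

// Constructed sample of the Response URL shape shown in the article
const SAMPLE_RESPONSE_URL =
  "https://api.contoso.com/#access_token=eyJ0eXAiOiJKV1Q&token_type=Bearer" +
  "&expires_in=3600&session_state=c4daf3e1-0c4c-4800-8000-000000000000";
const token = parseTokenResponse(SAMPLE_RESPONSE_URL);
const headers = bearerHeaders(token.accessToken); // pass these to the ajax call
```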
Now we have successfully secured the RESTful Web API with OpenID Connect for connecting on-premise data sources to Office 365.
References:
- https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols