How to use an Azure REST API App with Azure Active Directory authorization turned on

I have deployed an API App to Azure, but I am having problems creating the API client when authentication (with AAD) is set to ON.

When I create a service client while authentication is turned off, the client code is generated (using AutoRest) and works. But when I turn authentication ON (and set the action to take when the request is not authenticated to "Log in with Azure Active Directory"), then

1) a 401 Unauthorized response is returned (without redirecting to the AAD login page)

2) I then tried to create the service client again (from the project's context menu: Project → Add → REST API Client; in the dialog I selected "Select Azure Asset" and clicked OK) and received the message "Failed to download metadata file for Microsoft Azure API App: ...app name..." (with no further information).

I set up AAD following this Azure guide (using Express settings):

https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/

I also followed this video, and everything shown in it worked, except that AAD was not shown ... and for me it does not work ...

https://azure.microsoft.com/en-us/documentation/videos/connect-2015-what-s-new-in-app-service-api-apps/

Any suggestions?

EDIT

1) If I enter the request URL (the one the REST API client uses) in the web browser, it returns real results.

2) I found out that I was calling the REST API without credentials (I thought the Azure AD login screen should be presented in that case ... but it is not).

EDIT 2

I have made some progress: I got to the AAD login screen, and after entering the credentials I receive a bearer token, but when I try to execute a service request I get this error message:

AADSTS65005: The client application has requested access to resource 'https....azurewebsites.net'. This request has failed because the client has not specified this resource in its requiredResourceAccess list. Trace ID: 4176e... Correlation ID: 1d612d... Timestamp: 2016-11-13 18:28:34Z

These are the steps I took to go this far:

0) Added the Microsoft.IdentityModel.Clients.ActiveDirectory NuGet package to the client project

1) Registered my client application in Azure Active Directory

2) When calling the REST API from the client application, I pass ServiceClientCredentials

3) When creating the ServiceClientCredentials, I provide four values:

  • authority => taken from AAD App registrations → Endpoints → Federation metadata document value (without the leading http://login.windows.net/ part)
  • resource => the REST API URI (the identifier of the target resource that is the recipient of the requested token)
  • clientId => the application ID I got after registering the client application in AAD
  • redirectUri => since my client application is a native application, this is just any valid URL

How can I specify this resource in my client application?


1 answer

I managed to find a solution for enabling AAD authorization on an Azure REST API App. In case someone else faces the same challenge, I hope it is useful.

These are the steps I took:

1) In App Services → Authentication / Authorization

  • App Service Authentication => On
  • Action to take when request is not authenticated => Log in with Azure Active Directory
  • Configure the AAD settings with Express settings (this creates an Azure AD application for your API app, i.e. the app registration for your service).

2) In Azure Active Directory -> Application Registration

  • Add a registration for your client application
  • Edit the manifest of your client application: in the requiredResourceAccess section, add an entry for the REST API application:
    • resourceAppId => the application ID of the REST API app
    • resourceAccess {id} => the id of the REST API app's OAuth2 permission (you can get it from the REST API app's manifest!)

3) In your client application

  • generate your REST client with AutoRest (from Solution Explorer: Add → REST API Client) or write it by hand
  • add the Microsoft.IdentityModel.Clients.ActiveDirectory NuGet package
  • acquire a token and use it to call your API, with code like this:

      using System;
      using Microsoft.IdentityModel.Clients.ActiveDirectory;   // ADAL, from the NuGet package above
      using Microsoft.Rest;                                     // ServiceClientCredentials / TokenCredentials

      // request (..)
      ServiceClientCredentials credentials = getToken();
      using (var client = new YourAPI(credentials))
      {
          ...
      }
      // (..)

      // getting the token
      private static TokenCredentials getToken()
      {
          // tenant id: take it from Federation Metadata Document in
          // Azure Active Directory -> App registrations -> Endpoints
          var authority = "f1...";
          // identifier of the target resource that is the recipient of the requested token
          var resource = "https://yourapi.azurewebsites.net";
          // client application id (see Azure Active Directory App registration
          // for your client app)
          var clientId = "a71...";
          // return url - not relevant for native apps (just has to be a valid url)
          var redirectUri = "https://just-some-valid-url.net";

          var authContext = new AuthenticationContext(
              string.Format("https://login.windows.net/{0}", authority));
          // interactive sign-in; AcquireTokenAsync returns the bearer token for 'resource'
          AuthenticationResult tokenAuthResult = authContext.AcquireTokenAsync(
              resource, clientId, new Uri(redirectUri),
              new PlatformParameters(PromptBehavior.Auto)).Result;
          return new TokenCredentials(tokenAuthResult.AccessToken);
      }
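The part of the answer that actually clears AADSTS65005 is step 2: the client app's manifest must carry a requiredResourceAccess entry whose resourceAppId is the API app's appId and whose resourceAccess id is the id of the API app's own OAuth2 permission (a delegated scope, so type "Scope"), not the API's appId again. The Python below is an added example and is not code from the original post or from the Azure SDK: it builds that entry from an API manifest, merges it into a client manifest only if it is missing, and adds a quick client-side sanity check that the aud claim of the acquired token matches the resource the client asked for (the mismatch you would see if the wrong resource identifier were requested). Both manifests and the GUIDs in them are constructed placeholders, and the JWT helper produces an unsigned test token only; the audience check decodes the payload without validating the signature, which App Service authentication does on the server side.

```python
import base64
import json

# Constructed sample manifests. Every GUID here is a placeholder, not a real app ID.
API_APP_MANIFEST = {
    "appId": "11111111-1111-1111-1111-111111111111",
    "identifierUris": ["https://yourapi.azurewebsites.net"],
    "oauth2Permissions": [
        {
            "id": "22222222-2222-2222-2222-222222222222",
            "type": "User",
            "value": "user_impersonation",
            "adminConsentDisplayName": "Access yourapi",
        }
    ],
}

CLIENT_APP_MANIFEST = {
    "appId": "33333333-3333-3333-3333-333333333333",
    "requiredResourceAccess": [],
}


def build_required_resource_access(api_manifest, scope_value="user_impersonation"):
    """Return the requiredResourceAccess entry the client manifest needs.

    resourceAppId is the API app's appId; the resourceAccess id is the id of
    the API's OAuth2 permission (delegated scope), taken from the API manifest.
    """
    for perm in api_manifest.get("oauth2Permissions", []):
        if perm.get("value") == scope_value:
            return {
                "resourceAppId": api_manifest["appId"],
                "resourceAccess": [{"id": perm["id"], "type": "Scope"}],
            }
    raise KeyError(f"API manifest has no oauth2Permission named {scope_value!r}")


def client_requires_resource(client_manifest, resource_app_id):
    """The condition behind AADSTS65005: does the client already list this resource?"""
    return any(
        entry.get("resourceAppId") == resource_app_id
        for entry in client_manifest.get("requiredResourceAccess", [])
    )


def add_required_resource(client_manifest, api_manifest, scope_value="user_impersonation"):
    """Add the API to the client's requiredResourceAccess if it is not there yet (mutates)."""
    if not client_requires_resource(client_manifest, api_manifest["appId"]):
        client_manifest.setdefault("requiredResourceAccess", []).append(
            build_required_resource_access(api_manifest, scope_value)
        )
    return client_manifest


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(payload):
    """Constructed, unsigned test token (alg none); only used to exercise the aud check."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def token_audience_matches(access_token, expected_resource):
    """Decode the JWT payload (no signature check) and compare aud with the
    resource that was requested. A token whose aud is not the API's identifier
    is rejected by App Service authentication, so catch that before the call."""
    parts = access_token.split(".")
    if len(parts) != 3:
        return False
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, json.JSONDecodeError):
        return False
    aud = payload.get("aud")
    if not isinstance(aud, str):
        return False
    return aud.rstrip("/") == expected_resource.rstrip("/")


if __name__ == "__main__":
    # Print the client manifest fragment you would paste into the portal's manifest editor.
    merged = add_required_resource(dict(CLIENT_APP_MANIFEST, requiredResourceAccess=[]),
                                   API_APP_MANIFEST)
    print(json.dumps(merged["requiredResourceAccess"], indent=2))
```

Running the script prints the requiredResourceAccess array to paste into the client registration's manifest; in the ADAL call from the answer, the `resource` string must equal one of the API app's identifierUris so that the resulting token's aud passes `token_audience_matches`.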

Source: https://habr.com/ru/post/1498548/