Programming with Azure Active Directory
2 likes468 views
The document provides a comprehensive overview of Azure Active Directory (Azure AD), covering its functionalities such as app registration, authentication flows, and managing permissions. It highlights the differences between single-tenant and multi-tenant applications, detailed authentication scenarios, and the use of tokens in application interactions with secured APIs. Additionally, it introduces the new Azure AD v2 endpoint and its features, along with valuable resources for further learning and troubleshooting.
![INSPECTING TOKENS
• JSON Web Tokens are base 64-encoded (use e.g. https://jwt.ms)
• Contain a set of claims
{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/c5e5d73b-e74c-48b3-a1ad-b0af0cf7f751/",
"iat": 1519065056,
"nbf": 1519065056,
"exp": 1519068956,
"acr": "1",
"aio": "Y2NgYGC+ti31U9grU6mW",
"amr": [
"pwd"
],
"app_displayname": "AspNetCoreAadDemo",
"appid": "6f934905-6567-44c4-a599-b780a555a98f",
"appidacr": "1",
"e_exp": 262800,
"family_name": "Westlin",
"given_name": "Joonas",
"ipaddr": "XXX.XXX.XXX.XXX",
"name": "Joonas Westlin",
"oid": "73c38a25-23eb-44eb-bf63-4aa987b2ef19",
"platf": "3",
"puid": "1003000098",
"scp": "User.Read",
"sub": "xLaF0g0DPYcmtpPN1bt9xQ7NdBjNuF",
"tid": "c5e5d73b-e74c-48b3-a1ad-b0af0cf7f751",
"unique_name": "joonas@joonasw.net",
"upn": "joonas@joonasw.net",
"uti": "w6-48cSPn0imual9sNkxAA",
"ver": "1.0"
}
{
"aud": "6f934905-6567-44c4-a599-b780a555a98f",
"iss": "https://sts.windows.net/c5e5d73b-e74c-48b3-a1ad-b0af0cf7f751/",
"iat": 1519065056,
"nbf": 1519065056,
"exp": 1519068956,
"aio": "Y2NgYHjk9XOd1TGlgF1ZlZsVGc",
"amr": [
"pwd"
],
"family_name": "Westlin",
"given_name": "Joonas",
"ipaddr": "XXX.XXX.XXX.XXX",
"name": "Joonas Westlin",
"nonce": "636546621256195592.OWV",
"oid": "73c38a25-23eb-44eb-bf63-4aa987b2ef19",
"sub": "mHgciVvkOrE6YD-LgHul4oGZuWV5owJ4",
"tid": "c5e5d73b-e74c-48b3-a1ad-b0af0cf7f751",
"unique_name": "joonas@joonasw.net",
"upn": "joonas@joonasw.net",
"uti": "w6-48cSPn0imual9sNkxAA",
"ver": "1.0"
}](https://image.slidesharecdn.com/faug8programmingaad-180315185554/85/Programming-with-Azure-Active-Directory-17-320.jpg)
Programming with Azure Active Directory
- 1. PROGRAMMING WITH AZURE AD JOONAS WESTLIN
- 2. STANDARD SPEAKER INTRO • Joonas Westlin • Azure Developer at Kompozure • Azure MVP, MCSD, MCSE • Active on Stack Overflow o Currently #4 All-time for Azure AD @JoonasWestlin joonasw.net
- 3. STANDARD AGENDA SLIDE • Intro to Azure Active Directory o How we can manage a directory • Registering apps o Important settings • Authentication flows o Different ways to authenticate users and get tokens to call secured APIs • Demo, back-end Web app calling MS Graph API
- 4. AZURE ACTIVE DIRECTORY • “Azure Active Directory (Azure AD) is a cloud identity service that allows developers to securely sign in users with a Microsoft work or school account.” • The login system underneath Office 365 and Azure • Global, multi-tenant, identity and access management service • Single Sign-On for cloud services • If you have ever signed in to O365 or Azure, you have used Azure AD • Quite different from on-premises Windows Server AD https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-developers-guide
- 5. MANAGING AAD • Can use portal.azure.com • Find Azure Active Directory from the left or from under All services • Pro-tip: Use https://aad.portal.azure.com • PowerShell: https://docs.microsoft.com/en- us/powershell/azure/active- directory/install-adv2?view=azureadps- 2.0 • AAD Graph Explorer: https://graphexplorer.azurewebsites.net/
- 6. AZURE AD “TENANTS” • Tenant = One Azure AD “instance” • Container for users, their passwords, groups etc. • An organization typically has one tenant • You already have one if you use Azure or Office 365 • You can create more tenants from the Azure Portal https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-howto-tenant
- 7. REGISTERING APPS • Registering an app you are developing can be done from App registrations • Name: display name for the app • Sign-on URL: the URL given to users in https://myapps.microsoft.com • Name and Sign-on URL can be changed later • Application type: next slide https://docs.microsoft.com/en-us/azure/active- directory/develop/active-directory-integrating-applications
- 8. APPLICATION TYPES • The Portal options are a bit confusing • Web app / API = App which can keep a secret o Runs on device you control o APIs, back-end Web apps, Azure Web Jobs • Native = App which cannot keep a secret o Runs on user’s device o SPA, Mobile, any app installed on user’s device • Correspond to publicClient property on Application o Public client = Native https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory- authentication-scenarios#application-types-and-scenarios
- 9. APPLICATIONS & SERVICE PRINCIPALS • An Application object is created when you register an app • It then gets an identity in the directory in the form of a Service Principal • Multi-tenant apps get a Service Principal in every directory they are integrated in o Application stays in original tenant • Enterprise Applications = Service Principals in portal https://docs.microsoft.com/en-us/azure/active- directory/develop/active-directory-application-objects
- 10. SINGLE-TENANT VS MULTI-TENANT • Set in application’s Properties • A single-tenant app can only be used by one organization o Line-of-business apps • A multi-tenant app can be used by any organization o SaaS apps Overview for MT: https://docs.microsoft.com/en-us/azure/active-directory/develop/active- directory-devhowto-multi-tenant-overview MT sample: https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet- webapp-multitenant-openidconnect/
- 11. REPLY URLS • Set of URLs to which Azure AD can redirect the user back to after logging in • The redirect can contain user’s personal info in a token, reason why this exists
- 12. APPLICATION KEYS • Non-Native apps can have keys • Either client secrets or public keys from key pairs • Used by the app to authenticate itself • NEVER PUT CLIENT SECRETS IN CODE THAT RUNS ON USER DEVICE
- 13. PERMISSIONS & GRANTING THEM • An Application can require permission on APIs • Two types o Application: Org-wide access for the app o Delegated: Access as a single user • Required permissions must also be granted o User can consent when logging in o Grant Permissions grants for whole org o One of the biggest causes for problems people have is permissions are not granted https://joonasw.net/view/the-grant-requires-admin-permission
- 14. THE APP MANIFEST • Found via the Manifest button • JSON representation of the Application object • Can edit in Portal • Advanced scenarios o Scopes for APIs and roles for users in apps https://docs.microsoft.com/en-us/azure/active- directory/develop/active-directory-application- manifest https://joonasw.net/view/defining-permissions-and- roles-in-aad
- 15. AUTHENTICATION FLOWS • An app usually needs to do one or both of: o Authenticate user o Call Azure AD protected API(s) • Various flows exist for this purpose for different scenarios and application types • The examples I give here apply to OpenID Connect and OAuth o Protocols commonly used by modern apps • Libraries are available for major platforms that help with implementation o ADAL (.NET, Java, JavaScript, iOS, macOS, Android, Node.JS, Python) • Azure AD supports WS-Federation and SAML too https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios
- 16. TOKENS • Tokens in OIDC and OAuth are JSON Web Tokens (JWTs) • Id token contains info about a user o Can be gotten after user signs in • Access token is used by an app to call a protected API o Can contain user info if acquired with user context • When getting access token, the resource parameter specifies which API you want to use o MS Graph API: https://graph.microsoft.com o Your APIs: Properties -> App ID URI https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and- claims
- 17. INSPECTING TOKENS • JSON Web Tokens are base 64-encoded (use e.g. https://jwt.ms) • Contain a set of claims { "aud": "https://graph.microsoft.com", "iss": "https://sts.windows.net/c5e5d73b-e74c-48b3-a1ad-b0af0cf7f751/", "iat": 1519065056, "nbf": 1519065056, "exp": 1519068956, "acr": "1", "aio": "Y2NgYGC+ti31U9grU6mW", "amr": [ "pwd" ], "app_displayname": "AspNetCoreAadDemo", "appid": "6f934905-6567-44c4-a599-b780a555a98f", "appidacr": "1", "e_exp": 262800, "family_name": "Westlin", "given_name": "Joonas", "ipaddr": "XXX.XXX.XXX.XXX", "name": "Joonas Westlin", "oid": "73c38a25-23eb-44eb-bf63-4aa987b2ef19", "platf": "3", "puid": "1003000098", "scp": "User.Read", "sub": "xLaF0g0DPYcmtpPN1bt9xQ7NdBjNuF", "tid": "c5e5d73b-e74c-48b3-a1ad-b0af0cf7f751", "unique_name": "[email protected]", "upn": "[email protected]", "uti": "w6-48cSPn0imual9sNkxAA", "ver": "1.0" } { "aud": "6f934905-6567-44c4-a599-b780a555a98f", "iss": "https://sts.windows.net/c5e5d73b-e74c-48b3-a1ad-b0af0cf7f751/", "iat": 1519065056, "nbf": 1519065056, "exp": 1519068956, "aio": "Y2NgYHjk9XOd1TGlgF1ZlZsVGc", "amr": [ "pwd" ], "family_name": "Westlin", "given_name": "Joonas", "ipaddr": "XXX.XXX.XXX.XXX", "name": "Joonas Westlin", "nonce": "636546621256195592.OWV", "oid": "73c38a25-23eb-44eb-bf63-4aa987b2ef19", "sub": "mHgciVvkOrE6YD-LgHul4oGZuWV5owJ4", "tid": "c5e5d73b-e74c-48b3-a1ad-b0af0cf7f751", "unique_name": "[email protected]", "upn": "[email protected]", "uti": "w6-48cSPn0imual9sNkxAA", "ver": "1.0" }
- 18. AUTHORIZATION CODE FLOW • Used mainly by back-end Web apps • App redirects user to Azure AD login page • After user logs in, your app gets back an authorization code • The app back-end can exchange the code + its client id and secret for an Id token, access token, and a refresh token o Refresh token used to get new access tokens • So it requires a little OpenID Connect dance ☺ • App will use delegated permissions in this case https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid- connect-code
- 19. AUTHORIZATION CODE FLOW PT.1 https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid- connect-code User + browser App back-end /oauth2/authorize Clicks Sign In 302 redirect Client id + reply URL Navigate Client id + reply URL Login Form POST to reply URL Authorization code
- 20. AUTHORIZATION CODE FLOW PT.2 https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid- connect-code User + browser App back-end /oauth2/token Establish session Session cookie HTTP POST Authorization code, client id, client secret, resource Access token, refresh token, id token
- 22. CLIENT CREDENTIALS https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth- service-to-service App /oauth2/token HTTP POST Client id, client secret, resource Access token
- 23. CLIENT CREDENTIALS • Authentication for scripts, Azure Web Jobs etc. • App sends client id and client secret to token endpoint • Receives access token • Application Permissions used https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth- service-to-service
- 24. OTHERS • Implicit o Single Page Apps: https://docs.microsoft.com/en-us/azure/active- directory/develop/active-directory-authentication-scenarios#single-page- application-spa • Device code o For text-only clients: https://joonasw.net/view/device-code-flow • On-behalf-of o Calling an API from another API as the user: https://joonasw.net/view/azure-ad-on-behalf-of-aspnet-core • Resource Owner Password Credentials Grant o Don’t. https://www.scottbrady91.com/OAuth/Why-the-Resource-Owner- Password-Credentials-Grant-Type-is-not-Authentication-nor-Suitable-for- Modern-Applications o There are use cases for it, but you should avoid it if possible
- 26. AZURE AD V2? • New ”converged” endpoint for authentication • Some new capabilities • Azure AD or personal MS accounts can be used • MS Graph API allows calling with either for some endpoints (e.g. Mail and Calendar) https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-appmodel-v2- overview
- 27. V2: MAIN DIFFERENCES FROM V1 • New portal! https://apps.dev.microsoft.com/ o Login with MSA -> Apps created *somewhere* o Login with AAD -> Apps created in user home tenant • Personal MS accounts allowed • Native + Web App + Web API under same application identity • All apps are multi-tenant https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-compare
- 28. V2: SCOPES • In v1, you would ask for a token with: o resource=https://graph.microsoft.com o Requires you to specify which permissions you need ahead of time o User has to accept all of them • Now you can ask for a token with: o scope=https://graph.microsoft.com/User.Read o This is actually standards-compliant now
- 29. V2: INCREMENTAL CONSENT • Your app can, at any time ask for another scope • Don’t have to mention needed scopes at all when defining app • Users can opt-in to features of the app • No need to ask for consent for everything https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2- compare#incremental-and-dynamic-consent
- 30. V2: MSAL • With v1, you would use Azure AD Authentication Library (ADAL) • Microsoft Authentication Library replaces ADAL in v2 • API is a bit different • .NET, JS, and Android versions are in ”production-ready preview” https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
- 31. SUMMARY • Azure AD and identity in general are hard topics • My suggestion: Practice, practice, and digging through examples • Loads of sample apps on GitHub • The apps that Visual Studio generates are pretty good samples too • If you have trouble, ask on Stack Overflow ;)
- 32. SOME THINGS NOT COVERED • Azure AD B2C: https://docs.microsoft.com/en-us/azure/active-directory- b2c/ • New v2 endpoint: https://docs.microsoft.com/en-us/azure/active- directory/develop/active-directory-appmodel-v2-overview • IT Pro topics o Multi-Factor Authentication: https://docs.microsoft.com/en- us/azure/multi-factor-authentication/multi-factor-authentication o On-prem sync with AAD Connect: https://docs.microsoft.com/en- us/azure/active-directory/connect/active-directory-aadconnect • Pricing: https://azure.microsoft.com/en-us/pricing/details/active-directory/ o Spoiler: basic stuff can be done for free
- 33. LINKS • Documentation: https://docs.microsoft.com/en-us/azure/active- directory/active-directory-whatis • Developer guide: https://docs.microsoft.com/en-us/azure/active- directory/develop/active-directory-developers-guide • Samples: https://docs.microsoft.com/en-us/azure/active- directory/develop/active-directory-code-samples • MS Graph API: https://developer.microsoft.com/en- us/graph/docs/concepts/overview • My posts on AAD: https://joonasw.net/tag/azure-ad