https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens
https://learn.microsoft.com/en-us/dotnet/api/overview/azure/service-to-service-authentication
There are 2 services:
Service1 sends a request to Service2. Service1 acquires a token based on (see appsettings.json):
Resource - a resource in Azure AD. It can be the exposed API of any registered application in Azure AD.
TenantId - Azure AD tenant Id.
ClientId - ClientId of the registered app in Azure AD that you will use to acquire the token.
ClientSecret - client secret of the registered app in Azure AD that you will use to acquire the token.
The registered application that contains ClientId and ClientSecret and the other registered application that contains the exposed API (see Resource) should be in the same Azure AD tenant.
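As an added example (not the sample project's own code), this is how Service1 can acquire that token with the client credentials flow using MSAL.NET (NuGet package Microsoft.Identity.Client) and attach it to the call to Service2. The configuration keys Resource, TenantId, ClientId and ClientSecret are the ones listed above; the "AzureAd" section name, the Service2Client class and the "/api/data" path are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Extensions.Configuration;
using Microsoft.Identity.Client;

// Service1 side: obtains an app-only token for the Resource and calls Service2 with it.
public sealed class Service2Client
{
    private readonly IConfidentialClientApplication _app;
    private readonly string[] _scopes;
    private readonly HttpClient _http;

    public Service2Client(IConfiguration config, HttpClient http)
    {
        var section = config.GetSection("AzureAd");      // assumed section name in appsettings.json
        string tenantId = section["TenantId"];
        string clientId = section["ClientId"];
        string clientSecret = section["ClientSecret"];   // keep this out of source control (user secrets / Key Vault)
        string resource = section["Resource"];           // Application ID URI of the app that exposes the API, e.g. api://<guid>

        // Client credentials flow: Service1 authenticates as its own service principal.
        // There is no user involved, so no refresh token; MSAL caches the access token until it expires.
        _app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();

        // With the v2 endpoint a resource is requested as "<Application ID URI>/.default",
        // which asks for every application permission granted to this client on that resource.
        _scopes = new[] { $"{resource.TrimEnd('/')}/.default" };
        _http = http;
    }

    public async Task<string> CallAsync(string relativeUrl = "/api/data")
    {
        AuthenticationResult result = await _app.AcquireTokenForClient(_scopes).ExecuteAsync();

        using var request = new HttpRequestMessage(HttpMethod.Get, relativeUrl);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);

        using HttpResponseMessage response = await _http.SendAsync(request);
        // 401 means AddJwtBearer on Service2 rejected the token (wrong aud/iss/signature/expiry);
        // 403 means the token was accepted but the "groups" authorization check failed.
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}
```

The token is acquired per call but served from MSAL's in-memory cache until shortly before expiry, so Service1 does not hit Azure AD on every request.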
Service2 should:
- receive a request from Service1
- authenticate the request (validate the token; configured with the AddJwtBearer method)
- authorize the token (an IAuthorizationHandler checks the "groups" claim)
We use:
Audience - the ClientId of the registered application with the exposed API. This exposed API is what we used in the Resource configuration of Service1.
TenantId - Azure AD tenant Id.
You can re-check your auth settings in the following way:
Catch the AccessToken sent from Service1 (you can use debugging in the IDE for this purpose). Paste the AccessToken into https://jwt.io/.
ValidAudience should be equal to "aud".
ValidIssuer should be equal to "iss".
Depending on the Supported account types of the registration, "iss" differs:
Accounts in any organizational directory (Any Azure AD directory - Multitenant)
iss: https://sts.windows.net/88b28885-115e-4d82-b554-b8785399306e/
Accounts in this organizational directory only (Default Directory only - Single tenant)
iss: https://sts.windows.net/88b28885-115e-4d82-b554-b8785399306e/
Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
iss: https://login.microsoftonline.com/88b28885-115e-4d82-b554-b8785399306e/v2.0
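The following is an added example (not the sample project's own code) of the Service2 side: the AddJwtBearer configuration that pins "aud" and "iss" to the values discussed above, plus the IAuthorizationHandler that checks the "groups" claim. It accepts both issuer formats shown above, derived from the configured TenantId, so the check works whichever Supported account types the registration uses. Audience and TenantId are the keys described above; the "AzureAd" section name, the AllowedGroupId key, the policy name "Service1Only" and the "/api/data" endpoint are assumptions.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Service2 side (Program.cs, top-level statements).
var builder = WebApplication.CreateBuilder(args);
var azureAd = builder.Configuration.GetSection("AzureAd");   // assumed section name
string tenantId = azureAd["TenantId"];
string audience = azureAd["Audience"];                 // ClientId of the app registration that exposes the API
string allowedGroupId = azureAd["AllowedGroupId"];     // object id of the Azure AD group (assumed key)

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Authority lets the handler fetch the tenant's OpenID Connect metadata and signing keys,
        // so the token signature is verified against Azure AD's current keys (same keys for v1 and v2 tokens).
        options.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            // Both issuer formats listed above, pinned to *our* tenant id. A token minted by another
            // tenant has a different guid in "iss" and is rejected even though its signature is valid.
            ValidIssuers = new[]
            {
                $"https://sts.windows.net/{tenantId}/",
                $"https://login.microsoftonline.com/{tenantId}/v2.0",
            },
            ValidateAudience = true,
            // "aud" is the ClientId, as the text above states; the api://<ClientId> form is also accepted
            // because Azure AD puts the Application ID URI into "aud" for v1-style access tokens.
            ValidAudiences = new[] { audience, $"api://{audience}" },
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };
    });

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("Service1Only", policy => policy.AddRequirements(new GroupRequirement(allowedGroupId)));
});
builder.Services.AddSingleton<IAuthorizationHandler, GroupRequirementHandler>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/api/data", () => "hello from Service2").RequireAuthorization("Service1Only");
app.Run();

// Requirement: the caller's service principal must be a member of one specific Azure AD group.
public sealed class GroupRequirement : IAuthorizationRequirement
{
    public string GroupId { get; }
    public GroupRequirement(string groupId) => GroupId = groupId;
}

// Handler: Azure AD emits one "groups" claim per group object id, but only after the groups claim
// is enabled in Token configuration of the app registration used as Resource/Audience (see below).
public sealed class GroupRequirementHandler : AuthorizationHandler<GroupRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, GroupRequirement requirement)
    {
        bool isMember = context.User
            .FindAll("groups")
            .Any(c => string.Equals(c.Value, requirement.GroupId, StringComparison.OrdinalIgnoreCase));

        if (isMember)
            context.Succeed(requirement);   // otherwise the requirement stays unmet and the request gets 403

        return Task.CompletedTask;
    }
}
```

If the "groups" claim is missing from a token that otherwise validates, the request fails with 403 rather than 401; that is the symptom of the groups claim being enabled on the wrong app registration, which the warning below describes.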
Register a new application in Azure AD for Service1
Add "New client secret" in the section "Certificates & secrets"
- to have the value that will be specified as Resource in Service1 (the "Exposed API" name will be used) and as Audience in Service2 (ClientId)
Expose an API -> Application ID URI -> Set
- We need to add the "groups" claim
Interservice.Communication.Resource -> Token configuration -> Add groups claim
⚠️ Please pay attention: logically it seems we have to add the groups claim for Interservice.Communication.Service1, but that doesn't work. In fact we need to add the token claim to the registered app that we use for the "Resource" (Audience) parameter in config.
Create an Azure AD group. Add this service, Interservice.Communication.Service1 (specifically its service principal), to the new group. This group ID will be checked on Service2.