dotnet-school/dotnet-oauth-aad

OAuth with Azure Active Directory

Sources:

• Code- https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/2-Call-OwnApi
• Doc - https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-overview

Objective

• Setup two services on local machine
  • DemoAuthServer
  • DemoAuthClientService
• Configure AAD to implement following workflow to enable authorizatoin and authentication in DemoAuthServer

Summary

• Choose a Tenant

  We use the default organization for user account

  Domain: "nishantsingh87gmailcom.onmicrosoft.com", TenantId: "345cb91a-f138-4ce4-90e0-c3902a912866"

• App registration for server

  Define identity of a service/app and get created client-id (aka application-id)

  Application (client) ID : 91af0621-857a-4cda-bf0e-76e9ad9ecb88

  Directory (tenant) ID: 345cb91a-f138-4ce4-90e0-c3902a912866

  Object ID :6fabe4c3-e574-4bc4-9c20-5fdb39bd99ac

  ApplicatoinID URI: api://91af0621-857a-4cda-bf0e-76e9ad9ecb88

• Create a role for server to use for Role Based Access Control (RBAC)

  Create a role that can be accesses by applicatoin only (we won't use user roles for now).

  We will assign access control to roles and then assign these roles to individual services.

  allowedMemberTypes : ["Application"]

  description : "Daemon apps in this role can consume the web api." displayName : "DaemonAppRole"

  origin: "Application"

  value: "DaemonAppRole"

• App registration for client

  Display name:DemoAuthClientService

  Application (client) ID: a4d814ba-6d10-4b3e-97cc-95ec47d62f3f

  Directory (tenant) ID: 345cb91a-f138-4ce4-90e0-c3902a912866

  Object ID: 9ad88898-3dcb-4f09-88a9-0217d168d93e

• Setup Api Permissions in client

  This allows client to request for Oauth token with role created earlier.

  After adding permission to DemoAuthServer role created earlier, click on Grant admin consent.

  The Azure admin has to explicitly approve this permission. i.e. app can only request a permission in outh token if admin has consented for it.

• Add configuration in code for server

  Update app settings with azure config

  Instance: "https://login.microsoftonline.com/",

  ClientId: "91af0621-857a-4cda-bf0e-76e9ad9ecb88", Domain: "nishantsingh87gmailcom.onmicrosoft.com", TenantId: "345cb91a-f138-4ce4-90e0-c3902a912866"

• Add configuration in code for client service