juunas11/aspnetcore2aadauth

How can AppX call AppY without using the logged-in user's info?

Closed this issue · 1 comments

Hi!

I have an application X that needs to get info from application Y.

I currently have this working, but to ensure that user permissions get updated when I change what the application calls, I have the following code:

        // Forces the consent screen on every sign-in so newly added permissions are granted.
        private Task OnRedirectToIdentityProvider(RedirectContext context)
        {
            context.ProtocolMessage.Prompt = "consent";
            return Task.FromResult(0);
        }

The problem with this is after 24 hours of inactivity or a closed browser it always asks.

I've followed examples for setting up NaiveSessionCaches and I can successfully call the APIs to get data, but the extra clicks are frustrating to the user. Do you know how to set up a service principal that acts on a web application's behalf to call another AAD application in the same tenant, or how I can achieve a way of calling the other application on behalf of the main web app, without using the currently logged-in user's credentials?

Example auth code I have now:

        private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
        {
            // Acquire a token for the Graph API and cache it using ADAL. In the TodoListController,
            // we'll use the cache to acquire a token to the Todo List API.
            var userObjectId = (context.Ticket.Principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
            var credential = new ClientCredential(ClientID, ClientSecret);
            // The cache is keyed by the signed-in user's object id and lives in the session.
            var authenticationContext = new AuthenticationContext(Authority, new NaiveSessionCache(userObjectId, context.HttpContext.Session));
            var authenticationResult = await authenticationContext.AcquireTokenByAuthorizationCodeAsync(
                context.ProtocolMessage.Code,
                new Uri(context.Properties.Items[OpenIdConnectDefaults.RedirectUriForCodePropertiesKey]),
                credential,
                GraphResourceID);

            // Notify the OIDC middleware that we already took care of code redemption.
            context.HandleCodeRedemption();
        }

If you have any questions please let me know.

Thanks!

Yeah, well that is what the client credentials grant flow is for. There are two ways to call APIs protected by Azure AD: Delegated and App-only. Delegated = with user + app identity, App-only = app calls as itself.

My answer on SO might help you: https://stackoverflow.com/a/47210307/1658906

So you define an app permission on app Y, and then grant that permission (app role) on app X's service principal.

Then your app X can get access tokens for app Y with its client id and secret, with no user present.

Please do ask if you have further questions :)
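Worked example of the app-only flow described in the answer above, written for this thread and not taken from the repository or either participant. App X redeems its own client id and secret for an access token to app Y with ADAL's client credentials overload (`AcquireTokenAsync(resource, ClientCredential)`, the same library the issue's code uses) and calls app Y's API with it; app Y then requires the app role in the token's `roles` claim. The authority, client id, secret, app Y's App ID URI, base URL and the role name `Data.Read.All` are placeholders to replace with your tenant's values.

```csharp
// Added example, not code from juunas11/aspnetcore2aadauth or from the issue.
// Assumed placeholders: Authority, AppXClientId, AppXClientSecret,
// AppYResourceId (app Y's App ID URI), AppYApiBaseUrl and the role "Data.Read.All".
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// ---- App X: calls app Y as itself (client credentials grant, no signed-in user) ----
public class AppYClient
{
    // Tenant-specific v1 authority used by ADAL.
    private const string Authority = "https://login.microsoftonline.com/{tenant-id}";
    private const string AppXClientId = "{app-x-client-id}";
    private const string AppXClientSecret = "{app-x-client-secret}";
    // The resource we ask a token for: app Y's App ID URI (or its application id).
    private const string AppYResourceId = "https://{tenant}.onmicrosoft.com/app-y";
    private const string AppYApiBaseUrl = "https://app-y.example.invalid/";

    private static readonly HttpClient Http =
        new HttpClient { BaseAddress = new Uri(AppYApiBaseUrl) };

    // One AuthenticationContext per process: ADAL's default in-memory cache hands the
    // same token back until it is close to expiry, so no per-user session cache is needed.
    private static readonly AuthenticationContext AuthContext =
        new AuthenticationContext(Authority);

    public async Task<string> GetDataAsync(string relativePath)
    {
        var credential = new ClientCredential(AppXClientId, AppXClientSecret);

        // Client credentials grant: the token represents app X alone. Its "roles" claim
        // lists the app permissions that were granted on app X's service principal.
        AuthenticationResult result =
            await AuthContext.AcquireTokenAsync(AppYResourceId, credential);

        var request = new HttpRequestMessage(HttpMethod.Get, relativePath);
        request.Headers.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);

        HttpResponseMessage response = await Http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}

// ---- App Y: ASP.NET Core API protected with JWT bearer auth for app Y's audience ----
// The JWT bearer handler maps the token's "roles" claim to ClaimTypes.Role, so the app
// role defined on app Y can be required with the standard Roles check. Signature and
// audience validation alone only prove the token was issued for app Y; requiring the
// role is what proves the caller was actually granted this permission.
[ApiController]
[Route("api/data")]
[Authorize(Roles = "Data.Read.All")]
public class DataController : ControllerBase
{
    [HttpGet]
    public IActionResult Get()
    {
        // The caller is app X; there is no user identity in the token.
        var appId = User.FindFirst("appid")?.Value;
        return Ok(new { caller = appId, items = new[] { "alpha", "beta" } });
    }
}
```

With this in place the `Prompt = "consent"` handler and the per-user `NaiveSessionCache` from the question are not involved at all: the token for app Y never depends on a browser session, so there is nothing for a user to re-consent to after 24 hours or a closed browser. Keep the client secret outside source control (configuration or a secret store), and make sure app Y enforces the role claim, since an app-only token without the granted role still passes signature and audience validation.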