Headless-Daemon calling AAD secured API

In AAD series of articles, we will see how to call the AAD protected secure API from a headless (or) console application and its authentication flows and scenarios.

 In the previous article, we have seen how to register an app in aad. I recommend you to read to get familiar with the app registration concept.

How to call the AAD protected secure API from a headless (or) console application

For these types of non-interactive clients, we can use 2 types of authentication flows for different scenarios.

    - client_credentials_grant
   - username/password

 The above grant types allow clients to authenticate silently without any user interaction.

oAuth 2.0 client_credentials_grant

Authentication is done based on the valid "Client Secret" used, so this is available only for the "WebApp Type" app registrations. and copy the below information from the respective app registration for later use.

     - ClientID: Client App's AplicationID.
     - ClientSecret: Client App's "Secret key".
     - ResourceID: Consuming endpoint Application Url.

Username/Password

Authentication is done based on user credentials, usually, this option is used for "auth_code_grant" where users will have to enter their credential in an AAD signIn popup in the iFrame scenario. But we can also use it for username/password authentication types.      
     - ClientID: Native Client ApplicationID.

where to find this information? 

log in to https://portal.azure.com 

 In this article "CogntiveAPIWebDeamonClients" is my Client app registration for headless-daemon which is counter-intuitive. we need to register the client "WebApp Type" to use the "client_credentials_grant" it uses the secret key to authentication.

In this article "NativeCognitiveHeadlessClientsis also my Client app registration for headless-daemon and register as a "Native Type" application.

In this article "CognitiveAPI" is my custom secure API service endpoint and this is where I can get my ResourceID (i.e. App ID URI).


Check here for detailed registration steps

The code

Create a new Console application and install this NuGet package "Microsoft.IdentityModel.Clients"
Use the copied values as appropriate, to create the following web.config entries
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<appSettings>
<!--client_code_grant: Authentication scenario-->
<add key="ida:ClientId" value="c3c3e437-9852-4408-b85b-fba1437d0380" />
<add key="ida:ClientSecret" value="NkxCsNf143QJ+LOhW3Sy/5kZQZAK2F0ChxlThFO/FA=" />
<!--non-interactive: With username/password Authentication scenario-->
<add key="ida:NativeClientId" value="d9071b1b-87c2-4a47-84b9-faf1432d0293" />
<add key="ida:UserName" value="rathanavel@rathanavellive.onmicrosoft.com" />
<add key="ida:Password" value="*******" />
<!--Common_AAD_Keys-->
<add key="ida:Tenant" value="rathanavellive.onmicrosoft.com" />
<add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />
<add key="ida:ServiceResourceId" value="https://rathanavellive.onmicrosoft.com/CogntiveAPI" />
<add key="endpoint:ServiceBaseAddress" value="http://ratsubcognitiveapi.azurewebsites.net/" />
</appSettings>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6" />
</startup>
</configuration>
view raw headless-daemon-console-app.config hosted with ❀ by GitHub
"client_credentials" authenticationClientCredential clientCredential = new ClientCredential(clientId, clientSecret);
Username/Password authentication
UserCredential userCredential = new UserCredential(userName, password);
UserCredential userCredential = new UserCredential();
//Use without parameter if the client runs on same domain in secure environment.

//App Client ID & Secret
private readonly static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
private readonly static string clientSecret = ConfigurationManager.AppSettings["ida:ClientSecret"];
//App Native Client ID
private readonly static string NativeClientId = ConfigurationManager.AppSettings["ida:NativeClientId"];
private readonly static string NativeServicesBaseAddress = ConfigurationManager.AppSettings["ida:NativeServicesBaseAddress"];
//Azure ActiveDirectory details
private readonly static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
private readonly static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
//Source service endpoint
private readonly static string serviceResourceId = ConfigurationManager.AppSettings["ida:ServiceResourceId"];
private readonly static string serviceBaseAddress = ConfigurationManager.AppSettings["endpoint:ServiceBaseAddress"];
//Token Issuer authority
private static readonly string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
//Global Variables
private static AuthenticationContext authContext = new AuthenticationContext(authority);
private static ClientCredential clientCredential = new ClientCredential(clientId, clientSecret);
private static AuthenticationResult authResult = null;
static void Main(string[] args)
{
int retryCount = 0;
bool retry = false;
do
{
retry = false;
try
{
#region Using Client Credentials
//synchronous way to aquire token.
authResult = authContext.AcquireToken(serviceResourceId, clientCredential);
//asynchronous way to aquire token.
//Authenticate(serviceResourceId, clientCredential).Wait();
#endregion
#region Using User Credentials
//Provide different username/password to run this application from same/any Network (or) domain.
var userName = ConfigurationManager.AppSettings["ida:UserName"];
var password = ConfigurationManager.AppSettings["ida:Password"];
UserCredential userCredential = new UserCredential(userName, password);
//Use this to run under current LoggedIn user identity, This works for scenario where Desktop/Laptop/VM in connected to same the same domain.
//UserCredential userCredential = new UserCredential();
authResult = authContext.AcquireToken(serviceResourceId, NativeClientId, userCredential);
#endregion
}
catch (AdalException ex)
{
if (ex.ErrorCode == "temporarily_unavailable")
{
Console.WriteLine(ex.ErrorCode + Environment.NewLine + ex.Message);
retry = true;
}
else
{
retry = true;
Console.WriteLine(ex.ErrorCode + Environment.NewLine + ex.Message);
}
Console.WriteLine(string.Format("Retrying ({0}) of 3 attempt(s)", (retryCount + 1).ToString()));
retryCount++;
Thread.Sleep(3000);
}
catch (Exception x)
{
Console.WriteLine(x.Message);
Console.ReadLine();
return;
}
} while ((retry == true) && (retryCount < 3));
if (authResult == null)
{
Console.WriteLine("Cancelling attempt ..");
Thread.Sleep(2000);
return;
}
Console.WriteLine("Authenticated succesfully.." + Environment.NewLine + "Accessing Enpoint.." + Environment.NewLine);
AccessEnpoint(authResult, "api/videos").Wait();
AccessEnpoint(authResult, "api/video/1").Wait();
AccessEnpoint(authResult, "api/video/1/frames").Wait();
Console.ForegroundColor = ConsoleColor.Green;
Console.Write("Completed!");
Console.ReadLine();
return;
}
/// <summary>
/// Helper method to acquire authentication result in async way.
/// </summary>
/// <param name="resource">Resource id</param>
/// <param name="cred">Credentials</param>
/// <returns></returns>
private static async Task Authenticate(string resource, ClientCredential cred)
{
authResult = await authContext.AcquireTokenAsync(serviceResourceId, clientCredential);
}
view raw headless-daemon-authentication-flow-for-bearer-token.cs hosted with ❀ by GitHub
Finally, use the Bearer token from the AuthenticationResult object to access common secure endpoint
/// <summary>
/// Access secure enpoint using authenticated context Bearer token.
/// </summary>
/// <param name="authResult">AuthenticationResult: Authenticated token object</param>
/// <param name="enpoint">Resource enpoint</param>
/// <returns></returns>
private static async Task AccessEnpoint(AuthenticationResult authResult, string enpoint)
{
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
HttpResponseMessage response = await httpClient.GetAsync(serviceBaseAddress + enpoint);
if (response.IsSuccessStatusCode)
{
string output = await response.Content.ReadAsStringAsync();
Console.WriteLine(output);
}
else
{
if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("Access Denied!");
authContext.TokenCache.Clear();
}
else
{
Console.WriteLine(response.ReasonPhrase);
}
}
Console.WriteLine(Environment.NewLine + "*******" + Environment.NewLine);
}
view raw access-secure-endpoint-using-bearer-token.cs hosted with ❀ by GitHub

Some key points to remember:-
  1. Anyone(or) any authenticated application knows you "Client ID & Secret" can access your API. It's API's responsibility to ensure the current request came from the legitimate client based on ClaimsPrincipal alternatively you can also define custom "Roles" (i.e. Application Permission) & "Scope" (i.e. Delegated Permission) for your API while registering the app in AAD. - How to do this? This will see in the upcoming article.
    • Question is as an Azure Admin how to securely share the "Client ID & Secret" to an external ISV or any developer: I could think of 2 options
    • If you are creating and hosting it has an Azure App Service as a WebJob, then you create an "Application Setting" and share that key to your the developer.
    • Use Azure Key Vault to store and access the key securely, It also provides various security controls/policy/IP range etc.. to expose and access this key.
  2. If you choose to authenticate using "Native" registration type (Username/Password). then the client is on a trusted sub-system (i.e. Desktop/Server/VM/Laptop) where the client runs in the same domain. But you can still run this client from any domain if you know the username/password and update them in app.config. But still, request legitimate check like "Roles" are in API side only.
Hope I have covered all the nuances of non-interactive AAD authentication. in the next article will see how to use in Windows-Native-App calling secure WebAPI. Catch you all there!

-Ratsub

Comments

Post a Comment

Enter your comments..

Popular posts from this blog

Secure When a HTTP request is received Power Automate a.k.a MS Flow

Image
Secure "When a HTTP request is received" connector in MS Flow This connector can act as the Incoming webhook and perform underling business functionality but its very important to protect it to receive payload from unknown audience. lets see the steps to secure this incoming request. Add `when a HTTP request is received as a trigger condition` Provide the required payload a per the needs (optional). change method to POST if you need to use the payload (optional) relativePath: add /{token} (required) Click the ... dots and select "settings" @equals(triggerOutputs()['relativePathParameters']['token'],'YOUR-SECRET-PASSWORD') That's it. your business logic continues... I have added the received 'token' and 'firstName' from my payload for testing. Call the webhook from postman. Replace /{token} from the URL with your secret password. Enter the required payload and click send. Notice : S...
Read more

People picker Control in PowerApps

Image
With the latest PowerApps update we can do more customization to achieve more use-cases. Especially with the new "Rule" feature in PowerApps(which keeps remembers me of InfoPath form 😏) But, Then I was looking for People picker control in this latest PowerApps update. cant find any straight forward control thought. But now saw a connector called "Office365Users" then I started exploring it. How to create People picker control in PowerApps Update 1. Add  "Office365Users" data source to the app. 2.  Insert a "Combobox" from the ribbon. 3. Select "Combobox" and select 'Items' in the formula bar then enter below formula Office365Users . SearchUser ({searchTerm :  ComboBox1. Text }) 4. Then, select "Fields" from the property pane and choose "Primary text" a.k.a "Display Names" and "Search Fields". 5. Play the app and test it. The below steps applies mostly in the early st...
Read more

Upload attachment to SharePoint list item using Microsoft Flow

Image
Microsoft Flow is one of the Microsoft offerings for automation. In this series will see how to upload a file to SharePoint ListItem using MSFlow Workflow for our scenario Login to Microsoft Flow site  and log in to create a new flow. Add action and Type 'Data Operations' connector. Then choose 'Data operations - Compose' action Select 'Expression' tab and enter the following to create 'ListName' variable Repeat this process for all other variables  ListName - SharePoint list name. ItemID     - SPList item ID. AttachmentContent - Actual attachment content. FileName - Attchment name. Expressions: we can read values from Query String will discuss how to pass them next article. ListName: trigger() [ 'outputs' ][ 'queries' ][ 'listname' ] ItemID: trigger() [ 'outputs' ][ 'queries' ][ 'itemid' ] At...
Read more

Modern page provisioning using page template

Image
In this article let's see how to dynamically provision a modern page based on a modern page template and update its webpart properties using pnp/js in SPFx React webpart. Create a modern page template Create a page and add the webpart as per your requirements, finally save it as a template. it will be stored under the  "Templates" folder in SitePages. In the below example I have as Section=>3 Colum layout=>3 webparts. Create a page provision form component public   render ():  React . ReactElement < IDynamicPageCreaterProps > {      let   thisHandler  =  this ;      return  (        < div >          < h1 > { this . props . webpartName } </ h1 >           {           ( this . props . selectedTemplate  !=  undefined )...
Read more

Approval and auto escalation with time out in Microsoft Flow

Image
Let's see how to create an Approval workflow with timeout and escalation. I have used Office 365 Custom List "item created or modified" as my trigger. Create "Supervisor Approval" Create "Escalation Approval" Specify duration in ISO 8601 format. refer here for more time-out formatting. "Escalation Approval" would trigger only after the "Supervisor Approval timeout" Final Flow -Ratsub
Read more

Developing custom reusable components in PowerApps

Image
I am very excited to see the latest PowerApps Experimental preview feature  for canvas based PowerApps development & its capabilities. It provides you with the ability to increase your productivity and re-use the same component on all available layouts.  Design & develop it once reuse the component across layouts within PowerApps. How to enable the experimental feature in PowerApps? Step1 - Go to File->App Settings. Step2 - Select Advanced Settings-> Experimental feature->Enable Components The above feature is not listed; then possibly your are not created developer preview environment. Follow these official MSDN instructions . Also, it's important to understand the  Preview & Experimental feature . Create Carousel reusable component in PowerApps Step 1- Click add "New component. Step 2- Add all necessary controls             -> Image control.     ...
Read more

Step-By-Step Azure AD App Registration

Image
Enterprise developers and software-as-a-service (SaaS) providers can develop commercial cloud services or line-of-business applications, that can be integrated with Azure Active Directory (Azure AD) to provide secure sign-in and authorization for their services. To integrate an application or service with Azure AD, a developer must first register the application with Azure AD. Any application that wants to use the capabilities of Azure AD must first be registered in an Azure AD tenant. This registration process involves giving Azure AD details about your application, such as the URL where it’s located, the URL to send replies after a user is authenticated, the URI that identifies the app, and so on.  In the upcoming series of articles will see different 'grant_type' and which one to use for what scenario? how to use in Daemon-Headless-App calling secure WebAPI - client_credentials/password_credentials how to use in Windows-Forms-App calling secure WebAPI - cod...
Read more

Create and configure custom connectors for PowerApps and MSFlow from AzureFunctions

Image
I have already discussed How to Create, Configure and Deploy AzureFunction using VisualStudio  and how to create swagger(OpenApi) endpoint for AzureFunctions .  So, In this article will see how to import and use them in PowerApps & MSFlow .  Upon completion of yaml  definition creation, Click->Export to PowerApps + Flow button or copy the API definition URL. Alternatively you can also download  ApiDef.json file. Go to  https://web.powerapps.com  and authenticate then select 'Custom Connectors' from the left navigation. Then Click Create custom connector->Import an OpenApi from URL as mentioed below. Enter function secret code which we copied earlier, Then name the connector and click Contiue. Now, Fill values in each wizard General -> Upload/configure connector icon. Security -> In my scenario I used 'Function' scope access. configure it as appropriate. Definition -...
Read more

HTML field & Date Time formatting in powerapps

Image
Hi All, When i dig around powerapps found an interesting control called HTML field. the potential of this control is enormous based on the scenario lets see couple of examples. 1. Formatting Datetime Go to insert -> Text=>HTML Text Insert the control in the list view Add the below in the formula box Concatenate(" < div style = 'height:100%;width:100%;padding:1px;background-color: #418bca;border-right: 1px solid #fff;float:left;' > < div style = 'position: relative;text-align: center;color: #fff;font-size:20px;padding:0px 3px;' > ",Text(DateTimeValue(Text(Modified)),"dd")," < h4 style = 'margin: 5px 0 0 0;color: #fff;text-align: center;' > ",Upper(Text(DateTimeValue(Text(Modified)),"mmm-yy"))," </ h4 > </ div > ") i.e. Concatenate(" < html > ",Text(DateTimeValue(Text(Modified)),"dd")," < html > ")  Output Note :...
Read more