0

I'm writing an application that will be the backend for a react website. The website is to be used by our customers, but we will fully control the permissions of the user. We have decided to use Azure AD to secure requests, but will also be exposing the API for end users to use directly if desired.

My understanding is in Azure AD I will have to create an application that will allow web based implicit authentication (for the react site), as well as a native application that will allow a dameon based application to authenticate to the API.

This I believe means I will have two audience ids in my application.

I'm trying to get claims to include groups, and I can see if I edit the meta data of both applicaitons in azure AD to include "groupMembershipClaims": "SecurityGroup" I can get claims with the group IDs in, but no names.

I think I can also use appRoles to set roles the application uses, but I've yet to get that to come through as claims in the JWT, but I'm assuming it can be done, however I'd need to setup the roles on each applicaiton, then add the user twice which isn't really ideal. I also think that because my app is multi-teanated that external users could use this to set their own permissions, which isn't what I want to do.

Sorry I'm just totally lost and the documentation is beyond confusing given how frequently this appears to change!

TLDR: Do I need two applicaitons configured in azure ad, and if so whats the best way to set permissions (claims). Also is oAuth 2 the right choice here, or should I look at open id?

Improve this question

2 Answers 2

Reset to default
1

Right away I gotta fix one misunderstanding. Daemon apps usually have to be registered as Web/API, i.e. publicClient: false. That's because a native app can't have client secrets. Of course the daemon can't run on a user's device then. Since that's what a native app. An app that runs on a user's device.

This I believe means I will have two audience ids in my application.

You will have two applications, at least. If you want, the back-end and React front can share one app (with implicit flow enabled). And the daemon will need another registration.

I'm trying to get claims to include groups, and I can see if I edit the meta data of both applicaitons in azure AD to include "groupMembershipClaims": "SecurityGroup" I can get claims with the group IDs in, but no names.

Yes, ids are included only. If you need names, you go to Graph API to get them. But why do you need them? For display? Otherwise, you need to be using the ids to setup permissions. Names always change and then your code breaks.

I think I can also use appRoles to set roles the application uses, but I've yet to get that to come through as claims in the JWT, but I'm assuming it can be done, however I'd need to setup the roles on each applicaiton, then add the user twice which isn't really ideal. I also think that because my app is multi-teanated that external users could use this to set their own permissions, which isn't what I want to do.

Your thoughts for multi-tenant scenarios are correct. If you did want to implement these though, I made an article on it: https://joonasw.net/view/defining-permissions-and-roles-in-aad.

Why would you need to setup the roles in multiple apps though? Wouldn't they only apply in the web app? If the native app is a daemon, there is no user.

Overall, I can see your problem. You have people from other orgs, who want access to your app, but you want to control their access rights.

Honestly, the best way might be to make the app single-tenant in some tenant which you control. Then invite the external users there as guests (there's an API for this). Then you can assign them roles by using groups or appRoles.

If I misunderstood something, drop a comment and I'll fix up my answer.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

Azure AD is of course a powerful system, though I also find the OAuth aspects confusing since these aspects are very mixed up:

  • Standards Based OAuth 2.0 and Open Id Connect
  • Microsoft Vendor Specific Behaviour

ROLE RELATED ANSWERS

This is not an area I know much about - Juunas seems like a great guy to help you with this.

OAUTH STANDARDS AND AZURE

I struggled through this a while back for a tutorial based OAuth blog I'm writing. Maybe some of the stuff I learned and wrote up is useful to you.

AZURE SPA AND API CODE SAMPLE

My sample shows how to use the Implicit Flow in an SPA to log the user in via Azure AD, then how to validate received tokens in a custom API:

Not sure how much of this is relevant to your use case, but I hope it helps a little on the tech side of things...

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.