
Replace ABP token with AAD token #7652


User avatar
0
JapNolt created

We have been able to successfully use the built-in support for OpenID to allow users to authenticate with our site using AAD. But the way ABP works, it just uses AAD for authentication but then ABP issues its own token issued by the TokenAuthController.

We would like to use the AAD token for the whole stack. In other words, I want the app service APIs to take the AAD token for authentication. Do you have any guidance on how to implement this?


11 Answer(s)
  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @japnolt

    Unfortunately we don't have such a guide.

  • User Avatar
    0
    JapNolt created

    How involved would it be? Can you give a general direction on what would be needed?

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @japnolt

    We couldn't come up with a solution, sorry. Even if you manage to achieve this, each request to the server must access Azure to validate the token. I think it will make each request slower.

    Could you explain why you need such a use case? Maybe we can find another solution.

    Thanks.

  • User Avatar
    0
    JapNolt created

    I'm sorry that it's been awhile and I got sidetracked. The use case is similar to this auth flow https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/2.%20Web%20API%20now%20calls%20Microsoft%20Graph. I want to make a request to Graph through our WebAPI on behalf of the user (delegated auth). Our frontend is Angular so the concept would be similar to this sample.

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    A user can login to AspNet Zero's Angular app using OpenIdConnect with Azure AD. When Azure AD returns to AspNet Zero, the Angular app sends the token to the server app and the server app calls the Microsoft Graph API internally. If you want to make such calls, you need to store the token returned from Azure AD.

  • User Avatar
    0
    JapNolt created

    This feels kludgy. What about token refresh, etc?

    Isn't there some interface I can implement or a class I can override to implement AAD more deeply in the product?

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    Integrating AAD into AspNet Zero is very easy; you just need to fill in the configuration (OpenIdConnect) in the appsettings.json file. Your request is a bit different and AspNet Zero doesn't support it by default. You can check https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/additional-claims?view=aspnetcore-3.1 for more information.

  • User Avatar
    0
    JapNolt created

    Thanks for the additional information! I'm assuming I need the ability to SaveTokens as described here, but I don't know where to configure that in ANZ. Also, how would I access them later when needed in an app service?

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    You can use a repository and retrieve it from AbpUserTokens table.

  • User Avatar
    0
    JapNolt created

    I'm sorry Ismail, but I'm struggling to understand how I can incorporate the On-Behalf-Of flow into ANZ. Can you give some more detail after reading the below docs?

    https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
    https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/on-behalf-of
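As an added example (not code from this thread or from AspNet Zero) of the On-Behalf-Of flow in the links above, combined with reading a token that was saved in AbpUserTokens as suggested earlier: a hypothetical app-service helper that exchanges the user's stored Azure AD token for a Graph token with MSAL and calls Graph as that user. The login-provider and token names, the configuration keys and the `User` entity name are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Identity.Client;

// Hypothetical service for an AspNet Zero server app (added example, not AspNet Zero's code).
// Assumes the user's AAD access token (audience = this API's app registration) was saved via
// the Identity token APIs, which ABP persists in AbpUserTokens; names/keys below are assumed.
public class GraphOnBehalfOfService
{
    private const string LoginProvider = "OpenIdConnect"; // assumed provider name used when saving
    private const string TokenName = "access_token";      // assumed token name used when saving
    private readonly UserManager<User> _userManager;      // AspNet Zero's UserManager derives from Identity's
    private readonly IConfidentialClientApplication _msal;
    private readonly HttpClient _http;

    public GraphOnBehalfOfService(UserManager<User> userManager, IConfiguration config, HttpClient http)
    {
        _userManager = userManager;
        _http = http;
        // Confidential client for the API's own app registration; the secret never leaves the server.
        _msal = ConfidentialClientApplicationBuilder
            .Create(config["Authentication:OpenId:ClientId"])
            .WithClientSecret(config["Authentication:OpenId:ClientSecret"])
            .WithAuthority(AzureCloudInstance.AzurePublic, config["Authentication:OpenId:TenantId"])
            .Build();
    }

    public async Task<string> GetMyProfileJsonAsync(User user)
    {
        // 1. Stored access tokens expire and no refresh token is kept here, so a missing or
        //    expired token means the user must sign in with Azure AD again.
        var aadToken = await _userManager.GetAuthenticationTokenAsync(user, LoginProvider, TokenName);
        if (string.IsNullOrEmpty(aadToken))
            throw new InvalidOperationException("No stored Azure AD token; re-authenticate with Azure AD.");
        // 2. On-Behalf-Of: exchange the user's token for a Graph token limited to the scope needed;
        //    Azure AD rejects expired or wrong-audience assertions (MsalServiceException), handle upstream.
        var result = await _msal
            .AcquireTokenOnBehalfOf(new[] { "https://graph.microsoft.com/User.Read" }, new UserAssertion(aadToken))
            .ExecuteAsync();
        // 3. Call Graph with the delegated token (acts as the user, not as the API itself).
        using var request = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/me");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        using var response = await _http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}
```

MSAL caches the Graph token per user, so repeated calls do not hit Azure AD until it expires; the incoming token's lifetime, not the stored copy, is what the flow depends on.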

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @japnolt,

    Sorry, I think I didn't understand your question in the first place.

    1. Do you want to store the AAD token in your Angular app when it's retrieved from Azure AD during login,
    2. send it with every request to your AspNet Zero server app,
    3. and you want the AspNet Zero server app to contact Azure AD for every request to validate this token?

    If it is something else, could you explain it again?

    Thanks,