Skip to main content

What is the Resource in Azure AD OAuth2

In my post about getting the Azure AD JWT via Postman, we kind of skipped over the part on what the resource is when requesting a token.  Basically, its the Application Id URI of the app you will be calling, not the app you are login in as.  Let's talk through a scenario, using the https://github.com/Azure-Samples/active-directory-dotnet-daemon sample from my post on Service to Service auth.

You would create two applications in Azure AD, and they don't even need to be in the same AD (we will cover that at a later date).  The service that is going to consume the API (TodoListDaemon) is the one that would be using the method I described to get a bearer token, and it would have its own Application as we would use its App ID for the Client Id.  Then the service hosting the API (TodoListService) would also have its own Application, but we don't need to generate an Application Key, as we are not logging on as this application.  But in TodoListService we would put it's Application ID URI in as the "Audience" when configuring our authentication options.

Then when TodoListDaemon requests a token, it will put the Application ID URI for TodoListService as the resource.  Azure AD will validate the URI is correct, and then add it as a claim in the JWT.  When TodoListService checks the JWT, it can see that Azure granted the claim for this application and no others, and it can then trust all the other claims, like "act on behalf of", or any other role you setup in when you created the TodoListService application.  Yet another topic for another day.

Because this field goes by so many names, here is a cheat sheet for some of the places you use the resource:
  • Resource: this is used when making requests to the token endpoint.
  • Audience: this is used when validating the JWT per request
  • identifierURIs: this is in the Azure Active Directory application manifest
  • App Id URI: this is what the documentation for the application manifest calls this value.
Labels:

Popular posts from this blog

Querying for items in an Array in CosmosDB

If you have spent any time looking at the documentation for Microsoft CosmosDB / DocumentDB, you will see a lot of examples where the data model has a property named "Tags" that is a list of strings.  But you don't see many times they query on something in that Tag property...  One example I saw a query on Tags[0] = "some value" I don't know how often I will need that, but you know, good to know you can do it. After looking through the SQL syntax reference .  The 2 ways I most likely query the Tags would be to use a join on the Tags property or use the ARRAY_CONTAINS function. Side note; the performance of the two methods are basically identical, leading me to believe the query optimizer generates the same instruction sets for both. So unless you have an array of complex objects, just use ARRAY_CONTAINS. Cool, we know how to query for documents that have our tag on them now... One small problem, when you load a million, or even a hundred thousand do...
Read more

Service to service auth via Azure Active Directory with ASP.Net Core

Sample configuration for ASP.Net Core 1.1 to use Azure AD for Service to Service Authentication.  Update your Startup.cs to have the following public void ConfigureServices(IServiceCollection services) { services.AddAuthentication(); ... } public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory) { app.UseJwtBearerAuthentication(new JwtBearerOptions { Authority = "https://login.microsoftonline.com/{AAD Tenant Name or ID}", Audience = "{Application ID URL}" }); ... } Microsoft.AspNetCore.Authentication.JwtBearer defaults to using OpenID Connect discovery document to validate the bearer token. The Authority is the prefix for the the discovery document.  The middleware will append ".well-known/openid-configuration/" to whatever you pass in to the Authority.  If your IDP has a diffrent endpoint for the discovery document, you can specify the MetadataAddress option, tha...
Read more

WebAPI2 and MVC5 with Google OAuth2 : Access and Refresh token security

So recently I started looking at using WebAPI2, and well, the documentation on what's really going on here, sucks.   My goal here is to allow a user to log-in via OAuth2, pull the access token and the refresh token and handle them safely. This post is really just a place for me to take notes as I dig into this. Firstly, this is none trivial in Microsoft's implementation.  After digging into this, I must ask if they even thought about how this would be done.  From what I can tell, they are expecting that if you want to get extra information from a provider that you do it in the OnAuthenticated method on the AuthenticationProvider, and then add it to the claim.  And if that's all you need, by all means, do that. Step one: Requesting the Token For Google we need the include the access type of offline in our request.  It was talked about on the Katana Project at   GoogleOAuth2Authentication never really get RefreshToken So given that bit of info we know...
Read more