Robust Cloud Integration with Azure

What is App Service authentication and authorization?

Azure App Service authentication and authorization is a built-in feature that lets you restrict access to your app services without complex configuration and without writing any application code. Let's see how it works.

Authentication

For App Service users to be authenticated, we can choose from a set of identity providers (Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter), or we can implement our own custom authentication mechanism.

To authenticate with one of the identity providers, you first register your application with that provider so that it knows about your application. The provider then issues a client ID and secret, which you enter into the App Service configuration. After this, users can be directed to an endpoint that lets them sign in.

In service-to-service scenarios, App Service can protect your application using Azure Active Directory. The calling application must present an authorization token that Azure Active Directory issued for its service principal.

Authorization

You can require that incoming requests be authenticated before they are allowed to reach your application. This is enabled when you choose an identity provider under Action to take when request is not authenticated in the portal.

Choose Allow Anonymous requests (no action) when you want to defer the authorization decision to your code, for instance when different parts of the application have different access restrictions. In this case, App Service still authenticates callers that present a valid cookie or token and passes the resulting identity to your application in request headers (for example, X-MS-CLIENT-PRINCIPAL-NAME and X-MS-CLIENT-PRINCIPAL-ID); your code must check those headers. They can be trusted only because App Service strips any copies a client sends, so the same code must not rely on them when the application runs outside App Service.

Tip

A cookie is set for users who interact with your application through a web browser; it keeps them authenticated for as long as they browse the application. A mobile client uses the client SDK instead: it obtains a JSON Web Token (JWT), or in Azure Active Directory's case the access token, and sends it in the Authorization header of each request. A token sent this way is called a bearer token.

App Service validates every cookie or token it has issued before the request reaches your application, so requests carrying invalid or tampered credentials never get that far.
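The following is an added example, not code from the book: an ASP.NET Web API 2 authorization filter for the Allow Anonymous requests (no action) case, where App Service authenticates the caller but leaves the allow/deny decision to your code. It reads the X-MS-CLIENT-PRINCIPAL-* headers App Service injects, rejects requests that carry no principal, and optionally restricts the API to particular calling applications by checking the appid claim in the base64-encoded X-MS-CLIENT-PRINCIPAL header (this assumes the App Service front end populates that header, and the client ID in the attribute usage is a placeholder). The ProductsController is an assumed minimal controller to show the attribute in use.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using Newtonsoft.Json.Linq;

// Authorization filter for an API App whose App Service authentication is set to
// "Allow Anonymous requests (no action)". App Service still validates any cookie or
// bearer token the caller presents and describes the caller in X-MS-CLIENT-PRINCIPAL-*
// headers; this filter turns those headers into an allow/deny decision.
public sealed class AppServiceAuthorizeAttribute : AuthorizationFilterAttribute
{
    // Optional allowlist of calling applications (AAD client IDs, the "appid" claim).
    public string[] AllowedAppIds { get; set; }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        HttpRequestMessage request = actionContext.Request;

        // App Service strips any X-MS-CLIENT-PRINCIPAL-* headers sent by the client and sets
        // them only after validating the session cookie or token, so an empty value means the
        // request is unauthenticated. Caveat: this holds only while the app runs behind App
        // Service; hosted anywhere else (local debugging included), anyone can forge them.
        string principalId = HeaderValue(request, "X-MS-CLIENT-PRINCIPAL-ID");
        if (string.IsNullOrEmpty(principalId))
        {
            actionContext.Response = request.CreateResponse(HttpStatusCode.Unauthorized);
            actionContext.Response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
            return;
        }

        // Restricting the API to particular client applications: the "appid" claim of an AAD
        // access token names the application that obtained the token.
        if (AllowedAppIds != null && AllowedAppIds.Length > 0)
        {
            string callerAppId = ClaimValue(request, "appid");
            if (callerAppId == null || !AllowedAppIds.Contains(callerAppId, StringComparer.OrdinalIgnoreCase))
            {
                actionContext.Response = request.CreateResponse(HttpStatusCode.Forbidden);
            }
        }
    }

    private static string HeaderValue(HttpRequestMessage request, string name)
    {
        IEnumerable<string> values;
        return request.Headers.TryGetValues(name, out values) ? values.FirstOrDefault() : null;
    }

    // X-MS-CLIENT-PRINCIPAL (assumed present) is a base64-encoded JSON document whose "claims"
    // array holds {"typ": ..., "val": ...} entries copied from the validated token.
    private static string ClaimValue(HttpRequestMessage request, string claimType)
    {
        string encoded = HeaderValue(request, "X-MS-CLIENT-PRINCIPAL");
        if (string.IsNullOrEmpty(encoded)) return null;
        JObject principal = JObject.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(encoded)));
        JArray claims = principal["claims"] as JArray;
        if (claims == null) return null;
        return claims.OfType<JObject>()
            .Where(c => string.Equals((string)c["typ"], claimType, StringComparison.OrdinalIgnoreCase))
            .Select(c => (string)c["val"])
            .FirstOrDefault();
    }
}

// Assumed minimal controller: only signed-in callers, and only the CustomerServices
// client application (placeholder client ID), may list products.
public class ProductsController : ApiController
{
    [HttpGet]
    [AppServiceAuthorize(AllowedAppIds = new[] { "11111111-2222-3333-4444-555555555555" })]
    public IHttpActionResult Get()
    {
        IEnumerable<string> values;
        string caller = Request.Headers.TryGetValues("X-MS-CLIENT-PRINCIPAL-NAME", out values)
            ? values.First() : "(unknown)";
        return Ok(new { caller, products = new[] { "Fan", "Heater" } });
    }
}
```

The 401 response carries a WWW-Authenticate: Bearer challenge so that API clients (rather than browsers) learn they must present a token; an authenticated caller whose application is not on the allowlist receives 403 instead, which distinguishes "who are you" from "you are not allowed".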

Scenario: authenticating an API App and consuming the authenticated API App

In this example, we will see how to protect the Products API using Azure Active Directory (AAD).

  1. Create an Azure Active Directory. Navigate to the Azure Classic Portal. Click on Custom Create Directory:
  2. Select your directory and then select the APPLICATIONS tab at the top. Click on ADD at the bottom to create a new app registration:
  3. Click on ADD APPLICATION my organization is developing.
  4. In the ADD APPLICATION Wizard, enter a NAME for your application, which is ProductApi in our case, and click on the WEB APPLICATION AND/OR WEB API type. Then, click to continue:
  5. In the SIGN-ON URL box, paste the application URL you copied earlier. Enter that same URL in the APP ID URI box. Then, click to continue:

    Once the application has been added, click on the Configure tab. Under Single Sign-on, edit the REPLY URL (the URL to which Azure AD returns tokens for your Azure App, such as an API App) to be your application's URL followed by the path /.auth/login/aad/callback, for example https://ProductApi.azurewebsites.net/.auth/login/aad/callback:

  6. Click on Save. Then, copy the Client ID for the app. You will configure your application to use this later.
  7. In the bottom command bar, click on View Endpoints, copy the Federation Metadata Document URL, and download that document or open it in a browser. This document describes the token issuer for your tenant: its identifier, the certificates it uses to sign security tokens, and its endpoints.
  8. Within the root EntityDescriptor element, there should be an entityID attribute of the form https://sts.windows.net/ followed by a GUID specific to your tenant (the tenant ID). Copy this value; it will serve as your Issuer URL. This URL uniquely identifies your tenant as the issuer of the tokens, and App Service will accept only tokens whose issuer matches it. You will configure your application to use this later.
  9. Add Azure Active Directory information to your application.
  10. For the ProductApi that has been published, navigate to the settings and click on Authentication/Authorization.
  11. If the Authentication/Authorization feature is not enabled, turn the switch to On:
  12. Click on Azure Active Directory and then click on Advanced under Management Mode. Paste in the Client ID and Issuer URL value, which you obtained previously. Then, click on OK.

    1. By default, App Service authenticates users but does not restrict access to the site content and APIs; you must authorize users in your app code.
    2. To restrict access to authenticated users only, set Action to take when request is not authenticated to Log in with Azure Active Directory. All requests are then authenticated, and unauthenticated requests are redirected to Azure Active Directory to sign in.
    3. Click on Save.
  13. You are now ready to use Azure Active Directory for authentication in your app.
  14. After these steps, when we try to access the ProductApi from the browser, we are redirected to an authentication page for Azure Active Directory where we are asked to put in our credentials:

Now we will show how to consume this authenticated API. To do this, we will take the example of a native client application for Sunny Electricals used by the customer service department. This application needs to access the ProductsApi to display the products.

  1. In the Visual Studio solution for the app, we will add a reference to the Products API. To do so, we can select REST API Client:
  2. After this, download the Swagger metadata file for the ProductsApi by browsing to https://ProductsApi.azurewebsites.net/swagger/docs/v1 in Internet Explorer, or provide the Swagger URL in the window:
  3. This installs the NuGet package Microsoft.Rest.ClientRuntime, adds the Azure API App client, and creates the following folder:
  4. Now log in to the Azure Classic Portal and add the new CustomerServices application to the Active Directory we created. Note that we register this app as a NATIVE CLIENT APPLICATION:
  5. Then provide the REDIRECT URI. For a native client this need not be a reachable address; it can be any URI related to the business objective, but it must match exactly the redirect URI the client passes to ADAL:
  6. From the Configure page, copy the Client ID and the REDIRECT URI for this application. Also, from the Active Directory Applications tab, click on the View Endpoints button and copy the value for OAUTH 2.0 AUTHORIZATION ENDPOINT; the tenant-specific authority is derived from it:
  7. At this stage, you should have the following pieces of information:
    • The authority (the tenant-specific Azure Active Directory endpoint)
    • The resource, which is the App ID URI of the API you are consuming, and the URL of that API
    • The Client ID and REDIRECT URI of your client application (a native client application has no client secret; the redirect URI takes its place)
  8. In the Visual Studio solution, add the NuGet package Microsoft.IdentityModel.Clients.ActiveDirectory. This adds the binaries for the Active Directory Authentication Library (ADAL), which we will use to authenticate our requests against the API:
  9. The following is the code in which the client application passes its credentials to obtain a token from Azure Active Directory. If the user is not already signed in, ADAL opens a sign-in page; this behaviour is controlled by the PromptBehavior parameter, and you can make the user log in every time the API is accessed. Once authentication succeeds, a security token is issued for access to the API:

    Please note that the communication happens over HTTPS, so the bearer token in the Authorization header is not visible on the network. Anyone who obtains the token can call the API as that user until it expires, so it must never be sent over plain HTTP or written to logs.

  10. After calling the API from the application, we see the same list of products that we saw earlier in the chapter:

     Along similar lines, there are several other options for hardening the API App:

    • Disabling browser access: change the REPLY URL so that it no longer points to the API App's URL, so that the interactive browser sign-in can no longer complete against the API
    • Restricting access to only a particular client: accept connections only from a particular service principal, for example by checking the calling application's identity in the token
    • Using your own authentication method
    • Using the API Management service: this is described in the next chapter

ADAL can also be used with iOS, Android, and Xamarin-based apps.
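As an added example of the client-side code described in step 9 (not the book's own code), the following native client acquires a token from Azure Active Directory with ADAL and calls the ProductsApi with it as a bearer token. It assumes ADAL 3.x for .NET desktop; the authority is assumed to be the OAuth 2.0 authorization endpoint from step 6 with its /oauth2/authorize suffix removed, the resource is the App ID URI set for the API in step 5, and the tenant ID, client ID and redirect URI values are placeholders.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Native client for the Sunny Electricals customer service app calling the
// AAD-protected ProductsApi. All portal values below are placeholders.
public static class ProductsApiClient
{
    // Tenant-scoped authority: the OAuth 2.0 authorization endpoint copied from
    // View Endpoints, without the trailing "/oauth2/authorize" (assumed form).
    private const string Authority = "https://login.microsoftonline.com/<tenant-id>";

    // The resource is the token audience: the App ID URI registered for the API,
    // which the book sets to the application's own URL.
    private const string Resource = "https://ProductsApi.azurewebsites.net";

    // Client ID and REDIRECT URI of the CustomerServices native client registration.
    // The redirect URI must match the registered value exactly.
    private const string ClientId = "<client-id>";
    private static readonly Uri RedirectUri = new Uri("http://CustomerServices");

    private static readonly Uri ApiBase = new Uri("https://ProductsApi.azurewebsites.net/");
    private static readonly AuthenticationContext AuthContext = new AuthenticationContext(Authority);

    public static async Task<string> GetProductsAsync(bool forceSignIn = false)
    {
        // Refuse to send a bearer token over plain HTTP: it would be readable on the wire
        // and usable by whoever captured it until it expires.
        if (ApiBase.Scheme != Uri.UriSchemeHttps)
        {
            throw new InvalidOperationException("ProductsApi must be called over HTTPS");
        }

        // PromptBehavior.Auto reuses a cached token (or refresh token) and shows the
        // sign-in window only when it has to; PromptBehavior.Always makes the user sign
        // in on every call, which is the "log in every time" option mentioned in step 9.
        PromptBehavior prompt = forceSignIn ? PromptBehavior.Always : PromptBehavior.Auto;
        AuthenticationResult result = await AuthContext.AcquireTokenAsync(
            Resource, ClientId, RedirectUri, new PlatformParameters(prompt));

        using (var http = new HttpClient { BaseAddress = ApiBase })
        {
            http.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", result.AccessToken);

            HttpResponseMessage response = await http.GetAsync("api/products");

            if (response.StatusCode == HttpStatusCode.Unauthorized)
            {
                // The API rejected the token (wrong audience or issuer, expired, or a
                // cached token for another tenant). Drop the cache so the next call
                // re-authenticates instead of retrying with the same bad token.
                AuthContext.TokenCache.Clear();
                throw new UnauthorizedAccessException("ProductsApi rejected the token");
            }

            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }
}
```

A 401 from the API is treated as a token problem rather than retried blindly; if the API Apps authentication setting is Log in with Azure Active Directory, a request without a valid bearer token never reaches your code, so a 401 here means the token's audience or issuer did not match the Client ID and Issuer URL configured in step 12.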