Question about Authentication using Azure AD

[julianadormon]

Sorry I am complete newb when it comes to using Azure AD. I need to understand how Authorization works in very general terms.
I am running a Blazor server app which is a multi-tennant application for photographers to allow them to sell their images to any number of customers. These customers are issued a single password by our app, which when submitted, tells who they are and what galleries they are allowed to see. We handle that logic in our app.

So I am just not sure the flow of getting and using a JWT token in this scenario.

My guess is it goes something like this:

1. End user enters password in our app
2. This request calls the API to pull back their info and what galleries they are allowed to access. This "endpoint" allows anonymous requests.
3. Our app creates the JWT claims and sends a request to Azure AD for a token
4. All other requests sent to the API are authenticated with the JWT token

Does this sound like it could work?
I see that I need to add users to AzureAD, is the user a generic user or do I somehow have to create a new user for each of the thousands of end users that are app is aware of?

I appreciate the help. Thanks.

[julianadormon]

I guess this called an ROPC flow.

[seantleonard]

Hi @julianadormon,

Inline answer to your bullet points

1. End user enters password in our app

• Where is this password stored/ how does your app facilitate user registration and sign in currently? It sounds like you're looking into having Data Api builder facilitate user sign/in registration? DAB isn't designed to 'authenticate' users and expects an identity provider to have already done that and provided the user with the appropriate access token.

2. This request calls the API to pull back their info and what galleries they are allowed to access. This "endpoint" allows anonymous requests.

• By API, this would be an endpoint made available by Data Api builder?

3. Our app creates the JWT claims and sends a request to Azure AD for a token

• Azure AD would be the mechanism which inserts claims into the access tokens. Data Api builder assumes the user has already been authenticated when trying to access role protected endpoints or actions. Azure AD/AzureAD B2C provide mechanisms called API connectors which allow the user sign-in/registration process to call an API in the middle of the process to get supplemental data to insert as claims into access tokens. This is similar to Auth0's actions.

4. All other requests sent to the API are authenticated with the JWT token

Additional thoughts:

Within the scope of Azure Identity, this sounds like a use case which would align with Azure AD B2C, which allows you to set up end user registration, management, and sign-in for (consumer, not enterprise) users who belong to your platform.

Data Api builder could then be configured to be a downstream API for which users could request and get access tokens. An example of this architecture can be found in this Azure AD B2C doc article: https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-authentication-sample-web-app-with-api?tabs=visual-studio

[julianadormon]

Thank you so much for this info. I think, perhaps, I am overthinking DAB's requirements.
I guess my client app simply needs to authenticate with DAB via Azure AD, much like any API scenario and my app can control user login and authorization. I got confused going down a documentation rabbit hole.

[seantleonard]

Is there anything with DAB's documentation on AuthN/Z or Azure AD setup that you think should be added or updated to be easier to find or understand for your use case? I'm happy to answer any other questions you may have.

[julianadormon]

I think the problem was more on the Azure AD side of the documentation and my not quite understanding what the minimum requirement was for DAB. Maybe a simple one liner added to the doc that says something like, Your app needs to authenticate with Azure AD as with most APIs. This would frame the scope for simpletons like me! Thanks.

[julianadormon]

As a follow-up, according to your docs, I was able to get and use a token using the AZ CLI, however I assume this is not the preferred way to get a token in production so I tried using IdentityModel but I am running into 403 errors using this approach. Would you mind taking a look? Thanks.

https://stackoverflow.com/questions/76142957/how-to-get-proper-jwt-token-using-identitymodel-and-azure-ad-to-authenticate-wit

[seantleonard]

I posted an answer there. I wasn't clear on how you intended the auth scenario to work and gave possible solutions to the two scenarios that may apply.

[julianadormon]

You nailed it. Thank you so much!!!