  • Tobbe 81 posts 387 karma points c-trib
    Oct 17, 2017 @ 19:36
    Tobbe
    0

    Secure web API by using bearer tokens from Azure AD

    Hello!

    I need to secure a web api (NOT backoffice) with bearer tokens from Azure AD. This should be possible according to https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-devquickstarts-webapi-dotnet .

    But how do I integrate this with Umbraco? Can anyone point me in the right direction?

    I've tried this:

    using Microsoft.Owin.Security.ActiveDirectory;
    using Owin;
    using System.IdentityModel.Tokens;
    using Umbraco.Core;
    using Umbraco.Core.Security;
    using Umbraco.Web.Security.Identity;

    public class UmbracoCustomOwinStartup
    {
        public void Configuration(IAppBuilder app)
        {
            // Azure AD bearer middleware: validates JWTs issued by the tenant for the given audience
            app.UseWindowsAzureActiveDirectoryBearerAuthentication(
               new WindowsAzureActiveDirectoryBearerAuthenticationOptions
               {
                   Tenant = "<tenant>",
                   TokenValidationParameters = new TokenValidationParameters
                   {
                       ValidAudience = "<tenant>/<guid>"
                   }
               });

            // Umbraco's own back-office user manager and cookie authentication, as in UmbracoDefaultOwinStartup
            app.ConfigureUserManagerForUmbracoBackOffice(
                ApplicationContext.Current,
                MembershipProviderExtensions.GetUsersMembershipProvider().AsUmbracoMembershipProvider());

            app
                .UseUmbracoBackOfficeCookieAuthentication(ApplicationContext.Current)
                .UseUmbracoBackOfficeExternalCookieAuthentication(ApplicationContext.Current);
        }
    }

    And then in my api controller:

        [HttpGet]
        [Authorize] // any authenticated principal; the bearer middleware should supply one for a valid Azure AD token
        public HttpResponseMessage Feed()
        {
            return Request.CreateResponse(HttpStatusCode.OK,
                ApiCache.Current.NewsFeed.OrderByDescending(x => x.Date).Take(30));
        }

    But I get 401, and I don't think UseWindowsAzureActiveDirectoryBearerAuthentication is even used.

  • Viktor Ekholm 8 posts 98 karma points
    Oct 18, 2017 @ 09:01
    Viktor Ekholm
    0

    I have no answer for you, but I need to do something similar. I want to expose some download links and the files they refer to based on whether a user is logged into our Azure AD B2C. The rest of the content on the site is public, just that this secret content is hidden from the anonymous visitor.

  • Tobbe 81 posts 387 karma points c-trib
    Oct 24, 2017 @ 08:27
    Tobbe
    101

    I was close...

    The solution is below. But it's also VERY IMPORTANT to use the right settings..... (surprise!). You MUST sign in to the same APP_ID you're using below. In my app I signed in to another one...

    using System.IdentityModel.Tokens;
    using System.Linq;
    using Microsoft.IdentityModel.Protocols;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.ActiveDirectory;
    using Owin;
    using Umbraco.Web;

    [assembly: OwinStartup("UmbracoStandardOwinStartup", typeof(Thing.Application.UmbracoStandardOwinStartup))]

    namespace Thing.Application
    {
        /// <summary>
        /// The standard way to configure OWIN for Umbraco
        /// </summary>
        /// <remarks>
        /// The startup type is specified in appSettings under owin:appStartup - change it to "UmbracoStandardOwinStartup" to use this class
        /// </remarks>
        public class UmbracoStandardOwinStartup : UmbracoDefaultOwinStartup
        {
            public override void Configuration(IAppBuilder app)
            {
                // Fetch the tenant's OpenID Connect metadata: the issuer and its current signing keys
                var stsDiscoveryEndpoint = string.Format("{0}/.well-known/openid-configuration", "https://login.microsoftonline.com/<tenant>");
                var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint);
                var config = configManager.GetConfigurationAsync().Result; // blocking once at startup

                // Register the bearer middleware before Umbraco wires up its own (cookie) authentication
                app.UseWindowsAzureActiveDirectoryBearerAuthentication(new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                {
                    Tenant = "<tenant>",
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        // Must be the APP_ID of the application the client actually signed in to
                        ValidAudience = "<tenant>/<APP_ID>",
                        ValidIssuer = config.Issuer,
                        IssuerSigningTokens = config.SigningTokens.ToList(),
                        RequireSignedTokens = true
                    }
                });

                // Let Umbraco configure the back-office cookie authentication as usual
                base.Configuration(app);
            }
        }
    }
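The "signed in to a different APP_ID" cause of the 401 above can be made visible by decoding the token the client actually sent and comparing it with the configured TokenValidationParameters. This is an added example, not code from this thread or from Umbraco; the class name, the placeholder tenant and app GUIDs and the constructed sample token are assumptions, and it uses the System.IdentityModel.Tokens.Jwt 4.x API the answer's code already relies on.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens; // JwtSecurityToken, System.IdentityModel.Tokens.Jwt 4.x as in the thread
using System.Linq;
using System.Security.Claims;

// Added diagnostic (assumed class name): decodes a bearer token WITHOUT validating it and reports which
// of the TokenValidationParameters configured above would reject it. Never authorize on its output.
public static class BearerTokenDiagnostics
{
    public static IList<string> Explain(string bearerToken, string expectedAudience, string expectedIssuer)
    {
        var findings = new List<string>();
        var jwt = new JwtSecurityToken(bearerToken); // parses header and payload only
        // Audience: ValidAudience must equal one of the token's "aud" values
        var audiences = jwt.Claims.Where(c => c.Type == "aud").Select(c => c.Value).ToList();
        if (!audiences.Contains(expectedAudience))
            findings.Add("aud: issued for [" + string.Join(", ", audiences) + "], API expects " + expectedAudience);
        // Issuer: ValidIssuer comes from the tenant's discovery document
        if (!string.Equals(jwt.Issuer, expectedIssuer, StringComparison.Ordinal))
            findings.Add("iss: " + jwt.Issuer + " is not the configured issuer " + expectedIssuer);
        // Lifetime: an expired token is rejected even if aud and iss match
        if (jwt.ValidTo < DateTime.UtcNow)
            findings.Add("exp: token expired at " + jwt.ValidTo.ToString("u"));
        // RequireSignedTokens = true rejects alg "none" whatever the other values are
        if (string.Equals(jwt.Header.Alg, "none", StringComparison.OrdinalIgnoreCase))
            findings.Add("alg: token is unsigned, RequireSignedTokens rejects it");
        return findings;
    }

    // Constructed, unsigned sample token with placeholder tenant/app ids to exercise the checks offline
    public static string SampleToken()
    {
        var token = new JwtSecurityToken(
            issuer: "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
            audience: "contoso.onmicrosoft.com/11111111-1111-1111-1111-111111111111",
            claims: new[] { new Claim("scp", "user_impersonation") },
            expires: DateTime.UtcNow.AddHours(1));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    public static void Main()
    {
        // The API is configured for a different APP_ID than the one the client signed in to
        foreach (var f in Explain(SampleToken(),
            "contoso.onmicrosoft.com/22222222-2222-2222-2222-222222222222",
            "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"))
            Console.WriteLine(f);
    }
}
```

In a real investigation, pass the value of the incoming Authorization header (minus the "Bearer " prefix) and the ValidAudience and config.Issuer values from the startup class.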