Expose API Using Azure AD Token
Question

Hi,

I have a requirement to expose API's for my application hosted on Azure, but by making use of an Azure Token received from the consuming application.

I'm already accessing Azure API's passing tokens that I get from Azure using App Secrets, but now I need to verify Bearer tokens in my own API's against Azure AD.

Has anyone implemented this successfully yet? I have seen this post but it's not very clear as to how it works really. Any assistance will be greatly appreciated.

mvp_badge
MVP

Hi Rudi,

Do you mean using Azure AD for authentication of your own app? What is described here?

Hi Kilian,

We're already successfully using it to access our own apps using the MicrosoftLoginConnector, not exactly your link.

I'm also integrating with Azure API's using App secrets... to do this, I'm hitting the MS OAuth token endpoint to get a token, which I then pass to the API's. This all works.

Now I need to expose an API of my own, but in the Auth should also make use of the regsitered application's Secret, so the client app just have to send me a Bearer Token which I should then verify in the OnAuthentication action I guess... so I've been struggling with this last part, how to verify the Bearer Token received as being valid on Azure AD?


I hope this helps

mvp_badge
MVP

I'm not sure that's possible. A token is provided for a certain application, not for random other applications. The one issuing the token can verify the validity, but for a certain application. I'm tempted to say what you want is not possible.

I would be really surprised if this is not possible.

So, my app is registered in Azure with a specific app secret, known by the client app only. Once that client app requests a token from Azure (Service Principle Method), they should be able to provide it to the relevant API hosted within the registered app .scope.

This is exactly what I am doing integrating with other Azure API's, getting a token specific to that app so that I can access the API.

mvp_badge
MVP

Ok, then I misunderstood what you meant. Perhaps this article can be of help. Basically you need to validate the JWT token that's passed as bearer token.

Thanks, I've got that page open already as my next step. Will update here with clear steps when I come right. Thanks for the assistance so far

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.