Hi All,
We have the following Scenario:
Single Page Application (AngularJS based, Azure-AD protected). Like in this sample: https://github.com/AzureADSamples/SinglePageApp-AngularJS-DotNet
Separate REST Service (WebAPI only, Azure-AD protected) with BusinessLogic, DAL, DataBase-Connectivity
Security over Azure AD (ADAL)
Azure-Configuration:
- Two WebApps (SPA and REST Service)
- One Directory with the above two Web-Apps as Applications
- SPA is allowed to call the REST Service
Security-Configuration of the SPA:
public void ConfigureAuth(IAppBuilder app)
{
    // Validate Azure AD bearer tokens that were issued for this app (Audience = the SPA's App ID URI)
    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            Audience = ConfigurationManager.AppSettings["ida:SPAAudience"],
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
        });
}
...the same for the Web-API (with the WebAPIAudience).
Flow:
- Client (Browser, Internet) -> WebAPI SPA (DMZ) -> REST-Service (Internal)
We cannot use CORS and need the above proxy-like scenario, because the REST-Service is internal.
My Question:
- How can we call the WebAPI REST Service from the SPA with the signed-in user's permissions (from the SPA authentication)?
Thanks for your help!
Peter
Edit: What I've found out so far:
- OAuth2 is using the application identity for authentication (not the user)
What we want to achieve at the end:
- A role based access control (RBAC) on the REST-Service Side
Questions:
Can we use OAuth2 for that purpose (RBAC) or do we need OpenID Connect like in the example: WebApp-GroupClaims-DotNet (Azure AD Example)?
Can we use OAuth2 for calling the REST-Service from the SPA with the application credentials or do we need OpenID Connect like in this example: WebApp-WebAPI-OAuth2-AppIdentity-DotNet (Azure AD Example)?
What is the best practice in this Scenario?
Thanks.
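The middle-tier hop described in the question (Browser -> DMZ WebAPI -> internal REST-Service) can be written so that the internal service receives a token for the signed-in user rather than for the DMZ application. The following is an added example, not code from the question or from the Azure AD samples: an ApiController in the DMZ WebAPI that takes the user's bearer token it already validated through the OWIN configuration above, exchanges it at Azure AD for a token scoped to the REST-Service using ADAL's user-assertion (JWT bearer) grant, and forwards the call with that token. The configuration keys `ida:ClientId`, `ida:AppKey`, `ida:RestServiceResourceId` and `ida:RestServiceBaseAddress`, and the `/api/proxy/orders` route, are assumptions for illustration; the DMZ application must be registered in the same directory with delegated permission to the REST-Service application.

```csharp
// Added example (not from the original post). Assumes OWIN bearer authentication
// is configured as in the question, ADAL (Microsoft.IdentityModel.Clients.ActiveDirectory)
// is referenced, and the app settings named below exist (assumed names).
using System;
using System.Configuration;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

[Authorize] // only requests carrying a valid Azure AD user token for this app get here
public class ProxyController : ApiController
{
    private static readonly string Tenant    = ConfigurationManager.AppSettings["ida:Tenant"];
    private static readonly string ClientId  = ConfigurationManager.AppSettings["ida:ClientId"];   // assumed key
    private static readonly string AppKey    = ConfigurationManager.AppSettings["ida:AppKey"];     // assumed key
    private static readonly string RestResource = ConfigurationManager.AppSettings["ida:RestServiceResourceId"];   // assumed key
    private static readonly string RestBase     = ConfigurationManager.AppSettings["ida:RestServiceBaseAddress"];  // assumed key
    private static readonly string Authority = "https://login.microsoftonline.com/" + Tenant;

    // Exchange the caller's (already validated) access token for a token that names the
    // REST-Service as audience but still carries the user's identity and role claims.
    private async Task<string> AcquireTokenOnBehalfOfUserAsync()
    {
        var incoming = Request.Headers.Authorization;
        if (incoming == null || !string.Equals(incoming.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("No bearer token on the incoming request.");

        var authContext = new AuthenticationContext(Authority);
        var clientCredential = new ClientCredential(ClientId, AppKey);
        var userAssertion = new UserAssertion(incoming.Parameter, "urn:ietf:params:oauth:grant-type:jwt-bearer");

        // ADAL's user-assertion overload performs the on-behalf-of exchange with Azure AD.
        AuthenticationResult result = await authContext.AcquireTokenAsync(RestResource, clientCredential, userAssertion);
        return result.AccessToken;
    }

    // GET api/proxy/orders -> forwards to <RestBase>/api/orders as the signed-in user
    [HttpGet]
    [Route("api/proxy/orders")]
    public async Task<HttpResponseMessage> GetOrders()
    {
        string token = await AcquireTokenOnBehalfOfUserAsync();

        using (var client = new HttpClient())
        {
            var request = new HttpRequestMessage(HttpMethod.Get, RestBase.TrimEnd('/') + "/api/orders");
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

            // The internal service validates this token with its own WebAPIAudience and can
            // apply role-based checks (e.g. [Authorize(Roles = "...")]) to the user's claims.
            HttpResponseMessage response = await client.SendAsync(request);
            return response;
        }
    }
}
```

Because the REST-Service now receives a user token rather than an application token, its existing bearer configuration (with the WebAPIAudience) sees the user's claims, so role-based authorization on that side works against the user instead of against the DMZ application identity.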