HowTo: Call from SPA (AngularJS based, Azure AD Pr

2019-06-03 06:37发布

Hy All

We have the following Scenario:

Azure-Configuration:

  • Two WebApps (SPA and REST Service)
  • One Directory with the above two Web-Apps as Applications
  • SPA is allowed to call the REST Service

Security-Configuration of the SPA:

        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Audience = ConfigurationManager.AppSettings["ida:SPAAudience"],
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
            });
    }

...the same for the Web-API (with the WebAPIAudience).

Flow:

  • Client (Browser, Internet) -> WebAPI SPA (DMZ) -> REST-Service (Internal)

We cannot use Cors and need the above proxy-like Scenario, because the REST-Service is internal.

My Question:

  • How can we call the WebAPI REST Service from the SPA with the signed-in user's permissions (from the SPA Authentification)?

Thanks for your help!

Peter

Edit: What I've found out so far:

  • Oauth2 is using the application identity for Authentication (not the User)

What we want to achieve at the end:

  • A role based access control (RBAC) on the REST-Service Side

Questions:

  • Can we use Oauth2 for that purpose (RBAC) or do we need OpenID Connect like in the example: WebApp-GroupClaims-DotNet (Azure AD Example)

  • Can we use Oauth2 for calling the REST-Service from the SPA with the Application credentials or do we need OpenID Connect like in this example: WebApp-WebAPI-OAuth2-AppIdentity-DotNet (Azure AD Example)

  • What is the best practice in this Scenario?

Thanks.

0条回答
登录 后发表回答