Deep Dive on Azure Active Directory for Developersdownload.microsoft.com/download/5/2/8/528501B8-AB83-4F2C-8BE1-4B...Azure Active Directory for Developers ... • Web: WS-Federation,

Deep Dive on

Azure Active Directory

for Developers Jelle Druyts | Premier Field Engineer | Microsoft Services

Agenda

Azure Active Directory for developers

Developing for Azure Active Directory


for Developers

Browser

Native app

Server app

Web application

Web API

Web API

Web API

Today’s Applications

Clients using wide variety of devices/languages/platforms

Server applications using wide variety of platforms/languages

JavaScript

Standard-based, HTTP-based protocols for maximum platform reach

Browser

Native app

Server app

Web application

Web API

Web API

Web API

WS-Federation SAML 2.0

OpenID Connect

OAuth 2.0

OAuth 2.0

OAuth 2.0

OAuth 2.0

Authentication Protocols

JavaScript

OAuth 2.0

What Is Azure Active Directory?


• Cloud-scale identity service

• Supports modern authorization & authentication scenarios

• REST-based Graph API

Reduces or removes custom security implementation

• Authenticating users

• Detecting suspicious activity

• Authorizing users via Groups or Roles (RBAC)

• B2C will allow social and “application local” accounts

Azure Active Directory for Developers

Tokens in Azure AD

Access tokens have a lifetime of 1 hour

• Allows quick revocation of access

Refresh tokens allow silent renewal of the access token

• User does not have to sign in again (as long as access wasn’t revoked)

Refresh token lifetime

• Azure AD accounts: 14 days, sliding up to maximum 90 days

• External accounts (e.g. Microsoft Account): 12 hours

• Can be invalidated, e.g. when user’s password changes

Multi-Resource Refresh Token

• Can be used to get access token to a different service if delegation exists

OAuth 2.0 Access and Refresh Tokens

JSON Web Token (JWT) Base64 URL encoded JSON with optional signature

{ "typ": "JWT", "alg": "RS256" "x5t": "7dD-gec…" }

{ "iss": "http://sts.contoso.com/", "aud": "http://api.contoso.com/", "client": "http://www.contoso.com/", "iat": "1432235632", "exp": "1432239532", "name": "John Doe" "scope": ["read", "write"] }

eyJ0eXAiOiJKV1QiLCJhbGciO.eyJpc3MiOiJodHRwOi8vc3RzbnRc28uY29tI.ZT8zzX6vg9I5HvTm4f8f

Header Claims Signature <dot> <dot>

Token Signing Key

Tokens for all tenants are signed by same key

• Keys published via metadata

• https://login.microsoftonline.com/common/.well-known/openid-configuration

• Keys roll on periodic basis

Applications must handle

• Periodically refreshing keys from metadata

• Handling multiple keys

• Microsoft samples and libraries do this automatically

Ensuring the tokens really come from Azure Active Directory

Registering Applications

Register your application via

• Azure Management Portal

• Visual Studio

• Azure AD REST API’s

Non-admins may register applications by default

• Can be disabled

The management portal only shows a subset of functionality

• Advanced features available via application manifest

• OAuth 2.0 permissions, application roles, group claims, certificates, …

Azure AD must know about your app before it will issue tokens

Application Configuration

All applications

• Name: shown when authenticating/authorizing

• Client ID: GUID of the application in Azure AD

Native client applications (public clients)

• Redirect URI’s: signaling the end of the flow

Web applications and/or Web API’s (confidential clients)

• Sign-On URL: where to send users from the application access portal

• Single- or Multi-Tenant

• Keys

• App ID URI: unique identifier that clients request access to

• Reply URL’s: where to allow tokens to be sent

What Azure AD needs to know about your app

Permissions To Other Applications

Application Permissions

• Access another application as the calling application

Delegated Permissions

• Access another application on behalf of the user

Declaring access to other applications

Consent

Consent can be granted by user or by organization admin

• Stored in Azure AD for web applications

• Stored in the Refresh Token for native applications

Granting permissions to an application

Multi-Tenant Applications

Single tenant application

• App for users in a single organization

• Admin or user registers app in directory tenant

• Sign in at https://login.microsoftonline.com/contoso.com/<protocol>

Multi-tenant application

• App for users in multiple organizations

• Admin or user registers app in developer’s directory tenant

• Admin configures application to be multi-tenant

• Sign in at https://login.microsoftonline.com/common/<protocol>

• User prompted to consent based on permissions required by application

• Consent registers application in user’s tenant

Targeting other organizations

Groups & Roles

Groups (defined in Azure or synchronized from on-premise AD)

• Token contains “groups” claims (must opt-in)

• When there are too many groups, “overage” claim points towards Graph API

• Not all flows support group claims (e.g. not over URL query parameters)

Application Roles

• Application can declare application-specific roles

• Administrator can assign users or groups to roles

• Token then contains “roles” claims

Authorization features for applications

Developing for


Developing For Azure AD

Register your application in Azure AD

• Retrieve Client ID & (optional) Keys

• Configure Redirect URL

• Configure API permissions

Add code to your application for sign in

• Web: WS-Federation, SAML 2.0, OpenID Connect

• Other (native, desktop, server): OAuth 2.0

Add code to your Web API for OAuth 2.0 Bearer Token authorization

And mostly equivalent when using Windows Server 2016 on-premise

Browser

Native app

Server app

Web application

Web API

Web API

Web API


OpenID Connect

OAuth 2.0

OAuth 2.0

OAuth 2.0

OAuth 2.0

Microsoft Security Libraries

JavaScript

OAuth 2.0

OIC-MW

ADAL.JS

ADAL

BT-MW BT-MW

BT-MW

ADAL

ADAL

ADAL

ADAL: Active Directory Authentication

Library

OIC-MW: OpenID Connect

Middleware

BT-MW: Bearer Token Middleware

ADAL

Active Directory Authentication Library

ADAL

• Consistent API across platforms for acquiring tokens

• Pluggable cache for token persistence

• Automatic refresh of Access Tokens using Refresh Tokens

• Works against Azure AD as well as Windows Server

ADAL.JS

• Sign in and bearer token support for JavaScript

• Provides current user info

• Secure Web API invocation via JavaScript/CORS

Acquiring, refreshing & caching tokens


OpenID Connect

Native app

Server app

Web API

Web API

Web API

OAuth 2.0

OAuth 2.0

OAuth 2.0

OAuth 2.0

JavaScript

OAuth 2.0

ADAL.JS

ADAL

BT-MW BT-MW

BT-MW

ADAL

ADAL

ADAL


Library


Middleware


ADAL

Browser Web

application

OIC-MW

Adding Sign-In To ASP.NET

Adding Sign-In To ASP.NET

Use OpenID Connect OWIN Middleware

• “Microsoft.Owin.Security.OpenIdConnect” NuGet package

app.UseOpenIdConnectAuthentication( new OpenIdConnectAuthenticationOptions { ClientId = "187ff6ec-eae0-4376-807d-5ffa3d28645b", Authority = "https://login.microsoftonline.com/contoso.com", } );

[Authorize] public class HomeController : Controller { ... }

OpenID Connect

Native app

Server app

OAuth 2.0

OAuth 2.0

OAuth 2.0

OAuth 2.0

JavaScript

OAuth 2.0

ADAL.JS

ADAL ADAL

ADAL

ADAL


Library


Middleware


ADAL

Browser Web

application


OpenID Connect

OIC-MW

Protecting Web API’s

Web API

Web API BT-MW

BT-MW

Web API BT-MW

Protecting Web API’s

Use Bearer Token OWIN Middleware

• “Microsoft.Owin.Security.ActiveDirectory” NuGet Package

• Automatically acquires signing keys and issuer values

app.UseCors( ... ); // For SPA clients app.UseWindowsAzureActiveDirectoryBearerAuthentication new WindowsAzureActiveDirectoryBearerAuthenticationOptions { TokenValidationParameters = new TokenValidationParameters { ValidAudience = "http://example.org/mywebapi" }, Tenant = "contoso.com" } );

[Authorize] public class ProductController : ApiController { ... }

OAuth 2.0 Bearer Token Authorization

Calling Web API’s

Use Active Directory Authentication Library (ADAL)

• “Microsoft.IdentityModel.Clients.ActiveDirectory” NuGet Package

Retrieve an access token and send it on the “Authorization” HTTP header

var context = new AuthenticationContext( "https://login.microsoftonline.com/contoso.com"); var result = context.AcquireToken( ... ); var client = new HttpClient(); client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);

General pattern

Native app

Server app

Web API

Web API

OAuth 2.0

OAuth 2.0

OAuth 2.0

OAuth 2.0

JavaScript

OAuth 2.0

ADAL.JS

BT-MW

BT-MW

ADAL

ADAL

ADAL


Library


Middleware


ADAL

Browser


OpenID Connect

OIC-MW

Calling Web API’s – Web App

Web API

ADAL

BT-MW

Web application


At OpenID Connect sign-in

• Receive an ID Token + Authorization Code

• Use ADAL to redeem the Authorization Code for an Access + Refresh Token

• Save the tokens in a persistent per-user cache

When you need to access a resource

• Initialize ADAL with the same cache you used earlier

• Ask for the token you need via AcquireTokenSilent

• Upon failure, trigger re-authentication

OpenID Connect (user identity)

new OpenIdConnectAuthenticationOptions { Notifications = new OpenIdConnectAuthenticationNotifications() { AuthorizationCodeReceived = async (context) => { var userTokenCache = GetTokenCacheForUser(context.AuthenticationTicket.Identity); var context = new AuthenticationContext(authority, userTokenCache); var result = await context.AcquireTokenByAuthorizationCodeAsync( ... ); } } }


Call a Web API using the client identity

• Access a resource on behalf of the client application itself

• Not in the context of a particular user

No user interaction required, only client id + secret (“key”)

OAuth 2.0 Client Credentials Grant (client identity)

var context = new AuthenticationContext(aadAuthority); var credential = new ClientCredential(clientId, clientSecret); var authenticationResult = await context.AcquireTokenAsync(resourceId, credential);

Server app

Web API

Web API

OAuth 2.0

OAuth 2.0

OAuth 2.0

OAuth 2.0

JavaScript

OAuth 2.0

ADAL.JS

BT-MW

BT-MW

ADAL

ADAL


Library


Middleware


ADAL

Browser


OpenID Connect

OIC-MW

ADAL

Web application

Native app ADAL

Calling Web API’s – Native Client

Web API BT-MW

Calling Web API’s – Native Client

Native clients (phone, tablet, desktop, …)

• Also registered as an application in Azure AD

• Has a Client ID but cannot have its own credentials

Authentication typically pops up a browser window

• Server-driven sign-in experience (same as web application sign-in)

• Allows consent, MFA, … independently configured of the application

OAuth 2.0 Authorization Code Grant, Public Client

Web API

Web API

OAuth 2.0

OAuth 2.0

OAuth 2.0

OAuth 2.0

JavaScript

OAuth 2.0

ADAL.JS

BT-MW

BT-MW ADAL


Library


Middleware


ADAL

Browser


OpenID Connect

OIC-MW

ADAL

Web application

Native app ADAL

Server app ADAL

Calling Web API’s – Daemon

Web API BT-MW

Calling Web API’s – Daemon

Same as Web App to Web API using client identity

Non-interactive methods depending on the platform

• Kerberos

• Name + Secret (Client ID + Key)

• X509 Certificate

OAuth 2.0 Client Credentials Grant

# Azure PowerShell – Assign a certificate to an Azure AD application service principal $certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate.Import("MyDaemonCertificate.cer") $certificateData = [System.Convert]::ToBase64String($certificate.GetRawCertData()); New-MsolServicePrincipalCredential -AppPrincipalId "e1055105-33b1-46e4-96a8-16d811aceb87" # AAD Application Client ID -Type asymmetric -Usage Verify -Value $certificateData -StartDate $certificate.NotBefore -EndDate $certificate.NotAfter

Web API

Web API

OAuth 2.0

OAuth 2.0

OAuth 2.0

OAuth 2.0

OAuth 2.0 BT-MW

BT-MW ADAL


Library


Middleware


ADAL

Browser


OpenID Connect

OIC-MW

ADAL

Web application

Native app ADAL

Server app ADAL

JavaScript ADAL.JS

Calling Web API’s – SPA

Web API BT-MW

Calling Web API’s – SPA

Enable “oauth2AllowImplicitFlow” in Azure AD Application Manifest

Use Active Directory Authentication Library for JavaScript (ADAL.JS)

• Even easier when using AngularJS

// ADAL configuration adalProvider.init( { instance: "https://login.microsoftonline.com/", tenant: "contoso.com", clientId: "187ff6ec-eae0-4376-807d-5ffa3d28645b" }, $httpProvider); // Route registration $routeProvider.when("/Home", { controller: "homeCtrl", templateUrl: "views/Home.html", requireADLogin: true });

OAuth 2.0 Implicit Flow

Web API

OAuth 2.0

OAuth 2.0

OAuth 2.0

OAuth 2.0

OAuth 2.0

BT-MW ADAL


Library


Middleware


Browser


OpenID Connect

OIC-MW

ADAL

Web application

Native app ADAL

Server app ADAL

JavaScript ADAL.JS

BT-MW Web API

BT-MW ADAL

Calling Web API’s – Web API

Web API

Calling Web API’s – Web API

Acquire a token based on the current authorization token

• Save sign-in token in the bootstrap context

• Acquire token based on user assertion

var context = new AuthenticationContext(authority, userTokenCache); var credential = new ClientCredential(clientId, clientSecret); var userIdentity = (ClaimsIdentity)ClaimsPrincipal.Current.Identity; var bootstrapContext = (BootstrapContext)userIdentity.BootstrapContext; var userAssertion = new UserAssertion(bootstrapContext.Token); var result = await authContext.AcquireTokenAsync( resourceId, credential, userAssertion);

OAuth 2.0 On-Behalf-Of Flow (user identity)

Configuring Tokens

Update the Azure AD Application Manifest

• Update “groupMembershipClaims” to emit group claims

• Add “appRoles” to declare application-specific roles

"groupMembershipClaims": "SecurityGroup"

"appRoles": [ { "allowedMemberTypes": [ "User" ], "description": "Administrators can manage the application", "displayName": "Administrator", "id": "6f7a2ff9-5741-41f6-9476-39286dfbcf8d", "isEnabled": true, "value": "administrator" }, ... ]

Adding groups and roles to claims

Declaring Permissions

Update the Azure AD Application Manifest

• Add permission to “oauth2Permissions”

• Make sure to generate a new GUID for the id

{ "adminConsentDescription": "Allow the application to create todo's on behalf of the signed-in user.", "adminConsentDisplayName": "Create todo's", "id": "5f54c597-8838-4eaf-853c-91cf5b487d1e", "isEnabled": true, "type": "User", "userConsentDescription": "Allow the application to create todo's on your behalf.", "userConsentDisplayName": "Create todo's", "value": "todo_write" }

Allowing clients to request access to only subsets (scopes) of functionality

Requesting Permissions

Update the Azure AD Application Manifest (or use the portal)

• Find the target application id (“resourceAppId”)

• Add the permission id to “requiredResourceAccess”

• The “scope” claim will now contain the permission’s defined “value”

"requiredResourceAccess": [ { "resourceAppId": "93fc871a-3e18-4f2c-b7a5-dcc65efd6384", "resourceAccess": [ { "id": "5f54c597-8838-4eaf-853c-91cf5b487d1d", "type": "Scope" } ] } ]

Getting access to scoped resources

Azure AD Graph API

Use REST API directly or use a client library

• “Microsoft.Azure.ActiveDirectory.GraphClient” NuGet Package

• Optionally use ADAL to get an access token

var client = new ActiveDirectoryClient( new Uri("https://graph.windows.net/contoso.com"), async () => { var context = new AuthenticationContext( ... ); var result = await context.AcquireTokenAsync( ... ); return result.AccessToken; } ); var groups = await client.Groups.Where( ... ).ExecuteAsync();

Interacting with Azure Active Directory

Wrapping Up...

Summary

Develop for a modern cloud-scale identity service

• Serves millions of users/organizations

• Supports most common identity features and protocols

• Security hardened out of the box

• Social and “application local” identities coming in B2C

Develop using open source libraries for all scenarios

• OAuth 2.0 for authorization

• OpenID Connect for authentication

Developing for Azure Active Directory

Resources

Documentation & News

• http://aka.ms/aaddev

• http://aka.ms/aadauthprotocols

• http://blogs.technet.com/b/ad/

Open Source Tools & Samples

• https://github.com/azuread

• https://github.com/azureadsamples

• https://github.com/jelledruyts/identitysamples

What’s next?

Your feedback is important!

Scan the QR Code and let us know via the TechDays App.

Laat ons weten wat u van de sessie vindt via de TechDays App!

Scan de QR Code.

Bent u al lid van de Microsot Virtual Academy?! Op MVA kunt u altijd iets nieuws leren over de laatste technologie van Microsoft. Meld u vandaag aan op de MVA Stand. MVA biedt 7/24 gratis online training on-demand voor IT-Professionals en Ontwikkelaars.

Documents

Deep Dive on Azure Active Directory for Developersdownload.microsoft.com/download/5/2/8/528501B8-AB83-4F2C-8BE1-4B...Azure Active Directory for Developers ... • Web: WS-Federation,