Deep Dive on Azure Active Directory for Developers. Jelle Druyts Premier Field Engineer Microsoft Services

Transcription

1

2 Deep Dive on Azure Active Directory for Developers Jelle Druyts Premier Field Engineer Microsoft Services

3 Agenda Azure Active Directory for developers Developing for Azure Active Directory

4 Azure Active Directory for Developers

5 Today s Applications Browser JavaScript Web application Native app Server app Clients using wide variety of devices/languages/platforms Server applications using wide variety of platforms/languages

6 Authentication Protocols Browser JavaScript WS-Federation SAML 2.0 OpenID Connect Web application Native app Server app Standard-based, HTTP-based protocols for maximum platform reach

7 What Is Azure Active Directory? Azure Active Directory for Developers Azure Active Directory Cloud-scale identity service Supports modern authorization & authentication scenarios REST-based Graph API Reduces or removes custom security implementation Authenticating users Detecting suspicious activity Authorizing users via Groups or Roles (RBAC) B2C will allow social and application local accounts

8 Tokens in Azure AD Access and Refresh Tokens Access tokens have a lifetime of 1 hour Allows quick revocation of access Refresh tokens allow silent renewal of the access token User does not have to sign in again (as long as access wasn t revoked) Refresh token lifetime Azure AD accounts: 14 days, sliding up to maximum 90 days External accounts (e.g. Microsoft Account): 12 hours Can be invalidated, e.g. when user s password changes Multi-Resource Refresh Token Can be used to get access token to a different service if delegation exists

9 JSON Web Token (JWT) Base64 URL encoded JSON with optional signature eyj0exaioijkv1qilcjhbgcio.eyjpc3mioijodhrwoi8vc3rzbnrc28uy29ti.zt8zzx6vg9i5hvtm4f8f Header <dot> Claims <dot> Signature { } "typ": "JWT", "alg": "RS256" "x5t": "7dD-gec " { } "iss": " "aud": " "client": " "iat": " ", "exp": " ", "name": "John Doe" "scope": ["read", "write"]

10 Token Signing Key Ensuring the tokens really come from Azure Active Directory Tokens for all tenants are signed by same key Keys published via metadata Keys roll on periodic basis Applications must handle Periodically refreshing keys from metadata Handling multiple keys Microsoft samples and libraries do this automatically

11 Registering Applications Azure AD must know about your app before it will issue tokens Register your application via Azure Management Portal Visual Studio Azure AD REST API s Non-admins may register applications by default Can be disabled The management portal only shows a subset of functionality Advanced features available via application manifest permissions, application roles, group claims, certificates,

12 Application Configuration What Azure AD needs to know about your app All applications Name: shown when authenticating/authorizing Client ID: GUID of the application in Azure AD Native client applications (public clients) Redirect URI s: signaling the end of the flow Web applications and/or s (confidential clients) Sign-On URL: where to send users from the application access portal Single- or Multi-Tenant Keys App ID URI: unique identifier that clients request access to Reply URL s: where to allow tokens to be sent

13 Permissions To Other Applications Declaring access to other applications Application Permissions Access another application as the calling application Delegated Permissions Access another application on behalf of the user

14 Consent Granting permissions to an application Consent can be granted by user or by organization admin Stored in Azure AD for web applications Stored in the Refresh Token for native applications

15 Multi-Tenant Applications Targeting other organizations Single tenant application App for users in a single organization Admin or user registers app in directory tenant Sign in at Multi-tenant application App for users in multiple organizations Admin or user registers app in developer s directory tenant Admin configures application to be multi-tenant Sign in at User prompted to consent based on permissions required by application Consent registers application in user s tenant

16 Groups & Roles Authorization features for applications Groups (defined in Azure or synchronized from on-premise AD) Token contains groups claims (must opt-in) When there are too many groups, overage claim points towards Graph API Not all flows support group claims (e.g. not over URL query parameters) Application Roles Application can declare application-specific roles Administrator can assign users or groups to roles Token then contains roles claims

17 Developing for Azure Active Directory

18 Developing For Azure AD And mostly equivalent when using Windows Server 2016 on-premise Register your application in Azure AD Retrieve Client ID & (optional) Keys Configure Redirect URL Configure API permissions Add code to your application for sign in Web: WS-Federation, SAML 2.0, OpenID Connect Other (native, desktop, server): Add code to your for Bearer Token authorization

19 Microsoft Security Libraries Browser JavaScript.JS Native app Server app WS-Federation SAML 2.0 OpenID Connect OIC-MW Web application OIC-MW: OpenID Connect Middleware : Bearer Token Middleware : Active Directory Authentication Library

20 Active Directory Authentication Library Acquiring, refreshing & caching tokens Consistent API across platforms for acquiring tokens Pluggable cache for token persistence Automatic refresh of Access Tokens using Refresh Tokens Works against Azure AD as well as Windows Server.JS Sign in and bearer token support for JavaScript Provides current user info Secure invocation via JavaScript/CORS

21 Adding Sign-In To ASP.NET Browser JavaScript.JS Native app Server app WS-Federation SAML 2.0 OpenID Connect OIC-MW Web application OIC-MW: OpenID Connect Middleware : Bearer Token Middleware : Active Directory Authentication Library

22 Adding Sign-In To ASP.NET OpenID Connect Use OpenID Connect OWIN Middleware Microsoft.Owin.Security.OpenIdConnect NuGet package app.useopenidconnectauthentication( new OpenIdConnectAuthenticationOptions { ClientId = "187ff6ec-eae d-5ffa3d28645b", Authority = " } ); [Authorize] public class HomeController : Controller {... }

23 Protecting s Browser JavaScript.JS Native app Server app WS-Federation SAML 2.0 OpenID Connect OIC-MW Web application OIC-MW: OpenID Connect Middleware : Bearer Token Middleware : Active Directory Authentication Library

24 Protecting s Bearer Token Authorization Use Bearer Token OWIN Middleware Microsoft.Owin.Security.ActiveDirectory NuGet Package Automatically acquires signing keys and issuer values app.usecors(... ); // For SPA clients app.usewindowsazureactivedirectorybearerauthentication new WindowsAzureActiveDirectoryBearerAuthenticationOptions { TokenValidationParameters = new TokenValidationParameters { ValidAudience = " }, Tenant = "contoso.com" } ); [Authorize] public class ProductController : ApiController {... }

25 Calling s General pattern Use Active Directory Authentication Library () Microsoft.IdentityModel.Clients.ActiveDirectory NuGet Package Retrieve an access token and send it on the Authorization HTTP header var context = new AuthenticationContext( " var result = context.acquiretoken(... ); var client = new HttpClient(); client.defaultrequestheaders.authorization = new AuthenticationHeaderValue("Bearer", result.accesstoken);

26 Calling s Web App Browser JavaScript.JS Native app Server app WS-Federation SAML 2.0 OpenID Connect OIC-MW Web application OIC-MW: OpenID Connect Middleware : Bearer Token Middleware : Active Directory Authentication Library

27 Calling s Web App OpenID Connect (user identity) At OpenID Connect sign-in Receive an ID Token + Authorization Code Use to redeem the Authorization Code for an Access + Refresh Token Save the tokens in a persistent per-user cache When you need to access a resource Initialize with the same cache you used earlier Ask for the token you need via AcquireTokenSilent Upon failure, trigger re-authentication new OpenIdConnectAuthenticationOptions { Notifications = new OpenIdConnectAuthenticationNotifications() { AuthorizationCodeReceived = async (context) => { var usertokencache = GetTokenCacheForUser(context.AuthenticationTicket.Identity); var context = new AuthenticationContext(authority, usertokencache); var result = await context.acquiretokenbyauthorizationcodeasync(... ); } } }

28 Calling s Web App Client Credentials Grant (client identity) Call a using the client identity Access a resource on behalf of the client application itself Not in the context of a particular user No user interaction required, only client id + secret ( key ) var context = new AuthenticationContext(aadAuthority); var credential = new ClientCredential(clientId, clientsecret); var authenticationresult = await context.acquiretokenasync(resourceid, credential);

29 Calling s Native Client Browser JavaScript.JS Native app Server app WS-Federation SAML 2.0 OpenID Connect OIC-MW Web application OIC-MW: OpenID Connect Middleware : Bearer Token Middleware : Active Directory Authentication Library

30 Calling s Native Client Authorization Code Grant, Public Client Native clients (phone, tablet, desktop, ) Also registered as an application in Azure AD Has a Client ID but cannot have its own credentials Authentication typically pops up a browser window Server-driven sign-in experience (same as web application sign-in) Allows consent, MFA, independently configured of the application

31 Calling s Daemon Browser JavaScript.JS Native app Server app WS-Federation SAML 2.0 OpenID Connect OIC-MW Web application OIC-MW: OpenID Connect Middleware : Bearer Token Middleware : Active Directory Authentication Library

32 Calling s Daemon Client Credentials Grant Same as Web App to using client identity Non-interactive methods depending on the platform Kerberos Name + Secret (Client ID + Key) X509 Certificate # Azure PowerShell Assign a certificate to an Azure AD application service principal $certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate.import("mydaemoncertificate.cer") $certificatedata = [System.Convert]::ToBase64String($certificate.GetRawCertData()); New-MsolServicePrincipalCredential -AppPrincipalId "e b1-46e4-96a8-16d811aceb87" # AAD Application Client ID -Type asymmetric -Usage Verify -Value $certificatedata -StartDate $certificate.notbefore -EndDate $certificate.notafter

33 Calling s SPA Browser JavaScript.JS Native app Server app WS-Federation SAML 2.0 OpenID Connect OIC-MW Web application OIC-MW: OpenID Connect Middleware : Bearer Token Middleware : Active Directory Authentication Library

34 Calling s SPA Implicit Flow Enable oauth2allowimplicitflow in Azure AD Application Manifest Use Active Directory Authentication Library for JavaScript (.JS) Even easier when using AngularJS // configuration adalprovider.init( { instance: " tenant: "contoso.com", clientid: "187ff6ec-eae d-5ffa3d28645b" }, $httpprovider); // Route registration $routeprovider.when("/home", { controller: "homectrl", templateurl: "views/home.html", requireadlogin: true });

35 Calling s Browser JavaScript.JS Native app Server app WS-Federation SAML 2.0 OpenID Connect OIC-MW Web application OIC-MW: OpenID Connect Middleware : Bearer Token Middleware : Active Directory Authentication Library

36 Calling s On-Behalf-Of Flow (user identity) Acquire a token based on the current authorization token Save sign-in token in the bootstrap context Acquire token based on user assertion var context = new AuthenticationContext(authority, usertokencache); var credential = new ClientCredential(clientId, clientsecret); var useridentity = (ClaimsIdentity)ClaimsPrincipal.Current.Identity; var bootstrapcontext = (BootstrapContext)userIdentity.BootstrapContext; var userassertion = new UserAssertion(bootstrapContext.Token); var result = await authcontext.acquiretokenasync( resourceid, credential, userassertion);

37 Configuring Tokens Adding groups and roles to claims Update the Azure AD Application Manifest Update groupmembershipclaims to emit group claims Add approles to declare application-specific roles "groupmembershipclaims": "SecurityGroup" "approles": [ { "allowedmembertypes": [ "User" ], "description": "Administrators can manage the application", "displayname": "Administrator", "id": "6f7a2ff f dfbcf8d", "isenabled": true, "value": "administrator" },... ]

38 Declaring Permissions Allowing clients to request access to only subsets (scopes) of functionality Update the Azure AD Application Manifest Add permission to oauth2permissions Make sure to generate a new GUID for the id { } "adminconsentdescription": "Allow the application to create todo's on behalf of the signed-in user.", "adminconsentdisplayname": "Create todo's", "id": "5f54c eaf-853c-91cf5b487d1e", "isenabled": true, "type": "User", "userconsentdescription": "Allow the application to create todo's on your behalf.", "userconsentdisplayname": "Create todo's", "value": "todo_write"

39 Requesting Permissions Getting access to scoped resources Update the Azure AD Application Manifest (or use the portal) Find the target application id ( resourceappid ) Add the permission id to requiredresourceaccess The scope claim will now contain the permission s defined value "requiredresourceaccess": [ { "resourceappid": "93fc871a-3e18-4f2c-b7a5-dcc65efd6384", "resourceaccess": [ { "id": "5f54c eaf-853c-91cf5b487d1d", "type": "Scope" } ] } ]

40 Azure AD Graph API Interacting with Azure Active Directory Use REST API directly or use a client library Microsoft.Azure.ActiveDirectory.GraphClient NuGet Package Optionally use to get an access token var client = new ActiveDirectoryClient( new Uri(" async () => { var context = new AuthenticationContext(... ); var result = await context.acquiretokenasync(... ); return result.accesstoken; } ); var groups = await client.groups.where(... ).ExecuteAsync();

41 Wrapping Up...

42 Summary Developing for Azure Active Directory Develop for a modern cloud-scale identity service Serves millions of users/organizations Supports most common identity features and protocols Security hardened out of the box Social and application local identities coming in B2C Develop using open source libraries for all scenarios for authorization OpenID Connect for authentication

43 Resources What s next? Documentation & News Open Source Tools & Samples

44 Your feedback is important! Scan the QR Code and let us know via the TechDays App. Laat ons weten wat u van de sessie vindt via de TechDays App! Scan de QR Code. Bent u al lid van de Microsot Virtual Academy?! Op MVA kunt u altijd iets nieuws leren over de laatste technologie van Microsoft. Meld u vandaag aan op de MVA Stand. MVA biedt 7/24 gratis online training on-demand voor IT- Professionals en Ontwikkelaars.

45