Secure Azure Storage API

Overview

AAD App Registration

  • Decide if you want to allow users to sign in only if they belong to your organization.
  • Request scope permissions. For example, “user.read” scope.
  • Expose the scopes that control access to your web API. These are scopes you define on the API's own app registration, and clients must request them.
  • Share a secret with the Microsoft identity platform that proves the app’s identity.

Generate Code

dotnet new webapi -au SingleOrg -o SecureApi
cd SecureApi
dotnet add package Azure.Identity
dotnet add package Azure.Storage.Blobs
Options:
  -au|--auth   The type of authentication to use
               None          - No authentication
               IndividualB2C - Individual authentication with Azure AD B2C
               SingleOrg     - Organizational authentication for a single tenant
               Windows       - Windows authentication
               Default: None

Develop Code From Local

The plan is to read parameter values from appsettings, including the storage account name and tenant id. You will not want to check all of these values into the code repo.

  • Update .vscode/launch.json, “ASPNETCORE_ENVIRONMENT”: “Local”
  • Add appsettings.Local.json file, and update it with actual values for local development only
  • Leave appsettings.json with place holder values
  • Add appsettings.Local.json file to .gitignore
  • git reset appsettings.Local.json
    (unstages the file so it is neither committed nor pushed to the repo)
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "need to update xyz.onmicrosoft.com",
    "TenantId": "need to update ",
    "ClientId": "need to update ",
    "Scopes": "ToDoList.Read ToDoList.Write",
    "CallbackPath": "/signin-oidc"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
  "AzureStorage": {
    "AcctName": "need to update tbd",
    "ContainerName": "need to update tbd"
  }
}

Customize Code

Add MyBlobFile.cs and remove WeatherForecast.cs:

namespace SecureApi;

public class MyBlobFile
{
    public string? BlobFile { get; set; }
    public DateTimeOffset? LastModified { get; set; }
}
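The post shows the model but not the controller that answers the POST /MyBlobFile call used in the Validation section. The following is an added example, not code from the original post. It assumes the SingleOrg template's Program.cs already wires up AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd")), that the AzureStorage settings above are present, and that the API reads storage with its own identity via DefaultAzureCredential (the developer's az login locally, a managed identity once deployed). The controller name and the empty-name check are assumptions.

```csharp
// Added example: MyBlobFileController.cs (not from the original post).
using Azure.Identity;
using Azure.Storage.Blobs;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Identity.Web.Resource;

namespace SecureApi.Controllers;

[Authorize]                         // caller must present a valid bearer token for this API
[ApiController]
[Route("[controller]")]
// Reject tokens that carry none of the scopes configured under AzureAd:Scopes
// (ToDoList.Read ToDoList.Write in the appsettings shown above).
[RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")]
public class MyBlobFileController : ControllerBase
{
    private readonly BlobContainerClient _container;

    public MyBlobFileController(IConfiguration config)
    {
        // Account and container names come from appsettings.{Environment}.json.
        // The API authenticates to storage with its own identity, not with the
        // caller's token, so the storage permission it holds is the ceiling of
        // what any caller can reach through it (assumption: Storage Blob Data
        // Reader on the container is enough for this read-only endpoint).
        var acctName = config["AzureStorage:AcctName"];
        var containerName = config["AzureStorage:ContainerName"];
        var serviceClient = new BlobServiceClient(
            new Uri($"https://{acctName}.blob.core.windows.net"),
            new DefaultAzureCredential());
        _container = serviceClient.GetBlobContainerClient(containerName);
    }

    // POST /MyBlobFile  { "blobFile": "dummy.txt" }  -> the blob's text content
    [HttpPost]
    public async Task<ActionResult<string>> Post([FromBody] MyBlobFile request)
    {
        if (string.IsNullOrWhiteSpace(request.BlobFile))
            return BadRequest("blobFile is required");

        var blob = _container.GetBlobClient(request.BlobFile);
        if (!await blob.ExistsAsync())
            return NotFound();

        // DownloadContentAsync buffers the blob; fine for small text files.
        var download = await blob.DownloadContentAsync();
        request.LastModified = download.Value.Details.LastModified;
        return Ok(download.Value.Content.ToString());
    }
}
```

With this in place, a request without a token gets 401 from the JWT bearer middleware, a token for this API without either scope gets 403 from RequiredScope, and only a token that passes both reaches the storage call.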

Validation

Sign in requesting the API's scopes, obtain an access token, and inspect its claims before calling the API:

C:\WINDOWS\system32>az login --scope api://<api service app registration client id>/ToDoList.Read api://<api service app registration client id>/ToDoList.Write
C:\WINDOWS\system32>az account get-access-token --scope "api://<api service app registration client id>/ToDoList.Read api://<api service app registration client id>/ToDoList.Write"
{
"accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs....",
"expiresOn": "2022-06-10 23:53:19.000000",
"subscription": "24c9c37c-bf59-4b84-907c-43819602e881",
"tenant": "9b2ec8d7-37b8-4aac-acd2-9ed0acfb1c5a",
"tokenType": "Bearer"
}
Decoded payload of the access token (abridged):
{
"aud": "api service app registration client id",
"iss": "https://login.microsoftonline.com/<tenant id>/v2.0",
...
"scp": "ToDoList.Read ToDoList.Write",
...
"ver": "2.0"
}
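The decoded claims above are what the API checks: aud must be this API's app registration, iss this tenant's v2.0 issuer, and scp must carry a configured scope. The snippet below is an added example, not from the original post, for inspecting those claims locally when a call comes back 401 or 403. It only decodes the payload; it does not validate the signature, which remains the job of Microsoft.Identity.Web inside the API. The class name and the sample token are constructed for illustration.

```csharp
// Added example: decode and sanity-check access-token claims (not from the original post).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

public static class TokenInspector
{
    // JWT segments are base64url without padding: restore the standard alphabet and padding.
    private static byte[] Base64UrlDecode(string segment)
    {
        var s = segment.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
        }
        return Convert.FromBase64String(s);
    }

    // Returns the JSON payload (second segment) of a compact JWS.
    public static JsonDocument Payload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("not a compact JWS (expected header.payload.signature)");
        return JsonDocument.Parse(Base64UrlDecode(parts[1]));
    }

    // Lists the reasons the API would reject this token; empty means the claims look right.
    public static List<string> Check(string jwt, string apiClientId, string tenantId, string requiredScope)
    {
        var problems = new List<string>();
        using var doc = Payload(jwt);
        var claims = doc.RootElement;

        // v2.0 tokens carry the API's client id as aud (as in the decoded token above).
        if (!claims.TryGetProperty("aud", out var aud) || aud.GetString() != apiClientId)
            problems.Add("aud is not this API's client id");

        var expectedIss = $"https://login.microsoftonline.com/{tenantId}/v2.0";
        if (!claims.TryGetProperty("iss", out var iss) || iss.GetString() != expectedIss)
            problems.Add("iss is not this tenant's v2.0 issuer");

        // scp is a space-separated list of delegated scopes granted to the caller.
        var scopes = claims.TryGetProperty("scp", out var scp)
            ? (scp.GetString() ?? string.Empty).Split(' ', StringSplitOptions.RemoveEmptyEntries)
            : Array.Empty<string>();
        if (!scopes.Contains(requiredScope))
            problems.Add($"scp does not include {requiredScope}");

        return problems;
    }

    public static void Main()
    {
        // Constructed token: unsigned, payload only, for demonstration (placeholders, not real ids).
        var payload = "{\"aud\":\"<api client id>\",\"iss\":\"https://login.microsoftonline.com/<tenant id>/v2.0\",\"scp\":\"ToDoList.Read ToDoList.Write\",\"ver\":\"2.0\"}";
        var payloadB64 = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(payload))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        var token = $"eyJhbGciOiJub25lIn0.{payloadB64}.";

        foreach (var p in Check(token, "<api client id>", "<tenant id>", "ToDoList.Read"))
            Console.WriteLine("problem: " + p);
        Console.WriteLine("checked " + Check(token, "<api client id>", "<tenant id>", "ToDoList.Read").Count + " problem(s)");
    }
}
```

Paste the accessToken value from az account get-access-token into Check with your API's client id and tenant id; a wrong aud usually means az login was run without the api://.../ToDoList.* scopes, and a missing scp means the scope was never consented for the calling client.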
$ curl -k -X 'POST' 'https://localhost:7249/MyBlobFile' -H 'accept: text/plain' -H 'Content-Type: application/json' -H 'Authorization: bearer eyJ0eXAiOiJKV1Q....' -d '{ "blobFile": "dummy.txt" }'
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 45 100 18 100 27 1 1 0:00:27 0:00:14 0:00:13 4
dummy file line #1

Conclusion

Securing an API with the Microsoft identity platform requires almost no coding. In the next blog, we will add Angular UI code to sign in the user and call the secured API.

