Microsoft-identity-web: [Feature Request] Detect and support Easy Auth

Created on 18 Feb 2020  路  5Comments  路  Source: AzureAD/microsoft-identity-web

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [x ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

The issue was found for the following scenario:

Please add an 'x' for the scenario(s) where you found an issue

  1. Web app that signs in users

    1. [ x] with a work and school account in your organization: 1-WebApp-OIDC/1-1-MyOrg

    2. [ x] with any work and school account: /1-WebApp-OIDC/1-2-AnyOrg

    3. [ x] with any work or school account or Microsoft personal account: 1-WebApp-OIDC/1-3-AnyOrgOrPersonal

    4. [x ] with users in National or sovereign clouds 1-WebApp-OIDC/1-4-Sovereign

    5. [ ] with B2C users 1-WebApp-OIDC/1-5-B2C

  2. Web app that calls Microsoft Graph

    1. [ x] Calling graph with the Microsoft Graph SDK: 2-WebApp-graph-user/2-1-Call-MSGraph

    2. [ ] With specific token caches: 2-WebApp-graph-user/2-2-TokenCache

    3. [ ] Calling Microsoft Graph in national clouds: 2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph

  3. [ ] Web app calling several APIs 3-WebApp-multi-APIs
  4. [ ] Web app calling your own Web API 4-WebApp-your-API
  5. Web app restricting users

    1. [ ] by Roles: 5-WebApp-AuthZ/5-1-Roles

    2. [ ] by Groups: 5-WebApp-AuthZ/5-2-Groups

  6. [ ] Deployment to Azure
  7. [ ] Other (please describe)

Repro-ing the issue

Repro steps

Enable AAD authentication with Easy Auth (on an App Service). See https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-auth-aad

Expected behavior

  • The Web App should sign-in the user that was authenticated with Easy Auth (by using the X-MS-TOKEN-AAD-ID-TOKEN, and possibly X-MS-TOKEN-PRINCIPAL-NAME
  • The Web App should be able to call any Web Apis from the refresh token provided by Easy Auth (using MSAL.NET AcquireTokenByRefreshToken)

Actual behavior

Does not work as 2 validations occur

Possible Solution

Additional context/ Error codes / Screenshots

Open question
How to validate the refresh token? we could validate the Access token and require both ...

enhancement fixed azure

All 5 comments

How to handle if both easy auth and asp.net/asp.net core handlers are setup to provide AuthN?

I just found out that ASP.NET Core has a UseAzureAppServices() feature (which is not very well documented)

https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.hosting.appserviceswebhostbuilderextensions.useazureappservices?view=aspnetcore-3.0

I looked at UseAzureAppServices() and it's only for logging (cc: @navyasric)

See also http://jsandersblog.azurewebsites.net/2020/01/17/easy-auth-using-x-ms-token-aad-access-token-as-a-bearer-token/

Included in 1.2.0 release.

Was this page helpful?
0 / 5 - 0 ratings