
I'm trying to establish whether it's possible to make use of various authentication mechanisms in our web API. The two we are looking at are:

  • Auth against db using username and password (current implementation)
  • Auth against Azure AD

The thing I'm struggling to get my head around is:

  • How do I configure both? In other words, how do I know which mechanisms to use in the API?
  • Secondly, how do I make use of a different ida:ClientId (Azure AD Auth) during run-time (multi-tenant site)?

Many thanks in advance!

Richard Bailey
  • Did you mean the web API provides a login page for the db and Azure AD account? Or the web API can accept both the token and username/password for the authentication? – Fei Xue Jun 29 '17 at 07:54
  • @FeiXue-MSFT no, the API does not provide a login page. The front-end (angularjs) would present a login page. That login page would basically state, do you want to log in with x or y. The API should then handle the auth and dish out the token to the calling client. But like I said, I'm trying to get my head around this - so chances are good I do not understand the process – Richard Bailey Jun 29 '17 at 08:06
  • The client id will always be same no matter which tenant is using the API. It's the identifier for the original app registration in your tenant. – juunas Jun 29 '17 at 08:11
  • @juunas many thanks for the response. You're telling me that if I register the app in my Azure AD, and another subscription of Azure registers the same app in their AD, the `ClientId` is kinda irrelevant? Did I understand correctly? – Richard Bailey Jun 29 '17 at 08:21
  • Yes, an administrator on their side must give consent to the app, and then a service principal corresponding to the app is created in their directory. But the app will always remain in the directory where it was created. So the client id is always the same. What is different in multi-tenant though is the *tenant id* in the access token's claims. Issuer validation is also a bit different in multi-tenant scenarios. – juunas Jun 29 '17 at 08:25
  • My answer linked below might help with the multiple authentication methods, but you can add multiple filters into the API pipeline that try and perform authentication. https://stackoverflow.com/questions/31740224/asp-net-web-api-set-custom-iidentity-or-iprincipal/31743422#31743422 – Craig H Jun 29 '17 at 08:35
  • @juunas holy smokes ... that makes a lot more sense. Thanks! – Richard Bailey Jun 29 '17 at 08:43
  • @CraigH thanks, will check it out – Richard Bailey Jun 29 '17 at 08:44

1 Answer

We can add multiple authentication middleware directly in the web API project. To add authentication using Azure AD, we can use Microsoft.Owin.Security.ActiveDirectory. And here is the code that supports both the individual and Azure AD accounts, for your reference:

using System;
using System.Configuration;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.ActiveDirectory;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }
    public static string PublicClientId { get; private set; }

    public void ConfigureAuth(IAppBuilder app)
    {
        // Configure the db context and user manager to use a single instance per request
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        // Enable the application to use a cookie to store information for the signed in user
        // and to use a cookie to temporarily store information about a user logging in with a third party login provider
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        // Configure the application for OAuth based flow (local accounts: /Token issues the bearer tokens)
        PublicClientId = "self";
        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider(PublicClientId),
            AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
            // In production mode set AllowInsecureHttp = false
            AllowInsecureHttp = true
        };

        // Enable the application to use bearer tokens issued by the local authorization server
        app.UseOAuthBearerTokens(OAuthOptions);

        // Also accept bearer tokens issued by Azure AD for the configured tenant and audience
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Audience = ConfigurationManager.AppSettings["ida:Audience"],
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
            });
    }
}

To authenticate the local account, we can get the access token from the authorization server built with the web API project. And for the Azure AD account, we need to get the token from Azure AD.

How do I configure both. In other words, know which mechanisms to use in the API

In the front-end application, you should also provide a button to log in with Azure AD, then acquire the access token from Azure AD. Then you can call the web API using this access token, as with the individual accounts.

Secondly, how do I make use of a different ida:ClientId (Azure AD Auth) during run-time (multi tenant site)

If you want to develop a multi-tenant site, when you register the web app/API app on Azure AD, you need to enable Multi-tenanted. And replace the tenant in the authorization/token endpoint with common. After that, the users from other tenants can log in to your app. For more detail about multi-tenant development, you can refer to the link below:

How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern

Fei Xue
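Both the comment thread on the question (issuer validation is different in multi-tenant scenarios) and the answer's advice to replace the tenant with common leave one step implicit: with Tenant = "common" the Azure AD bearer middleware can no longer pin the token issuer to your own tenant, so the API has to decide for itself which tenant ids it trusts, or any Azure AD tenant's token is accepted. The following is an added example and not code from the question, the answer or Microsoft's samples; it assumes a hypothetical Startup.ConfigureAzureAdBearer method, a constructed tenant allowlist, the ida:Audience setting from the answer, and the IssuerValidator hook on System.IdentityModel.Tokens.TokenValidationParameters.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.IdentityModel.Tokens;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public partial class Startup
{
    // Hypothetical allowlist of tenant ids whose admins have consented to the app
    // (constructed sample values; a real API would load them from its tenant store).
    static readonly HashSet<string> AllowedTenants = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222",
    };
    public void ConfigureAzureAdBearer(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                // "common" loads the multi-tenant signing keys, but the middleware can then
                // no longer pin the issuer to a single tenant, so we validate it ourselves.
                Tenant = "common",
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidAudience = ConfigurationManager.AppSettings["ida:Audience"],
                    ValidateIssuer = true,
                    IssuerValidator = ValidateTenantIssuer,
                },
            });
    }
    // Accepts "https://sts.windows.net/{tid}/" (v1) and "https://login.microsoftonline.com/{tid}/v2.0"
    // (v2) issuers only when {tid} is on the allowlist; every other issuer is rejected.
    internal static string ValidateTenantIssuer(string issuer, SecurityToken token, TokenValidationParameters p)
    {
        string tenantId = ExtractTenantId(issuer);
        if (tenantId != null && AllowedTenants.Contains(tenantId))
            return issuer;  // returning the issuer tells the validator it is acceptable
        throw new SecurityTokenInvalidIssuerException("Token issued by a tenant that has not onboarded: " + issuer);
    }
    internal static string ExtractTenantId(string issuer)
    {
        if (!Uri.TryCreate(issuer, UriKind.Absolute, out var uri) || uri.Scheme != Uri.UriSchemeHttps) return null;
        if (uri.Host != "sts.windows.net" && uri.Host != "login.microsoftonline.com") return null;
        string[] segments = uri.AbsolutePath.Trim('/').Split('/');
        return segments.Length > 0 && Guid.TryParse(segments[0], out var tid) ? tid.ToString() : null;
    }
}
```

The rejected-issuer exception surfaces as a 401 from the bearer middleware, so a token from a tenant that never consented is turned away before any controller runs.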