Authentication in Micro services using Azure AD


#1

Hi,

I’m a bit confused. Basically I have a React JS front-end application, then an API gateway and multiple micro services, one of which is the identity micro service. What is the best practice for the authentication process? I need the user to sign in via a Microsoft account, generate a token, etc., and then verify in the DB of the identity micro service that the user exists and has permissions to use the system.

https://www.nubo.eu/How-do-I-authenticate-against-Azure-AD-using-React-SPA-and-ASP-NET-Core/ I found this, but I don’t know if it is the best practice to do the authentication process in React JS and then pass the token to the APIs, or whether the implementation of the authentication against Microsoft AD needs to be done in the identity micro service?


#2

Hello Brandon!
Since you are working with a SPA, you have to use the Implicit Grant type.
I have answered a question just like this one on Stack Overflow. You can find the answer for Single Page Applications in the comments.
Which grant type to use


#3

Thanks, I saw your comment, but mine is different as I’m not using Razor Pages that run on the server side; it is a stand-alone React JS UI.


#4

In the comments it says you should use the Implicit Grant type.

Summary

  • The identity micro service needs to redirect to AzureAD.
  • You need the Implicit Grant type.
  • The authentication process happens on a login page on Azure AD OR on a web client that is implemented on the server side. You NEVER implement login pages on single page applications; you always redirect to a server-side web page.

Authentication
The identity micro service needs to treat AzureAD as an external provider and redirect your user to the login page that AzureAD offers. If this is the only way to log in, you always do this redirect to the external provider; otherwise you can show the login page of the identity provider service with an option to use the Microsoft account.
AzureAD will then validate that the username/email and password exist and redirect back to your identity provider, which will in turn redirect back to the web page. The bearer token will be delivered with the redirection.
The bearer token is valid for a limited time, so you also need to implement a refresh mechanism; you can implement this later.
All micro services that are registered to the identity provider in their “Startup.cs” class will be able to authorize the validity of the bearer token against it.
When your web page calls any micro service that implements the [Authorize] tag in the header, that micro service will validate the bearer token with the identity provider, assuming it is registered with the Identity Provider (I would use IdentityServer 4).

I hope this helps
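The resource-side half of what #4 describes, as an added example (not code from this thread, from IdentityServer or from the Azure AD docs): one micro service registers the identity provider in its `Startup.cs` so that every request carrying a bearer token is validated against that provider, and a controller action is protected with `[Authorize]`. The identity provider URL, the audience name `orders-api` and the `permission` claim are assumed placeholders.

```csharp
// Startup.cs of one resource micro service (ASP.NET Core 3.x layout).
// Added example; the authority URL, audience and claim names are placeholders.
using System;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Placeholder: the identity micro service that issues the bearer tokens.
                // The handler downloads its discovery document and signing keys from here,
                // so the token signature is checked against keys the provider publishes.
                options.Authority = "https://identity.example.internal";

                // Placeholder: the audience this service expects in the token's "aud" claim.
                // A token minted for a different micro service is rejected here.
                options.Audience = "orders-api";

                // Never accept discovery metadata over plain HTTP.
                options.RequireHttpsMetadata = true;

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,            // "iss" must match the authority
                    ValidateAudience = true,          // "aud" must match options.Audience
                    ValidateLifetime = true,          // reject expired / not-yet-valid tokens
                    ValidateIssuerSigningKey = true,  // signature must verify with a published key
                    ClockSkew = TimeSpan.FromMinutes(1),
                };
            });

        services.AddAuthorization(options =>
        {
            // Placeholder policy: the identity micro service is assumed to put the
            // user's permissions into a "permission" claim when it issues the token.
            options.AddPolicy("CanReadOrders", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireClaim("permission", "orders.read"));
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();
        app.UseAuthentication();   // validates the bearer token on each request
        app.UseAuthorization();    // enforces [Authorize] and the policies above
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// A protected endpoint: requests without a valid token get 401,
// valid tokens lacking the "orders.read" permission get 403.
[ApiController]
[Route("api/[controller]")]
public class OrdersController : ControllerBase
{
    [HttpGet]
    [Authorize(Policy = "CanReadOrders")]
    public IActionResult Get()
    {
        // Subject id from the token; the handler may map "sub" to NameIdentifier.
        var subject = User.FindFirst("sub")?.Value
                      ?? User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        return Ok(new { user = subject, orders = Array.Empty<string>() });
    }
}
```

The point of setting `Audience` and `ValidateIssuerSigningKey` explicitly is that the micro service does not trust a token merely because it parses as a JWT: the issuer, the intended recipient, the lifetime and the signature are all checked against what the identity provider publishes, and the permission check from #1 becomes a claim the provider puts in the token rather than a database lookup each service has to repeat.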


#5

Thanks @DocRamirez, now I have a better idea and understand it better!