Add authorization to App API

jmprieur · jmprieur · commit 905bbee5ffc7 · 2019-06-12T17:23:32.000+02:00
diff --git a/articles/active-directory/develop/TOC.yml b/articles/active-directory/develop/TOC.yml
@@ -139,6 +139,8 @@
           href: scenario-protected-web-api-app-registration.md
         - name: Code configuration
           href: scenario-protected-web-api-app-configuration.md
+          name: Verification of scopes or app roles
+          href: scenario-protected-web-api-verification-scope-app-roles.md
         - name: Move to production
           href: scenario-protected-web-api-production.md
       - name: Web API that calls web APIs
diff --git a/articles/active-directory/develop/scenario-protected-web-api-app-configuration.md b/articles/active-directory/develop/scenario-protected-web-api-app-configuration.md
@@ -156,4 +156,4 @@ The validators are all associated with properties of the `TokenValidationParamet
 ## Next steps
 
 > [!div class="nextstepaction"]
-> [Move to production](scenario-protected-web-api-production.md)
+> [Move to production](scenario-protected-web-api-verification-scope-app-roles.md)
diff --git a/articles/active-directory/develop/scenario-protected-web-api-app-registration.md b/articles/active-directory/develop/scenario-protected-web-api-app-registration.md
@@ -57,18 +57,19 @@ Scopes are usually of the form `resourceURI/scopeName`. For Microsoft Graph, the
 During app registration, you'll need to define the following parameters:
 
 - One resource URI - By default the application registration portal recommends that you to use `api://{clientId}`. This resource URI is unique, but it's not human readable. You can change it, but make sure that it's unique.
-- One or several scopes
+- One or several **scopes** (that client applications will refer to as **delegated permissions** for your Web API)
+- One or several **app roles** (that client applications will refer to as **application permissions** for your Web API)
 
-The scopes are also displayed on the consent screen that's presented to end-users who use your application. Therefore, you'll need to provide the corresponding strings that describe the scope:
+The scopes are also displayed on the consent screen that's presented to end users who use your application. Therefore, you'll need to provide the corresponding strings that describe the scope:
 
 - As seen by the end user
 - As seen by the tenant admin, who can grant admin consent
 
-### How to expose the API
+### How to expose delegated permissions (scopes)
 
 1. Select the **Expose an API** section in the application registration, and:
    1. Select **Add a scope**.
-   1. Accept the proposed Application ID URI (api://{clientId}) by selecting **Save and Continue**.
+   1. If requested, accept the proposed Application ID URI (api://{clientId}) by selecting **Save and Continue**.
    1. Enter the following parameters:
       - For **Scope name**, use `access_as_user`.
       - For **Who can consent**, make sure the **Admins and users** option is selected.
@@ -79,6 +80,59 @@ The scopes are also displayed on the consent screen that's presented to end-user
       - Keep **State** set to **Enabled**.
       - Select **Add scope**.
 
+### Case where your Web API is called by daemon application
+
+In this paragraph, you'll learn how to register your protected Web API so that it can be called securely by daemon applications:
+
+- you'll need to expose application permissions
+- tenant admins may require AAD to acquire tokens for your Web App only for registered applications;
+
+#### How to expose application permissions (app roles)
+
+To Expose application permissions, you'll need to edit the manifest.
+
+1. In the application registration for your application, click **Manifest**.
+1. Edit the manifest by locating the `appRoles` setting and adding one or several application roles. The role definition is provided in the JSON block below.  Leave the `allowedMemberTypes` to "Application" only.
+1. Save the manifest.
+
+The content of `appRoles` should be the following (the `id` can be any unique GUID)
+
+```JSon
+"appRoles": [
+	{
+	"allowedMemberTypes": [ "Application" ],
+	"description": "Accesses the TodoListService-Cert as an application.",
+	"displayName": "access_as_application",
+	"id": "ccf784a6-fd0c-45f2-9c08-2f9d162a0628",
+	"isEnabled": true,
+	"lang": null,
+	"origin": "Application",
+	"value": "access_as_application"
+	}
+],
+```
+
+#### How to ensure that Azure AD issues tokens for your Web API only to allowed clients
+
+The Web API tests for the app role (that's the developer way of doing it). But you can even ask Azure Active Directory to issue a token for your Web API only to applications that were approved by the tenant admin. To add this additional security:
+
+1. On the app **Overview** page for your app registration, select the hyperlink with the name of your application in **Managed application in local directory**. The title for this field can be truncated. You could, for instance, read: `Managed application in ...`)
+
+   > !INFO
+   >
+   > When you select this link you will navigate to the **Enterprise Application Overview** page associated with the service principal for your application in the tenant where you created it. You can navigate back to the app registration page by using the back button of your browser.
+
+1. Select the **Properties** page in the **Manage** section of the Enterprise application pages
+1. If you want AAD to enforce access to your Web API from only certain clients, set **User assignment required?** to **Yes**.
+
+   > ! IMPORTANT
+   >
+   > By setting **User assignment required?** to **Yes**, AAD will check the app role assignments of the clients when they request an access token for the Web API. If the client was not be assigned to any AppRoles, AAD would just return `invalid_client: AADSTS501051: Application xxxx is not assigned to a role for the xxxx`
+   >
+   > If you keep **User assignment required?** to **No**, <span style='background-color:yellow; display:inline'>Azure AD  won’t check the app role assignments when a client requests an access token to your Web API</span>. Therefore, any daemon client (that is any client using client credentials flow) would still be able to obtain the access token for the  Web API just by specifying its audience. Any application, would be able to access the API without having to request permissions for it. Now this is not then end of it, as your Web API can always, as is done in this sample, verify that the application has the right role (which was authorized by the tenant admin), by validating that the access token has a `roles` claim, and the right value for this claim (in our case `access_as_application`).
+
+1. Select **Save**
+
 ## Next steps
 
 > [!div class="nextstepaction"]
diff --git a/articles/active-directory/develop/scenario-protected-web-api-verification-scope-app-roles.md b/articles/active-directory/develop/scenario-protected-web-api-verification-scope-app-roles.md
@@ -0,0 +1,151 @@
+---
+title: Protected web API - app code configuration | Azure
+description: Learn how to build a protected Web API and configure your application's code.
+services: active-directory
+documentationcenter: dev-center-name
+author: jmprieur
+manager: CelesteDG
+editor: ''
+
+ms.service: active-directory
+ms.subservice: develop
+ms.devlang: na
+ms.topic: conceptual
+ms.tgt_pltfrm: na
+ms.workload: identity
+ms.date: 05/07/2019
+ms.author: jmprieur
+ms.custom: aaddev 
+#Customer intent: As an application developer, I want to know how to write a protected Web API using the Microsoft identity platform for developers.
+ms.collection: M365-identity-device-management
+---
+
+# Protected web API - adding authorization to your API.
+
+This article describes how you can add authorization to your Web API. This protection ensures that it's only called by:
+
+- applications on behalf of users with the right scopes 
+- or by daemon apps with the right application roles.
+
+For an ASP.NET / ASP.NET Core Web API to be protected, you'll need to add the `[Authorize]` attribute on:
+
+- the Controller itself if you want all the actions of the controller to be protected
+- the individual controller action for your API, otherwise.
+
+```CSharp
+    [Authorize]
+    public class TodoListController : Controller
+    {
+     ...
+    }
+```
+
+But this protection isn't enough. It only guaranties that ASP.NET / ASP.NET Core will validate the token. Your API needs to verify that the token used to call your Web API was requested with the claims it expects, in particular:
+
+- the **scopes** if the API is called on behalf of a user
+- the **app roles** if the API can be called from a daemon app.
+
+## Verifying scopes in APIs called on behalf of users
+
+If your API is called by a client app on behalf of a user, then it needs to request a bearer token with specific scopes for the API (see [Code configuration | Bearer token](https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-configuration#bearer-token))
+
+```CSharp
+[Authorize]
+public class TodoListController : Controller
+{
+    /// <summary>
+    /// The Web API will only accept tokens 1) for users, 2) having the `access_as_user` scope for
+    /// this API
+    /// </summary>
+    const string scopeRequiredByAPI = "access_as_user";
+
+    // GET: api/values
+    [HttpGet]
+    public IEnumerable<TodoItem> Get()
+    {
+        VerifyUserHasAnyAcceptedScope(scopeRequiredByAPI);
+        // Do the work and return the result
+        ...
+    }
+...
+}
+```
+
+The `VerifyUserHasAnyAcceptedScope` method would do something like the following:
+
+- verify that there's a claims named `scope`
+- verify that the claim has a value containing the scope expected by the API. 
+
+```CSharp
+    /// <summary>
+    /// When applied to an <see cref="HttpContext"/>, verifies that the user authenticated in the 
+    /// Web API has any of the accepted scopes. *
+    /// If the authentication user does not have any of these <paramref name="acceptedScopes"/>, the
+    /// method throws an HTTP Unauthorized with the message telling which scopes are expected in the token
+    /// </summary>
+    /// <param name="acceptedScopes">Scopes accepted by this API</param>
+    /// <exception cref="HttpRequestException"/> with a <see cref="HttpResponse.StatusCode"/> set to 
+    /// <see cref="HttpStatusCode.Unauthorized"/>
+    public static void VerifyUserHasAnyAcceptedScope(this HttpContext context,
+                                                     params string[] acceptedScopes)
+    {
+        if (acceptedScopes == null)
+        {
+            throw new ArgumentNullException(nameof(acceptedScopes));
+        }
+        Claim scopeClaim = HttpContext?.User
+                                      ?.FindFirst("http://schemas.microsoft.com/identity/claims/scope");
+        if (scopeClaim == null || !scopeClaim.Value.Split(' ').Intersect(acceptedScopes).Any())
+        {
+            context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
+            string message = $"The 'scope' claim does not contain scopes '{string.Join(",", acceptedScopes)}' or was not found";
+            throw new HttpRequestException(message);
+        }
+    }
+```
+
+This sample code is for ASP.NET Core. For ASP.NET just replace `HttpContext.User` by `ClaimsPrincipal.Current`, and the claim type `"http://schemas.microsoft.com/identity/claims/scope"` by `"scope"` (See also the code snippet below)
+
+
+## Verifying app roles in APIs called by daemon apps
+
+If you Web API is called by a [Daemon application](scenario-daemon-overview.md), then that application should require an application permission
+to your Web API. We've seen in [scenario-protected-web-api-app-registration.md#how-to-expose-application-permissions--app-roles-] that your API
+exposes such permissions (for instance as the `access_as_application` app role). You now need to have your APIs verify that the token it received contains the `roles` claims and 
+that this claim has the value it expects. To do this, the code is similar to the code that verifies delegated permissions, except that, instead of testing for `scopes`, your controller action will test for `roles`:
+
+```CSharp
+[Authorize]
+public class TodoListController : ApiController
+{
+    public IEnumerable<TodoItem> Get()
+    {
+        ValidateAppRole("access_as_application");
+        ...
+    }
+```
+
+The ValidateAppRole() method can be something like this:
+
+```CSharp
+    private void ValidateAppRole(string appRole)
+    {
+        //
+        // The `role` claim tells you what permissions the client application has in the service.
+        // In this case we look for a `role` value of `access_as_application`
+        //
+        Claim scopeClaim = ClaimsPrincipal.Current.FindFirst("roles");
+        if (scopeClaim == null || (scopeClaim.Value != appRole))
+        {
+            throw new HttpResponseException(new HttpResponseMessage { StatusCode = HttpStatusCode.Unauthorized, ReasonPhrase = $"The 'roles' claim does not contain '{appRole}' or was not found" });
+        }
+    }
+}
+```
+
+This sample code is for ASP.NET. For ASP.NET Core, just replace `ClaimsPrincipal.Current` by `HttpContext.User` and the `"roles"` claim name by `"http://schemas.microsoft.com/identity/claims/roles"` (see also the code snippet above)
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Move to production](scenario-protected-web-api-production.md)
