Sometimes a service needs to authenticate another service rather than a user, so that only authorized callers can reach it. For example, service A may need to be called by service B. You can configure username/password authentication, certificate-based authentication, or, in Azure AD, app-only authentication (the OAuth 2.0 client credentials flow), where the calling app proves its own identity and receives a token for the target API.
To enable Azure AD app-to-app authentication, make the following changes:
1) First, in the app manifest of the issuer / authorizing app (the producer, i.e. the API being called), declare one or more app roles that can be assigned to applications. The role's value is what appears in the roles claim of tokens issued to callers that have been granted it:
"appRoles": [
  {
    "allowedMemberTypes": [
      "User",
      "Application"
    ],
    "description": "Some app role which also needs app based auth",
    "displayName": "SERVICE_APPLICATION_ROLE",
    "id": "23d29786-d213-40f6-ad11-ddf9f7d71d30",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "SERVICE_APPLICATION_ROLE"
  }
],
If only applications should ever hold this role, set allowedMemberTypes to ["Application"] alone; including "User" also allows the role to be assigned to users and groups. The id must be a unique GUID within the manifest.
2) Next, in the consumer/calling app's registration, open the API permissions section in the Azure portal, add a permission for the producer/servicing app, choose Application permissions (not Delegated), and select the role declared above. Application permissions always require admin consent, so a tenant administrator must grant consent before tokens issued to the consumer will carry the role.
Pic 1 (API permissions section of the consumer app in the Azure portal)
3) In the consumer/client service, define a configuration section such as:
"AzureAdConfig": {
  "ClientId": "5186aaaf-d222-458d-83c1-faa73773bbc",
  "ClientSecret": "SOME-clIenT=SEcret.7&---",
  "TenantId": "a263c89-4222-4555a-222c-6fe11111cb"
},
The values above are placeholders. Keep ClientSecret out of source control: use user secrets in development and Key Vault (or a certificate / managed identity instead of a secret) in production, and rotate it if it is ever committed.
Next, bind this section to a settings class with matching property names (ClientId, ClientSecret, TenantId):
AzureAdConfig azureAdConfig = new AzureAdConfig();
this.configuration.Bind("AzureAdConfig", azureAdConfig);
Then acquire an app-only token with MSAL.NET (the Microsoft.Identity.Client package):
using System.Collections.Generic;
using Microsoft.Identity.Client;

// Build the confidential client once and reuse it: MSAL caches the token in memory
// and only calls Azure AD again when the cached token is close to expiry.
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(azureAdConfig.ClientId)
    .WithClientSecret(azureAdConfig.ClientSecret)
    .WithAuthority(AadAuthorityAudience.AzureAdMyOrg)
    .WithTenantId(azureAdConfig.TenantId)
    .Build();

// The scope is the producer's Application ID URI (api://<client id of the authorizing app>, see Pic 2)
// followed by /.default, which requests every application permission already admin-consented for this client.
List<string> authScopes = new List<string> { "api://f1ffff77-f224-456a-8222-3777773/.default" };
AuthenticationResult result = await app.AcquireTokenForClient(authScopes).ExecuteAsync();
return result.AccessToken;
Send this token as a Bearer token in the Authorization header of every service-to-service call. The producer must do more than accept a correctly signed token: it must check the issuer and audience and verify that the roles claim contains SERVICE_APPLICATION_ROLE. Validating the roles claim is what actually enforces the app role; a token obtained by an app that was never granted the role simply carries no roles claim, and an API that only checks the signature and audience would accept it.
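The following is an added example for the consumer side and is not code from the original post. It wraps the MSAL client above in a provider that is built once, and uses a DelegatingHandler so that every request sent through a named HttpClient gets the Bearer header without call sites touching the raw token. It assumes the Microsoft.Identity.Client and Microsoft.Extensions.Http packages; the producer's App ID URI and base address are placeholders, not identifiers from the post.

```csharp
// Added example (not from the original post): app-only token provider plus an
// HttpClient handler that attaches the token to every service-to-service call.
// Assumed packages: Microsoft.Identity.Client, Microsoft.Extensions.Http.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Client;

public sealed class AzureAdConfig
{
    public string ClientId { get; set; } = "";
    public string ClientSecret { get; set; } = "";
    public string TenantId { get; set; } = "";
}

// Built once and registered as a singleton: MSAL keeps an in-memory token cache per
// instance, so creating a new client per request would round-trip to Azure AD every time.
public sealed class ServiceTokenProvider
{
    // Placeholder: the producer's Application ID URI with /.default appended.
    private static readonly string[] ProducerScopes = { "api://<producer-client-id>/.default" };

    private readonly IConfidentialClientApplication _app;

    public ServiceTokenProvider(AzureAdConfig config)
    {
        _app = ConfidentialClientApplicationBuilder.Create(config.ClientId)
            .WithClientSecret(config.ClientSecret)
            .WithAuthority(AadAuthorityAudience.AzureAdMyOrg)
            .WithTenantId(config.TenantId)
            .Build();
    }

    public async Task<string> GetAccessTokenAsync(CancellationToken ct)
    {
        // Returns the cached token until it nears expiry, then fetches a fresh one
        // with the client credentials.
        AuthenticationResult result = await _app
            .AcquireTokenForClient(ProducerScopes)
            .ExecuteAsync(ct);
        return result.AccessToken;
    }
}

// Adds "Authorization: Bearer <token>" to each outgoing request.
public sealed class AppTokenHandler : DelegatingHandler
{
    private readonly ServiceTokenProvider _tokens;

    public AppTokenHandler(ServiceTokenProvider tokens) => _tokens = tokens;

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken ct)
    {
        string token = await _tokens.GetAccessTokenAsync(ct);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return await base.SendAsync(request, ct);
    }
}

// DI wiring for the consumer service (for example in Program.cs).
public static class ConsumerSetup
{
    public static void AddProducerClient(IServiceCollection services, AzureAdConfig config)
    {
        services.AddSingleton(config);
        services.AddSingleton<ServiceTokenProvider>();
        services.AddTransient<AppTokenHandler>();
        services.AddHttpClient("producer", client =>
            {
                // Placeholder base address of the producer service.
                client.BaseAddress = new Uri("https://producer.example.internal/");
            })
            .AddHttpMessageHandler<AppTokenHandler>();
    }
}
```

Call sites then resolve IHttpClientFactory, call CreateClient("producer") and issue requests normally; the handler acquires (or reuses) the token and sets the header. Because the provider is a singleton, the MSAL token cache is shared across the whole process.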
Pic 2 (Application ID URI of the authorizing app, used as the api:// prefix of the scope)
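The producer side is not shown in the original post; the following is an added example of it, not the post's own code. It uses Microsoft.Identity.Web (an assumed dependency) to validate the token's signature, issuer, audience and lifetime, and an authorization policy that requires the SERVICE_APPLICATION_ROLE app role, so a token without that role in its roles claim is rejected. It assumes an "AzureAd" configuration section holding the producer's TenantId, ClientId and Audience (api://<producer-client-id>); the endpoint path and response body are placeholders.

```csharp
// Added example (not from the original post): producer/API side that enforces the app role.
// Assumed package: Microsoft.Identity.Web. Assumed config section "AzureAd" with the
// producer's TenantId, ClientId and Audience (placeholders).
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Validates signature, issuer, audience and lifetime against the tenant's OpenID metadata.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddAuthorization(options =>
{
    // Microsoft.Identity.Web maps the token's "roles" claim to the role claim type, so
    // RequireRole checks the app role value declared in the producer's manifest.
    // A token issued to a caller that was never granted the role has no "roles" claim
    // and fails this policy even though its signature and audience are valid.
    options.AddPolicy("ServiceAppOnly", policy =>
        policy.RequireAuthenticatedUser()
              .RequireRole("SERVICE_APPLICATION_ROLE"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Placeholder endpoint protected by the policy.
app.MapGet("/api/data", (HttpContext ctx) =>
{
    // "azp" (v2 tokens) or "appid" (v1 tokens) identifies the calling application;
    // record it so audit logs show which service made the call.
    string? caller = ctx.User.FindFirst("azp")?.Value ?? ctx.User.FindFirst("appid")?.Value;
    return Results.Ok(new { caller, message = "app-to-app call accepted" });
}).RequireAuthorization("ServiceAppOnly");

app.Run();
```

Requiring the role on every app-only endpoint is the check that turns the manifest declaration and the admin-consented permission into an actual access control decision; with only authentication configured, any validly signed token for this audience would be accepted.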