Call to protected web API in Azure without login page

Pako Porras 81 Reputation points
2020-08-06T12:00:02.46+00:00

Hi:

I have a web app and a web api app. Web api methods are protected so the user needs to be authorized to make calls to it.

At the web site I can login the user against Azure and call the API sending a Bearer token.

Now I need to call the API from another app that has no login page. So I'm wondering how can I get a Bearer token to send it to the API.

Which is the approach used in that scenario? How can I login and then get a jwt token?

Thanks

Microsoft Entra ID

Accepted answer
  1. soumi-MSFT 11,771 Reputation points Microsoft Employee
    2020-08-06T12:53:11.38+00:00

    @Pako Porras, thank you for reaching out. If you do not want the user to enter the user name and password on the authentication forms page of AAD, the only other OAuth flow that is available is the Resource Owner Password Grant Flow of OAuth. The only caveat to this flow of OAuth is that you would have to mention the user's credentials in your code.

    Apart from this, if you want a user to sign in silently, it's not possible, as the rest of the OAuth flows for user auth post the request on the /authorize endpoint of AAD, which provides the forms page and asks the user to interactively enter the credentials.

    You can also check the Client-credentials flow, which is another OAuth flow that uses silent login, but it's used mostly when an application tries to fetch a token for itself.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as the answer if the above response helped in answering your query.


1 additional answer

  1. Krish G 2,331 Reputation points
    2020-08-06T13:08:55.763+00:00

    Hello @Pako Porras, when there is no user login (service to service call), it's a common practice to use Client Credential grant flow. You need to

    1. Create another client application in your AAD tenant for your second app (which does not have user login).
    2. Enable a secret or certificate for this new application
    3. Expose your API scope (just like you did for your other scenario)
    4. Use client id and secret/certificate of the new application to acquire a bearer token for the API scope to call your protected API.

    Quick reference of a few useful links:

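The steps above, as an added example that is not part of either answer: it builds the client credentials request that step 4 sends to the v2.0 token endpoint, turns the token response into an Authorization header, and shows what the protected API should check on the resulting app-only token (audience, expiry and the `roles` claim, since an application identity has no `scp`). The tenant id, client id, API app-id URI and the token itself are constructed placeholders and nothing is sent over the network; the placeholder token is not signed, so the payload is only decoded, and a real API must validate the signature against the tenant's published keys before trusting any claim.

```python
"""Client credentials (service-to-service) token request against
Microsoft Entra ID / AAD, plus the claim checks a protected API should
apply to the app-only token it receives.

Added example, not code from the question or the answers. The tenant,
client id, secret and API app-id URI are constructed placeholders and
no network call is made: the request is only built, and the token
response and token are constructed inline so the script runs offline.
"""

import base64
import json
import time
from urllib.parse import urlencode

# --- 1. Build the client_credentials request (step 4 of the answer) ---

def build_token_request(tenant_id, client_id, client_secret, api_app_id_uri):
    """Return (url, url-encoded form body) for the v2.0 token endpoint.
    With client credentials the scope must be '<resource>/.default'."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,   # a certificate assertion works too
        "scope": f"{api_app_id_uri}/.default",
    }
    return url, urlencode(form)


def authorization_header(token_response_json):
    """Turn the token endpoint's JSON response into an Authorization
    header value; raise if AAD returned an error object instead."""
    body = json.loads(token_response_json)
    if "error" in body:
        raise RuntimeError(f"token request failed: {body['error']}: "
                           f"{body.get('error_description', '')}")
    return f"{body['token_type']} {body['access_token']}"


# --- 2. What the protected API should check in an app-only token ---

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the payload segment only. This does NOT verify the
    signature; a real API must validate it against the tenant's signing
    keys (and the issuer) before trusting any of these claims."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def authorize_app_only_call(claims, expected_audience, required_role, now=None):
    """True only if the token was issued for this API, is unexpired and
    carries the required application role. App-only tokens from the
    client credentials flow carry permissions in 'roles', not 'scp'."""
    now = time.time() if now is None else now
    if claims.get("aud") != expected_audience:
        return False
    if not claims.get("exp") or claims["exp"] <= now:
        return False
    return required_role in claims.get("roles", [])


# --- constructed sample data (placeholders, not real identifiers) ---

TENANT = "00000000-0000-0000-0000-00000000aaaa"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
API_URI = "api://22222222-2222-2222-2222-222222222222"


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sample_token(exp, roles):
    """Constructed token with a dummy signature segment, for demonstration."""
    header = _b64url({"alg": "RS256", "typ": "JWT"})
    payload = _b64url({
        "aud": API_URI,
        "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0",
        "exp": exp,
        "roles": roles,
    })
    return f"{header}.{payload}.constructed-signature"


if __name__ == "__main__":
    url, body = build_token_request(TENANT, CLIENT_ID, "<client-secret>", API_URI)
    print("POST", url)
    print(body)
    # Constructed stand-in for the token endpoint's JSON response.
    response = json.dumps({
        "token_type": "Bearer",
        "expires_in": 3599,
        "access_token": sample_token(int(time.time()) + 3600, ["Orders.Read.All"]),
    })
    header = authorization_header(response)
    claims = jwt_claims(header.split(" ", 1)[1])
    print("authorized:", authorize_app_only_call(claims, API_URI, "Orders.Read.All"))
```

The `roles` check is where the app permission granted to the new client application (admin-consented on the API's app registration) is enforced; a token minted for a different audience, or one without the role, is rejected even though it came from the same tenant.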
