Can we use our website SSL certificate to secure our Azure Active Directory App

JohnJohn
February 5, 2023
266 views
0 votes
2 Answers

I created a new ASP.NET Core 6.0 MVC web application using Visual Studio 2022, and I define it to use Azure AD for authentication, as follows:

Then I was asked to create an owned application, so I created one named "ad" as follows:

Inside my application’s appsetting.json I have these settings:

{
    "AzureAd": {
        "Instance": "https://login.microsoftonline.com/",
        "Domain": "*****",
        "TenantId": "***",
        "ClientId": "***",
        "CallbackPath": "/signin-oidc"
    },
    ....
}

It seems Visual Studio did all the work for us.

But when I checked the "Certificate & Secrets" in the Azure portal for the generated Azure AD APP, I found that there is not anything assigned:

So now we are going to upload a certificate (.crt file), but i have those questions:-

Now the above ASP.NET Core MVC web application already have SSL certificate bought from Go-daddy, so can we use this certificate also inside our Azure Active directory App ?
Also, after uploading a certificate inside our Azure Active Directory App >> do we need to pass the certificate Thumbprint from our web application ? if the answer is yes, then what i need to do exactly , do we need to modify the Identity platfrom code?

Answers

- TinyWang
- February 6, 2023 at 8:42 am
- 0 votes
0
If you used VS to integrate AAD and create resource for you, then the appsettings.json file should look like this. And it’s also OK to add configurations manually.
```
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "xxx.onmicrosoft.com",
    "TenantId": "tenant_id",
    "ClientId": "client_id",
    "CallbackPath": "/signin-oidc",
    "ClientSecret": "Client secret from app-registration. Check user secrets/azure portal.",
    //"ClientCertificates": []//I comment this line
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
  "MicrosoftGraph": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "user.read"
  }
}
```
=============================================================

Firstly, the client secret is used for calling API, for example Ms graph API. Then in this answer, I demonstrate how to integrate Graph API in the APP, then you can get the client secret which is already generated for you.

After finishing all these steps, your project has already set up, going to Program.cs you can see code below, and it already read the configurations including the secret.
```
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
        .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
            .AddMicrosoftGraph(builder.Configuration.GetSection("MicrosoftGraph"))
            .AddInMemoryTokenCaches();
```
but you still need to go to appsettings.json to paste the client secret into "ClientSecret": "Client secret from app-registration. Check user secrets/azure portal.",. You’d better to comment "ClientCertificates": [] because you are using secret but not certificate.

By the way, the client secret can exist several valid secret at the same time, this is designed for avoid app crash because of secret expired. So you can have 2 client secrets, if one of the secret is about to expire, you can create a new one in Azure AD then paste the secret value into your project. This means, for example, you used the Visual Studio to generate the secret, but you didn’t store the secret, you also create another secret manually in Azure portal and use it in your app.
Login or Signup to reply.

To authenticate against an Azure AD app using a certificate you need an X.509 cert that:

Has 2048-bit or longer keys. 2048-bit size is highly recommended for the best combination of security and performance.
Uses the RSA cryptographic algorithm. Azure AD currently supports only RSA.
Is signed with the SHA256 hash algorithm. Azure AD also supports certificates signed with SHA384 and SHA512 hash algorithms.

You will have to reach GoDaddy to see if they can issue certificates that follow the aforementioned requirements.

And yes, you will need to pass the certificate thumbprint. Keep in mind this can be used when requesting an access token alone or in tandem with an id token (hybrid flow):

Follows how to configure your ASP.NET application:

appsettings.json

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "alfredorevillaatmsft.com",
    "TenantId": "22a84c88-253a-4025-a5c4-e0dc365b8d17",
    "ClientId": "efd38bbf-562c-4cc7-ba4d-2191b3931c95",
    "CallbackPath": "/signin-oidc"
  },
  "DownstreamApi": {
    "Scopes": "user.read" 
  }
}

Program.cs

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

var initialScopes = builder.Configuration["DownstreamApi:Scopes"]?.Split(' ');

// Add services to the container.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
        .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
            .AddInMemoryTokenCaches();

And how to acquire an access token:

[AuthorizeForScopes(Scopes = new[] { "user.read" })]
public async Task<IActionResult> Profile()
{
 // Acquire the access token.
 string[] scopes = new string[]{"user.read"};
 string accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(scopes);
 // Use the access token to call a protected web API.
 // ...
}

For more information take a look to Scenario: A web app that authenticates users and calls web APIs. For a hybrid flow sample take a look at this sample.

Please signup or login to give your own answer.

Click here to cancel reply.