Authorization method for REST API utilising Active Directory

All we need is an easy explanation of the problem, so here it is.

What is the best method of securing a REST Web API with the following requirements. The system has an Angular JS frontend with the REST APIs implemented in ASP.net.

  • There are two “roles” in the system, users will have one of the
    roles. One role should allows access to some APIs (call it “VIEW”),
    the other role allows access to other APIs
  • All users are in Active Directory, so if I have a username, I can check what role they are in- Some clients are on Windows boxes, the others are on Linux
  • I would like to persist the session so I don’t have to look up AD for every API call
  • I would like single sign on. On the Windows machines, I don’t require them to enter user and pass as I already can retrieve their username using Windows Authentication.

I believe that Oauth would be my best option.

How to solve :

I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.

Method 1

There are two “roles” in the system, users will have one of the roles.
One role should allows access to some APIs (call it “VIEW”), the other
role allows access to other APIs

  • For role based authentication, you can use [Authorize(“Role” = “Manager”)]. The token will be provided by the identity server and will contain the claim as Role.

All users are in Active Directory, so if I have a username, I can
check what role they are in- Some clients are on Windows boxes, the
others are on Linux

  • If you have ADFS then you can have an Identity server that trusts the ADFS. The ADFS will provide a token which will have the claim for role and your Identity Server will do the claims transformation and will return the same Role claim back to angular app.

I would like to persist the session so I don’t have to look up AD for
every API call

  • For this while requesting the token, you can ask for offline scope so the Identity server will provide the Refresh Token with Access Token so you don’t need to ask for AD again and again.

I would like single sign on. On the Windows machines, I don’t require
them to enter user and pass as I already can retrieve their username
using Windows Authentication.

  • For this one, you can have your Identity sever trust the WSFederation for windows Authentication.

So basically you need to setup Identity server that will provide you with the token and the REST API will use that token to verify claims to return the correct information back to the user.

Method 2

I am not sure what you expect exactly. Anyway, first I’m gonna reformulate your question with requirements:

  • you accounts and role are in active directory
  • you want to manage roles based on an active directory group
  • you want anybody whatever the system (windows, linux, mac, mobile…) to connect on your application using the same authentication
  • you want to avoid your AD to be hit constantly (not at any call for example)
  • if the user is connected on an application that uses the authentication system, he doesn’t have to do it so again on another application that uses the same authentication system

If these requirements are yours. I believe the only standard (and clean) solution is to use OAuth. I’m not gonna go in detailed description of OAuth, but this authentication protocol is the most standard one on the net (facebook, google, twitter…). Of course as you don’t want to use facebook, google or twitter accounts in your business applications but your active directory accounts you’ll have to install/setup/develop your OAuth identity provider using accounts of your active active directory server. Your choice will depend on how well you know ADFS protocol and its different flows (code, implicit, assersion) You have two solutions for it:

  • Use ADFS: install ADFS; it provides a OAuth portal that will work out of the box with asp.net mvc. This uses the code flow of OAuth that is the only OAuth flow supported by ADFS. For roles and its related AD groups, you’ll have to map role claims with AD groups. (it’s in the setup of adfs, you’ll find many tutos on the net). You’ll find lot of tutos as well about how to use ADFS with asp.net mvc/asp.net webapi. I mention .net here, but every technology has an implementation for OAuth authentication (nodeJs/express, php, java…).
  • Use thinktecture identity server (.net technology). This will provide all the foundation to implement a custom identity server with the least effort: http://www.thinktecture.com/identityserver / https://github.com/IdentityServer/IdentityServer3. It contains an addin to plug its accounts to active directory. With this, you can use implicit and assertion flows.
  • Use oauth2orize (for nodeJs): https://www.npmjs.com/package/oauth2orize. This will permit you to make the same than thinktecture identity server but in nodeJs. Apparently you’ll have to make all the wirering with ad manually. With this, you can use implicit flows (not sure about assertion flows).

At application side, most of frameworks can authenticate easily using OAuth with a lot of existing frameworks. For example, even if you make a single page application, you can use adal.js or oidc.js for angular if you use angular. As I mentioned above, all this is taken in charge by asp.net mvc/webapi out of the box but I know it’s the case for other server technologies. If you have more questions, don’t hesitate as I’m not sure of what you expect exactly.

Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply