You must secure the microservices-based applications you are building. Only authorized users and applications who have access to the microservices should be allowed to access them. Azure Active Directory (Azure AD) is an Identity-as-a-Service (iDaaS) offering that you can use to configure authentication for your microservices. You can easily configure Azure AD for your application and use it for authentication and authorization purposes. In the previous chapter we developed a simple Math microservices application and orchestrated it in the Azure Kubernetes Service. However, we did not secure it and anyone could access the application.
In this chapter, you will learn how to secure the Math microservices application using Azure AD. We will also explore the basics of Azure AD.
In this chapter, we will explore the following topics related to microservices and Azure AD:
Introduction to Azure AD
Create an application in Azure AD
Create scopes for the Azure AD application
Configure authentication and authorization for the Math microservices application running in Azure Kubernetes Service
After completing this chapter, you’ll understand the fundamentals of Azure AD and be able to secure containerized .NET-based microservices applications running inside Azure Kubernetes Service.
Introduction to Azure AD
As mentioned, Azure AD is an iDaaS offering on Azure. Azure AD is completely managed by the underlying Azure platform. You need not create any additional infrastructure to manage identity and authentication for your application running on Azure. You can configure authentication and authorization for your application with ease. You need to register your application in Azure AD and then you can create users who can use your application. You can also let the application users authenticate using third-party authentication providers like Google, Facebook, and many more. Application users can authenticate using SAML, OAuth, Open ID Connect, or WS-Federation. Azure AD supports modern authentication features like single sign-on (SSO) and multifactor authentication (MFA).
You can integrate applications running on the on-premises server or Azure or any other supported cloud with Azure AD. You can integrate on-premises Active Directory with Azure AD using Azure AD Connect. Both on-premises users and users created in Azure AD can authenticate to applications registered with Azure AD. Using Azure AD, you can configure business-to-business (B2B) scenarios where the businesses can authenticate and authorize their applications and resources. You can also configure business-to-consumer (B2C) scenarios where the end users can authenticate their applications.
Azure AD can also act as a domain controller: you can join your virtual machines to Azure AD, which then works as the domain controller. You can join the on-premises Active Directory and sync the on-premises users and roles to Azure AD. Azure AD is a multitenant directory management service.
You need to complete the following steps to configure your microservices-based application for Azure AD–based authentication:
1. Register an application with Azure AD.
2. Create scopes for the application created in Azure AD to perform authorization.
3. Create a secret for your registered application.
4. Configure your microservices-based application with an Azure AD application ID, secret, and tenant ID.
We will follow these steps and configure authentication for the Math microservices application that we developed in Chapter 4.
Register an Application in Azure AD
Let’s go to the Azure portal and register an application in the Azure AD default tenant. Click Azure Active Directory as in Figure 5-1.
Click App registrations and then click New registration as shown in Figure 5-2. This enables us to register a new application in Azure AD.
Provide a name for the application you need to register and then click Register as shown in Figure 5-3.
The application will get registered. Click Authentication and then click Add platform as shown in Figure 5-4. We need to add a web platform because we need to use this application to authenticate the MathAPI.
Select Web as shown in Figure 5-5. We need to authenticate a WebAPI.
We are going to access the application from Postman, so we need to provide the redirect URI of Postman. Once the authentication is successful, the response will be redirected to the Postman instance from which you are invoking the application. Provide the Postman URL as the redirect URI as shown in Figure 5-6. This URL is the same for all calls from Postman, so you can use it as is without any modifications. Click Configure as shown in Figure 5-6.
Create the Application Scope
We can use the scope for the registered application to restrict access to the application. To create the application scope, click Expose an API and then click Add a scope as shown in Figure 5-7.
Keep the generated application ID URI as is, as shown in Figure 5-8, and click Save and continue.
Provide a name for the scope and other required values as shown in Figure 5-9. Click Add scope. The scope will get added.
Create the Application Secret
We’ll use the secret for the application to access the application from the client, which is Postman in our case. To create the application secret, click Certificates & secrets and then click New client secret as shown in Figure 5-10. Copy the secret value right away; the portal displays it only once, and we will use it later.
Go to the Overview page and copy the application ID and the tenant ID as shown in Figure 5-11.
Configure MathAPI for Authentication and Authorization
Now we’ll modify the MathAPI project we created in Chapter 4. MathAPI invokes the AddAPI and SubtractAPI services. The AddAPI and SubtractAPI services are not exposed outside the Kubernetes cluster, so we only need to enable authentication for the MathAPI and need not make any changes to AddAPI and SubtractAPI. Open the appsettings.json file in the MathAPI project and add the tenant ID, client ID, scope, and other necessary values as shown in Listing 5-1.
Register the authentication service and add the authentication and authorization middleware in the Program.cs file for the MathAPI project. You can replace the code in the Program.cs file with the code specified in Listing 5-2.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

// Register JWT bearer authentication against the Azure AD tenant. TenantId and
// ClientId are read from the AzureAd section of appsettings.json (Listing 5-1);
// those key names are assumed here.
string tenantId = builder.Configuration["AzureAd:TenantId"];
string clientId = builder.Configuration["AzureAd:ClientId"];
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";
        options.Audience = clientId;
    });
builder.Services.AddAuthorization();

// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
var app = builder.Build();

// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}
app.UseHttpsRedirection();

// Enable authentication and authorization middleware (authentication must run first).
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
Listing 5-2
Program.cs
Add the Authorize attribute for the MathController. You can replace MathController.cs file with code as in Listing 5-3. This enables authentication for the MathAPI.
// Only the tail of MathController.cs survives on this page: the end of the
// method that reads the downstream service's response body.
            using (Stream responseStream = response.GetResponseStream())
            {
                StreamReader reader = new StreamReader(responseStream, Encoding.UTF8);
                result = reader.ReadToEnd();
            }
            return result;
        }
    }
}
Listing 5-3
MathController.cs
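The listings above only show the attribute and the middleware. As an added example that is not the book's own Listing 5-2 or 5-3 code, the following Program.cs and MathController.cs pair goes one step further: besides requiring a valid Azure AD token, it checks that the token actually carries the scope created under "Expose an API", and it accepts both the v1.0 and v2.0 issuer and audience forms Azure AD can emit for one app registration. Everything not on the page is assumed: the appsettings.json key names (AzureAd:TenantId, AzureAd:ClientId, AzureAd:Scope), the policy name MathApiScope, the in-cluster service names addapi and subtractapi with their routes, and the MathController routes.

```csharp
// ---- Program.cs (added example) ----
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

// Assumed appsettings.json shape (Listing 5-1 is not reproduced on the page):
// "AzureAd": { "TenantId": "<tenant-guid>", "ClientId": "<app-guid>", "Scope": "<scope name from Figure 5-9>" }
string tenantId = builder.Configuration["AzureAd:TenantId"]!;
string clientId = builder.Configuration["AzureAd:ClientId"]!;
string requiredScope = builder.Configuration["AzureAd:Scope"]!;

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Azure AD issues v1.0 or v2.0 access tokens depending on the app
            // registration's accessTokenAcceptedVersion. Accept both forms so a
            // mismatch fails on the scope check below rather than on an opaque
            // issuer/audience error. Signing keys are shared by both endpoints.
            ValidIssuers = new[]
            {
                $"https://login.microsoftonline.com/{tenantId}/v2.0",
                $"https://sts.windows.net/{tenantId}/",
            },
            ValidAudiences = new[] { clientId, $"api://{clientId}" },
        };
    });

// A valid token alone is not enough: the caller must hold the scope created
// under "Expose an API". Delegated scopes arrive as a space-separated list in
// the "scp" claim (or its mapped URI form, depending on claim mapping).
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("MathApiScope", policy =>
        policy.RequireAuthenticatedUser()
              .RequireAssertion(ctx =>
              {
                  string scopes =
                      ctx.User.FindFirst("scp")?.Value
                      ?? ctx.User.FindFirst("http://schemas.microsoft.com/identity/claims/scope")?.Value
                      ?? string.Empty;
                  return scopes.Split(' ', StringSplitOptions.RemoveEmptyEntries)
                               .Contains(requiredScope);
              }));
});

// Named HttpClients for the internal services; the cluster DNS names are assumed.
builder.Services.AddHttpClient("AddAPI", c => c.BaseAddress = new Uri("http://addapi/"));
builder.Services.AddHttpClient("SubtractAPI", c => c.BaseAddress = new Uri("http://subtractapi/"));

var app = builder.Build();
app.UseHttpsRedirection();
app.UseAuthentication();   // establishes the ClaimsPrincipal from the bearer token
app.UseAuthorization();    // enforces [Authorize] and the MathApiScope policy
app.MapControllers();
app.Run();

// ---- MathController.cs (added example) ----
[ApiController]
[Route("api/[controller]")]
[Authorize(Policy = "MathApiScope")]   // every action needs a valid token WITH the scope
public class MathController : ControllerBase
{
    private readonly IHttpClientFactory _clients;

    public MathController(IHttpClientFactory clients) => _clients = clients;

    [HttpGet("add")]
    public Task<string> Add(int a, int b) => CallAsync("AddAPI", $"api/add?a={a}&b={b}");

    [HttpGet("subtract")]
    public Task<string> Subtract(int a, int b) => CallAsync("SubtractAPI", $"api/subtract?a={a}&b={b}");

    private async Task<string> CallAsync(string client, string path)
    {
        // AddAPI and SubtractAPI are reachable only inside the cluster, so the
        // caller's bearer token is deliberately not forwarded to them.
        HttpResponseMessage response = await _clients.CreateClient(client).GetAsync(path);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}
```

With this policy in place the two failure modes are distinguishable when you test from Postman: a request with no token (or an expired or wrongly signed one) fails authentication and returns 401, while a token that is valid for the tenant but was requested without the MathAPI scope passes authentication and is rejected by the policy with 403. Requesting the scope in Postman's Scope field as api://<client-id>/<scope name> produces a token whose scp claim satisfies the check.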
We can use the same Azure Kubernetes Service cluster that we created earlier and deployed the APIs to in Chapter 4. We need to containerize the MathAPI, push it to Azure Container Registry, and deploy the MathAPI service to the cluster; you need not redeploy the AddAPI and the SubtractAPI. If you have deleted the Azure container registry and the Azure Kubernetes Service, follow the instructions provided in Chapter 4 to re-create them and then deploy the AddAPI and SubtractAPI to the Kubernetes cluster. Follow the steps illustrated in Chapter 4 to containerize and deploy the MathAPI to the Azure Kubernetes Service cluster.
Once the MathAPI deployment is complete, we can use the Postman tool to test the deployed API. Get the External IP address of the MathAPI using the kubectl command as shown in Listing 5-4.
kubectl get services
Listing 5-4
Get Services in the Cluster
Figure 5-12 depicts the response for the command in Listing 5-4.
We can use the URL shown in Listing 5-5 to browse the math service.
As shown in Figure 5-14, fill in the Client ID, Client Secret, and Scope fields with the values for your application registered in Azure AD. Click Get New Access Token. You will be prompted for your Azure credentials.
Once the authentication is successful, the access token will be generated. Click Use Token as shown in Figure 5-15.
Fire a GET request for the math service URL. You should get the response shown in Figure 5-16. Without the access token, you will get a 401 – Unauthorized error.
Summary
In this chapter, you learned the basic concepts of Azure AD. We registered an application in Azure AD and made necessary configurations in Azure AD to secure the Math microservice running inside the Azure Kubernetes Service cluster. We then modified the MathAPI service that we created in Chapter 4 and added code and configurations for Azure AD authentication.
In the next chapter we will explore how to run APIs in Azure Container Apps.