Authenticate Import Update REST API to upload new updates into Azure IoT Hub - azure-iot-hub

I have an IoT Hub and Device Update Service configured.
Now my requirement is to upload the files from a Blob container to IoT Hub Updates. This I need to do with the REST API. I have the below API:
POST https://XXXXXXXXXX.api.adu.microsoft.com/deviceupdate/XXXXXXXXX/v2/updates?action=import
But I don't understand how to authenticate this POST request.
I see some documentation that we need to use a TENANT ID and CLIENT ID for authentication. But I don't have anything in hand right now. How do I get these?
So, kindly provide me the best solution to use this API and authenticate it.

In order to use this API you will need to authenticate as mentioned in the Security Section here: https://learn.microsoft.com/en-us/rest/api/deviceupdate/2020-09-01/updates/import-update
azure_auth_implicit, azure_auth_code , azure_auth_application or azure_auth_password
Read how to Register your client application with Azure AD here.
Most Azure services (such as Azure Resource Manager providers and the classic deployment model) require your client code to authenticate with valid credentials before you can call the service's API. Authentication is coordinated between the various actors by Azure AD, and provides your client with an access token as proof of the authentication.
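As an added example (not from the question or the linked docs), here is the azure_auth_application flow in Python: request a token for the app registration's tenant ID and client ID with the client-credentials grant, then call the import endpoint from the question with that bearer token. The Device Update scope value, the import body layout and all host, instance and file names are assumptions.

```python
import base64
import hashlib
import json
import urllib.parse
import urllib.request

# Azure AD v2.0 token endpoint (client-credentials grant). The Device Update
# scope value is an assumption taken from the Device Update docs, not from this page.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ADU_SCOPE = "https://api.adu.microsoft.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the azure_auth_application flow; nothing is sent."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": ADU_SCOPE,
    }
    return TOKEN_URL.format(tenant=tenant_id), urllib.parse.urlencode(form).encode()


def manifest_hash_b64(data):
    """Base64-encoded SHA-256, the hash encoding the import body carries (assumption)."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_import_request(account_host, instance_id, access_token,
                         manifest_bytes, manifest_sas_url, file_sas_urls):
    """Return (url, headers, body) for POST .../v2/updates?action=import.
    The body layout (importManifest + files referenced by blob SAS URLs) is an assumption."""
    url = f"https://{account_host}/deviceupdate/{instance_id}/v2/updates?action=import"
    body = [{
        "importManifest": {
            "url": manifest_sas_url,
            "sizeInBytes": len(manifest_bytes),
            "hashes": {"sha256": manifest_hash_b64(manifest_bytes)},
        },
        "files": [{"filename": n, "url": u} for n, u in file_sas_urls.items()],
    }]
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    return url, headers, json.dumps(body).encode()


def post(url, headers, body):
    """Send a prepared request (needs network); returns (status, response text)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()
```

Obtain the token with post(*build_token_request(...)), read access_token from the JSON response, then call post(*build_import_request(...)); keep the client secret in Key Vault or an environment variable rather than in the script.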

Related

Azure Batch tasks integration with Azure REST API

We have a REST Web API hosted on Azure (OAuth 2.0 in place). If I have to call the REST API from Azure Batch tasks, I guess I need to pass some access token so the API can authenticate the call from the Batch service. Need inputs on how to implement; please note we are using the Batch .NET SDK (not the Batch management library).
The current recommendation for authenticating with other Azure services is to give a service principal permissions for the APIs and then use a managed identity to authenticate with that service principal.
If your API only supports key based authentication then you can upload a certificate and add it to your pool. That certificate could then be used to access Azure Key Vault with the relevant keys (https://learn.microsoft.com/en-us/azure/batch/credential-access-key-vault).

How to securely invoke a Azure Logic App from Azure Data Factory

I have a Data Factory pipeline that calls a Logic App. The URL provided by the logic app designer includes a signature in the URL. In the Data Factory pipeline I have a Web activity that uses POST method to call the Logic App. This works, the app is called.
I would either prefer to separate this signature from the URL and store it in Azure Key Vault, or use authentication. Authentication options in Data Factory include: Basic, Managed Identity or Client Certificate. I tried to follow this article to enable authentication via Azure Active Directory OAuth but do not currently see how this would work with Azure Data Factory.
I know it is possible to enable API Management Gateway to enable more sophisticated authentication to APIs including Logic Apps but am not currently convinced that I should need to do this.
The other thing I noticed in the Logic App interface is that you cannot issue authorizations to execute. This differs from other Azure services like Data Lake for example where you can issue 'use-like' authorization to read a container. There is only the Authorization pane that can be used to define claims. I had a little go but I am missing key information.
Ultimately I would not want the signature exposed to developers including myself.
I believe you could pair the Managed Identity of the Web Activity with the Azure AD OAuth feature for Logic Apps.
The required claims need to be setup on the Authorization blade for validation of the tokens.
I personally like storing the PostURL in the Azure KeyVault then doing an Azure KeyVault GET API Call in ADF, then passing the output securely in ADF to the request to trigger the logic app. It's two activities which is like nothing and it's a secure method that can just use managed identity authentication that's Native in ADF.
Here is an example of how you get a value from AKV:
Getting value from AKV
Here is the URL for Azure KeyVault example secret:
https://kv-ccok-ops-#{pipeline().globalParameters.Environment}.vault.azure.net//secrets/FILESERVER-UserName?api-version=7.1
Using value from AKV
This example should be super easy to follow.
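An added example, not part of the answer above: a constructed ADF pipeline definition following this two-activity pattern (a Key Vault GET with managed identity, then the Logic App POST using that output), plus a small check that the secret-carrying activities have secureOutput/secureInput set so the signature does not land in pipeline run logs. The activity names, vault name, secret name and the MSI resource value are placeholders or assumptions.

```python
import json
import re

# Constructed ADF pipeline following the two-activity pattern above; the
# activity names, vault name and secret name are placeholders.
PIPELINE = json.loads(r'''{
  "name": "TriggerLogicApp",
  "properties": {"activities": [
    {"name": "GetLogicAppUrl", "type": "WebActivity",
     "policy": {"secureOutput": true},
     "typeProperties": {
       "method": "GET",
       "url": "https://kv-example.vault.azure.net/secrets/LogicAppPostUrl?api-version=7.1",
       "authentication": {"type": "MSI", "resource": "https://vault.azure.net"}}},
    {"name": "CallLogicApp", "type": "WebActivity",
     "policy": {"secureInput": true},
     "dependsOn": [{"activity": "GetLogicAppUrl", "dependencyConditions": ["Succeeded"]}],
     "typeProperties": {
       "method": "POST",
       "url": "@activity('GetLogicAppUrl').output.value",
       "body": {"source": "adf"}}}
  ]}}''')


def secret_handling_issues(pipeline):
    """Findings: Key Vault reads without secureOutput, and activities that consume
    such an output without secureInput (either would expose the secret in run logs)."""
    acts = pipeline["properties"]["activities"]
    findings, vault_readers = [], set()
    for a in acts:
        url = str(a.get("typeProperties", {}).get("url", ""))
        if ".vault.azure.net/secrets/" in url:
            vault_readers.add(a["name"])
            if not a.get("policy", {}).get("secureOutput"):
                findings.append(f"{a['name']}: Key Vault read without secureOutput")
    for a in acts:
        blob = json.dumps(a.get("typeProperties", {}))
        for ref in re.findall(r"@activity\('([^']+)'\)\.output", blob):
            if ref in vault_readers and not a.get("policy", {}).get("secureInput"):
                findings.append(f"{a['name']}: consumes secret output of {ref} without secureInput")
    return findings


def strip_policies(pipeline):
    """Copy of the pipeline with the secureInput/secureOutput policies removed."""
    stripped = json.loads(json.dumps(pipeline))
    for a in stripped["properties"]["activities"]:
        a.pop("policy", None)
    return stripped
```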

Azure AD or IdentityServer with Web API, understanding the concepts

Be warned possibly noob question ahead.
I'm a little unsure where exactly Azure AD or IdentityServer is supposed to fit in in the overall communication flow.
Here is a scenario that I often face.
Some "dumb" client (e.g. a Windows App that can't use external assemblies or some JavaScript in a web app) has to contact my Web API which will then contact other APIs or other resources.
If I want to try and implement either Azure AD or IdentityServer as a means of authentication and authorization in the Web API, I don't see that this can be done in any other way, than it has to be the Web API that communicates with Azure AD or IdentityServer as the client doesn't have the ability to do so due to the lack of required assemblies.
If this assumption is not correct, then how would I do this?
If it is correct, however, then what means of security is there between the client and the Web API other than communicating over HTTPS when the client has to send its credentials to the Web API, so the Web API can authenticate and authorize the user against either Azure AD or IdentityServer?
If I understand your requirements correctly, then you are able to change the client Windows app, but unable to add external assemblies to it? So you would not be able to add the ADAL NuGet package to it.
You can still use Azure AD authentication - it is possible, but not trivial, to implement the client code yourself.
Or you can, as you already mentioned, pass the user's credentials to the Web API somehow, and then use that to have the Web API do authentication towards Azure AD on behalf of the user. There is a sample app which shows how to use username/password credentials.
This however, goes against the whole OAuth/OpenIdConnect mindset, where your app should never know the user's credentials.
Here:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/develop/active-directory-v2-protocols-oidc.md
Be careful with trying to use the most recent version of the Azure AD endpoint (just don't use version 2.0, they shot themselves in the foot by excluding all Azure AD webapp registrations & by "securing" web APIs by making them only available to apps with the same appid - as far as I'm concerned, it's unusable until they fix those two issues) - see the "[!NOTE]" near the top of that linked page for the v2.0 limitations.

Connect to rest Api Azure

I would like to see an example of the set of messages that I need to authenticate to the Azure REST API, i.e. the GET and POST specified in this list, but with examples. The web pages are:
https://msdn.microsoft.com/en-us/library/partnercenter/dn974935.aspx
https://azure.microsoft.com/es-es/documentation/articles/resource-manager-api-authentication/
There are two blogs which show how to authenticate the REST API with ARM by getting the access token and using the token to authorize a REST call.
For C#, please see How to call the Azure Resource Manager REST API from C#.
For Java, please see Authenticating Azure Resource Management REST API requests using Java.
Meanwhile, you can refer to Azure samples about Azure AD via access https://github.com/Azure-Samples?utf8=%E2%9C%93&query=active-directory.
Hope it helps. Any concern, please feel free to let me know.

Can the WSO API Manager proxy a web service that is on the app server and authenticated using the identity server?

I have several web services that I want to make available to clients. My clients are split into two groups:
users using a web browser (I serve a web page that uses javascript + AJAX to request data from the web services)
applications (e.g. server app pulling data into a client's system)
1) I can solve the former by exposing my web services to external users using the application server and I can use the identity server to authenticate access (haven't worked how to do this out yet).
2) The latter is nicely satisfied by using the API manager. I can happily tell clients to log in to the API manager and subscribe to APIs. The APIs I create are proxies for the web services mentioned in 1).
I know that an API I create in the API manager can include a username and password for accessing the proxied web service. Is it possible to let an API proxy a web service that is authenticated using the identity manager? Sorry I'm reading documentation and struggling to understand if I can do this. Thanks
"Is it possible to let an API proxy a web service that is authenticated using the identity manager?"
Currently API Manager supports service endpoints which are secured using basic auth/UsernameToken.
If you use Identity Server to secure your service using any other mechanism, that won't be supported by API Manager.
Stodge,
The default API Manager authentication mechanism is OAuth. It uses the OAuth token mechanism to authenticate all APIs.
Please refer to [1].
Here the authentication component also sits in the AM. This can be delegated to a different AM instance if required.
Hope this helps.
[1] http://docs.wso2.org/wiki/display/AM140/Token+APIs