API Security with ASP.NET Core 5.0 and Azure AD for Dummies
This blog is part of a complete blog series.
- Part 1: Authentication vs authorization (this blog)
- Part 2: The different actors
- Part 3: Authentication with Azure AD
- Part 4: Authorization with Access Control List
- Part 5: Authorization with Application Roles
- Part 6: Authorization with Delegated Permissions
- Part 7: Retrieve more user information
- Part 8: Access APIs on behalf of a user (coming soon)
- Part 9: Automate the Azure AD configuration (coming soon)
Authentication vs authorization
It’s important to understand the difference between these two concepts:
Authentication is the process to determine whether API consumers are who they claim to be.
Within Azure Active Directory, there are different ways to authenticate:
- Users: username + password, preferably combined with MFA, …
- Applications: client id + secret, client id + certificate, managed identity, …
As a result of these authentication mechanisms, Azure AD creates signed access tokens (JWT) with a limited lifetime. These access tokens need to be verified, to ensure the identity of the API consumer.
Authorization: is the process to determine what API consumers are allowed to access
With Azure Active Directory, these are the three main options:
- Access control list
- Delegated permissions
- Application roles
These options will be further explored in the next parts. There are also custom authorizations possible, which are often implemented in a specific business context. These are out of scope for this series.