How to retrieve logged in user's authorization code for getting the auth token for an external REST API integrated with AAD

vamseeinala
Kilo Contributor

Hello,

I have a scenario where I need to access an Azure Active Directory authorization enabled Azure Web API endpoint for Script Include code. I want to use the logged in user's auth code to retrieve the auth token for the AAD resource. Any pointers on how to achieve this?

I have tried configuring a REST API endpoint, but that doesn't have the option to provide the "AudienceUri" / "ResourceID" of the resource for which I want to acquire the authorization token.

Thanks
Vamsee


Daniel Draes
ServiceNow Employee

I don't think this is possible in our baseline. We do not store the auth codes we receive from the IdP (SAML). If we did, this could open a door for spoofing user accounts. We could basically send any auth code to the 3rd party as there is no additional security around it. In your case you would need to run the whole thing client side to see if the end point can use another way / means of authorization via the client. But this sounds a bit strange to me.


Hi,

The issue really here is, we are enabling a feature through the ServiceNow extensibility model. We are making a call to our API which is protected by AAD. Since the user has already logged in to ServiceNow we have a need to call the API in the context of the logged in user. Our API is protected with AAD (Azure Active Directory). If we had the logged in user's access code, we could request AAD for the token to access our API which is already secured by AAD. Basically we are getting a user token in order to access a resource protected by Azure AD. ServiceNow doesn't necessarily need to expose the access code; rather, if there is a function that can take a resource ID and get a delegated access token from the same AAD to access a resource protected by AAD, it would help us to call our API in the context of the user so that we don't really need to depend on the trusted system model. If we have to do it, again the user would get a login dialog, which is not a good experience for the already logged in user.

Hope it explains.

vamseeinala


Kind of explains it, but still I believe this is not possible or at least not advisable. If we forward some authentication tokens from the user via our servers, this would mean we could basically spoof and 'impersonate' any user without a proper control. In this case the call has to happen from the client side, as only the client has access to the user credentials.

But maybe I am getting this totally wrong...

Could you talk to the 3rd party endpoint (AAD) and check what exactly they need? Think of a system-to-system integration in this context, as that is what you are trying to achieve: integrate ServiceNow with their web service.


Ravi Kalivarap1
Kilo Contributor

Is there any solution for this? I have the same requirement now with AAD.

Just want to check with the community again as this looks like a 2 year old post.