Introduction

I’ve recently done a knowledge sharing session about how to protect web API with Azure AD. Long story short, I’ve decided to use the Pode module in addition to MSAL.PS and ValidateAADJwt which is a module that I’ve published which optimize the Azure AD token verification.

In this article I will expose a template that I’ve created that I can paste for later usage where I expose several grouped routes where each group use the middleware to verify if the received token is first a valid one (exp, signature, iss, aud validation) and then add more claim validation.

Note: The ValidateAADJwt, which is a cross platform module, downloads public key used for signature validation to speed up later verification.

Web API

I won’t explain the Azure AD configuration, don’t hesitate to ask if you need help. You will be able to find the code here.

In this example, I will expose 3 groups of routes:

Anonymous for fun.
Admin where the token received required to be valid and with the admin property in claim role.
NonAdmin where the token received required to be valid and with the nonadmin property in claim role.

Note: I’ve used some random key pair just to get a valid dockerfile.

The only comment I want to add in addition to the well commented code is defaultRule.ps1 (Under authentication folder). You don’t have to touch this file, this one will validate the required fields. If you need to validate something else, just add a new file like adminRole.ps1 and put your logic. Then simply add a new line ine the startpode.ps1 (line 19).

I hope the code will be helpful to some of you.

Cheers

How to protect a Pode web api with Azure AD

Introduction

Web API

Further Reading

Build a Powershell API with Pode

Execute AD queries protected by modern authentication from Azure without VPN

Simplest way to generate tokens with Azure AD (not best practices)