Best practices for user authentication on .NET REST API

[necik11]

What version of PnPjs library you are using

3.x

Minor Version Number

3.20.1

Target environment

All

Additional environment details

I am using .NET API. Which is published to the public.

And using SPFX webparts and extensions that are sending requests to this API.

Question/Request

I would like to ask if there is a correct way to set up authentication on the. SharePoint + SPFX -> NET API -> SharePoint . This API will be visible to the public, and I want to make a REST request using spfx webpart or extension.

Next, this rest service will connect back to SHP and do things under the service account.

So far it works by setting CORS, but I'm not sure if that guarantees proper security. .NET :

builder.Services.AddCors(options =>
{
     options.AddPolicy(name: MyAllowSpecificOrigins,
                       policies =>
                       {
                           policy.WithOrigins("http://example.com",
                                               "http://www.contoso.com");
                       });
});

and in SPFX classic POST/GET.

I want to ask if I am not needed to read the token in SPFX like: this.context.aadTokenProviderFactory.getTokenProvider(); and send this token or "bearer" to API and before starting verify the token is authenticated for this site. starting

[juliemturner]

@necik11 - Yes you would use the aadTokenProviderFactory to access your API. Your API should then be secured with Microsoft Entra ID (formerly Azure Active Directory). You don't say how your hosting your .NET based API but here's a link to an article from @andrewconnell explaining the process. The article might be a bit old as I think the screens have updated in Azure but the concepts are correct.

[necik11]

The problem is not how to call from our .NET application to SharePoint or anywhere else. Here we already have a registered application that only has access to specific things and we auth by certificate. It all works.

The problem is how to verify that when I click on something in the spfx webpart, for example, POST - Load Customers. And I will call a request to ourDomain.com/Customers.

How secure this .NET API which consumes the method LoadCustomers. Request is from an account for sample - me.ourDomain.com.onsharepoint.com. I think I have some token/bearer in context which can be sent? For sample PNP CMD using accessToken either, which just verify connect: Connect-PnPOnline -Url -AccessToken and when this token is okay I can run my Job in the background. When we could make app service in azure it would be much easier...But we cant

Everything works now, but I just don't know if there is any security threat? And if CORS, as mentioned above, ensures that the request is only from this domain can someone forge it?

[juliemturner]

Yes, I understood your question, I'm suggesting that you secure the API endpoint with Microsoft Entra ID instead of just using CORS.

[necik11]

Ok, and one last question, is there an example somewhere? I can find many solutions but which one is the right one... For instance i found how to get token (which work) in SPFX:

    var tokenId = 'https://graph.microsoft.com'
    let provider = this.context.aadTokenProviderFactory.getTokenProvider();
    console.log("provider", provider);
    let token = (await provider).getToken(tokenId);
    console.log("token", token);

so this token I will send like a bearer / JWT or in body??

[juliemturner]

You don't send the token that's what the aadTokenProviderFactory provides to you... please see this documentation for a complete explanation of the steps and the why's.

[andrewconnell]

@necik11 I +1 to everything @juliemturner said. Adding a few more points...

• Remember in SPFx, when you grant your SPFx permission to call your secured endpoint, you aren't REALLY granting your SPFx app, you're granting ANY client-side app to call your endpoint with that permission. Why? Because you're really granting SPO permission to your app... SPO can't tell if the original request comes from a specific SPFx app, the browser's JS console, or some code written with jQuery running in a client-side web part.

  I elaborate more on this topic in this post 👉 Consider Avoiding Declarative Permissions with Entra ID Services in SharePoint Framework Projects

• The way you can address this issue I bring up, is within your custom API, you can check WHO is making the call. The access token contains the identity of the user who's making the call (not the app that it was made through), so if you wanted to secure it further, you could have a list of users who are allowed to make the call. That list would be managed by YOU, not by SharePoint.
• In my SPFx course, I cover this topic and scenario showing how you can create custom roles in your Azure AD (aka: Entra ID) app and grant that role to specific users.
• FWIW, the doc @juliemturner linked to in her last comment is a bit outdated... but the spirit of it is still correct... the screens & steps have just changed a bit over time.

[bcameron1231]

Closing this issue as answered. If you have additional questions or we did not answer your question, please open a new issue, ref this issue, and provide any additional details available. Thank you!

[github-actions[bot]]

This issue is locked for inactivity or age. If you have a related issue please open a new issue and reference this one. Closed issues are not tracked.