Azure AD REST API authentication

Hi all,
I’m struggling to make authentication on our REST API for UD work. We have the following scenario:

UD instance with AzureAD Authentication running on port 443.
UD REST API instance running on the same server on port 8443.

REST API is working fine when supplying arbitrary (forms-based) credentials to the api/login endpoint, receiving a bearer token and using this for the endpoints.
What I’m wondering is if I can somehow (programmatically) authenticate against the UD (with AzureAD) to retrieve the bearer token and then continue to talk to the REST API with that.

The goal would be to auth against UD, issue bearer token only when specific claims from AzureAD token AND specific authorization policies are met and then continue to API with the bearer token.
While this will work interactively (user logging into UD with a browser and requesting token), we need to make this work from other services that talk to UD in a programmatic way.

is this possible?

thanks,
Stefan

1 Like

Hi,
I’ve not really dabbled with azuread authentication, but I can see you’re presenting the rest api on a different port from your dashboard, any specific reason for this? I’m assuming in doing this, the two are treated as independent points of authentication.

When you start the rest endpoint are you passing in the same auth mechanism through -AuthenticationMethod ?
Once you’ve done this are you then applying any -AuthorizationPolicy 's to your API endpoints?

In my dashboard, I dont specify a separate port, I just run my rest endpoints under the same port/443, the same as my dashboard - and all my existing auth methods apply (windows pass through - with policies based on ad group membership).
So I’m not using start-udrestapi, I’m just passing additional endpoints into my dashboard for rest, e.g:

$Endpoints += New-UDEndpoint -Url “/test” -Method “GET” -AuthorizationPolicy “Admin” -Endpoint {
[PSCustomObject]@{
Name = “Test”;
Value=“Hello World”
} | ConvertTo-Json
}