On premise DAB cli authentication

[kenshinjeff]

Hi everyone, I've been playing around with the cli and it seems really convenient to expose my ms sql server via a config file. What I can't seem to understand is how can I restrict the API to authenticated users.

From this page, it seems like DAB assumes that if I were to configure it to with "Use the StaticWebApps provider" it will accept any Base64 encoded payload.

My intention is to expose the API on the internet, and allow authenticated users, or users with an API key to use the API. Is this possible?

Can anyone please point me in the right direction?

[seantleonard]

Hi @kenshinjeff,

Depending on the Identity Provider you use to manage users, user registration, etc. (such as Azure Active Directory), you can configure DAB to accept access tokens issued only by that provider. A tutorial on configuring DAB to accept Azure AD access tokens for a specific tenant can be found here: https://learn.microsoft.com/azure/data-api-builder/authentication-azure-ad

You can use Static Web Apps to restrict your API to authenticated users as well. Including configuring Azure AD as a configured authentication provider.

• You would have to configure authentication via Static Web Apps. From DAB's perspective, you may also want to exclude usage of the anonymous role in your entity permissions in DAB's runtime configuration.
• Additionally, you can restrict access to your Static Web Apps site by creating route rules https://learn.microsoft.com/azure/static-web-apps/configuration#restrict-access-to-entire-application
• DAB, when configured to use StaticWebApps, will only accept a Base64 HTTP header injected by Static Web Apps. Any instance when a client tries to include the base64 encoded user payload will result in that header beign ignored and dropped. For more information about this header, X-MS-CLIENT-PRINCIPAL, see https://learn.microsoft.com/azure/static-web-apps/user-information?tabs=javascript#api-functions

[kenshinjeff]

Hi @seantleonard,

Thank you for your replies. I went to check out all the suggestions. I noticed the Azure AD solution is a paid solution, so that's out for the moment.

I re-read everything including the docs to try to understand how this would work. Please let me know if my understanding is correct.

When the DAB CLI is configured to authenticate via Static Web Apps, it means that I need to write a Static Web App application for authentication purposes, with the payload the client would be able to gain access to the API provided by DAB. But how would DAB know if the payload is valid?

Sorry for these basic questions as I'm really new to the Azure family.

[seantleonard]

I took another look at your initial post, and you mention you are using on-premises SQL Server. In that scenario, you would need to configure an identity provider other than static web apps. Alternatives to Azure AD would be (Cloud) Auth0, Okta, and (on-prem) IdentityServer4. You would need to identify within those providers' documentation, which values to include in the following DAB runtime config fields:

"authentication": {
        "provider": "AzureAD",
        "jwt": {
          "audience": "<DAB_APP_CLIENT_ID>",
          "issuer": "<IdentityProvider_Token_Issuance_Endpoint>"
        }
      }

If you have on-premises Active Directory and ADFS, you might be able to configure ADFS to issue tokens for DAB, but that is both untested, and undocumented.

We don't have the ability to issue and validate API keys, but if you would like that functionality, please feel free to open an idea request in the discussions page: https://github.com/Azure/data-api-builder/discussions/categories/ideas