Protecting your webapp with Azure Active Directory WITHOUT adjusting any code…

Introduction

Sometimes we come across applications that needed some basic form of protection, but (sadly enough) the code base did not allow it. Today we’ll see how we can enable authentication / authorization on your web app, -without- altering any code! We’ll be doing this capability from the web app service itself, without the code noticing anything of this.
Enable / Configure the Azure Active Directory Authentication

Let’s start by doing to our web app and looking for the “Authentication / Authorization” section.

2017-03-01-14_27_51-authentication-_-authorization-microsoft-azure

We’ll enabling the “App Service Authentication”. As we do not want guests, we’ll select “Log in with Azure Active Directory” as a way to force authentication. Next up we’ll configure the Azure Active Directory ;

2017-03-01-14_28_04-authentication-_-authorization-microsoft-azure

Continue reading “Protecting your webapp with Azure Active Directory WITHOUT adjusting any code…”

Azure : Using PHP to go all oauth2 on the management API!

Introduction

As a hobby effort, I wanted to create a small poc where any user would be able to login with their AAD user, grant access to an application, after which that application could query their subscriptions.

In all honesty, I’ve been struggling more than I like to admit with getting this working… So this post will cover all the steps that you need to do to get this working!

 

Oauth & Azure AD

Before getting our hands dirty, read up on the following post ; Authorize access to web applications using OAuth 2.0 and Azure Active Directory

Ready it thoroughly! To be honest, I didn’t at first and it cost me a lot of time. 😉

Anyhow, the flow looks as follows…

active-directory-oauth-code-flow-native-app

So basically;

  • We’ll redirect the user to sign-in (and if this hasn’t been done, grant our application access)
  • If all went well, we’ll receive an authorization code
  • We’ll use this code to get a bearer (and refresh) token
  • Next up we’ll use the bearer code to connect to the Azure REST API for getting the list of subscriptions for that user.

Continue reading “Azure : Using PHP to go all oauth2 on the management API!”

Azure : Basic Network Hardening between a Webapp & the SQL Database

A quick tip on hardening your SQL database in combination with an Azure Webapp. Browse to the properties of your webapp. Copy the “outbound ip addresses” to your text editor.

2016-03-16 08_38_56-Properties - Microsoft Azure

Now browse to the “SQL Server” you have provisioned in Azure. Click on “Show firewall settings” and enter the IP addresses you just noted down.

2016-03-16 08_38_13-Firewall settings - Microsoft Azure

A small pointer ; You have to enter this an address at the time and save after each entry… Annoying as hell, though this is how the UI works.

Anyhow, let’s see how our webapp behaves…

2016-03-16 08_43_42-Welcome to CodeIgniter

As you probably do not believe my right off the bat. So let’s clear up the firewall rules…

2016-03-16 08_44_52-Firewall settings - Microsoft Azure

and test again! 2016-03-16 08_45_35-Database Error

Now we notice that the access to the database was denied. The address listed there is the one that was present in the outbound ip addresses listing from earlier on.

Have fun hardening!

Web Development : A step up with Automated Deployment

Developing a website… ; Open up “notepad++”, browse to your web server via FTP and edit the files. Then refresh to see the changes…

Sounds familiar? Probably… It’s a very straight forward and easy process. The downside however is that you have no tracking of your changes (Version Control) and that the process is pretty manual. So this becomes a problem when you aren’t the only one on the job or if something goes wrong.

So let’s step it up and introduce “version control”… Now we have an overview of all the revisions we made to our code and we are able to revert back to it. Yet suddenly, we need to do a lot more to get our code onto the web server. This brings us to the point where we want a kind of helper that does the “deployment” for us.

The basic process
automated-web-development-kvaes.be

  • Local Development : The development will happen here. Have fun… When you (think you) are happy with what you have produced, you update the files via your version system.
  • Source Repository : The source repository will contain all the versions of your code. Here you can configure it to send a notification to your deployment system whenever a new version has been introduced.
  • Deployment System : The deployment system will query the source repository and retrieve the latest code. This code will be packaged, transmitted and deployed onto the target system(s).
  • Target Systems : The systems that will actually host your code and deliver the (web) service!

Real Life Example?
Ingredients

Recipe

  • Create a private repository at BitBucket
  • Pull/push the repository between BitBucket & your local SourceTree
  • In GitHub, go to “Settings”, “Deployment Keys” and generate a key for your automation. Copy it to your clipboard…
    2015-01-12 15_33_53-kvaes _ kvaes.be - 2015 _ Admin _ Deployment keys — Bitbucket
  • In DeployHQ, go to “Settings”, “General Settings” and copy to key into the “Public Key Authentication” textbox.
    2015-01-12 15_31_19-Website 2015 - LogiTouch - Deploy
  • In DeployHQ, go to “Settings”, “Servers & Group” and create a new server.
    2015-01-12 15_36_53-Website 2015 - LogiTouch - Deploy
  • In the same screen, Enable “Auto Deploy” and copy the url hook.
    2015-01-12 15_38_19-Website 2015 - LogiTouch - Deploy
  • Now go to “Settings” in GitHub, and then “Hooks”. Add a “POST” hook containing the url hook you just copied.
    2015-01-12 15_39_11-kvaes _ kvaes.be - 2015 _ Admin _ Hooks — Bitbucket
  • Now every time you do a commit on your workstation, the code will be deployed to your server!

In fact, this is the mechanism I utilize for my own (hobby) development projects. An example of here, is my own homepage, which is deployed via the system as described above.

Are my sites up?

Are My Sites Up is a very simple service to help you keep an eye on your sites and warn you if they go down. It is completely free.

aremysitesup

You need to know if there are any issues with your own sites or the ones you maintain. The guys at “aremysitesup.com” offer you this service for free! It’s just a small test offcourse, but in most cases this will suffice… 😉

The 3 kinds of free models

Logic+Emotion featured an article called Visualizing Chris Anderson’s “Free” Model.

  • Free 1 : Kinda like the concept often used by Telecom operators. Buy a subscription and get the mobile phone for free. (Too bad this concept isn’t allowed by law in Belgium…. “Koppelverkoop”)
  • Free 2 : The concept where the whole web 2.0 is running towards… Offer something for free to your community, but let an external party pay for their “subscription” by means of advertising.
  • Free 3 : Shareware meets web 2.0… Get a limited version for free, but pay for the premium version.

You might also want to read the original article