Protect a ASP.NET Core web API with the Microsoft identity platform - Azure AD - Microsoft Entra

{tocify} $title={Table of Contents}

In this quickstart, you download an ASP.NET Core web API code sample and review the way it restricts resource access to authorized accounts only. The sample supports authorization of personal Microsoft accounts and accounts in any Azure Active Directory (Azure AD) organization. 

Prerequisites
  • Azure account with an active subscription. Create an account for free.
  • Azure Active Directory tenant
  • .NET Core SDK 3.1+
  • Visual Studio 2019 or Visual Studio Code

Step 1: Register the application

First, register the web API in your Azure AD tenant and add a scope by following these steps:

  • Sign in to the Azure portal.
  • If you have access to multiple tenants, use the Directories + subscriptions filter  in the top menu to switch to the tenant in which you want to register the application.
  • Search for and select Azure Active Directory.
  • Under Manage, select App registrations > New registration.
  • For Name, enter a name for your application. For example, enter AspNetCoreWebApi-Quickstart. Users of your app will see this name, and you can change it later.
  • Select Register.
  • Under Manage, select Expose an API > Add a scope. For Application ID URI, accept the default by selecting Save and continue, and then enter the following details:
    • Scope name: access_as_user
    • Who can consent?: Admins and users
    • Admin consent display name: Access AspNetCoreWebApi-Quickstart
    • Admin consent description: Allows the app to access AspNetCoreWebApi-Quickstart as the signed-in user.
    • User consent display name: Access AspNetCoreWebApi-Quickstart
    • User consent description: Allow the application to access AspNetCoreWebApi-Quickstart on your behalf.
    • State: Enabled
  • Select Add scope to complete the scope addition.

Step 2: Download the ASP.NET Core project


Step 3: Configure the ASP.NET Core project

In this step, configure the sample code to work with the app registration that you created earlier.

  • Extract the .zip archive into a folder near the root of your drive. For example, extract into C:\Azure-Samples.

  • We recommend extracting the archive into a directory near the root of your drive to avoid errors caused by path length limitations on Windows.

  • Open the solution in the webapi folder in your code editor.

  • Open the appsettings.json file and modify the following code:

"ClientId": "Enter_the_Application_Id_here",
"TenantId": "Enter_the_Tenant_Info_Here"


  •  Replace Enter_the_Application_Id_here with the application (client) ID of the application that you registered in the Azure portal. You can find the application (client) ID on the app's Overview page.
    • Replace Enter_the_Tenant_Info_Here with one of the following:
    • If your application supports Accounts in this organizational directory only, replace this value with the directory (tenant) ID (a GUID) or tenant name (for example, contoso.onmicrosoft.com). You can find the directory (tenant) ID on the app's Overview page.
    • If your application supports Accounts in any organizational directory, replace this value with organizations.
    • If your application supports All Microsoft account users, leave this value as common.
  • For this quickstart, don't change any other values in the appsettings.json file.


How the sample works

The web API receives a token from a client application, and the code in the web API validates the token. This scenario is explained in more detail in Scenario: Protected web API.

Startup class


The Microsoft.AspNetCore.Authentication middleware uses a Startup class that's executed when the hosting process starts. In its ConfigureServices method, the AddMicrosoftIdentityWebApi extension method provided by Microsoft.Identity.Web is called.

public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApi(Configuration, "AzureAd");
    }
The AddAuthentication() method configures the service to add JwtBearer-based authentication.

The line that contains .AddMicrosoftIdentityWebApi adds the Microsoft identity platform authorization to your web API. It's then configured to validate access tokens issued by the Microsoft identity platform based on the information in the AzureAD section of the appsettings.json configuration file:

appsettings.json key Description
ClientId                         Application (client) ID of the application registered in the Azure portal.
Instance                         Security token service (STS) endpoint for the user to authenticate. This value                                             is typically https://login.microsoftonline.com/, indicating the Azure public                                             cloud.
TenantId                         Name of your tenant or its tenant ID (a GUID), or common to sign in users                                             with work or school accounts or Microsoft personal accounts.


The Configure() method contains two important methods, app.UseAuthentication() and app.UseAuthorization(), that enable their named functionality:

// The runtime calls this method. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    // more code
    app.UseAuthentication();
    app.UseAuthorization();
    // more code
}


 Protecting a controller, a controller's method, or a Razor page

You can protect a controller or controller methods by using the [Authorize] attribute. This attribute restricts access to the controller or methods by allowing only authenticated users. An authentication challenge can be started to access the controller if the user isn't authenticated.


namespace webapi.Controllers

{

    [Authorize]

    [ApiController]

    [Route("[controller]")]

    public class WeatherForecastController : ControllerBase


 Validation of scope in the controller

The code in the API verifies that the required scopes are in the token by using HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);

namespace webapi.Controllers

{

    [Authorize]

    [ApiController]

    [Route("[controller]")]

    public class WeatherForecastController : ControllerBase

    {

        // The web API will only accept tokens 1) for users, and 2) having the "access_as_user" scope for this API

        static readonly string[] scopeRequiredByApi = new string[] { "access_as_user" };


        [HttpGet]

        public IEnumerable<WeatherForecast> Get()

        {

            HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);


            // some code here

        }

    }

}


Thanks πŸ˜€


Reference:

Comments

Post a Comment

Popular posts from this blog

File Transformation (variable substitution) and issues faced in Azure Devops  -  YAML

Variable substitution in Azure Devops | File Transformation in azure devops using YAML | Troubleshooting File Transformation in Azure Devops {tocify} $title={Table of Contents} Following this document used file transformation task in Azure Devops to substitute variables in json and xml files: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/utility/file-transform?view=azure-devops # File transform # Replace tokens with variable values in XML or JSON configuration files - task: FileTransform@1  inputs:  #folderPath: ‘$(System.DefaultWorkingDirectory)/**/*.zip’  #enableXmlTransform: # Optional  #xmlTransformationRules: ‘-transform **\*.Release.config -xml **\*.config-transform **\*.$(Environment.Name).config -xml **\*.config’ # Optional  #fileType: # Optional. Options: xml, json  #targetFiles: # Optional When using this you will get following error message: “ changes already present message ”. Got the changes already present message when directly targeting the source f
Read more

Power BI Report on Bot Analytics for Chatbot in Bot Framework Composer | Custom Trace Event in PowerBI report from Application Insights logs | Bot Analytics for Bot Framework Composer - Readymade template

Image
{tocify} $title={Table of Contents} Tutorial: View analytics with Power BI Intro Purpose The BOT framework Composer sample provides a Power BI template that can be used to understand how your bot is performing. Overall usage Personalize your experience for your brand and customers. All dialogs overview All dialogs' popularity and status based off of SDK telemetry Dialog overview Review a specific dialog's popularity and status LUIS intents A count of LUIS intents per day All conversation metrics Highlights the average number of conversations per unique user and the average duration by day https://lkgforit.com/power-bi-report-on-bot-analytics-for-chatbot-in-bot-framework-composer Conversations drill down Per conversation, this highlights the dialogs triggered and common utterances https://lkgforit.com/power-bi-report-on-bot-analytics-for-chatbot-in-bot-framework-composer Transcript Review interactions, sessions, and the transcript between a bot and its users https://lkgforit.
Read more

Low Level Design GitHub Materials | Low level design materials | Low level design end to end open source

{tocify} $title={Table of Contents} 𝟏 ) 𝐓𝐇𝐄 𝐋𝐋𝐃 Low level Design / Machine Coding Question Collections ————— What is Machine Coding Round ? Machine Coding Round has become very popular interview round in most Product and startup companies like Flipkart, Cleartrip, navi and Udaan,the way the round is structured is the candidate will be provided with a Problem statement and the minimum set of features which needs to implemented within the 90 min window period, we as a candidate need to identity the data models, the service interfaces which will be consumed by the clients and other set of functions and classes, we should be able to present the same to the panel with are design choices / design patterns being made / used and the complete working code. What is the purpose behind this LLD repo ? During my recent Preparation, found out that there was no single resources where we get a collections of all the questions and the corresponding Answers, so currently updating the repo
Read more