Hey any idea how to make this app a dashboard for monitor my tenant security and compliance ? i can extract the data from graph API security and azure ad but I don't know whats the right logic / architecture to do I my app??
@@gadour97 Do you want to convert this app to a dash board? If you want to prepare dashboard, you can use Tableu or Power BI which are best visual representation tools.
"I'm a beginner at this, and while the tutorial was helpful, I think having a bit more explanation would be a great help for me. Thanks for the tutorial!"
I can say it's very helpful tutorial, it clear lots of doubts and give a lot of insights. Thanks, and keep doing the good work. However, I am wondering the below things, I am requesting you to please explain? so that others who may have the same doubts can also refer the same. 1. I am not seeing any refresh token concepts in both Angular and Web API or I don't see any call made to get refresh token in both apps. 2. What happens if the token gets expired? how and where to maintain this logic. 3. I don't see you append any access token in the header while making the http call ? how come we pass both access and refresh token ?
hi!, you have created 2 app in the register apps azure, this is for development environment, but for qa or production, i will have create other applications in azure?
Hi, thank you for making this very helpful tutorial. I have a question: I want that all users that have a microsoft account can login how can I do that?
In your app registration authentication section, add All microsoft accounts as Identity provider. This video may help - ruclips.net/video/sd6pmmNY1PY/видео.html Please subscribe to the channel, if you have not subscribed yet. Thank you.
Thank you. There are more in the channel. Please take a look and subscribe if they are relevant to you. Here is the link - ruclips.net/channel/UCjT5Tn4qMkVkSYeP-L6gLVwvideos
Thanks a lot for coming to my channel and thanks to your friend too for suggesting. I make video tutorials on Azure, .Net and angular. Please subscribe if your have not subscribed yet.
@@davorinkocbek4779 I dont have one. But you have to implement Angular Guard to protect your routes. Here in this video also we have used roles, Guard (MSALGuard - default azure one) but that is on API.
Have you ever used quarkus as backend api? I have registered 2 applications (backend api and frontend angular) in azure as you did in your video. But response from backend to angular frontend is 401.
I see that the scope created was only for one API controller. Can't we make it work without a scope or by using the .default scope?? I think the role(s) was alone enough with default scope. Can you explain please?
Thanks for you clean explanation, how can we get assigned role in the angular app for the logged in user so we can hide "Show Report" button based on the role on UI ?
you can get the logged in user account details by using this.authService.instance.getAllAccounts()[0]. Please refer to the github code. It will return account info object and from that you can get all the related roles of the user. Based on that you can hide the link. Please subscribe to the channel if you have not subscribed yet. Thank you.
@@dhee26 Roles do exist only for Apis. You should not add them to client applications unless you are using the client app registration for an api too... Please subscribe to the channel if you have not subscribed yet. Thanks.
@@azureteachnet ok well noted. but as you mentioned on this first comment once we get account details you can get the roles of the user, this details actually from angular app right (which do not have roles) ? Currently roles do define at API app registration, how to get information about the roles from angular app? (In order to define hide/show for some links)
Very clean explanation, thanks so much, how to redirect to microsoft login page directly without click on the login button, I have a requirement when I put in the URL of my application it should redirect to the login and then to home page, how to set it up ?
@@azureteachnet Thanks you very much, do you have any tutorial where you have angular app which gets the jwt token and pass it to the API, and how token refresh works like after 1 hour if token expires how to get the refreshed token and pass it to the api as part of the request, and in order to get token how to access azure key vault for client secret in angular app ?
@@vijenderreddy1475 I have Web api tutorial with jwt and refresh token.I have a video on Azure key vault too. not the angular one. In future, I will create a video for angular with jwt.
I am a beginner, this is tutorial very useful. I got error main.ts:6 ERROR Error: NG05104: The selector "app-redirect" did not match any components. when checked in the git hub code link you provided there is no component with name "app-redirect". Thanks for your efforts.
Thanks for the feedback. That is msal component. Please check github.com/AzureTeachNet/AzureTeachTutorials/blob/Angular_WebAPI_AzureAD_Authentication_Authorization/azuread-angular-demo/src/index.html file. you have to add it in index.html. Please subscribe to the channel if you have not subscribed yet. Thanks.
Hi, How do I create users and assign them different roles like Manager or Admin as you have done in the video? For ex: Jessica has a manager role and she is able to access the authorized resource which is accessible to only manager. Please guide. Thanks for your efforts.
Creating roles and assigning them is shown in video. If you want to create the users, Go to Active directory in azure portal, click on Users tab (left side menu). In that you can create users.
The tutorial is very helpful but the constant bell sound really disturbs and it will be helpful if you explain certain things more, like MsalRedirectComponent, or why is app-redirect in index.html required.
Thanks a lot for taking time in providing the feedback in a constructive way. Sorry for the annoying bell sound. Actually I have added that because of desperation. Viewers are appreciating my content in comments and in likes however, forgetting to subscribe to the channel. So I thought of reminding them in every important moment of the video 🙂 . Sorry for that. I will reduce adding them. Regarding MSAL redirect Component - In the demo, we have used Redirect based Azure Ad for angular. MSAL is the library to add Azure Ad to angular app and we are using Redirect Based AzureAd so we used MSALRedirectComponent. App-Redirect - This is needed in the index.html. As we are using Azure AD we must include its related components. It is like, I am a .net guy. If I want to use Azure AD in .net core I must add Azure related dlls to my project. It is also the same. There are more azure videos in my channel. Please take a look and if you feel they are relevant, please subscribe 🙂 .
@@azureteachnet Thanks for acknowledgement and response. Can you please help me in understanding scopes and what if I don't want to decorate controller with scopes
@@kanupriyagoel2257 using scopes we can make the api granular and give the permissions. You can understand it like Roles are for the users and scopes are for the applications. Assume from a .net client app you are trying to access an api. first of all, the client app should be known to your api. there can be multiple client apps which can access the api. assume, there are 3 clients. each client can access a specific controller only and it cannot access other controllers. we can use scopes to restrict the client apps. Here is a video in which I demoed using scopes on different client applications for an api - ruclips.net/video/pS1hER46PQI/видео.html
Hello sir, i am working with angular 8 application, and this MSAL is not working for me, kindly help me out in this or can you do a separate video for angular 8 application with msal azure authentication as well.
Do we need a separate Azure ad app registration for web API We already have an app registration for angular app? Can we use the same client ID and tenant ID for web api as we are using for angular UI?
Very helpful, exactly what I needed. Is there a way to set custom expiration time for a token? And also to request to authorize on a specific api? Thanks in advance and thanks for the tutorial! :)
Changing token life time may need Azure AD Premium license. Here is the information - docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes "request to authorize on a specific api" - Do you mean adding authorization globally for entire api? We can specify the authorization, On an Action, On a Controller and at complete API level too. You can create a custom authorization filter or define a policy. Or even create a base controller and inherit all your controllers from it. Decorate your base controller with Authorize filter with roles. This will ensure that all your controllers can only be accessed if the user has certain roles.
@@azureteachnet Thanks a lot for your reply. But I have some more questions, if you can answer them I would be very grateful 1. Why do we need 2 redirectUri: one in Azure and one in Angular code? What can we do if we have multiple environments (dev, stage, live)? 2. Is the permission "User.Read" from Api permissions needed if I've created custom roles for the users? 3. Why do we need 2 app registrations (the WebApiAzureAngularDemoApp and angularazureadapp) and I didn't understand why we need a scope if we create custom roles? 4. Can we somehow get the roles from Azure in Angular? I have tried some methods, but I only managed to get the name, username, scopes and all other configs, but not the roles 5. Can we update more directly the user roles in app when changing/deleting/adding a role in User roles in Azure? Cuz now if I change a role I need to logout and clear cache and login again so that the roles are updated with the last changes.
@@ramonastoica9042 1. Understand it with a scenario. Your angular app exposes client Id which anybody can read from the url. If any malicious person want to use the same app id he can do so. Then we can make azure AD to redirect to any web site we want. Assume, actual website is www.abc.com. an malicous person want to redirect the request to www.xyz.com. he can easily do it. To avoid it, we must set the redirect uri. Azure will validate the url and check if it is the same url that is configured in it or not. Otherwise simply returns an error.
@@ramonastoica9042 2. It all depends on your need. This video has the use of Azure Graph API. With Every App registration, by default you will get User.Read permission with in app registration. If you dont need it, you can remove it.
@@ramonastoica9042 3. General rule of thumb - number of app registrations = number of applications which uses Azure AD. However we can use a few app registrations for all the applications which is not recommended. Scope is needed because, Azure needs to validate the app which is accessing it. Other thing is, Assume your organization has 1000 applications and all of them have various roles defined in azure. A user, may be an admin user who has access to all the applications. Now user login to Application-1. How will azure know which roles to include in the access token (jwt)? It cannot include roles of 1000 apps rite? So it will check the scope and based on the scope it will include the roles which are specific to that application. You can assume like , Roles are for the users and scopes are for the client applications. You can check this video - ruclips.net/video/pS1hER46PQI/видео.html . It has web api authentication and authorization using Azure AD and the client applications which has scopes
at 29:24, I don't have the automatic redirection to the login page (localhost:4200), it stays on the Microsoft login page: "You signed out of your account" I'm using Google Chrome.
Here is the video - ruclips.net/video/jv_vi1G6eGA/видео.html . Please watch it if you are still looking for it. Also please subscribe to the channel. Thank you.
@@azureteachnet Yes, all of this. For example how frontend communicate with Azure AD when user try to login, what is happening in the background when we try to login, how Azure AD know which user is trying to login, things like that. Can you draw or explain entire logic?
@@aleksastokanic4221 I hope you know how JWT authentication works. Please refer this ruclips.net/video/4y0sg9omQ5E/видео.html 12 minute video, if you dont know that. This entire flow use JWT authentication with oAuth2.0. Every application, which uses Azure AD authentication is identified with a client ID (Id of app registration). When the user access the application which has Azure AD authentication, it will redirect the user to the azure login page. Once user provides the credentials, azure generates the JWT token and returns it back to the application. How this work? - When the application redirect the user to azure login page, It sends ClientId, Scope and credential type as parameters. Scope means, the criteria that azure needs to consider while generating the token. For example, In an organization, it can have 100s of apis. However, the client application (here angular app) may need to access only few apis. Based on the scope, azure will limit the scopes in the token generation. IF YOU DECODE THE TOKEN OF AZURE, you can easily understand what I mean. In this example, angular app is passing scopes of azure graph api and web api. so it passed two scopes. If this client app is authorized to access these two apis, Azure validates them and generates the token with a scope array of these two apis. Here is the key thing is, most of the information that is needed is embedded inside the token itself. so once the token is generated and it will be returned to the client app and it stores the token in the local storage. Client app uses the token to call the downstream apis. I know it is lengthy answer. There is more I can explain. Please let me know If you want me to make a video. Thanks
Once the user logs in to the angular app using azure ad, azure returns the token. It will be preserved in browser cache. As we have mentioned the Web Api scope in app.module.ts , azure includes claims related to the api in token. When angular app send request to the api, MSAL interceptor (we have mentioned it in app.module.ts) includes the token in request header. As we have used azure AD at web api end too, it decodes the token and authenticates the user.
After implementing this I'm facing issue with "Provisional headers " issue on chrome as im sending bearer token with auth header. , tried all the ways to fix it, but could not able to.. please help.
github.com/AzureTeachNet/AzureTeachTutorials/tree/Angular_WebAPI_AzureAD_Authentication_Authorization This is complete code of the video which has both backend and UI. Please subscribe to the channel if you have not subscribed yet. Thanks
yup. If you use Azure AD on API, you have to use MSAL on client side. You can write your own logic to call Azure AD authorize end point to get the token, however it is a kind of re-inventing the wheel. Please subscribe to the channel, if you have not subscribed yet.
could you please let me know what you are looking for in .net 6. I will create tutorial. I am creating tutorials on .net 5 or .net 3.1 because most of the big enterprises are still using it. 🙂
I worked on Java for sometime but too less. I am primarily a dotnet developer/lead from past 11 years. If I have to create a video on quarkus, I need to spend time in learning the basics instead of directly creating a tutorial 😁
You dont have to learn quarkus 🙂 Angular part is enough for me to try Azure SSO. Btw, is it possible to automatically redirect an unauthenticated user to the MS login page when a user visit the site (without clicking the login button)?
@@matjazhafner2000 yes. we can do that. In this video, in routes module, I did not add MSALGuard to Home route. so it is not redirecting to login. But If you add MSALGuard to any route, if somebody who is not logged and open the page, it will redirect to login page.
Thank you. I will try. I am choosing between MSAL and angular-oauth2-oidc library. I dont have much experiences with Azure SSO so I need to find a proper library which will suit my needs.
Is it possible to get the name of logged in user without calling the graph/me endpoint? I would like to display the name of logged in user in page header. What would be the best way to do that (another Subject like isUserloggedIn in app.component.ts)?
we can, but not recommended. Also, it depends on the way you are developing/configuring. App registrations are free and it is better to create an app registration for each app
@@tipsandhacksbygaurav nope. It need two app registrations. Also , you have to configure app registrations with roles, authentication url etc. may I know what preventing you in creating a separate app registration for each app.
i don"t have a startup.cs file when i added it I think I forgot to add something, so I got an error and now it doesn't work anymore can I see your startup.cs file and program.cs file ?
Are you trying out this demo using regular .net or with .net core. If your project is not .net core, Startup.cs may not be there. Please check your project .net framework. In the video, the changes related to Startup.cs is there. I will add this project to Git by Monday and let you know.
Sir, i've created SAP app with your code, first it was working fine . But now when i run the app it goes to Microsoft login without clicking Login button and localhost page is reloading again and again... please help
please check the configuration in app.module.ts. Did you add it in protected resource map. Please comapre with github code and let me know if you still face the issue.
@@azureteachnet All looks good, Infact the User Profile information is working and I am getting that data, but just the Profile Pic endpoint is erroring out with 401
Here is the source code - github.com/AzureTeachNet/AzureTeachTutorials/tree/Angular_WebAPI_AzureAD_Authentication_Authorization
IrrwlSrk mz
Th
Hey any idea how to make this app a dashboard for monitor my tenant security and compliance ? i can extract the data from graph API security and azure ad but I don't know whats the right logic / architecture to do I my app??
@@gadour97 Do you want to convert this app to a dash board? If you want to prepare dashboard, you can use Tableu or Power BI which are best visual representation tools.
in case you already posted how to CRUD up and MSAL with angular +node.js API i`d love it!!!! thanks in advance.
"I'm a beginner at this, and while the tutorial was helpful, I think having a bit more explanation would be a great help for me. Thanks for the tutorial!"
keep doing more videos. Step by step approach is super useful
Very helpful tutorial clear lots of doubts and give a lot of insights Thanks a lot keep doing the good work👍
just had a query how can we do SSO using jwt.. any reference on that
I can say it's very helpful tutorial, it clear lots of doubts and give a lot of insights. Thanks, and keep doing the good work.
However, I am wondering the below things, I am requesting you to please explain? so that others who may have the same doubts can also refer the same.
1. I am not seeing any refresh token concepts in both Angular and Web API or I don't see any call made to get refresh token in both apps.
2. What happens if the token gets expired? how and where to maintain this logic.
3. I don't see you append any access token in the header while making the http call ? how come we pass both access and refresh token ?
Thanks for the feedback. Right now I dont have any videos which shows angualr refresh token with Azure AD. will make video soon.
hi!, you have created 2 app in the register apps azure, this is for development environment, but for qa or production, i will have create other applications in azure?
Great video, very informative and crisp clear.
Thank you so much for this tutorial. This is working like a charm. You are a life saver!! Thanks again.
Thanks for your words. It motivates me a lot in making content like this :-)
Hi, thank you for making this very helpful tutorial.
I have a question: I want that all users that have a microsoft account can login how can I do that?
In your app registration authentication section, add All microsoft accounts as Identity provider. This video may help - ruclips.net/video/sd6pmmNY1PY/видео.html
Please subscribe to the channel, if you have not subscribed yet. Thank you.
Excellent 👏👍
Great resource. Thank you.
Very good explanation!!
Thank you. There are more in the channel. Please take a look and subscribe if they are relevant to you. Here is the link - ruclips.net/channel/UCjT5Tn4qMkVkSYeP-L6gLVwvideos
Hi. My friend suggested me your videos. Exactly what I need.
Thanks a lot for coming to my channel and thanks to your friend too for suggesting. I make video tutorials on Azure, .Net and angular. Please subscribe if your have not subscribed yet.
Do you have any video how to protect access to angular frontend depends on azure ad roles?
@@davorinkocbek4779 I dont have one. But you have to implement Angular Guard to protect your routes. Here in this video also we have used roles, Guard (MSALGuard - default azure one) but that is on API.
Have you ever used quarkus as backend api? I have registered 2 applications (backend api and frontend angular) in azure as you did in your video. But response from backend to angular frontend is 401.
@@davorinkocbek4779 I am sorry. I am primarily a .Net senior Fullstack developer. I think quarkus is related to Java and I dont have idea on that.
I see that the scope created was only for one API controller. Can't we make it work without a scope or by using the .default scope?? I think the role(s) was alone enough with default scope. Can you explain please?
Thanks for you clean explanation, how can we get assigned role in the angular app for the logged in user so we can hide "Show Report" button based on the role on UI ?
you can get the logged in user account details by using this.authService.instance.getAllAccounts()[0]. Please refer to the github code. It will return account info object and from that you can get all the related roles of the user. Based on that you can hide the link. Please subscribe to the channel if you have not subscribed yet. Thank you.
@@azureteachnet Hello, does it mean even at angular app reg we need to create an app role and assign to user? Same like we did for web api side?
@@dhee26 Roles do exist only for Apis. You should not add them to client applications unless you are using the client app registration for an api too... Please subscribe to the channel if you have not subscribed yet. Thanks.
@@azureteachnet ok well noted. but as you mentioned on this first comment once we get account details you can get the roles of the user, this details actually from angular app right (which do not have roles) ?
Currently roles do define at API app registration, how to get information about the roles from angular app? (In order to define hide/show for some links)
Hello, sir. Thank you for this tutorials. Is there a way to look for the source code of this tutorial?
I have not added this to Git Repo yet. Will share it soon. Thank you for your interest.
yes please add it!!!
Here is the source code - github.com/AzureTeachNet/AzureTeachTutorials/tree/Angular_WebAPI_AzureAD_Authentication_Authorization
Very clean explanation, thanks so much, how to redirect to microsoft login page directly without click on the login button, I have a requirement when I put in the URL of my application it should redirect to the login and then to home page, how to set it up ?
In this video, for home page, in routes module, I have not added MSALGuard. If we add MSALGuard on the route, it should redirect to the login page.
@@azureteachnet Thanks you very much, do you have any tutorial where you have angular app which gets the jwt token and pass it to the API, and how token refresh works like after 1 hour if token expires how to get the refreshed token and pass it to the api as part of the request, and in order to get token how to access azure key vault for client secret in angular app ?
@@vijenderreddy1475 I have Web api tutorial with jwt and refresh token.I have a video on Azure key vault too. not the angular one. In future, I will create a video for angular with jwt.
I am a beginner, this is tutorial very useful. I got error main.ts:6 ERROR Error: NG05104: The selector "app-redirect" did not match any components. when checked in the git hub code link you provided there is no component with name "app-redirect". Thanks for your efforts.
Thanks for the feedback. That is msal component. Please check github.com/AzureTeachNet/AzureTeachTutorials/blob/Angular_WebAPI_AzureAD_Authentication_Authorization/azuread-angular-demo/src/index.html file. you have to add it in index.html.
Please subscribe to the channel if you have not subscribed yet. Thanks.
Hi, How do I create users and assign them different roles like Manager or Admin as you have done in the video?
For ex: Jessica has a manager role and she is able to access the authorized resource which is accessible to only manager.
Please guide. Thanks for your efforts.
Creating roles and assigning them is shown in video. If you want to create the users, Go to Active directory in azure portal, click on Users tab (left side menu). In that you can create users.
@@azureteachnet thanks I will have a re-look.
Already watched the video twice.
Appreciate your efforts.
The tutorial is very helpful but the constant bell sound really disturbs and it will be helpful if you explain certain things more, like MsalRedirectComponent, or why is app-redirect in index.html required.
Thanks a lot for taking time in providing the feedback in a constructive way. Sorry for the annoying bell sound. Actually I have added that because of desperation. Viewers are appreciating my content in comments and in likes however, forgetting to subscribe to the channel. So I thought of reminding them in every important moment of the video 🙂 . Sorry for that. I will reduce adding them.
Regarding MSAL redirect Component - In the demo, we have used Redirect based Azure Ad for angular. MSAL is the library to add Azure Ad to angular app and we are using Redirect Based AzureAd so we used MSALRedirectComponent.
App-Redirect - This is needed in the index.html. As we are using Azure AD we must include its related components. It is like, I am a .net guy. If I want to use Azure AD in .net core I must add Azure related dlls to my project. It is also the same. There are more azure videos in my channel. Please take a look and if you feel they are relevant, please subscribe 🙂 .
@@azureteachnet Thanks for acknowledgement and response. Can you please help me in understanding scopes and what if I don't want to decorate controller with scopes
@@kanupriyagoel2257 using scopes we can make the api granular and give the permissions. You can understand it like Roles are for the users and scopes are for the applications.
Assume from a .net client app you are trying to access an api. first of all, the client app should be known to your api. there can be multiple client apps which can access the api. assume, there are 3 clients. each client can access a specific controller only and it cannot access other controllers. we can use scopes to restrict the client apps. Here is a video in which I demoed using scopes on different client applications for an api - ruclips.net/video/pS1hER46PQI/видео.html
Hello sir, i am working with angular 8 application, and this MSAL is not working for me, kindly help me out in this or can you do a separate video for angular 8 application with msal azure authentication as well.
sure. I will give a try in my machine and if it works share you the code over github.
Do we need a separate Azure ad app registration for web API We already have an app registration for angular app?
Can we use the same client ID and tenant ID for web api as we are using for angular UI?
No
Hi
In the same way as you did for angular and .net with azure ad, do you have something for react js and .net with azure ad?
I have a plan to post a video in future. Thanks.
Very helpful, exactly what I needed. Is there a way to set custom expiration time for a token? And also to request to authorize on a specific api? Thanks in advance and thanks for the tutorial! :)
Changing token life time may need Azure AD Premium license. Here is the information - docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes
"request to authorize on a specific api" - Do you mean adding authorization globally for entire api?
We can specify the authorization, On an Action, On a Controller and at complete API level too. You can create a custom authorization filter or define a policy. Or even create a base controller and inherit all your controllers from it. Decorate your base controller with Authorize filter with roles. This will ensure that all your controllers can only be accessed if the user has certain roles.
@@azureteachnet Thanks a lot for your reply. But I have some more questions, if you can answer them I would be very grateful
1. Why do we need 2 redirectUri: one in Azure and one in Angular code? What can we do if we have multiple environments (dev, stage, live)?
2. Is the permission "User.Read" from Api permissions needed if I've created custom roles for the users?
3. Why do we need 2 app registrations (the WebApiAzureAngularDemoApp and angularazureadapp) and I didn't understand why we need a scope if we create custom roles?
4. Can we somehow get the roles from Azure in Angular? I have tried some methods, but I only managed to get the name, username, scopes and all other configs, but not the roles
5. Can we update more directly the user roles in app when changing/deleting/adding a role in User roles in Azure? Cuz now if I change a role I need to logout and clear cache and login again so that the roles are updated with the last changes.
@@ramonastoica9042
1. Understand it with a scenario. Your angular app exposes client Id which anybody can read from the url. If any malicious person want to use the same app id he can do so. Then we can make azure AD to redirect to any web site we want. Assume, actual website is www.abc.com. an malicous person want to redirect the request to www.xyz.com. he can easily do it. To avoid it, we must set the redirect uri. Azure will validate the url and check if it is the same url that is configured in it or not. Otherwise simply returns an error.
@@ramonastoica9042 2. It all depends on your need. This video has the use of Azure Graph API. With Every App registration, by default you will get User.Read permission with in app registration. If you dont need it, you can remove it.
@@ramonastoica9042 3. General rule of thumb - number of app registrations = number of applications which uses Azure AD. However we can use a few app registrations for all the applications which is not recommended.
Scope is needed because, Azure needs to validate the app which is accessing it. Other thing is, Assume your organization has 1000 applications and all of them have various roles defined in azure. A user, may be an admin user who has access to all the applications. Now user login to Application-1. How will azure know which roles to include in the access token (jwt)? It cannot include roles of 1000 apps rite? So it will check the scope and based on the scope it will include the roles which are specific to that application.
You can assume like , Roles are for the users and scopes are for the client applications. You can check this video - ruclips.net/video/pS1hER46PQI/видео.html . It has web api authentication and authorization using Azure AD and the client applications which has scopes
Newly added components it is same?
can you please eloborate.
at 29:24, I don't have the automatic redirection to the login page (localhost:4200), it stays on the Microsoft login page: "You signed out of your account"
I'm using Google Chrome.
did you find any fix for this?
Great tutorial. Can you please also show how to use Azure AD to authenticate one API that calls another API? I.e., the API itself is a client. Thanks.
sure. will create a video soon.
Here is the video - ruclips.net/video/jv_vi1G6eGA/видео.html . Please watch it if you are still looking for it. Also please subscribe to the channel. Thank you.
@@azureteachnet Yes, thank you!
Great video mate! Can you draw the entire flow of the backend frontend and Azure? I would like to understand as well as possible
Thanks for your feedback. Do you need the flow of the components, that has been shown in this video or azure front end and backend?
@@azureteachnet Yes, all of this. For example how frontend communicate with Azure AD when user try to login, what is happening in the background when we try to login, how Azure AD know which user is trying to login, things like that. Can you draw or explain entire logic?
@@aleksastokanic4221 I hope you know how JWT authentication works. Please refer this ruclips.net/video/4y0sg9omQ5E/видео.html 12 minute video, if you dont know that.
This entire flow use JWT authentication with oAuth2.0. Every application, which uses Azure AD authentication is identified with a client ID (Id of app registration). When the user access the application which has Azure AD authentication, it will redirect the user to the azure login page. Once user provides the credentials, azure generates the JWT token and returns it back to the application.
How this work? - When the application redirect the user to azure login page, It sends ClientId, Scope and credential type as parameters. Scope means, the criteria that azure needs to consider while generating the token. For example, In an organization, it can have 100s of apis. However, the client application (here angular app) may need to access only few apis. Based on the scope, azure will limit the scopes in the token generation. IF YOU DECODE THE TOKEN OF AZURE, you can easily understand what I mean. In this example, angular app is passing scopes of azure graph api and web api. so it passed two scopes. If this client app is authorized to access these two apis, Azure validates them and generates the token with a scope array of these two apis.
Here is the key thing is, most of the information that is needed is embedded inside the token itself. so once the token is generated and it will be returned to the client app and it stores the token in the local storage. Client app uses the token to call the downstream apis.
I know it is lengthy answer. There is more I can explain. Please let me know If you want me to make a video. Thanks
@@azureteachnet Thank you mate for this!! Now it's clear!
@@azureteachnetcan you plz shortly explain how to use that token to call an api?
How does the token interaction among the angular app and the API which a user has created?
Once the user logs in to the angular app using azure ad, azure returns the token. It will be preserved in browser cache. As we have mentioned the Web Api scope in app.module.ts , azure includes claims related to the api in token. When angular app send request to the api, MSAL interceptor (we have mentioned it in app.module.ts) includes the token in request header. As we have used azure AD at web api end too, it decodes the token and authenticates the user.
@@azureteachnet makes sense. Thanks a lot brother.
After implementing this I'm facing issue with "Provisional headers " issue on chrome as im sending bearer token with auth header. , tried all the ways to fix it, but could not able to.. please help.
Do you have any repo for the backend of this project with Typescript?
github.com/AzureTeachNet/AzureTeachTutorials/tree/Angular_WebAPI_AzureAD_Authentication_Authorization
This is complete code of the video which has both backend and UI.
Please subscribe to the channel if you have not subscribed yet. Thanks
How to other IDP using MSAL library
Hello, if I start from the API towards the client APP (angular, react or other app), it's always needed to configure the client app with MSAL ?
yup. If you use Azure AD on API, you have to use MSAL on client side. You can write your own logic to call Azure AD authorize end point to get the token, however it is a kind of re-inventing the wheel.
Please subscribe to the channel, if you have not subscribed yet.
@@azureteachnet thank you
why all tutorials only using either .net5 or .net 3.1??? I'm looking for one for .net 6 and not minimal api.
could you please let me know what you are looking for in .net 6. I will create tutorial. I am creating tutorials on .net 5 or .net 3.1 because most of the big enterprises are still using it. 🙂
Great video! Can you do the same for quarkus instead of .NET? Quarkus API, angular frontend, both protected with azure AD.
I worked on Java for sometime but too less. I am primarily a dotnet developer/lead from past 11 years. If I have to create a video on quarkus, I need to spend time in learning the basics instead of directly creating a tutorial 😁
You dont have to learn quarkus 🙂 Angular part is enough for me to try Azure SSO.
Btw, is it possible to automatically redirect an unauthenticated user to the MS login page when a user visit the site (without clicking the login button)?
@@matjazhafner2000 yes. we can do that. In this video, in routes module, I did not add MSALGuard to Home route. so it is not redirecting to login. But If you add MSALGuard to any route, if somebody who is not logged and open the page, it will redirect to login page.
Thank you. I will try. I am choosing between MSAL and angular-oauth2-oidc library. I dont have much experiences with Azure SSO so I need to find a proper library which will suit my needs.
Is it possible to get the name of logged in user without calling the graph/me endpoint? I would like to display the name of logged in user in page header. What would be the best way to do that (another Subject like isUserloggedIn in app.component.ts)?
Can we also have a ReactJS version of these topics please?
sure
Hello my friend, have a problem, show error 'MsalModule' does not appear to be an NgModule class., and using Angular 16
what it is showing in console?
Can we use single azure ad app registration for (both backend and frontend ) ?
we can, but not recommended. Also, it depends on the way you are developing/configuring. App registrations are free and it is better to create an app registration for each app
@@azureteachnet quick response, thank you so much.
@@azureteachnet if I download your code from git repo and make necessary changes for app regis part, then it will work with single app regis ?
@@tipsandhacksbygaurav nope. It need two app registrations. Also , you have to configure app registrations with roles, authentication url etc. may I know what preventing you in creating a separate app registration for each app.
i don"t have a startup.cs file when i added it I think I forgot to add something, so I got an error and now it doesn't work anymore can I see your startup.cs file and program.cs file ?
Are you trying out this demo using regular .net or with .net core. If your project is not .net core, Startup.cs may not be there. Please check your project .net framework. In the video, the changes related to Startup.cs is there. I will add this project to Git by Monday and let you know.
Angular AD & B2C video please
Even I am thinking to create a video on that. Soon will upload. Please subscribe to the channel if you have not subscribed yet. Thanks.
@@azureteachnet subscribed
Sir, i've created SAP app with your code, first it was working fine . But now when i run the app it goes to Microsoft login without clicking Login button and localhost page is reloading again and again... please help
Clear the browser cache and try again. Also check, if you have added MSAL guard on the landing page.
Please add source code, it's very good article
Sure. By Monday, I will share the github link
Here is the source code - github.com/AzureTeachNet/AzureTeachTutorials/tree/Angular_WebAPI_AzureAD_Authentication_Authorization
net Framework ?
.Net 5. you can use the same code in 6 as well.
I am getting 401 unauthorized error for profile pic API, any help there?
please check the configuration in app.module.ts. Did you add it in protected resource map. Please comapre with github code and let me know if you still face the issue.
@@azureteachnet All looks good, Infact the User Profile information is working and I am getting that data, but just the Profile Pic endpoint is erroring out with 401
@@naresh1253 are you using Azure AD B2C?