How to protect APIs using the Microsoft identity platform

  • Published: 7 Sep 2024
  • In this video, Matthijs Hoekstra explains how developers can use the Microsoft identity platform to implement authorization that protects APIs.
    Code samples for Microsoft identity platform: aka.ms/DevTrai...
    Documentation for Microsoft identity platform: aka.ms/DevTrai...
    The basics of protecting an API - 0:31
    Using the Azure portal to set up protection of APIs - 3:42
    Using and validating access tokens - 7:00
    Enabling application permissions - 9:48
    Demo: validating access tokens - 12:50
    Why do you need custom validation behavior? - 19:06
    Determining effective permissions in your code - 20:58
    Example access tokens from different authentication scenarios - 25:55
    APIs calling APIs: "on behalf of" flow - 29:26

Comments • 34

  • @yassinesouabni5192 · 3 years ago · +7

    Probably the best video about the subject I've ever watched

  • @coderider3022 · 1 year ago

    More videos from this person please!

  • @martialtech9697 · 3 years ago · +7

    Has anybody ACTUALLY managed to get this to work? I've been going in circles with crappy Microsoft documentation and lack of support for .NET 5.0 for days, all I want to do is validate a token: signature, audience, issuer and scopes. I don't get how this is so difficult.
    I thought it would be as simple as having my appsettings file containing the tenant and client details, then adding Microsoft.Identity.Web middleware, but depending on how I add it in Startup it either doesn't validate the token at all or tells me to provide a ClientId, which I have. I dearly wish these things worked as easy as they always do in these demos.

    • @pauldubois5803 · 2 years ago · +1

      I hear ya! I found that the way to understand all the Azure Identity platform documentation is to just read it all from top to bottom, then once I've spent days doing it, it starts to make sense.
      I find the main problem being in how things are named on the Azure Portal.
      Also, I find that outside of this video and a couple of other videos and docs, almost ALL of the videos and Docs are centered around MS Graph API, which leaves a lot out for me since I am developing my own API.

    • @DavidJJJ · 2 years ago

      There are some samples you can use. I’m personally using angular with msal and it’s working well but it was a bit of hoops, well worth it though once you understand how everything fits together.

    • @frankromeo3351 · 1 year ago

      Did you ever get this to work? Right now I'm frustrated to the point of screaming and cursing and pounding my desk. (Good thing I work at home.)
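The validation @martialtech9697 asks for (signature, audience, issuer and scopes) with Microsoft.Identity.Web, written out as one runnable ASP.NET Core program. This is an added example, not code from the video or from Microsoft's samples; the tenant id, client id, the `AzureAd` configuration values and the `Orders.Read` scope name are placeholders, and the configuration is supplied in memory only so the file is self-contained (it normally sits under `AzureAd` in appsettings.json):

```csharp
// Added example (not from the video): minimal ASP.NET Core web API protected by
// Microsoft.Identity.Web. The middleware validates the bearer token's signature
// (against the tenant's published signing keys), issuer, audience and lifetime;
// the endpoint then enforces a delegated scope.
// NuGet: Microsoft.Identity.Web (pulls in Microsoft.AspNetCore.Authentication.JwtBearer).
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;

var builder = WebApplication.CreateBuilder(args);

// Placeholder values; in a real API these live in appsettings.json under "AzureAd".
builder.Configuration.AddInMemoryCollection(new Dictionary<string, string?>
{
    ["AzureAd:Instance"] = "https://login.microsoftonline.com/",
    ["AzureAd:TenantId"] = "00000000-0000-0000-0000-000000000000", // placeholder tenant
    ["AzureAd:ClientId"] = "11111111-1111-1111-1111-111111111111", // placeholder: the API's own app registration
    // With no explicit Audience, both "api://<client-id>" and the bare client id are accepted by default.
});

// Registers JwtBearer authentication wired to the tenant's OpenID Connect metadata, so
// signing keys are downloaded from the tenant's JWKS endpoint and refreshed on rollover.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddAuthorization();

var app = builder.Build();

// Order matters: authentication must run before authorization and before the endpoints,
// otherwise the token is never validated and User is an anonymous principal.
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/api/orders", (HttpContext http) =>
{
    // Signature, issuer, audience and expiry were already checked by the middleware;
    // this enforces the delegated permission carried in the "scp" claim for this endpoint
    // (responds 403 if the scope is missing).
    http.VerifyUserHasAnyAcceptedScope("Orders.Read");

    // GetObjectId() reads the "oid" claim (the caller's immutable object id in the tenant).
    string? callerObjectId = http.User.GetObjectId();
    return Results.Ok(new { caller = callerObjectId });
}).RequireAuthorization();

app.Run();
```

The two lines that most often go missing in practice are `app.UseAuthentication()` before `app.UseAuthorization()` and `.RequireAuthorization()` on the endpoint: without the former the token is never inspected, without the latter an anonymous request reaches the handler.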

  • @memohide · 2 years ago

    Good way to explain the concepts

  • @oo70vd · 3 years ago

    Awesome job, Matthijs. Thanks.

  • @vinodcd · 3 years ago

    Nicely explained. Thanks for the video!!

  • @_ityadi · 2 years ago · +1

    I have a question for the OBO token flow. I have a middle tier application A which calls APIs of application B. I can generate encrypted tokens for A. For encryption A uses a public/private key certificate. So when I want to generate the OBO token, should I be using the public certificate in the call? Or should it be a different one? Also, does the OBO call need the token to be decrypted, or would it work with encryption?

  • @CarloL525 · 3 years ago

    Excellent!!

  • @Kuvaldis1983 · 3 years ago

    Great, thanks!!!!

  • @ChandraShekharaTN · 2 years ago

    Thanks a lot! It was clear and nicely explained...

  • @frankromeo3351 · 1 year ago

    Right around the 22:50 mark, he shows us a controller in his API. He has this User object from which he gets the oid and sub. Can anyone tell me what class that User object is? Also, what are all those URL strings? Where do we find them in our Azure app registration?

  • @pauldubois5803 · 2 years ago

    Question: How is it secure that the issuer of a token also supplies the public key, albeit through their own interface? To me the only thing securing this is that the URL to lookup the public key is hardcoded in my API application. Thanks for any comments.
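What the middleware does under the hood, spelled out by hand, which answers both @pauldubois5803's question (where the trust comes from when the issuer also serves the keys) and @frankromeo3351's question about the `User` object and the URL-shaped claim names. This is an added example, not code from the video; the tenant id and client id are placeholders, and the helper names `ManualTokenValidation`, `ValidateAsync` and `Identity` are mine. The trust anchor is the hard-coded authority URL plus HTTPS: the API fetches the tenant's OpenID Connect metadata from that URL, takes the issuer and the JWKS from the fetched document, and only then compares the token's `iss` and signature against them. Nothing inside the token (no `jku`, `x5u` or embedded key) is ever used to decide which key to trust.

```csharp
// Added example (not from the video): manual bearer-token validation showing how the
// signing keys are obtained. NuGet: System.IdentityModel.Tokens.Jwt and
// Microsoft.IdentityModel.Protocols.OpenIdConnect.
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class ManualTokenValidation
{
    // Placeholders: the API's tenant and its app registration's client id.
    private const string TenantId = "00000000-0000-0000-0000-000000000000";
    private const string ClientId = "11111111-1111-1111-1111-111111111111";

    // The metadata URL is derived from the authority the API trusts, never from the token.
    // RequireHttps = true refuses a plaintext download of the key material.
    private static readonly ConfigurationManager<OpenIdConnectConfiguration> Metadata =
        new($"https://login.microsoftonline.com/{TenantId}/v2.0/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever(),
            new HttpDocumentRetriever { RequireHttps = true });

    public static async Task<ClaimsPrincipal> ValidateAsync(string bearerToken, CancellationToken ct = default)
    {
        // Cached and refreshed automatically, so key rollover does not break the API.
        OpenIdConnectConfiguration config = await Metadata.GetConfigurationAsync(ct);

        var parameters = new TokenValidationParameters
        {
            ValidIssuer = config.Issuer,            // issuer taken from the trusted metadata document
            ValidAudiences = new[] { ClientId, $"api://{ClientId}" },
            IssuerSigningKeys = config.SigningKeys, // JWKS downloaded from the metadata's jwks_uri
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };

        // The key is selected by the token's "kid" from the downloaded JWKS only. Any
        // failure (bad signature, wrong audience/issuer, expired) throws a SecurityTokenException.
        var handler = new JwtSecurityTokenHandler();
        return handler.ValidateToken(bearerToken, parameters, out _);
    }

    // The controller's User property is this ClaimsPrincipal. JwtSecurityTokenHandler maps
    // short JWT claim names to long claim-type URIs, which is why "oid" and "sub" show up
    // under URL-shaped names when you enumerate User.Claims.
    public static (string? Oid, string? Sub) Identity(ClaimsPrincipal user) =>
        (user.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value, // "oid"
         user.FindFirst(ClaimTypes.NameIdentifier)?.Value);                                      // "sub"
}
```

The URL strings are not something you look up in the app registration; they are the .NET claim-type names the handler substitutes for the JWT short names (`scp` becomes `http://schemas.microsoft.com/identity/claims/scope`, `roles` becomes `http://schemas.microsoft.com/ws/2008/06/identity/claims/role`). One caveat for the hand-rolled version: if the API's app registration still accepts v1.0 access tokens, their `iss` is of the form `https://sts.windows.net/{tenant-id}/` rather than the v2.0 issuer above; Microsoft.Identity.Web accepts both, this snippet only the v2.0 form.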

  • @nolimitsREAL · 1 year ago

    So, if I understand correctly, the access token that the API (including a custom API) gets is verified with Azure AD to check if it's the correct one? Or? Thank you.

  • @gabrielpaiz5954 · 2 years ago

    How do you get keys for token validation in our app middleware?

  • @devendrachaudhary09 · 1 year ago

    Hello Sir,
    I am able to do authentication and get an access token with an Angular application; now, when the access token is passed to the backend service, it needs to be validated in the backend on the Java side. Right!
    Please confirm.
    Also, what is the use of resourcesProtectionMap?

  • @camiloandresgomezm.3021 · 3 years ago

    Hi, I have an API with an appRole created and a daemon app without that permission assigned, and I am able to get an access token for the API using the daemon (clientCredentials). Why am I getting an access token if the daemon app doesn't have the correct permissions assigned?

  • @sahilroyal8939 · 4 years ago

    Is on behalf of flow supported with Azure B2C? We desperately need this feature.

    • @MicrosoftAzure · 4 years ago · +1

      Hey there Sahil. At this time B2C does not support the on-behalf-of flow. If this is something you'd like to suggest as a new feature, we recommend upvoting this feedback post here. msft.it/6059Ttx1h

  • @jinbaoxin · 3 years ago

    Hi, @15:00, I do not see "role" in the token, only "scp impersonation" was shown, is this right?

    • @MatthijsHoekstra · 3 years ago

      Yes, that's correct. If you are using impersonation (user delegated permissions) the scopes get returned as the scp claim; if you use app permissions they are returned as roles. It's somewhat confusing to be honest :) but that's how it works.

    • @MicrosoftAzure · 3 years ago

      Hi Mike! It depends on how you have authenticated. If you are authenticated via client credential flow there will be involvement of roles since in this flow "scp impersonation" only has default scope.
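The scp-versus-roles distinction Matthijs describes above, turned into the "determining effective permissions" step from the video's chapter list. This is an added example, not code from the video; `Orders.Read`, `Orders.Read.All` and the helper names are placeholders of mine. It reads both the short JWT claim names and the long claim-type URIs that .NET maps them to, and it deliberately handles the case @camiloandresgomezm.3021 hit: a client-credentials token issued to a daemon with no app role assigned carries no `roles` claim at all, so it is rejected rather than treated as authorized.

```csharp
// Added example (not from the video): derive the caller's effective permissions from
// a validated ClaimsPrincipal. Delegated (user) tokens carry scopes in "scp" as one
// space-separated string; application-permission (client credentials) tokens carry
// app roles in "roles", one claim per role.
using System.Security.Claims;

public enum CallerKind { Delegated, Application, None }

public static class EffectivePermissions
{
    // Short names as they appear in the JWT, and the URIs .NET's claim mapping produces.
    private const string ScpShort = "scp";
    private const string ScpLong = "http://schemas.microsoft.com/identity/claims/scope";
    private const string RolesShort = "roles";
    private const string RolesLong = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";

    public static (CallerKind Kind, IReadOnlySet<string> Permissions) Resolve(ClaimsPrincipal user)
    {
        // Delegated permissions: one "scp" claim, values separated by spaces.
        HashSet<string> scopes = user.FindAll(c => c.Type == ScpShort || c.Type == ScpLong)
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .ToHashSet(StringComparer.Ordinal);
        if (scopes.Count > 0)
            return (CallerKind.Delegated, scopes);

        // Application permissions: one "roles" claim per assigned app role.
        HashSet<string> roles = user.FindAll(c => c.Type == RolesShort || c.Type == RolesLong)
            .Select(c => c.Value)
            .ToHashSet(StringComparer.Ordinal);
        if (roles.Count > 0)
            return (CallerKind.Application, roles);

        // Neither claim present: the token was issued for this API but grants it nothing
        // (for example a daemon whose app role was never assigned). Treat as no permission.
        return (CallerKind.None, new HashSet<string>());
    }

    // Authorization decision for one operation: a user needs the delegated scope,
    // a daemon needs the application role; a token with neither is denied.
    public static bool CanReadOrders(ClaimsPrincipal user)
    {
        var (kind, permissions) = Resolve(user);
        return kind switch
        {
            CallerKind.Delegated   => permissions.Contains("Orders.Read"),
            CallerKind.Application => permissions.Contains("Orders.Read.All"),
            _                      => false,
        };
    }

    // Constructed sample principals for a quick local check (not real tokens).
    public static ClaimsPrincipal SampleUserPrincipal() =>
        new(new ClaimsIdentity(new[] { new Claim(ScpShort, "Orders.Read Orders.Write") }, "Bearer"));

    public static ClaimsPrincipal SampleDaemonPrincipal() =>
        new(new ClaimsIdentity(new[] { new Claim(RolesShort, "Orders.Read.All") }, "Bearer"));

    public static ClaimsPrincipal SampleUnassignedDaemonPrincipal() =>
        new(new ClaimsIdentity(Array.Empty<Claim>(), "Bearer"));
}
```

With the constructed principals, `CanReadOrders` returns true for the user and the assigned daemon and false for the daemon without a role, which is the behaviour you want: the token service issued that last token, but authorization is the API's decision, made on the claims actually present.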

  • @chairmakerPete · 3 years ago · +3

    This is great, but boy, do I hate security. It's totally beyond me, but hopefully will get simpler in future iterations. Good job though - all going the right way.

    • @akuskus · 2 years ago

      Agreed. Implementing and managing security in applications should be someone's full time job. It feels like some never ending chore that seems to go even more complicated as time goes on.

    • @stubstunner · 1 year ago · +1

      @akuskus it's what I do as a full time job! 😂

  • @srivishalsangepu3482 · 3 years ago

    Hi sir,
    Is there any other way of validating the API without registering the web API in Azure?

    • @MicrosoftAzure · 3 years ago

      Hello! Can you please clarify on what you mean by validating API? Is it validating a token from within an API per chance?
      Can you please also clarify on your question with registering a web API in Azure? Did you mean deploying an Azure Web App or creating an Azure AD app registration? 🙂

    • @srivishalsangepu3482 · 3 years ago

      @MicrosoftAzure Yeah sir, for protecting the web API, I tried passing the access token. In the web API I'm validating it; it is working fine until the token expires, but once the token expires all my API calls are failing. The acquiretokensilent method is not renewing the token, as I didn't register my web API application in Azure and I don't have the custom scopes. Can we protect web API calls without registering the web API application in Azure?
      Thanks

    • @MicrosoftAzure · 3 years ago · +1

      Thank you for the additional information and context! If you are validating the access token, then you must have an Azure AD app registration. If this is correctly set up then yes, you can protect Web APIs without deploying them in Azure. That can be done regardless of the hosting platform.
      Here are a few references to assist.
      Protected web API overview - msft.it/6059pPS0N
      And for deploying them to various hosting platforms/environments using Visual Studio:
      Visual Studio publish profiles - msft.it/6050pPS04
      Deploy your Visual Studio app to a folder, IIS, Azure or another destination - msft.it/6051pPS0f
      Regarding "acquiretokensilent": what is the exception you are currently getting?

    • @srivishalsangepu3482 · 3 years ago

      @MicrosoftAzure
      Thank you so much for your reply. I have implemented a different way for the API protection and it is working fine.
      And regarding the MSAL acquiretokensilent method, it is throwing an error "client auth error : token renewal fail due to timeout" after the token expiration. On GitHub a few people suggested using the interactive pop-up acquiretokenpopup method instead of the earlier method for renewing the token, which is working fine, but I need the acquiretokensilent method to work. Any suggestions from your end on this?
      Thanks in advance

    • @MicrosoftAzure · 3 years ago

      Thanks again for the information. In this particular case we would need the MSAL version and if possible, the MSAL configuration. Can you please post the MSAL acquiretokensilent error, on the Microsoft Q&A page here? msft.it/6052pPFrQ
      Once done, can you please link us to the question as well, so that we're able to forward it? We will ensure that your issue is addressed by another member of the team. 😀
      Thanks!

  • @mhalton · 3 years ago

    Don't reguister. Register instead.