diff --git a/4-WebApp-your-API/4-1-MyOrg/AppCreationScripts/Configure.ps1 b/4-WebApp-your-API/4-1-MyOrg/AppCreationScripts/Configure.ps1
index e3be9ce0..28f20244 100644
--- a/4-WebApp-your-API/4-1-MyOrg/AppCreationScripts/Configure.ps1
+++ b/4-WebApp-your-API/4-1-MyOrg/AppCreationScripts/Configure.ps1
@@ -170,6 +170,8 @@ Function CreateOptionalClaim([string] $name)
 Function ConfigureApplications
 {
+ $isOpenSSl = 'N' #temporary disable open certificate creation
+
 <#.Description
 This function creates the Azure AD applications for the sample in the provided Azure AD tenant and updates the configuration files in the client and service project of the visual studio solution (App.Config and Web.Config)
diff --git a/4-WebApp-your-API/4-1-MyOrg/AppCreationScripts/sample.json b/4-WebApp-your-API/4-1-MyOrg/AppCreationScripts/sample.json
index 916857b8..052c7b73 100644
--- a/4-WebApp-your-API/4-1-MyOrg/AppCreationScripts/sample.json
+++ b/4-WebApp-your-API/4-1-MyOrg/AppCreationScripts/sample.json
@@ -7,7 +7,7 @@
 "Service": "ASP.NET Core Web API",
 "RepositoryUrl": "active-directory-aspnetcore-webapp-openidconnect-v2",
 "Endpoint": "AAD v2.0",
- "Description": "This sample demonstrates a ASP.NET Core Web App signing-in a user and calling a ASP.NET Core Web API that is secured with Azure AD.",
+ "Description": "This sample demonstrates an ASP.NET Core Web App signing-in a user and calling an ASP.NET Core Web API that is secured with Azure AD.",
 "Languages": [ "csharp" ],
 "Products": [ "aspnet-core", "azure-active-directory" ]
 },
diff --git a/4-WebApp-your-API/4-1-MyOrg/README-use-certificate.md b/4-WebApp-your-API/4-1-MyOrg/README-use-certificate.md
index 6a5c21da..9f91fd69 100644
--- a/4-WebApp-your-API/4-1-MyOrg/README-use-certificate.md
+++ b/4-WebApp-your-API/4-1-MyOrg/README-use-certificate.md
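Review bot: The new `$isOpenSSl = 'N'` assignment is placed between the opening brace of ConfigureApplications and the `<#.Description … #>` block; if that block is meant as comment-based help, PowerShell only recognises it when it is the first item in the function body, so the statement should go below the closing `#>` instead. The rest of the function body, and therefore whatever reads this variable, is outside the hunk, but the comment suggests it forces the script down the client-secret path rather than creating a certificate credential, which is the weaker of the two; a "temporary" switch like that deserves a reason and an owner. Replace the trailing comment with something a later reader can act on, e.g. `# TODO(<owner>): certificate creation disabled for now; 'N' makes the script provision a client secret instead`.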
@@ -28,7 +28,7 @@ This sample was configured to use a client secret, but have an option to use a c
 ]
 ```
-1. While inside '4-1-MyOrg' folder, open a Powershell terminal
+1. While inside the sample folder, open a Powershell terminal
 1. Set next execution policy
@@ -76,7 +76,7 @@ AppCreationScripts-withCert/Configure.ps1
 ]
 ```
-1. While inside '4-1-MyOrg' folder, open a Powershell terminal
+1. While inside the sample folder, open a Powershell terminal
 1. Set next execution policy
diff --git a/4-WebApp-your-API/4-1-MyOrg/README.md b/4-WebApp-your-API/4-1-MyOrg/README.md
index fee81991..0d53cd79 100644
--- a/4-WebApp-your-API/4-1-MyOrg/README.md
+++ b/4-WebApp-your-API/4-1-MyOrg/README.md
@@ -9,7 +9,7 @@ products:
 - aspnet-core
 - azure-active-directory
 urlFragment: active-directory-aspnetcore-webapp-openidconnect-v2
-description: This sample demonstrates an ASP.NET Core client Web App calling an ASP.NET Core Web API that is secured using Azure AD.
+description: This sample demonstrates an ASP.NET Core Web App signing-in a user and calling an ASP.NET Core Web API that is secured with Azure AD.
 ---
 # How to secure an ASP.NET Core Web API with the Microsoft identity platform
@@ -38,8 +38,8 @@ This sample demonstrates a ASP.NET Core Web App calling a ASP.NET Core Web API t
 This sample demonstrates an ASP.NET Core client Web App calling an ASP.NET Core Web API that is secured using Azure AD.
- 1. The client ASP.NET Core Web App uses the [Microsoft.Identity.Web](https://aka.ms/microsoft-identity-web) to sign-in a user and obtain a JWT [Access Token](https://aka.ms/access-tokens) from **Azure AD** for the web API.
- 2. The service app uses the the [Microsoft.Identity.Web](https://aka.ms/microsoft-identity-web) to protect the Web api, and validate Access tokens.
+ 1. The client ASP.NET Core Web App uses the [Microsoft.Identity.Web](https://aka.ms/microsoft-identity-web) to sign-in a user and obtain a JWT [Id Token](https://docs.microsoft.com/azure/active-directory/develop/id-tokens) from **Azure AD**.
+ 2. The service again uses the the [Microsoft.Identity.Web](https://aka.ms/microsoft-identity-web) to protect the Web api, and validate tokens.
 ![Scenario Image](./ReadmeFiles/topology.png)
@@ -193,13 +193,13 @@ Open the project in your IDE (like Visual Studio or Visual Studio Code) to confi
 1. Select one of the available key durations (**6 months**, **12 months** or **Custom**) as per your security posture.
 1. The generated key value will be displayed when you select the **Add** button. Copy and save the generated value for use in later steps.
 1. You'll need this key later in your code's configuration files. This key value will not be displayed again, and is not retrievable by any other means, so make sure to note it from the Azure portal before navigating to any other screen or blade.
- > :bulb: For enhanced security, instead of using client secrets, consider [using certificates](./README-use-certificate.md) and [Azure KeyVault](https://azure.microsoft.com/services/key-vault/#product-overview).
-1. Since this app signs-in users, we will now proceed to select **delegated permissions**, which is is required by apps signing-in users.
+ > :bulb: For enhanced security, instead of using client secrets, consider [using certificates](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/certificate-credentials.md) and [Azure KeyVault](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/key-vault-managed-identity.md).1. Since this app signs-in users, we will now proceed to select **delegated permissions**, which is is required by apps signing-in users.
 1. In the app's registration screen, select the **API permissions** blade in the left to open the page where we add access to the APIs that your application needs:
 1. Select the **Add a permission** button and then,
 1. Ensure that the **My APIs** tab is selected.
 1. In the list of APIs, select the API `TodoListService-aspnetcore-webapi`.
- 1. In the **Delegated permissions** section, select the **ToDoList.Read**, **ToDoList.ReadWrite** in the list. Use the search box if necessary.
+ * Since this app signs-in users, we will now proceed to select **delegated permissions**, which is is requested by apps when signing-in users.
+ 1. In the **Delegated permissions** section, select the **ToDoList.Read**, **ToDoList.ReadWrite** in the list. Use the search box if necessary.
 1. Select the **Add permissions** button at the bottom.
 ##### Configure the client app (TodoListClient-aspnetcore-webapi) to use your app registration
@@ -306,19 +306,19 @@ To provide a recommendation, visit the following [User Voice page](https://feedb
 AcceptedScope = new string[] { "ToDoList.Read", "ToDoList.ReadWrite" },
 AcceptedAppPermission = new string[] { "ToDoList.Read.All", "ToDoList.ReadWrite.All" }
 )]
- public IEnumerable Get()
- {
+ public IEnumerable Get()
+ {
 if (!IsAppOnlyToken())
- {
- // this is a request for all ToDo list items of a certain user.
- return TodoStore.Values.Where(x => x.Owner == _currentLoggedUser);
- }
- else
- {
- // Its an app calling with app permissions, so return all items across all users
- return TodoStore.Values;
- }
- }
+ {
+ // this is a request for all ToDo list items of a certain user.
+ return TodoStore.Values.Where(x => x.Owner == _currentLoggedUser);
+ }
+ else
+ {
+ // Its an app calling with app permissions, so return all items across all users
+ return TodoStore.Values;
+ }
+ }
 ```
 The code above demonstrates that to be able to reach a GET REST operation, the access token should contain AT LEAST ONE of the scopes (delegated permissions) listed inside parameter of [RequiredScopeOrAppPermission](https://github.com/AzureAD/microsoft-identity-web/wiki/web-apis#checking-for-scopes-or-app-permissions=) attribute
@@ -333,8 +333,8 @@ To provide a recommendation, visit the following [User Voice page](https://feedb
 [RequiredScopeOrAppPermission(
 AcceptedScope = new string[] { "ToDoList.ReadWrite" },
 AcceptedAppPermission = new string[] { "ToDoList.ReadWrite.All" })]
- public void Delete(int id)
- {
+ public void Delete(int id)
+ {
 if (!IsAppOnlyToken())
 {
 // only delete if the ToDo list item belonged to this user
@@ -347,7 +347,7 @@ To provide a recommendation, visit the following [User Voice page](https://feedb
 {
 TodoStore.Remove(id);
 }
- }
+ }
 ```
 The above code demonstrates that to be able to execute the DELETE REST operation, the access token MUST contain the `ToDoList.ReadWrite` scope. Note that the called is not allowed to access this operation with just `ToDoList.Read` scope only.
@@ -379,6 +379,7 @@ services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
+ ## How the code was created