| title | tags | keywords | contact | permalink |
|---|---|---|---|---|
| .NET WebAPI with OpenID Connect | | OAUTH2, OpenIdConnect, Azure_Cloud_Security | | /pages/security/Authentication_Authorization/.NET/DOTNET-Tutorial-OIDC-WebAPI.html |
The repo for a sample WebAPI can be found here. With the Microsoft.Identity.Web NuGet package it is very easy to protect your WebAPI, so this guide will be short.
- Fill in TenantID and ClientID in `appsettings.json`.
- Define the scope name in `WeatherForecastController.cs`. This must be the same name as the scope configured in the Azure AD configuration steps below.
- If you want role based access to your API, define the roles in the `Authorize` attribute on the controller. Change `[Authorize]` to `[Authorize(Roles = "appRoleValue")]`.
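Putting the three steps above together, here is an added example of what the wired-up API looks like. It is not the sample repo's code. It assumes an `AzureAd` section in `appsettings.json` (with `Instance`, `TenantId` and `ClientId` filled in), an exposed scope named `access_as_user` and an app role whose value is `WeatherForecastReader`; both names are assumptions, so use the ones you configured in Azure AD.

```csharp
// Added example, not the sample repo's code. Minimal .NET 6+ WebAPI protected
// with Microsoft.Identity.Web. Assumed appsettings.json section:
//   "AzureAd": {
//     "Instance": "https://login.microsoftonline.com/",
//     "TenantId": "<your tenant id>",
//     "ClientId": "<your client id>"
//   }
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Reads the "AzureAd" section and validates incoming bearer tokens
// (signature, issuer, audience, expiry) against that tenant and client id.
builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration);
builder.Services.AddAuthorization();
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("[controller]")]
[Authorize] // every action requires a valid token for this API
public class WeatherForecastController : ControllerBase
{
    // Delegated (user) access: the token must carry the scope exposed under
    // "Expose an API". RequiredScope checks the "scp" claim; the scope name
    // "access_as_user" is an assumption.
    [HttpGet]
    [RequiredScope("access_as_user")]
    public IActionResult Get() => Ok(new[] { "Sunny", "Cloudy" });

    // Role based access: the caller (a user assigned the role, or an
    // application when allowedMemberTypes is "Application") must carry the
    // app role value in the "roles" claim. The value is an assumption.
    [HttpGet("detailed")]
    [Authorize(Roles = "WeatherForecastReader")]
    public IActionResult GetDetailed() => Ok(new { Temp = 21, Summary = "Sunny" });
}
```

The two actions show the two access models the page describes: `RequiredScope` only makes sense for delegated tokens (application tokens have no `scp` claim), while `Authorize(Roles = ...)` works for both users and other services, because Microsoft.Identity.Web maps the token's `roles` claim to the ASP.NET Core role claim.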
To make the sample in the repo above work we need to:
- Make an App Registration in our Azure AD.
- Expose an API from that application: navigate to the App Registration, go to Expose an API and choose Add a scope. Accept the suggested Application ID URI and add a scope following the instructions in the form fields.
- Add this API to the API Permissions of the application that will call it. For instructions on how to do that, see the .NET Web App Tutorial.
If you want role based access control, i.e. to return different information to different groups of users, you need to define appRoles. This is also necessary if you want to use the API from another service, i.e. not with delegated access on behalf of a user. In the App Registration in the Azure Portal, go to Manifest and look for the empty "appRoles" field.
Fill in something similar to the following instead, with `<yourRole>` changed to the exact name of the role that should be granted access to your API and the `id` changed to a valid unique GUID. You can create new GUIDs with PowerShell using `New-Guid`, or in Unix terminals with `uuidgen`. If it is another service that should have access on its own, change "allowedMemberTypes" to "Application".
```json
"appRoles": [
  {
    "allowedMemberTypes": [
      "User"
    ],
    "description": "Apps that have this role have the ability to invoke my API",
    "displayName": "WeatherForecastReader",
    "id": "fc803414-3c61-4ebc-a5e5-cd1675c14bba",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "<yourRole>"
  }
]
```
This app role has to be assigned to the user that will call the API. Do this by going to the overview page of the App Registration and, next to the Application ID etc., following the link below Managed application in local directory. There go to Users and Groups and choose Add User. The appRoles that you defined in the manifest should be selectable once you have chosen a user or group.
When this is done, it is advisable to prevent all other users from acquiring any token for your app. In the same Enterprise Application view where you configured Users and Groups, go to Properties and switch User Assignment to on. Without this, any user in the tenant can obtain a token for the API and only the role check in your code keeps them out.
{% include tip.html content="Read more about the Microsoft.Identity.Web NuGet package in the wiki and look at other samples in the Azure-Samples repo." %}