Tutorial: Implement a protected endpoint in your API
In this tutorial, you learn how to protect an API endpoint by adding authentication and authorization elements to the source code. Protecting an API endpoint ensures that only callers presenting a valid access token with the required scope are permitted access. You can test the API with an unauthenticated request to confirm that it rejects unauthorized callers. The Microsoft identity platform provides a way to protect API endpoints by using the Microsoft.Identity.Web NuGet package. In this article, you:
- Add authentication and authorization elements to the source code
- Add weather information for the API to return
- Test the API with an unauthenticated GET request
Prerequisites
- Completion of the prerequisites and steps in Tutorial: Create and configure an ASP.NET Core project for authentication.
Implement authorization
Open the Program.cs file and replace the contents with the following snippet:
```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Authenticate callers with bearer tokens issued by the Microsoft identity platform.
// The AzureAd section of appsettings.json supplies the tenant, client ID and audience.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(options =>
    {
        builder.Configuration.Bind("AzureAd", options);
        options.TokenValidationParameters.NameClaimType = "name";
    },
    options => { builder.Configuration.Bind("AzureAd", options); });

// Authorization policy: the token must carry one of the scopes listed under AzureAd:Scopes.
// Authentication alone is not enough; a valid token issued for a different scope is rejected.
builder.Services.AddAuthorization(config =>
{
    config.AddPolicy("AuthZPolicy", policyBuilder =>
        policyBuilder.Requirements.Add(new ScopeAuthorizationRequirement()
        {
            RequiredScopesConfigurationKey = "AzureAd:Scopes"
        }));
});

// Add services to the container.
builder.Services.AddRazorPages();

var app = builder.Build();

// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();

// Authentication runs before authorization, and both run after routing so that the
// endpoint's [Authorize] metadata is already known when the policy is evaluated.
app.UseAuthentication();
app.UseAuthorization();

var weatherSummaries = new[]
{
    "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
};

// Protected endpoint: a request without a valid token is answered with 401,
// a valid token without the required scope with 403.
app.MapGet("/weatherforecast", [Authorize(Policy = "AuthZPolicy")] () =>
{
    var forecast = Enumerable.Range(1, 5).Select(index => new WeatherForecast
    (
        DateTime.Now.AddDays(index),
        Random.Shared.Next(-20, 55),
        weatherSummaries[Random.Shared.Next(weatherSummaries.Length)]
    ))
    .ToArray();
    return forecast;
})
.WithName("GetWeatherForecast");

app.MapRazorPages();

app.Run();

record WeatherForecast(DateTime Date, int TemperatureC, string? Summary)
{
    public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);
}
```
Test the application
- In Visual Studio, select Start without debugging.
- In the browser, go to https://localhost:{port}/weatherforecast, using the port shown in the console output.

The browser displays an HTTP 401 Unauthorized response, similar to the following image, and no forecast data. This is because the API is being called without a bearer token: the JWT bearer handler answers the unauthenticated request with a challenge (a WWW-Authenticate: Bearer header) instead of running the endpoint. To make an authorized call, refer to Next steps for how-to guides on how to access a protected web API.
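A single unauthenticated request only proves half of the policy. The added xUnit integration test below (example code, not part of the tutorial or of Microsoft.Identity.Web) exercises all outcomes of the AuthZPolicy endpoint offline: no token gives 401, a token whose signature does not match its payload gives 401, a valid token with the wrong scope gives 403, and a token carrying the scope from AzureAd:Scopes gives 200. It assumes a test project that references the API project plus the xunit and Microsoft.AspNetCore.Mvc.Testing packages, that Program.cs ends with `public partial class Program { }` so the factory can see the entry point, and that appsettings.json contains the AzureAd:Scopes value from the previous tutorial. The signing key and the scope name "Other.Read" are constructed test values; the test swaps Microsoft Entra ID's signing keys for the local key inside the test host only, so it never contacts the identity platform.

```csharp
// Added example: integration tests for the AuthZPolicy-protected endpoint (not tutorial code).
// Assumes: xunit, Microsoft.AspNetCore.Mvc.Testing, and `public partial class Program { }` in Program.cs.
using System.Net;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Mvc.Testing;
using Microsoft.AspNetCore.TestHost;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;
using Xunit;

public class WeatherForecastAuthTests : IClassFixture<WebApplicationFactory<Program>>
{
    // Constructed test-only key: tokens are minted and validated with it in-process,
    // so no request is ever made to Microsoft Entra ID.
    private static readonly SymmetricSecurityKey TestKey =
        new(Encoding.UTF8.GetBytes("integration-tests-only-signing-key-with-32-bytes+"));

    private readonly HttpClient _client;
    private readonly string _requiredScope;   // read from AzureAd:Scopes, the key the policy uses

    public WeatherForecastAuthTests(WebApplicationFactory<Program> factory)
    {
        var testFactory = factory.WithWebHostBuilder(builder =>
            builder.ConfigureTestServices(services =>
                // PostConfigure runs after Microsoft.Identity.Web has configured the scheme,
                // so the metadata endpoint and Entra ID signing keys are replaced by TestKey.
                services.PostConfigure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, o =>
                {
                    o.Authority = null;
                    o.MetadataAddress = null;
                    o.ConfigurationManager = null;
                    o.TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidateIssuer = false,      // issuer/audience checks belong to the real Entra ID config
                        ValidateAudience = false,
                        ValidateLifetime = true,
                        IssuerSigningKey = TestKey,
                        NameClaimType = "name",
                    };
                })));

        _requiredScope = testFactory.Services.GetRequiredService<IConfiguration>()["AzureAd:Scopes"]!;
        // An https base address keeps UseHttpsRedirection from redirecting inside the test server.
        _client = testFactory.CreateClient(new WebApplicationFactoryClientOptions
        {
            BaseAddress = new Uri("https://localhost"),
        });
    }

    // Mints a token with the given delegated scopes; Entra ID places them in the "scp" claim.
    private static string MintToken(string scp)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(new[] { new Claim("name", "test-user"), new Claim("scp", scp) }),
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(TestKey, SecurityAlgorithms.HmacSha256),
        };
        return new JsonWebTokenHandler().CreateToken(descriptor);
    }

    private async Task<HttpStatusCode> GetForecastAsync(string? bearer)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, "/weatherforecast");
        if (bearer is not null)
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", bearer);
        using var response = await _client.SendAsync(request);
        return response.StatusCode;
    }

    [Fact]
    public async Task NoToken_Returns401() =>
        Assert.Equal(HttpStatusCode.Unauthorized, await GetForecastAsync(null));

    [Fact]
    public async Task SplicedSignature_Returns401()
    {
        // header.payload of a token with the right scope, signature taken from a different token:
        // the signature no longer covers the payload, so validation must fail before any policy runs.
        var good = MintToken(_requiredScope).Split('.');
        var other = MintToken("Other.Read").Split('.');
        var spliced = $"{good[0]}.{good[1]}.{other[2]}";
        Assert.Equal(HttpStatusCode.Unauthorized, await GetForecastAsync(spliced));
    }

    [Fact]
    public async Task WrongScope_Returns403() =>
        Assert.Equal(HttpStatusCode.Forbidden, await GetForecastAsync(MintToken("Other.Read")));

    [Fact]
    public async Task RequiredScope_Returns200() =>
        Assert.Equal(HttpStatusCode.OK, await GetForecastAsync(MintToken(_requiredScope)));
}
```

The 403 case is the one worth keeping in a regression suite: it fails if someone later replaces the policy with a bare `[Authorize]`, which would let any token issued by the tenant for any API through. Issuer and audience validation are deliberately left to the real configuration and are not what these tests cover.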