Hi

I have created an App Registration on Azure, following this I created a Client Secret, App Role and Scope, setting permission under API Authorisation.

The purpose here is to have a WebApi core using .Net 6 so I can exchange data securely.
In order to get the token I send a request to

https://login.microsoftonline.com/tenat_id/oauth2/v2.0/token

with

```
grant_type : client_credentials
client_id : myAppClientId
client_secret : myClientValue
scope : https://domain.onmicrosoft.com/ClientId/.default
```

This works and I retrieve a JSON token which I can decode at jwt.io.
I now have the below code in .Net 6 WebCore API

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
builder.Services.AddControllers();

// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();

// Validate incoming bearer tokens against the "AzureAd" section of appsettings.json
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

var app = builder.Build();

// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
    //app.UseSwagger();
    //app.UseSwaggerUI();
}
else
{
    app.UseHsts();
}

app.UseHttpsRedirection();

app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();

app.Run();
```
appSettings.json

```json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "ClientId": "myAppClientId",
    "ClientSecret": "ClientValue",
    "Domain": "myTenantId",
    "TenantId": "myTenantId",
    "Audience": "https://domain.onmicrosoft.com/myAppClientId"
  }
}
```
My Controller is decorated with [Authorize] at the top; if I call https://localhost/weatherforecast I need to make a new request passing in the Token from above and retrieve the data with bearer.
- What would be the correct process to retrieve a token from my WebAPI? Do I create a new controller with full access and a new method to call the same service in this method (sending a request to https://login.microsoftonline.com/tenat_id/oauth2/v2.0/token) and passing in the values supplied? If so, what values should I be providing end consumers for using this service, as some would be sensitive to our Azure account?
- I don't fully understand the difference between scope and audience (you will notice in my code the JSON uses Audience, but when I sent the request to get the token I passed in Scope?)