How to know the authentication flow used by the Microsoft.Identity.Web Package

Newbie Dev 156 Reputation points
2021-12-12T01:32:18.493+00:00

Hi,

My current project is a .NET Core API (.NET 6). I am trying out the Microsoft.Identity.Web package in it to add the Azure AD On-Behalf-Of flow and call the Graph API.

So the sample project shows it is as simple as adding some code in the Startup.cs

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApi(Configuration.GetSection("AzureAd"))
                .EnableTokenAcquisitionToCallDownstreamApi()
                    .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
                    .AddInMemoryTokenCaches();

        services.AddControllers();
    }

In the controller

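    private readonly GraphServiceClient _graphServiceClient;

    // Returns the object ID of the signed-in user as reported by Microsoft Graph.
    // The return type is Task<string> because user.Id is a single string.
    public async Task<string> TestAsync()
    {
        var user = await _graphServiceClient.Me.Request().GetAsync();
        return user.Id;
    }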

How do I know what flow is being used here?

Is it OBO or Client credential or any other?

In the appsettings of the API I can also see the client secret, is that for calling Graph API?

Thanks in advance

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph

Accepted answer
  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2021-12-12T17:10:58.22+00:00

    Hi @Newbie Dev ,

    The Microsoft.Identity.Web package supports applications for the scenarios below:
    • Web app that signs in users
    • Web app that signs in users and calls a web API on their behalf
    • Protected web API that only authenticated users can access
    • Protected web API that calls another (downstream) web API on behalf of the signed-in user

    Microsoft.Identity.Web abstracts the whole sign-in process of getting an access token and then calling the web API for us. It authenticates the user so that the authenticated user of the web application has access to the web API, which leads to the On-Behalf-Of flow.

        .AddMicrosoftIdentityWebApi(Configuration.GetSection("AzureAd"))

    in Startup.cs adds the Microsoft.Identity.Web functionality to the middleware. It uses the AzureAd section from appsettings.json to authenticate the user details, and the [Authorize] attribute in the controller verifies that the user is authenticated and has the proper scope in the access token.

    Refer to this blog for a detailed understanding: https://codemilltech.com/web-api-authentication-with-microsoft-identity-web/

    Also, here in Startup.cs

        .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
        .AddInMemoryTokenCaches();

    the web app/API is calling the downstream Graph API, which is also called a confidential client application.

    Confidential client applications are applications that use a secret or certificate to call Azure AD to get access tokens and that run on servers (web apps, web API apps, daemon apps).

    Hope this helps.

    Thanks,
    Shweta

    ---------------------------------------------------------------------------

    Please remember to "Accept Answer" if answer helped you.
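
One way to check the flow empirically, as an added example that is not part of the original thread or of Microsoft.Identity.Web: decode the payload of an access token and read its claims. Azure AD puts `scp` in delegated tokens (what On-Behalf-Of yields), puts `roles` without `scp` in app-only tokens from client credentials, and records how the client authenticated in `appidacr` (v1 tokens) or `azpacr` (v2 tokens). The helper names and the sample tokens are constructed for illustration.

```csharp
using System;
using System.Text;
using System.Text.Json;

// Constructed, unsigned sample tokens (illustrative claim values only).
string delegated = MakeToken("{\"scp\":\"User.Read\",\"oid\":\"user-object-id\",\"appidacr\":\"1\"}");
string appOnly = MakeToken("{\"roles\":[\"User.Read.All\"],\"idtyp\":\"app\",\"appidacr\":\"2\"}");
Console.WriteLine(Describe(delegated));
Console.WriteLine(Describe(appOnly));

// Builds header.payload.signature with a dummy header ({}) and dummy signature.
static string MakeToken(string payloadJson) =>
    "e30." + Convert.ToBase64String(Encoding.UTF8.GetBytes(payloadJson))
                 .TrimEnd('=').Replace('+', '-').Replace('/', '_') + ".sig";

// Decodes the payload WITHOUT validating the signature: for diagnostics only,
// never for an authorization decision.
static JsonElement DecodePayload(string jwt)
{
    string[] parts = jwt.Split('.');
    if (parts.Length != 3) throw new FormatException("Expected header.payload.signature");
    string b64 = parts[1].Replace('-', '+').Replace('_', '/');
    b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
    using JsonDocument doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
    return doc.RootElement.Clone();
}

static string Describe(string jwt)
{
    JsonElement c = DecodePayload(jwt);
    bool hasScp = c.TryGetProperty("scp", out _);
    bool hasRoles = c.TryGetProperty("roles", out _);
    bool idtypApp = c.TryGetProperty("idtyp", out JsonElement t) && t.ToString() == "app";

    // scp = delegated permissions granted on behalf of a user (what OBO yields);
    // roles without scp (or idtyp=app) = application permissions (client credentials).
    string kind = hasScp && !idtypApp ? "delegated (user context, e.g. On-Behalf-Of)"
                : idtypApp || hasRoles ? "app-only (client credentials)"
                : "undetermined";

    // How the client authenticated to Azure AD: azpacr in v2 tokens, appidacr in v1.
    string acr = c.TryGetProperty("azpacr", out JsonElement a) || c.TryGetProperty("appidacr", out a)
        ? a.ToString() : "";
    string clientAuth = acr switch
    {
        "0" => "public client (no credential)", "1" => "client secret",
        "2" => "certificate", _ => "unknown"
    };
    return $"{kind}; client authenticated with: {clientAuth}";
}
```

A value of `1` for the client-authentication claim on a delegated token is consistent with a confidential client having presented its client secret while acquiring a token on the user's behalf.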
