-
Notifications
You must be signed in to change notification settings - Fork 208
0.3.0 preview
Simple with the configuration
services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
.EnableTokenAcquisitionToCallDownstreamApi()
.AddInMemoryTokenCaches();Simple with the configuration section
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))
.EnableTokenAcquisitionToCallDownstreamApi()
.AddInMemoryTokenCaches();With the delegates:
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(microsoftIdentityOptions=>
{
Configuration.Bind("AzureAd", microsoftIdentityOptions);
// do something
})
.EnableTokenAcquisitionToCallDownstreamApi(confidentialClientApplicationOptions=>
{
Configuration.Bind("AzureAd", confidentialClientApplicationOptions);
// do something
}
)
.AddInMemoryTokenCaches();Note that when you use the override of AddMicrosoftIdentityWebApp with delegates, the only the override of EnableTokenAcquisitionToCallDownstreamApi is the one with delegates (as the configuration is not known).
When you sue the override of AddMicrosoftIdentityWebApp with configuration, you can use either the overrides of EnableTokenAcquisitionToCallDownstreamApi with configuration (which does not need to be passed again, as it's known from AddMicrosoftIdentityWebApp , or with delegates for the ConfidentialClientApplicationOptions
This is similar as for Web apps
services.AddMicrosoftIdentityWebApiAuthentication(Configuration)
.EnableTokenAcquisitionToCallDownstreamApi()
.AddInMemoryTokenCaches();which is equivalent to:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
AddMicrosoftIdentityWebApi(Configuration)
.EnableTokenAcquisitionToCallDownstreamApi()
.AddInMemoryTokenCaches();which is really:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(Configuration,
jwtBearerScheme:JwtBearerDefaults.AuthenticationScheme,
configSectionName:"AzureAd")
.EnableTokenAcquisitionToCallDownstreamApi(initialScopes: null)
.AddInMemoryTokenCaches();Then with the delegates:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(
options =>
{
Configuration.GetSection("AzureAd").Bind(options);
// Do something
},
options =>
{
Configuration.GetSection("AzureAd").Bind(options);
// Do something
})
.CallsWebApi(options =>
{
Configuration.GetSection("AzureAd").Bind(options);
// do something
} )
.AddInMemoryTokenCaches();which is really:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(
options =>
{
Configuration.GetSection("AzureAd").Bind(options);
// Do something
},
options =>
{
Configuration.GetSection("AzureAd").Bind(options);
// Do something
},
jwtBearerScheme: JwtBearerDefaults.AuthenticationScheme,
subscribeToJwtBearerMiddlewareDiagnosticsEvents:false)
.EnableTokenAcquisitionToCallDownstreamApi(options => Configuration.GetSection("AzureAd").Bind(options),
initialScope=null)
.AddInMemoryTokenCaches();Note that EnableTokenAcquisitionToCallDownstreamApi really means: has the capability of calling a Web API (acquiring tokens), that is making the ITokenAcquisition service available.
From a web app, as from a web API, you can call either Microsoft Graph, or a downstream API
.EnableTokenAcquisitionToCallDownstreamApi
.AddMicrosoftGraph()
.AddDownstreamApi("MyApi", Configuration.GetSection("SectionForMyApi")
.AddInMemoryTokenCaches();AddMicrosoftGraph has three overrides:
.AddMicrosoftGraph(Configuration.GetSection("GraphBeta").AddMicrosoftGraph(options =>
{
options.BaseUrl = "https://graph.microsoft.com/beta";
options.Scopes = "mail.read mail.write";
});.AddMicrosoftGraph(;which uses the public cloud v1.0 Microsoft Graph API ("https://graph.microsoft.com/v1.0"), and "user.read" as scopes.
In the controllers/blazor pages /razor pages you can then inject GraphClientService and use it.
AddDownstreamApi has two overrides:
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration, "AzureAd")
.EnableTokenAcquisitionToCallDownstreamApi()
.AddDownstreamWebApi("TodoList", Configuration.GetSection("TodoList"))
.AddInMemoryTokenCaches();and
.AddDownstreamApi("MyApi", options =>
{
options.BaseUrl = "https://myapi.mydomain.com";
options.Scopes = "api://guid/acces_as_user";
});It enables you to In the controllers/blazor pages/razor pages you can then inject IDownstreamApi and use it to call the web API directly. See for instance: https://github.com/AzureAD/microsoft-identity-web/blob/fe145b3fbe75960faead1476176f7c63b8afd976/tests/WebAppCallsWebApiCallsGraph/Client/Controllers/TodoListController.cs#L22-L38
public TodoListController(IDownstreamWebApi downstreamWebApi)
{
_downstreamWebApi = downstreamWebApi;
}
// GET: TodoList
public async Task<ActionResult> Index()
{
var value = await _downstreamWebApi.CallWebApiForUserAsync<object, IEnumerable<Todo>>(
ServiceName,
null,
options => { options.RelativePath = "api/todolist"; });
return View(value);
}
## Samples
- For a sample of a Web app calling Microsoft Graph, see https://github.com/AzureAD/microsoft-identity-web/tree/master/tests/WebAppCallsMicrosoftGraph
- For a sample of a Web app calling a downstream API, see https://github.com/AzureAD/microsoft-identity-web/tree/master/tests/WebAppCallsWebApiCallsGraph- Home
- Why use Microsoft Identity Web?
- Web apps
- Web APIs
- Using certificates
- Minimal support for .NET FW Classic
- Logging
- Azure AD B2C limitations
- Samples
- Web apps
- Web app samples
- Web app template
- Call an API from a web app
- Managing incremental consent and conditional access
- Web app troubleshooting
- Deploy to App Services Linux containers or with proxies
- SameSite cookies
- Hybrid SPA
- Web APIs
- Web API samples
- Web API template
- Call an API from a web API
- Token Decryption
- Web API troubleshooting
- web API protected by ACLs instead of app roles
- gRPC apps
- Azure Functions
- Long running processes in web APIs
- Authorization policies
- Generic API
- Customization
- Logging
- Calling graph with specific scopes/tenant
- Multiple Authentication Schemes
- Utility classes
- Mixing web app and web API
- Deploying to Azure App Services
- Azure AD B2C issuer claim support
- Performance
- specify Microsoft Graph scopes and app-permissions
- Integrate with Azure App Services authentication
- Ajax calls and incremental consent and conditional access
- Back channel proxys
- Client capabilities