Zoom Speaks Tech
Registered 24. 10. 2020
Hi there! My name is Hazem Elshabini. I'm a cloud architect, developer, evangelist, and speaker.
Simplifying API Authentication: Integration Scenarios Between Azure API Management and Azure AD B2C
In this video, we explore all the different scenarios for integrating Azure API Management with an OAuth2 IdP such as Azure AD B2C.
00:00 Introduction
06:18 Authenticate Developers by using Azure AD B2C
14:30 Authorize Developer Accounts using Azure AD B2C
22:18 Secure an API using Azure AD B2C
34:55 Using Azure AD B2C for Authorization between Gateway and Backend
52:26 Summary
GitHub Repository: github.com/helshabini/apim-b2c
Official documentation for the scenarios:
Scenario 1: Authenticate Developers by using Azure AD B2C
docs.microsoft.com/en-us/azure/api-management/api-management-howto-aad-b2c
Scenario 2: Authorize Developer Accounts using Azure AD B2C
docs.microsoft.com/en-us/azure/api-management/api-management-howto-oauth2
Scenario 3: Secure an API using Azure AD B2C
docs.microsoft.com/en-us/azure/active-directory-b2c/secure-api-management?tabs=app-reg-ga
Scenario 4: Using Azure AD B2C for Authorization between Gateway and Backend
docs.microsoft.com/en-us/azure/api-management/policies/use-oauth2-for-authorization
Attributions:
Background vector created by Harryarts - www.freepik.com/vectors/background
Views: 5 958
Customize Your Azure AD B2C Domain: Step-by-Step Guide
6K views, 3 years ago
In this video, we enable a custom domain for Azure AD B2C end-to-end. 00:00 Problem statement 01:31 Azure AD B2C Tenant creation 02:31 App registration 03:45 User flow creation 04:52 Testing SignUp/SignIn user flow 05:44 Adding a custom domain 06:53 Azure AD DNS verification 08:15 Front Door creation 10:15 Front Door DNS verification and TLS 13:13 Testing custom domain user flow 14:23 Additiona...
Optimizing Your DevOps Infrastructure: Configuring Azure DevOps VMSS Agent Pool
3,1K views, 3 years ago
In this video, we explore configuring the VMSS Agent Pools with required software to run your build pipeline using cloud-init. You can get the code from here: zoomspeaks.tech/configuring-azure-devops-vmss-agent-pool
Step-by-Step Guide: Publish AKS with Application Gateway Ingress Controller
33K views, 3 years ago
In this video, we take a look at the Azure Application Gateway Ingress Controller, and learn how to use it to securely publish AKS Services. The script and links for this article can be found here: zoomspeaks.tech/publishing-aks-with-agic 0:00 Problem description 4:43 How AGIC works 7:56 Creating the Application Gateway 9:52 Onboarding AGIC on an existing AKS Cluster 11:52 Deploying the Ingress
Protect Your Kubernetes Secrets: Securing with Azure Key Vault
15K views, 3 years ago
In this video, we take a look at the Azure Key Vault Provider for Secrets Store CSI Driver. This provider allows you to mount secrets from Azure Key Vault directly to your pods, eliminating the need to manage those secrets in your YAML files or in your deployment pipelines. Here is a link for the provider documentation: azure.github.io/secrets-store-csi-driver-provider-azure/ GitHub Repo: githu...
Streamline Your Package Management: Using Azure DevOps Artifacts with Java/Maven Projects
26K views, 3 years ago
In this video, we take a look at Azure Artifacts, and how it helps with package management specifically in Java/Maven projects. The concepts discussed in this video can be applied to any other language/tool.
Simplify Your Certificate Automation: Managing Azure Key Vault Certificates
12K views, 3 years ago
Protecting your web services with certificates is indispensable nowadays. It can also be automated, free, and very easy, so there is virtually no excuse for not doing it. This video discusses how to: - 00:00 Use ACMEBot to automate ACME certificate issuance and save the certificates in Key Vault - 17:23 Integrate Key Vault certificates with Azure App Services - 23:38 Integrate Key Vault certificates wit...
Securely Host Your Web Applications: Securing Azure App Service Environment
13K views, 3 years ago
An internal App Service Environment (ILB ASE) is a great way to host your web applications securely and internally on Azure. However, because an ILB ASE is accessible only from within the VNet boundaries, it is a challenge to publish these apps externally, or to deploy your code to them using DevOps, as your pipelines cannot reach this secure environment. In this video, I will go through the process of: - Creating a...
Hi, would like to know if there is a way we can configure the Distinguished Names as per the organization's needs? Will the ACME bot be able to reconfigure that?
So this is Azure Application Gateway Ingress Controller with the k8s ingress controller: nginx type? Dual ingress to cover all security?
How do I do this process using YAML?
Nice video!
My issue is: When I type mvn deploy, it does not look for the dependency in the .m2 local folder. Instead, it looks for the Azure's Artifacts. But Azure Artifacts right now has no JAR file. So it gives me an error saying that no dependency found.
Where is your settings.xml located? Is it in the Azure DevOps server?
You, sir, are a hidden treasure!
Brilliant
Hi, thanks for this great video, it's really very useful. Could you please also guide me on how to upload the maven artifacts of project1 into jFrog & download them from jFrog to build project2?
Great video, helped me a lot!!!
Amazing explanation! Can I have multiple ingresses for two different webapps for the same AGIC? so eventually I would have one external IP which is the AppGW IP?
This video is going to be a short one............ proceeds with a half-hour video 😂😂, but a great informative video.
😁 Glad you liked it. You can also guess how most meetings go 😂
Nice video, nice work. Thanks a lot!
nice one! thanks!
Awesome wording, scripts, content and pace.
Much appreciated!
Fantastic! Well done for this.
lol this is much clearer than I 👌 thought
Hi, very useful session which is so helpful to me.. And please let me know how to use the App Gateway load balancer in the ingress file with an App Service custom managed wildcard certificate purchased from Azure and stored in Azure Key Vault. How do we use that certificate in the ingress file in the AKS cluster?
Sure, here is a guide on how to do that: azure.github.io/application-gateway-kubernetes-ingress/features/appgw-ssl-certificate/
Video was super helpful!💯
Excellent. You explained it in very simple language.
Then it creates secrets in the k8s cluster, which means there is no encryption here, because k8s secrets are just encoded and decoded using base64. Now there is no point in using this one, I guess.
I found this type of AKS setup unsatisfying. If you kill a pod and simulate some sort of application panic or crash, the information about this is not transmitted to the app gateway instantly. It takes several seconds for the app gateway ingress controller to transfer this information over Azure Resource Manager so it can reconfigure the app gateway to inform it that the pod is gone. During this time you will get many more 500 errors than you would with a standard ingress controller setup. Would love to hear your feedback on this.
Thanks for publishing this tutorial. I have configured it in the same way but somehow it's showing a bad gateway error. Could you please help me fix it? Please share your email and I will post you the issue.
Excellent work. I loved it.
Hello, thank you for the video. Could you please share the nginx and basic ingress yaml please?
Link to blog post with all code snippets: zoomspeaks.tech/publishing-aks-with-agic
One of the best explanations I've seen on this topic, straight to the point. Many thanks
Excellent tutorials! Thanks for the efforts
This is very helpful. Thanks for your effort in sharing your knowledge. I did notice that I didn't need to add CORS for the custom domain for the custom html page. It straightaway worked for me. Any suggestion for rewriting a long url to a short one?
That is weird. CORS must be configured in case you are using custom html. Are you sure the policy you ran wasn't just using a default UI? What do you mean by rewriting the url?
@@ZoomSpeaksTech I'm using custom policies and not user flows. By rewriting the url I mean providing a short url which translates to the original b2c url with the policy name and other parameters. Maybe I'm thinking of something wrong which is not logically possible.
@@Anonymous-tk6pm Oh I got it. So you can use Front Door's URL Rewrite feature. That should work: learn.microsoft.com/en-us/azure/frontdoor/front-door-url-rewrite?pivots=front-door-standard-premium
Amazing tutorial
gosh kubernetes can be so verbose sometimes. this is neat, but every time i have a new secret, i have to update: 1. the deployment, 2. the secretproviderclass parameters.objects, 3. the secretproviderclass secretobjects 😓
I agree. You can automate everything, but at some point it would be overkill to build something that serves no specific function other than to overcome verbosity. Which is why sometimes I prefer my apps to grab their own secrets whenever possible and absolve kubernetes of having to manage that. Key Vault integration can be easily done in most languages from the app code itself. The app merely needs a managed identity to be able to grab it.
How to connect a maven repository with an azure artifact feed, any suggestion please?
May God reward you, my dear brother. Don't stop, so we can benefit from your expertise.
Well explained!
This video helped me a lot! Great explanation, want more videos from you.
Please continue to do videos on azure devops regarding yaml pipelines for java code.
Hello Sir, i created a nuget.config file in the azuredevops pipeline and the packages are getting downloaded, but the Developers also need to use that same nuget.config file to download the packages in Visual Studio, how can i achieve this? Presently i have given access to download the packages by creating a group and giving it permission as a contributor in AZURE ARTIFACTS, so that's how they are able to download the packages.
Apologies Raghu, I haven’t actually done this with nuget before.
@@ZoomSpeaksTech ok fine.. i just came to know that with Azure Artifacts Credentials we can do it.. like we can give the Developers access to the Private Artifact Feeds, but getting confused with how to implement it.
And any idea how to send Test Results email notifications to a Developer via SendGrid? Thanks for the reply.
@@raghur5678 you can use this task: marketplace.visualstudio.com/items?itemName=kasunkodagoda.sendgrid-email Another alternative is to talk to the SendGrid API directly via an API call.
@@ZoomSpeaksTech but i couldn't find how to send TEST report results via mail through SendGrid.. :( or a URL
How to upgrade the tls/ssl version in azure cosmos DB, i.e. i presently have tls 1.0, I need tls 1.2
it is a good one, really enjoyed the explanations, keep going!!!
Make me your disciple
I've just found this - it's great. I don't suppose you have one on how to set the JRE if you require one that isn't on the agent already, do you?
I suppose you can run whatever commands you need to set up the JRE as you want it prior to compilation. That could be anything, including uninstalling/installing a specific JRE version and setting up whatever settings you need. All the tasks are going to run on the same disposable agent. Or you can use a pre-setup agent using your own machines or VMSS. I have posted another video on this topic.
Amazing video, thanks a lot!
Great tutorial. Thank you
JWT token giving an invalid token error on deploying to Azure Web App but not working on localhost? What might be the reason?
Hi Kaunain, can you please be a little more specific? Which scenario are you trying to accomplish?
@@ZoomSpeaksTech It validated the jwt token in weatherforecast with postman on localhost, but when i uploaded the same weatherforecast app to azure and replaced the azure web app url with localhost it gives a 401 unauthorized error
In all of the various options we still end up with a credential on disk/mount in clear or Base 64 encoded form. There is no protection of the secret if the container is breached. All that we have done is cleaned up the code and pipelines from being littered with secrets.
That’s true. And there is no way around it except if you take the time/effort to write code in your application to try and grab its own secrets from Key Vault using its managed identity.
How does Artifacts choose which dependencies to cache from Maven Central? Because you have many dependencies but just a few are cached (like junit and hamcrest, minute 29). For example, if we have Az DevOps Server and only Artifacts has permission to go out to Maven Central, and our clients just use Azure Artifacts and not the internet directly, we need to cache all the dependencies from Maven Central in Azure Artifacts.
I think your agents will still require internet access or at least proxy access to the Azure Artifacts. I do not think there is a mechanism which allows you to cache them locally. Maybe Azure DevOps Server (the on-prem version of ADO) will allow you to do so but I am not an expert on it.
i have a small issue: i found the feed is empty. is that related to the maven token definition?
i am using the secretproviderclass as per the directions, it's creating the secretproviderclass but it's not creating the secret. when i query with kubectl get secrets i don't find them there. could you please let me know what could be wrong or is there any additional step i need to follow? in this example you created the secrets beforehand, should we do the same???
No, the secret should be created for you. If it is not then there is probably a permission issue somewhere. Check the logs of the secrets provider containers and it might point you somewhere.
Hi Sir, good morning, would like to check if we can also use the cert-manager in this method, maybe you have some simple flow that we can replicate. thanks :)
I do not have any experience with cert-manager yet. I am not sure whether it supports key-vault.
If the secret volumes are still mounted inside the container, does it mean that the password would still be in clear text and we can simply read the password file?
Yes indeed, if you want an additional layer of security then you can encrypt it and decrypt it using your app.
@@ZoomSpeaksTech would other solutions like hashicorp vault do the same thing like mount secret volumes with password in plain text or they will at least automatically encrypt it?
They work exactly the same. If this bothers you, the other option is to write code to extract secrets from a secure vault like Azure Key Vault in your app.
Hi bro, i have a question: why have we not specified a redirect uri for the backend api in the app registration? How is the token endpoint going to recognize where to pass the token if there is no redirect uri for the backend api? You have put the client id in the backend api code, that looks good, but is that enough?
Timestamp?
@@ZoomSpeaksTech this is a question i have, like why you have not specified a redirect uri in the app registration for the api in azure ad, is this not necessary?
I did later on here: czcams.com/video/JTKpunPpYi8/video.htmlm47s and here: czcams.com/video/JTKpunPpYi8/video.htmlm55s Depending on the scenario you set the proper redirect uri. Client Credentials workflow however does not need a redirect url, as it is just a request/response to the token endpoint.
@@ZoomSpeaksTech yup bro you have the redirect uri for the APIM app, but i have seen articles as well where no one is putting a redirect uri for the API, everyone is putting the redirect uri for APIM
APIs generally validate tokens, not issue them. There need not be a redirect uri for that.