Coding Shorts: Using Azure Entra ID to Protect Your APIs

  • added 12. 09. 2024

Comments • 27

  • @dsheardown
    @dsheardown 6 months ago +1

    Brilliant as always and appreciate the time put into these videos! I realise you are essentially "buying into" a certain platform for your auth but then again I don't really want to try to roll my own auth! I still get this from time to time i.e. the vendor lock-in but come on! we are all "locking" ourselves to some framework/platform etc. :). Personally, I do like the feeling the auth is handled by people who know more about this stuff than I! I am still trying to wrap my head around integrating this type of auth and allowing users to sign up/pay for a SaaS/API access.. I did experiment with the older Azure AD B2C / API Gateway stuff... I should really spend some time reading the updated docs!! Anyway, thank you again for a great intro to this and sharing the code :)

    • @swildermuth
      @swildermuth 6 months ago +1

      I am in agreement, find a partner you trust (AWS, Azure, Okta, etc.) and you'll be close to the same implementation. Luckily if you change, it's just changing a little code on both sides, not re-engineering a complete login/security system.

  • @jamesevans6438
    @jamesevans6438 6 months ago

    Hi Shawn, great vid, this is not a straightforward concept to get your head around, great explanation and very nice clean code, love it! Probably need to handle the access token expiry and a bit of a consideration for refresh tokens, maybe they can't be used with public clients.

  • @lpsoldier357
    @lpsoldier357 6 days ago

    Great tutorial. Which font are you using in Visual Studio? Seems pretty good.

  • @OmegaCosmos
    @OmegaCosmos 4 months ago

    Hey Shawn, fantastic video! I've searched around for a tutorial on this for ages and just couldn't understand any of them!!
    Is there a way to implement a navigation guard using this? I want my users to be automatically directed to a login page if they aren't already logged in.

    • @swildermuth
      @swildermuth 3 months ago

      Yes you can! The client-side Entra API has a simple call to see if the user is logged in. I didn't cover it here, but you'll want to use the client library (it works across frameworks in JS/TS).

  • @Max-kj2us
    @Max-kj2us 5 months ago

    Hi Shawn,
    As always, your videos are great and helpful! Thanks.
    Could you do me a favor and expand upon this topic? I would like to figure out how I can secure an API with bearer tokens (Entra ID), but I would like to trigger the OAuth flow by hand (or by code).
    Could you show me how I can get that done?
    So the steps would be:
    Secure the API like in your video.
    Write a small C# program that does the OAuth 2 flow and gets the Bearer token.
    Get weather info and add the token from step 2.
    I'm mainly curious how you configure Azure.

  • @lpsoldier357
    @lpsoldier357 3 days ago

    What if I want to have a custom login page, and also a .net api with a custom IdentityUser?

    • @swildermuth
      @swildermuth 1 day ago

      Then you probably want to use Azure B2C or ASP.NET Identity.

  • @eusouodouglas5730
    @eusouodouglas5730 6 months ago

    Thank you for sharing! How is this token working? Is it possible to revoke a token for a consumer in case the person had the token stolen?

    • @swildermuth
      @swildermuth 6 months ago

      You can revoke the user and the refresh token, but not the access token. The token should be short-lived to limit the amount of time. The token is proof that the user has access, and if it went back to MS on every request, it would perform really badly. I hope that helps.

  • @arnjmllr
    @arnjmllr 1 month ago

    Great tutorial. I must have missed something though, as even when I log in and get the token and pass it to the web API I am getting a 401 error. I've gone over the code and tutorial and I'm not seeing my mistake. Any "usual suspects" for this issue? I am able to display my name once logged in, it's just the call to the weatherforecast that is denied. Truly appreciate any ideas.

    • @swildermuth
      @swildermuth 1 month ago

      Are you sure you have the middleware in the server app correctly set up with the same client/tenant ids and client secret? Are you sure you're setting the auth header correctly? Those are two places I'd start.

    • @arnjmllr
      @arnjmllr 1 month ago

      @swildermuth thanks so much for the reply, I'm not quite sure what you mean by client secret. I've checked the clientid/tenantid, authority, scopes and the "bearer " + token... all look good. I'll keep looking :)

    • @swildermuth
      @swildermuth 1 month ago

      If you go to your App Registration for your app and look at "Manage->Certificates and Secrets" - you'll need to create a new secret and pass it into the options.ClientSecret where you set the clientid and the tenant id.

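The "usual suspects" in the reply above (wrong client or tenant id, wrong audience, a bad `Authorization` header) and the token-expiry concern raised earlier in the thread can all be checked on the client before the request is sent. The following is an added example in plain Node.js, not code from the video or from the thread: it decodes the payload of the access token without verifying the signature (so it is a debugging aid only; the API's bearer middleware still does the real validation) and compares the standard Entra claims `aud`, `tid`, `scp` and `exp` with what the API registration expects. The registration values in `EXPECTED`, the scope name `access_as_user` and the sample tokens are constructed placeholders.

```javascript
// Added example (not from the video): client-side diagnostic for the
// "logged in, but the API returns 401" case. Decodes the access token payload
// WITHOUT checking the signature, purely to inspect what the client is about
// to send; the API's bearer middleware still performs the real validation.

// base64url -> UTF-8 string (JWT segments are base64url without padding)
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// UTF-8 string -> base64url (used only to build the constructed sample tokens)
function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns the claims of a compact JWT; throws if the shape is wrong.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected header.payload.signature)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Compares the token's claims with what the API registration expects.
// `expected` holds assumed values from your own app registration:
//   audience: the API's client id or Application ID URI (the `aud` claim)
//   tenantId: the directory (tenant) id (the `tid` claim)
//   scope:    one delegated scope the API requires (listed in the `scp` claim)
// `nowSeconds` is injectable so the expiry check is deterministic.
function diagnoseAccessToken(token, expected, nowSeconds = Math.floor(Date.now() / 1000)) {
  let claims;
  try {
    claims = decodeJwtPayload(token);
  } catch (err) {
    return { ok: false, problems: [err.message], claims: null };
  }
  const problems = [];

  if (typeof claims.exp === 'number' && claims.exp <= nowSeconds) {
    problems.push('token expired at ' + new Date(claims.exp * 1000).toISOString() +
      '; acquire a fresh one before calling the API');
  }
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.includes(expected.audience)) {
    problems.push('aud is ' + JSON.stringify(claims.aud) + ', expected ' + expected.audience +
      ' (token was issued for a different app registration)');
  }
  if (claims.tid !== expected.tenantId) {
    problems.push('tid is ' + claims.tid + ', expected ' + expected.tenantId + ' (tenant id mismatch)');
  }
  const scopes = typeof claims.scp === 'string' ? claims.scp.split(' ') : [];
  if (!scopes.includes(expected.scope)) {
    problems.push('scp does not contain ' + expected.scope + ' (scope not requested or not consented)');
  }
  return { ok: problems.length === 0, problems, claims };
}

// The header the API expects: scheme "Bearer", one space, then the raw token.
function authorizationHeader(token) {
  return { Authorization: 'Bearer ' + token };
}

// Constructed, unsigned sample token for offline demonstration only.
function makeUnsignedToken(claims) {
  return base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' })) + '.' +
    base64UrlEncode(JSON.stringify(claims)) + '.';
}

// Placeholder registration values (assumed; replace with your own).
const EXPECTED = {
  audience: 'api://APPLICATION-ID-PLACEHOLDER',
  tenantId: 'TENANT-ID-PLACEHOLDER',
  scope: 'access_as_user',
};

// Stand-alone run: one valid-looking token and one expired token.
function demo() {
  const now = 1700000000;  // fixed "now" so the output is reproducible
  const fresh = makeUnsignedToken({ aud: EXPECTED.audience, tid: EXPECTED.tenantId, scp: 'access_as_user', exp: now + 600 });
  const stale = makeUnsignedToken({ aud: EXPECTED.audience, tid: EXPECTED.tenantId, scp: 'access_as_user', exp: now - 60 });
  console.log(diagnoseAccessToken(fresh, EXPECTED, now).ok);        // true
  console.log(diagnoseAccessToken(stale, EXPECTED, now).problems);  // ["token expired at ..."]
  console.log(authorizationHeader(fresh).Authorization.slice(0, 7)); // "Bearer "
}
demo();
```

Run it with `node` and paste a real token into `diagnoseAccessToken` in place of the constructed ones; an `aud` or `tid` that differs from the server's `options.ClientId` / `options.TenantId` is the usual cause of the 401 described above, and a past `exp` means the client library needs to acquire a fresh token rather than reuse the first one.
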
  • @akiander
    @akiander 6 months ago

    Can you explain why Microsoft's tutorials tell us to create one Entra Application definition for the API and another definition for the client application? This demo appears to use the same application definition for both.

    • @swildermuth
      @swildermuth 6 months ago

      I wish I could. I think Microsoft is assuming you'll need to create several APIs to protect APIs in chunks, but with roles, that's unnecessary IMO. But maybe an Entra/security person can correct me.

    • @coderider3022
      @coderider3022 5 months ago

      You should use an app reg to represent each distinct app. The api is a standalone app, the client is standalone. You could have other apps, power apps, server apps etc. In a contrived example where it's 1 logical app, it's ok to use 1. I have an api layer and support multiple clients via their own app reg and my app reg.

  • @paulh6933
    @paulh6933 6 months ago

    Do you know if the login modal can be customized? Maybe branded to my website?

    • @swildermuth
      @swildermuth 6 months ago +3

      I'm azure you can add your own branding

    • @matejl92
      @matejl92 6 months ago

      😂😂😂 @swildermuth

  • @nhatphii
    @nhatphii 6 months ago

    Hi, thank you for sharing. Can you create a tutorial on designing a project that applies clean architecture, from basic to advanced?
    I couldn't find good videos with such content on YouTube. I am new to this topic.
    Thank you for following my question.

    • @swildermuth
      @swildermuth 6 months ago +1

      These are short tutorials, I don't create full courses on YouTube.

    • @dsheardown
      @dsheardown 6 months ago +1

      But Shawn has some great courses on Pluralsight :) as well as his own courses on his website, I think?