Brilliant as always and appreciate the time put into these videos! I realise you are essentially "buying into" a certain platform for your auth but then again I don't really want to try to roll my own auth! I still get this from time to time i.e. the vendor lock-in but come on! we are all "locking" ourselves to some framework/platform etc. :). Personally, I do like the feeling the auth is handled by people who know more about this stuff than I! I am still trying to wrap my head around integrating this type of auth and allowing users to sign up/pay for a SaaS/API access.. I did experiment with the older Azure AD B2C / API Gateway stuff... I should really spend some time reading the updated docs!! Anyway, thank you again for a great intro to this and sharing the code :)
I am in agreement, find a partner you trust (AWS, Azure, Okta, etc.) and you'll be close to the same implementation. Luckily if you change, it's just changing a little code on both sides, not re-engineering a complete login/security system.
Hi Shawn, great vid, this is not a straightforward concept to get your head around, great explanation and very nice clean code, love it! Probably need to handle the access token expiry and a bit of a consideration for refresh tokens, maybe they can't be used with public clients.
Thanks!
Great tutorial. Which font are you using in visual studio? Seems pretty good
Source Code Pro
@swildermuth Thanks!
Very good. But for the front end, how about Blazor wasm? Can you give me where I can get the information?
thanks for sharing
Would this work with .NET YARP Gateway? SPA Style? Great video thanks
Should. I've seen it done.
Hey Shawn, fantastic video! I've searched around for a tutorial on this for ages and just couldn't understand any of them!!
Is there a way to implement a navigation guard using this? I want my users to be automatically directed to a login page if they aren't already logged in.
Yes you can! The client-side Entra API has a simple call to see if the user is logged in. I didn't cover it here, but you'll want to use the client library (it works across frameworks in JS/TS).
Thank you for sharing! How is this token working? Is it possible to revoke a token for a consumer in case the person had the token stolen?
You can revoke the user and the refresh token, but not the access token. The token should be short-lived to limit the amount of time. The token is proof that the user has access, and if it went back to MS on every request, it would perform really badly. I hope that helps.
What if I want to have a custom login page, and also a .net api with a custom IdentityUser?
Then you probably want to use Azure B2C or ASP.NET Identity
Can you explain why Microsoft's tutorials tell us to create one Entra Application definition for the API and another definition for the client application? This demo appears to use the same application definition for both.
I wish I could. I think Microsoft is assuming you'll need to create several APIs to protect APIs in chunks, but with roles, that's unnecessary IMO. But maybe an Entra/security person can correct me.
You should use an app reg to represent each distinct app. The api is a standalone app, the client is standalone. You could have other apps, power apps, server apps etc. In a contrived example where it's 1 logical app, it's ok to use 1. I have an api layer and support multiple clients via their own app reg and my app reg.
Hi Shawn,
As always, your videos are great and helpful! Thanks.
Could you do me a favor and expand upon this topic? I would like to figure out how I can secure an API with bearer tokens (Entra ID), but I would like to trigger the OAuth flow by hand (or by code).
Could you show me how I can get that done?
So the steps would be:
Secure the API like in your video.
Write a small C# program that does the OAuth 2 flow and gets the Bearer token.
Get weather info and add the token from step 2.
I'm mainly curious how you configure Azure.
Do u know if the login modal can be customized? maybe branded to my website?
I'm azure you can add your own branding
😂😂😂 @swildermuth
@swildermuth He is an Azure computer!
Azure Entra ID on-premises also works basically the same way? Great video thank you!
I haven't dealt with on-prem, but I believe it is.
@swildermuth ok thanks
great tutorial. I must have missed something though as even when I log in and get the token, pass it to the web api I am getting a 401 error. I've gone over the code and tutorial and I'm not seeing my mistake. Any "usual suspects" for this issue? I am able to display my name once logged, it's just the call to the weatherforecast that is denied. truly appreciate any ideas.
Are you sure you have the middleware in the server app correctly set up with the same client/tenant ids and client secret? Are you sure you're setting the auth header correctly? Those are two places I'd start
@swildermuth thanks so much for the reply, I'm not quite sure what you mean by client secret. I've checked the clientid/tenantid, authority, scopes and the "bearer " + token... all look good. I'll keep looking :)
If you go to your App Registration for your app and look at "Manage->Certificates and Secrets" - you'll need to create a new secret and pass it into the options.ClientSecret where you set the clientid and the tenant id.
@arnjmllr Have you made it work? I'm having the same issue, still getting 401 although everything is the same as in the tutorial. Adding ClientSecret did not help.
@ksalk91 sorry, no. I think Shawn's suggestion of the "client secret" may be the missing piece, but have not tried it, got busy with another project.
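The 401 thread above turns on how the API side is configured. As an added example (not the video's code, and not the commenters' code), here is a minimal ASP.NET Core API that validates Entra ID bearer tokens with the standard JwtBearer middleware, with the usual 401 causes called out in comments. The `AzureAd:TenantId` / `AzureAd:ClientId` configuration keys and the placeholder ids are assumptions; take the real values from the App Registration.

```csharp
// Added example (not the video's code): minimal ASP.NET Core API that validates
// Entra ID bearer tokens with Microsoft.AspNetCore.Authentication.JwtBearer.
// Configuration keys and placeholder ids are assumptions for this example.
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

var tenantId = builder.Configuration["AzureAd:TenantId"] ?? "<your-tenant-id>";
var clientId = builder.Configuration["AzureAd:ClientId"] ?? "<your-api-client-id>";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // The middleware downloads the OpenID metadata and signing keys from here.
        // Tokens issued by the v2.0 endpoint need the /v2.0 authority, or the
        // issuer check fails and the request is rejected with 401.
        options.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";

        // Usual suspect #1: audience mismatch. A v2.0 access token carries
        // aud = <client id>; a v1.0 token carries aud = api://<client id>.
        // Accept both so the difference does not silently produce a 401.
        options.TokenValidationParameters.ValidAudiences =
            new[] { clientId, $"api://{clientId}" };

        // Usual suspect #2: the middleware does not say why it rejected the
        // token unless you log the failure. This surfaces the real reason
        // (wrong audience, expired token, ID token sent instead of access token).
        options.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = ctx =>
            {
                ctx.HttpContext.RequestServices
                    .GetRequiredService<ILogger<Program>>()
                    .LogWarning(ctx.Exception, "Bearer token rejected");
                return Task.CompletedTask;
            }
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();

// Usual suspect #3: pipeline order. Authentication must run before
// authorization, and both before the endpoints are mapped.
app.UseAuthentication();
app.UseAuthorization();

// Protected endpoint: a request without a valid "Authorization: Bearer <token>"
// header gets 401 here, which is the symptom described in the thread.
app.MapGet("/weatherforecast", () => new[]
{
    new { Date = DateOnly.FromDateTime(DateTime.Now), TemperatureC = 21, Summary = "Mild" }
}).RequireAuthorization();

app.Run();
```

Two points worth checking against the thread: validating a bearer token needs only the tenant's published signing keys, so this configuration carries no client secret (a secret belongs to a confidential client that requests tokens, not to the API that verifies them); and the token sent must be the access token obtained for the API's exposed scope, since an ID token has a different audience and is rejected with exactly this kind of 401. Enabling the `OnAuthenticationFailed` log is the quickest way to tell those cases apart.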
Hi, Thank you for sharing. Can you create a tutorial on designing a project that applies clean architecture, from basic to advanced?
I couldn't find good videos with such content on YouTube. I am new to this topic.
Thank you for following my question.
These are short tutorials, I don't create full courses on YouTube
But Shawn has some great courses on Pluralsight :) as well as own courses on website I think?