- Home>
- Azure Active Directory
All posts in "Azure Active Directory"
Obtain access token via authorization code grant with PKCE in angular using oidc-client-js and Microsoft Identity Platform.
Published April 13, 2020
in Angular
, Azure
, Azure Active Directory
, OAuth2
, OpenID Connect
, security
- 2 Comments
Recently, I learned about why implicit flow is not secure because of exposing the access token in the browser. Authorization code grant with PKCE is more secure and should be preferred over implicit flow for protecting a public application which cannot keep the client secret secure. The good new is if you already use oidc-client-js and get tokens from azure ad via implicit flow, the changes you have to make to use authorization code flow with PKCE are minimal. In this post, I show what you need to change to use authorization code grant with PKCE.
How to authenticate user against Azure ADB2C from Angular app using oidc-client-js.
Published February 17, 2020
in Azure
, Azure Active Directory
, Azure ADB2C
, OpenID Connect
, security
- 3 Comments
In this post, I show you how to authenticate your user against azure adb2c to obtain an id and access token. Specifically, we’ll discuss the following:
- Create azure adb2c directory
- Register applications in b2c tenant.
- Define scopes and setup permissions.
- Setup sign up and sign in user flow.
- Authentication service.
- Response to authentication events in component.
Please checkout the latest codes for this post here.
Also, check out the follow-up posts relating to using oidc-client-js to interact with Azure ADB2C:
Implement OAuth2 Client-Credentials flow with Azure AD and Microsoft Identity Platform.
Published December 16, 2019
in ASP.NET core
, Azure
, Azure Active Directory
, OAuth2
, OpenID Connect
, security
- 5 Comments
OAuth2 Client Credentials flow is a protocol to allow secure communication between two web APIs. Specifically, the protocol specifies the flow of obtaining authorization for a client to access protected endpoints of a resource server with no user interaction involved. With Microsoft Identity Platform, Azure portal, Microsoft Authentication Library (MSAL), and .NET core security middleware, you can implement the OAuth2 client credentials flow without much difficulty. In this post, I go over how to leverage those technologies to protect your ASP.NET core web APIs.
Connect to azure key vault from an ASP.NET core app using azure managed identity
Of the three different ways to access an azure key vault from an ASP.NET core application, if your app runs on an azure resource, the best option is using azure managed identities for simplicity and the highest security. In this post, I go over how I configure the application and azure sides to leverage azure managed identities when accessing the key vault.
Configure OAuth2 implicit flow for Swagger UI
Published November 8, 2019
in ASP.NET core
, Azure
, Azure Active Directory
, OAuth2
, security
- 1 Comment
In this post, I share some example codes of how to enable OAuth2 implicit flow within Swagger UI to obtain an access token from Microsoft Identity Framework (v2.0 endpoint).
Pass user’s identity and authorization from a client application to a web API to another web API using OAuth 2.0 On-Behalf-Of flow.
Published October 20, 2019
in Angular
, ASP.NET core
, Azure
, Azure Active Directory
, OAuth2
, OpenID Connect
, security
- 7 Comments
A few months ago, I gave an overview of the libraries I use to implement OpenID Connect implicit flow in an angular app, and On-Behalf-Of (OBO) flow in ASP.NET core backend APIs. You can checkout this post for more info. In that post, I talk about the security flow from the angular app to the downstream APIs. The angular app communicates only with a single backend API which acts as a gateway that forwards the requests from to other downstream APIs.
In this post, I go over the details of obtaining an access token via the OBO flow to call protected endpoints from a web API (which I refer to as the gateway in this post) to another web API .
Access azure key vault from an ASP.NET core app on IIS using X.509 certificate
In this post, I go over in more details the steps of retrieving secrets from an azure key vault using client id and secret. This approach is one of the three ways to authenticate a Windows virtual machine against azure key vault. It is suitable if your app runs on a virtual machine which is not an azure resource and so cannot use azure managed identity.
At the high level, the process involves these steps:
- Register the application in azure.
- Generate and add a X.509 certificate into a certificate store.
- Grant IIS_IUSRS user permission to access the private key of the certificate.
- Upload the public key of the certificate to the app’s registration.
- Grant the app access to the key vault.
- Add codes to Startup file to authenticate against AD using the certificate.
You can find the sample project for this post here.
OIDC implicit flow in angular with MSAL for angular, Microsoft Identity Platform (v2.0) and Azure AD.
Published July 13, 2019
in Angular
, Azure
, Azure Active Directory
, OAuth2
, OpenID Connect
, security
In this post, I share my experience about doing OpenID Connect (OIDC) implicit flow using Microsoft Authentication library (MSAL) for Angular, Microsoft Identity Platform (v2.0), and Azure AD. This post is part of the blog post series in which I cover implementing OIDC flows to protect as system that consists of an angular front-end application and asp.net core web apis. In the previous post, I give a high level overview of the technologies involved in protecting such a system.