Quote of the Day

more Quotes

Categories

Recent Posts

Top Posts

Get notified of new posts

Buy me coffee

Audit your web application with Google Lighthouse.

Published November 1, 2019 in Uncategorized - 0 Comments

Today, my coworker showed us Lighthouse, a cool feature that is available in Google Chrome to quickly evaluate a performance of a website. I thought the name is pretty cool; it reminds me of the book I read before, “The Lights Between Oceans”. I just learned about Lighthouse even though the tool has been around since 2017. You specify the URL of the website you want Lighthouse to evaluate, the tool then runs a series of tests and in about thirty seconds or less, you get a report. In the report, you can see scores for: performance, accessibility, best practices, SEO and PWA. Besides showing the score, the tool also offers suggestions to address some of the issues it found. For instance, one of the angular web application I have is running with a development, non-optimized build. When I ran Lighthouse against the app, the tool showed me a low performance score of 0 as well as suggesting a couple fixes including minifying JavaScript, enabling text compression, adjusting image sizes …

Now that I know about the tool, I definitely use it when working on a web application to ensure we address issues that could degrade the user’s experiences sooner rather than later.

You can find the tool in Chrome’s Developer tools, under Audits. For more information, checkout the document.

Tags: audit web application , Lighthouse , performance test web application

Pass user’s identity and authorization from a client application to a web API to another web API using OAuth 2.0 On-Behalf-Of flow.

Published October 20, 2019 in Angular , ASP.NET core , Azure , Azure Active Directory , OAuth2 , OpenID Connect , security - 7 Comments

A few months ago, I gave an overview of the libraries I use to implement OpenID Connect implicit flow in an angular app, and On-Behalf-Of (OBO) flow in ASP.NET core backend APIs. You can checkout this post for more info. In that post, I talk about the security flow from the angular app to the downstream APIs. The angular app communicates only with a single backend API which acts as a gateway that forwards the requests from to other downstream APIs.

Obtaining access token from angular app to gateway via implicit flow to downstream API via on-behalf-of flow

In this post, I go over the details of obtaining an access token via the OBO flow to call protected endpoints from a web API (which I refer to as the gateway in this post) to another web API .

Continue reading

Tags: api gateway , implicit flow , Microsoft Identity Platform , on-behalf-of flow , web api security

Using azure devops File Transform to deploy a same angular build to multiple environments.

Published September 30, 2019 in Angular , Azure , Devops - 4 Comments

For an angular application, at build time, if you pass in a configuration name, then the webpack build tool replaces the content of the environment.ts file with the content of the environment. For instance, if you run the command ng build --prod, angular replaces the content of environment.ts with that of the environment.prod.ts. Similarly, if you run ng build --staging, angular replaces environment.ts with environment.staging.ts, provided the file exists. This approach works but it requires building multiple times for different environments. In this post, I show you the approach I learn from my coworker to build one time and deploy to multiple environments, using angular APP_INITIALIZER and the File Transform task in azure devops.

You can find complete source code for this post on my github.

Continue reading

Tags: APP_INITIALIZER , Azure Devops , build once deploy many , File Transform task

Access azure key vault from an ASP.NET core app on IIS using X.509 certificate

Published August 31, 2019 in .NET core , ASP.NET core , Azure , Azure Active Directory , IIS - 0 Comments

In this post, I go over in more details the steps of retrieving secrets from an azure key vault using client id and secret. This approach is one of the three ways to authenticate a Windows virtual machine against azure key vault. It is suitable if your app runs on a virtual machine which is not an azure resource and so cannot use azure managed identity.

At the high level, the process involves these steps:

  • Register the application in azure.
  • Generate and add a X.509 certificate into a certificate store.
  • Grant IIS_IUSRS user permission to access the private key of the certificate.
  • Upload the public key of the certificate to the app’s registration.
  • Grant the app access to the key vault.
  • Add codes to Startup file to authenticate against AD using the certificate.

You can find the sample project for this post here.

Continue reading

Tags: Azure Key Vault , GetPrivateKey , New-SelfSignedCertificate , ssl , X.509 certificate

Build and deploy an ASP.NET core app running on IIS using Azure pipelines

Published August 15, 2019 in ASP.NET core , Azure , Devops , IIS - 1 Comment

This is part III of the series in which I cover how to build and deploy an ASP.NET core app to IIS running on a Windows VM. In part I, I cover how to build and publish an artifact using visual studio. In part II, I cover how to manually deploy the artifact to IIS and go over some of the concepts such as bindings, app pools and website.

In this tutorial, I walks you through the steps to automate the build and deployment process using azure pipelines.

Continue reading

Tags: Azure Devops , build pipeline , continuous deployment , continuous integration , deployment group , deployment pool , release pipeline

Using oidc-client-js to obtain tokens from Azure AD (v1.0) or Microsoft identity platform (v2.0) .

Published August 14, 2019 in Angular , OAuth2 , OpenID Connect , security - 1 Comment

In my previous post, I mention using MSAL for angular to implement implicit flow in angular application. However, MSAL is still in preview and I could not get it to work in IE 11. In addition, I could not find a way to obtain both access and id tokens in a single call. I have switched to oidc-client-js. Besides adding the polyfills for IE, I did not have to do much for oidc-client-js to run in IE11. The library also allows me to configure response_type parameter of a request to the authorization endpoint to obtain both id and access tokens in one call. Overall, I have found the library to be more stable than MSAL for angular. In this post, I share how I configure oidc-client-js in an angular application to obtain tokens from Azure Active Directory (v1.0 endpoint) as well as some of the lessons I have learned.

Continue reading

Tags: azure ad , implicit flow , Microsoft Identity Platform , MSAL for angular , oidc-client-js

OIDC implicit flow in angular with MSAL for angular, Microsoft Identity Platform (v2.0) and Azure AD.

Published July 13, 2019 in Angular , Azure , Azure Active Directory , OAuth2 , OpenID Connect , security - 0 Comments

In this post, I share my experience about doing OpenID Connect (OIDC) implicit flow using Microsoft Authentication library (MSAL) for Angular, Microsoft Identity Platform (v2.0), and Azure AD. This post is part of the blog post series in which I cover implementing OIDC flows to protect as system that consists of an angular front-end application and asp.net core web apis. In the previous post, I give a high level overview of the technologies involved in protecting such a system.

Continue reading

Tags: angular , authorization server , implicit flow , Microsoft Identity Platform , MSAL , OpenID Connect , public client
1 6 7 8 9 10 11