On .NET Live - Securing Web APIs with Microsoft.Identity.Web

Captions
Cecil: Boom, and we're live. Hi everyone, thank you so much for joining us again this week for On .NET Live. My name is Cecil Philip, and today we've got a topic that I'm really excited about: one, because I know nothing about it, but two, I also think it's a really important topic for a lot of folks to take seriously, and that happens to be security. We'll learn how we can secure our web APIs using a really interesting package called Microsoft.Identity.Web, and today I have Christos and Kyle here, who are both on the identity team. They're going to help us sort through some of this identity black magic and really understand what it takes for us to secure web APIs that we build with ASP.NET Core. So gentlemen, why don't I have you all introduce yourselves really quickly so we can know who you are and what you're doing. Kyle, how about we start with you? Kyle, you're on mute, by the way.

Kyle: Is that better?

Cecil: Yes, okay, there we go.

Kyle: My mic is getting fuzzy.

Cecil: You're a little bit low, just a little bit.

Kyle: Okay. So hi everybody. My name's Kyle, I'm on the identity team, and I work a lot with developers on how to best build and optimize for our platform. I'm actually on our go-to-production team as part of our architecture group, so I work a lot with both ID pros as well as developers on identity questions.

Cecil: Nice. Christos?

Christos: Hey everyone, what's up? Let's do this. I work at Microsoft in the identity division. I work as a developer advocate, and I spend most of my time talking to developers and helping them build secure solutions using the Microsoft identity platform and Azure, but not just Azure, not just .NET. So we do quite a few things, and it's exciting to be here.

Cecil: Awesome. Well hey gentlemen, thank you again so much for being here. And speaking of being here, I'm looking in the chat really quickly and I'm seeing we have folks from all over the place that are joining us again.
Thank you all for joining us. I see we have some folks from Iran here, some folks from Nicaragua; I know we have some folks from South America and from all over the place. Again, definitely shout out to you if you're joining us from far away, really appreciate it. And speaking of places that are far away, I actually wanted to share my screen really quickly and talk about something that happened recently. Some of you may or may not have heard about this, but if you're familiar with the island of Saint Vincent: Saint Vincent actually just had a volcano erupt just a few days ago, and I don't know, man, some of these pictures and stuff are crazy. I'm going to scroll through a video super quick, but if you look at some of these images, this just happened the other day. This is an active volcano; it is still spewing smoke and dust and ash and all these types of stuff from the island of Saint Vincent, which is an island in the Caribbean. Folks didn't really die, but right now they needed to be evacuated. There's a lot of humanitarian relief and a lot of efforts like that set up to help, one, get people off of the island and situate them somewhere else, and also get them food and supplies and things like that. And actually someone had asked me earlier, where is Saint Vincent exactly? So I want to pull up a map really quickly. Yes, I am using Bing. But this is where Saint Vincent is located, right? So I'm going to zoom out a lot. I'm in Florida, so this is where I am; here's South America, and Saint Vincent, I'm going to zoom in, it's right here. It's just to the west, just to the right side over there of Barbados. I know folks are familiar with Barbados, so you can see exactly where that is. But all the smoke from this volcano is reaching out and affecting all these other islands and stuff, so it's really crazy what's happening. I never thought I'd be in a moment where there's an active volcano erupting. So yeah, for all the folks that maybe have Caribbean family members, or maybe you've been there before: they really need our help right now. Things are really serious over there, so if you can, send them your thoughts and your prayers, and if you could do a little bit more than that, then I'm sure they'd appreciate that as well.

Another thing I wanted to do really quickly: this week is actually Ramadan, or not this week but this month is Ramadan, so shout out to all our folks too that are celebrating Ramadan. Ramadan is from April 12th to May 12th, so I know a lot of our Muslim friends are watching from different parts of the world, and we definitely want to tell you happy Ramadan, and we wish you and your family all the best.

Now that being said, why don't we dive into some links, and then I can stop talking and we can let the experts dig into the security stuff. So the first thing I wanted to shout out really quick in terms of links: just yesterday, April 14th, we had an event called Learn Together: Building Apps with Microsoft Graph. Microsoft Graph is our APIs that give you a lot of insight into what's going on inside of your Microsoft 365 account. This was live streamed yesterday and all the videos are already up, so if you're interested in learning about Microsoft Graph, I'll show you the link to this. This is actually on Channel 9, and you can watch some of these videos and learn about using Microsoft Graph. I think there's one here about building bots and personal assistants, working with Teams data, and things of that
nature, which is really cool, so definitely check that out. Another thing that I wanted to share with you, which I thought was pretty relevant to what we're talking about today: we actually have a beginner series on web APIs. So maybe some of you are just getting started with .NET, maybe just getting started building web APIs with .NET. We have a 100% freely available beginner series on web APIs, I think it's about 18 videos, that covers things like routing and HTTP requests and responses. We don't cover security, but maybe in part two we'll get to that; I know Christos is going to be mad at me for that, I apologize. But again, if you're just learning about web APIs, this is a really good course for you to check out. And last but not least, another resource that I think is very relevant to what we're going to talk about today, and that's this On .NET episode that Christos and Kyle did just around December, so not too long ago, talking about MSAL and Microsoft.Identity.Web. So again, I'll show you these links in the chat and you'll be able to find them and check them out if you're interested. I hope you all take a look at some of these.

Now I'm going to take my screen off, because y'all have heard enough from me, and this is not the Cecil show anymore; this is going to be the Christos and Kyle show, that's what we're doing today. So gentlemen, why don't we start talking about Microsoft.Identity.Web, and I think a good place to start is: well, what is it, why do we have it, what is it for? What exactly are we expecting developers to do with it?

Kyle: Sure. As I look at ASP.NET and ASP.NET Core, obviously Core is the new wave here, but for quite a while these platforms have had built into them some basic capabilities around modern authentication and authorization, so this
token-based process to authenticate a user and to authorize an API. So at the heart of these platforms there is, for example, an OpenID Connect capability; there is a capability to use JWT bearer tokens for authorization for APIs. So that's built into .NET Core. Where it becomes interesting is: what do I need specifically to start doing things that optimize those two components to use Azure Active Directory or Microsoft identities as the actual identity provider there? So Microsoft.Identity.Web makes it very easy for you to go ahead and use Microsoft identity to be that identity provider across your applications and APIs. It's a way of making the core capabilities of .NET Core a lot easier and more efficient for you to use as a developer.

Cecil: Okay, that makes sense. One of the things I always think is, every time someone says "easy" in security, I always get really scared, because in my head secure and easy aren't always synonymous. But I really feel like this particular NuGet package is really helping us go in that way of making security something that all developers could do in a very comfortable way without having to pull out their hair and stress out too much. Now one thing I want to ask you too, before we really dive into the demos: how much do I need to know about security protocols to use Microsoft.Identity.Web? I know there's OpenID, and I know there's OAuth 1, 2, 2.1 stuff, right? There's JWT tokens and bearer tokens and all kinds of stuff. If I just want to secure my web API, how much of that do I really need to know?

Kyle: Well, if you're talking about the web API itself, almost nothing. What happens when we protect a web API happens regardless of how I might have acquired the token. So we've got protocols for how the application is going to acquire a token for a web API, but for the API it's actually a very straightforward
thing: you're going to get an Authorization header and a bearer token, and that's really what lands on your doorstep. Someone makes a call to your web API. Your API says: I need authorization in order to call my API; I need to know who the user is in context; I need to know that the user has allowed your application access to my resource, to my API. And it does that by presenting a token. Now once that API gets the token, it doesn't need to go off and call Microsoft identity for anything. It doesn't authenticate, it doesn't go through a user flow or anything like that. It inspects the token, and as you mentioned, we use a JSON Web Token, or JWT, which has a way of doing validation of the token without always calling back to the identity provider. You do need to call to get our signing keys and cache those, but generally you don't call us very often. And then you simply go through the steps that Microsoft.Identity.Web and ASP.NET Core build in for you: is this token valid, meaning has it been tampered with; then I check to make sure it's coming from someone I trust; it needs to be targeted at me; and so on. So I look at the information that's contained in this token. We call those things claims, a name-attribute pair that we just refer to as claims. Your API inspects these claims to determine how the API will work in this case. So I don't need to know OpenID Connect or OAuth2 or anything. Yes, I'm the ultimate beneficiary of that as an API implementation, but I don't actually have to know those protocols at all.

Cecil: And so I'm guessing, assuming that we're using the identity platform, which everyone should be using, I'm guessing that I could just rely on that thing to do its job, right? Like we're going to rely on that thing to issue the tokens and handle our registrations, our client registrations, and our
app registrations, and on my side I can just work with Microsoft.Identity.Web, the package and the collection of libraries associated with that, and I can just focus on business logic more so than the right flow and the right responses to these security claims.

Kyle: That's absolutely our desire. We don't want to see developers digging into the protocol. There's nothing wrong with rolling up your sleeves and doing the protocol, but you have to be aware of what you're investing in. These protocols are under constant surveillance, if you will, and if a vulnerability were to be determined, there'll be a mitigation that's also determined, and therefore it will be on you to go in and implement that mitigation if something were to come up. So these protocols are constantly under evaluation. Today, for example, we have OAuth 2.0, but OAuth 2.1 is already in the wings and being worked on, and it's changing things. It's saying this practice is no longer allowed. So for example, implicit flow, one of the details of these protocols: it used to be recommended, and now we're not recommending it anymore; come OAuth 2.1, we'll say you can't use it anymore. All of that would be work you would have to keep up with if you did a protocol-level implementation. When you use Microsoft.Identity.Web in your ASP.NET Core app, you can do things like: I'm using it on the client side to acquire the tokens; I don't need to go and learn protocols; I can just say here's what I need to do. You do that by something called a scope: my intention is to read data, my intention is to write data. Once you ask for a token that authorizes your application to access that resource, then you go ahead and pass that token off to the API. So with Microsoft.Identity.Web we want to make it a lot more straightforward, so you focus on: well, what's the right thing to request? Am I reading, am I writing, do I need something else? And then making sure that you provide that, and everyone can simply work off those tokens being exchanged.

Cecil: Awesome. Well, that sounds like a really good introduction. How about we dive into some code and take a look at the demo, so we can see how we can start plugging some of these things together?

Christos: Okay, so actually, maybe while Kyle is doing that, there are a couple of questions that we could answer. One of them is: what is the relationship between Microsoft.Identity.Web and MSAL? So Microsoft.Identity.Web is built on top of MSAL, and even though you're not interacting directly with MSAL anymore, it uses MSAL behind the scenes to acquire tokens for you. It's also free: Microsoft.Identity.Web is a free package that you get via NuGet, and you need an Azure Active Directory or a B2C to authenticate somewhere. It doesn't work with other providers at this time; the team has big plans, but I can't promise anything. But yeah, this is the question we had live, so I thought we might want to answer it, because other people may be looking into this and have some questions.

Cecil: Yeah, for sure. Okay, so actually your screen's up. So yeah, why don't we dive into it.

Kyle: Okay, so actually I want to start before coding, unfortunately, sorry about that folks, but I would like to think about some design questions that I want to have in mind as I create my API. So the first thing, my
first decision, if you will, is I'm going to protect my API with Microsoft identity. So having made that decision, I have to do something, and specifically I have to go and create an app registration. So let's do that. In this case we're going to create a new app registration. This is so that I can declare, if you will, to Azure AD or Microsoft identity that I want to delegate this capability, this functionality, off to Microsoft identity and Azure AD. So let's create this, the .NET Live API. Now this is just a display name, so I don't have to have underscores or anything; I can make it nice and readable for my user. And now I do have to make my first decision, which is: where will my users come from? If I'm writing a line-of-business API, maybe I only want people to be able to use this API if they're from the tenant in which I'm registering this API. So in other words, in my company I'm creating an API only for my company's use, so I'll restrict it to only my company's users. But I could ask for users from other providers, like anyone with an Azure Active Directory identity, and so on. So I'll go ahead and use this as a multi-tenant API. It's a choice, and one of the nice things about Microsoft.Identity.Web is it will help you specifically deal with the nuances of a multi-tenant API in Microsoft identity. Basically, under the covers there's going to be lots of different issuers, and that's a big hassle too: if I was just using ASP.NET Core, it's kind of a hassle to set all that up. Microsoft identity handles that entirely for me, so it's much easier for me to create a multi-tenant API. In other words, I will allow people from many different companies to use this application, or this API.

Cecil: So is that it? Like, are you done registering?

Kyle: I'm not done yet. So far I have an app registration, so I'm going to do a couple of things here. First off, I want to do a little cleanup. I'm
going to go to the API permissions. This would be the APIs that this API is asking to call, and I don't need any of these, because I'm an API myself and I'm not planning to call any other API yet, so I'll just clean that up. The key part here is I need to say I'm going to expose an API, so I'm declaring now that my application is exposing an API. Now we have two different kinds of what we call scopes or permissions that I would deal with as an API designer. I have to think: what do I want my API clients, the people calling my API, to be able to use on behalf of a user? So I want to have an API that lets me read the user's email, or read the user's data. So that's one tier: acting on behalf of a user. I might also, as an API designer, think: hey, I want to have it so that somebody could write a background process or a service of some description where the user isn't there, but it needs to work across different users, without a user present. In that case I'm going to create an application permission. Let's start with just a delegated permission, a scope where I'm only going to work on behalf of the user. Now the first thing I actually have to do is set my Application ID URI. I can either do it here, or if I try to get away without doing it, we're going to make somebody do this step first. This is basically the identifier of your API. We need to have a unique identifier across the enterprise here to make sure that, if you're asking for a scope, maybe we all want to name a scope "read", and obviously I need to know whose read scope is being referred to here. So we need a unique identifier, which is why we pop up our first suggestion: hey, you can use the api:// form and simply use your app ID, which is the unique identifier for your API. I could, if I wanted to, say I have an API I'm going to be
publishing; maybe I'll use an HTTP address. That's okay. We will give you some hints about what's not allowed; I think if I type in enough wrong characters here it'll tell me. But I can go ahead and type in a few different ones: I can use api://, I can use an HTTPS address. We will start checking: if you're a multi-tenant API and you say you want to use an HTTP address, it has to be an HTTP address that's registered to your tenant, so you can't say I'm exposing an API for some other entity. This is really just the identifier, and it doesn't mean that you have anything implemented there. Obviously I don't have anything implemented at api:, but it is a way for me to uniquely identify my API. When someone says hey, I want a token to use this API, there's my identifier.

Cecil: Just a recap really quickly: all that you've done so far is you've gone into the Azure portal, you've gone into your Active Directory application listing, app registrations, created a new app registration, and this app registration is going to represent the API that you haven't deployed yet but will at some point. And now the things that you're thinking about are: well, how do I want people to interact with this API? Who's going to use it, what types of processes or clients are going to be able to interact with this thing and request security credentials?

Kyle: Right. And now I'm starting to think about what functions I'm going to have in my API. Can I provide what we call a least-privilege model? What we want is for a developer to be able to say my application is only going to be used to read data, and therefore the tokens we issue to that application will only allow reading data. That way, should there ever be a compromise of the token or the application, it can't be misused to write data instead. So we want to make sure that an application developer can effectively declare his intent: I intend to
just read this data, or I intend to update the data, and we provide the capability only to do what the developer claimed they wanted to do. So we could have one scope for the whole API, like access_as_user, but that doesn't allow me to have a more sophisticated model going forward, like: hey, you know what, I've got a new API and it resets, say, the data for the user; therefore I should only have some applications be allowed to do that, and I need to make sure that that application was coded correctly. So as an API designer, I'm deciding now what levels I can provide. I can have a read scope and maybe a write scope; maybe I have a special one for delete. It all depends on what I expect the shape of my API to be. So here I'll just declare a read scope. My next decision is who is allowed to consent, and as an API designer, this is my suggestion to both the developers who are using my API as well as the IT pros who, in lots of enterprises, are approving who gets to use this, whether this app is allowed to access this resource. This is my way of saying how sensitive this permission is. So if I say admins and users can consent to this, I'm saying it's okay for a regular user to say I want to use an app that uses this API. So for example, in our Microsoft Graph API, User.Read is one where we think it's okay for a user to say I'd like to sign into this app. I could say that only admins are allowed to grant this permission, meaning an admin should have a solid look at this application to determine if it really is trustworthy enough to have access to that information. So we have a User.Read.All scope that only admins can approve, because there's a lot of sensitive information in reading the full user profile of everyone in the enterprise. I would know, for example, who reports to whom, and if I'm going to target a phishing attack, that's a great bit of information to know. So we want to
make sure that we can fully trust an app that would get that scope. So for read, we'll go ahead here and pick users and admins, and here I can say "read your data". This is the message that's going to go to the user when they see the prompt: hey, this application would like to read your data. That's just the display name; I can give a little bit more description here, and that's what the user sees. Now if I have an admin consent item, or one that has both, I also have an option here; sorry, the first one was the admin. I have this option of saying the admin can do it, so I would say "read the user's data", and here I would have more information. Sorry, I got these in the wrong order. I can have more description here, and then I might say what the user would see if they weren't an admin. So I have this option of customizing the consent experience, based again on describing what it is they're allowing an application to have access to. If you say that the application in question gets read permission, what does that mean? So this is your opportunity to make a case, if you will, to both the user and to the IT pro, if they're managing this, as to what exactly is the result of granting that consent to an application that requests it. So we'll go ahead and add that scope. I would then go ahead and add another scope, which we won't do right now, but to do least privilege: I have read, and maybe I only have reading in my API, but then I would want a write, for example. I probably want to have a write that goes along with that, because that allows this least-privilege model. I'll just fill them all in the same, but in this case, since it's write, I'll say this requires admin consent. And now I have an opportunity to have a least-privilege model for the client APIs that are going to call my app. So that's how I
define a delegated permission, or a scope, so that an application can now come and say I would like to be authorized to call your API's read capabilities, or maybe the read capabilities and the write capabilities. I can design what these scopes look like, and the shape of the consent model around my API, by how I define these scopes.

Cecil: Got it, that makes sense.

Kyle: Now there's one other type of permission. So let's go ahead here and I'll start a quick application that might be using this API. I'll start a quick app registration here, and we'll make this a multi-tenant app as well, although we could be single tenant. They're not associated here, they're not necessarily linked; any application could be calling this API. In this case, of course, we will be declaring an API permission. So let me go ahead and add here: I go to API permissions. I've declared that this app exists; now I want to say this app is going to call our .NET Live API, so I'll go to add a permission. We try to make it a little easier for folks to find the permissions. So first off, we list all of the APIs from Microsoft that are actually protected with Microsoft identity. We also show all of the APIs that are already available in your enterprise, and this might be short or long depending upon how many capabilities your enterprise is using. To shortcut this a little bit more, since I registered the API, I can find all of the APIs that I own or registered here, and here I see that I have a delegated permission defined. I can't do anything about application permissions yet, but there's my delegated permission, and I can pick which one I want to have my application use. And notice here when I look here...

Cecil: So you have two registrations: you have one for the API itself, and now you have to have another one for the client that's going to call the API, right? So if third-party person X wanted to build an app, I don't know, maybe Kyle and Christos's amazingcompany.com
has an API, they'll have to have some kind of way to create a registration for that API before they could start making calls to it.

Kyle: They would only register the client part, the one we just did now. They wouldn't register the API, because we've already done that, but they would register another app that wants to call this API.

Cecil: Got it. And I think that was important to say, because we have someone in the chat from YouTube, Edward's asking: could this be integrated with a Xamarin app? So just like you created a client registration, you would have to create a registration for that Xamarin app itself, and then very similar steps you'd have to follow, right?

Kyle: Right. And you do an app registration for the clients who will call this API, and certainly these apps can run anywhere. We have the Microsoft Authentication Libraries, the MSAL libraries, for a lot of environments; there's a lot of open source OpenID Connect certified libraries that you could also use from just about anywhere. So far we haven't done anything that's tied to anything: it's not tied to Azure, it's not tied to any of our libraries, but certainly we provide lots of great tools if you want to use those. So I'm going to do one more quick thing before we pass over to Christos so he can show you a cool demo. I'm also going to want to expose an application permission. What I've done here is allowed an application with a user sitting in front of it. Whenever a user sits in front of an application, you always want to do these on-behalf-of delegated scopes, because the application should be bound to only what the user is allowed to do. What we don't want is an application that's allowed to read everybody, and then somehow the user or a bad actor finds a way to compromise the app and expose information that that user should not have been able to see. So what we want to do is make sure that
whenever a user is in front of an app, we always do a delegated permission; the app is only allowed to act on behalf of the user. But there are lots of things that don't have users in front of them: I have a background task that goes through and archives the data every night, or analyzes the data for this, that, and the other thing as well. So how do I make it so that those developers can also use my API? First off, I have to think what capabilities I will provide to these apps. I might have a slightly different set of APIs here. So for example, I might be able to say data.read for my user delegated permission, but I might need to say well, read this specific user's data for my application permission, because the application is the only one who could tell me which user's data to interact with, because the identity system doesn't know who the user is; there is no user. So if I want to expose that capability in an API, I actually have to do something slightly different. Instead of exposing another scope, I'm going to expose something called an app role. We use app roles because what we're really going to do is: the API designer is going to create a role, and then we're going to assign that role to the application itself in order to call our API as an application instead of a user. So I'll go ahead here and create an application role. In this case, let's call this one "read write". I would probably want something similar in terms of least privilege to what I did on the user ones; I'd want probably a read and maybe a read write, but I want to provide a least-privilege option for my developers. In this case, our allowed member types here is going to be applications, meaning I want to assign an application to this role, so that becomes this app permission. I'd use a similar construct, these app roles, if I wanted to assign roles for my API to individual users or groups. So I could have an API in my enterprise
and say, well, if a user from this group is using this API, they get admin capabilities, but if the user isn't from that group, or isn't assigned the admin role, they get a different set of capabilities. So I can actually declare that I want roles for my API that are assigned to users and groups. In this case we'll go ahead and just ask for applications, but it's possible even to do both. So again I have the display name; let's make this a little bit nicer, we'll say it's "read and write", because this is a human-readable section. The value that my application will get in a role claim is what I'll write here, so that's what I'm going to look for in my role claim. And then I have a description, again, that will be shown to the admin when they grant this permission. So I've defined that; now I have an application permission. So if I show how an application might declare this: now, I would never want to declare an application that had both application permissions and delegated permissions, because that leaves a security hole where the application could be compromised. But let me go ahead here. Oops, I'm in the wrong tab; let's go back to our client. Oh, I declared that on the client, I'm sorry, I declared that on the client, not the API, but it's the same steps for the API. And if I went to the application permission here and were to declare one, you'll see that because I've declared the app role, in this case it went on the client, the app permission tab is now turned on.

Cecil: Ah, got it, okay.

Kyle: Right. So I apologize, I put it on the wrong client. The reason we allow that, by the way, is there's nothing preventing an application from both being an app and exposing an API. Depending upon how your application is developed, both are possible, so it is a valid thing. It's just that I wasn't intending for this app to expose an API.

Cecil: And that would be a situation
where you wanted to have an API call another API, for instance, and so you might want to give that API a particular role or something. Yes, yes, exactly. If I had that, I would do that. So at this point in time I'll hand it over to Christos so we can actually see this in action. Nice, let's do it. So I'm going to switch over to Christos' screen. There we go. Yep, and your screen's up. Perfect. Okay, looking now. We're going to take what Kyle has said and we're going to use it. I know it's a sensitive subject, but we have a volcano API, which I was not planning for this show, so the timing is weird, but if you search for Cosmos DB data, one of the samples that we provide you is a volcano dataset, so I loaded that on Cosmos, because usually APIs are not terminators; they will be the gateway to your data. It could be another API, it could be a third-party API, it could be our first-party APIs like Graph, SharePoint and what have you, and it can also be data. You could be accessing data, and lots of apps are doing CRUD, so an API approach is perfect, because you have a mobile app that calls your API; we can also have a web app, you can have a desktop app, therefore most of the logic goes into the functionality. Someone's asking about the theme: my theme is a bearded theme, it's the Bearded theme, because it needs to go with my beard. If you go for "theme" here, there you go, it's called Bearded, it's fantastic, download it, although today GitHub released some fantastic themes as well, so go and have a look at them. I haven't tested them out. Yeah, that is a really nice theme, that is a really nice name. I know, it's nice and mellow, not too bright. A video on GraphQL? You know what, we'll take that request and we'll put it on our 425 Show. In fact, we were going to collaborate with Hasura, because they have Azure AD integration, so we can authenticate users with Azure AD and then use Azure AD to authenticate back to Hasura for
GraphQL, and I suspect there are other GraphQL solutions there, but for now we're going to use Cosmos DB, and I want to use Cosmos DB because there's an exciting announcement about Cosmos: two weeks ago we did announce GA support for RBAC permissions to Cosmos, which means that we can now use Azure AD and RBAC to not only authenticate users to Cosmos but also restrict their access using RBAC permissions, and also use managed identities. So unlike in the past, where you had to provide a Cosmos key to authenticate to your Cosmos client and call the data, now we can do all that without using any passwords or any secrets or anything else. So my API here does two things. One is integrating with Microsoft.Identity.Web, so we have a front end; right now we're going to use Postman for the sample, but you could be using anything. In fact, the GitHub repo I shared has a Xamarin app that calls into these and gets the data and displays it nicely. And so we're using, on line 24, a single line of code: I'm switching on authentication. I mean, it can't get easier than that, unless we eliminate code altogether, I don't know. It's just one line of code. And I'm guessing that configuration is maintained in configuration? There's nothing sensitive here, because remember what I said up here: remember I said I don't have any client secrets, and the API is not doing an on-behalf-of, it's not trying to get any tokens, so it's the Azure identity that actually does that for us. Therefore I don't have to have a client secret. I'll talk about that in a second, because that's a great segue to something I want to talk about. But what this API is doing currently: it's accepting an access token, it makes sure that the token is valid, it will check for signatures, it will check for expiration date and everything else, and then in my controller, this fantastic controller over here, it doesn't do much, it just says go and get me the data. It's a read-only permission, so if I wanted to write to my
Cosmos it will fail miserably. Obviously the scope is not named accurately; I named this scope "access cosmos data", I should say "read cosmos data" probably, or "read-only cosmos data" would probably be more appropriate, but I only have one permission. And then someone's asking about RBAC. So RBAC is resource-based access control, not R-B-U-C-K. If Cecil can send a link to that: it means that you can actually use resource-based access control to finely tune the permissions to your resource. You can create custom ones or you can use the built-in ones. For Cosmos and Azure AD you need to use a custom policy right now, but they have fantastic documentation on how to achieve this, and I'll be putting out a blog post as well very, very soon, so you can follow along. Now, in here the magic happens on line 21. In this line we actually get a token. So we make sure that the access to this controller is authorized, so you need to have a valid token here, otherwise you get a 401. But if you come into this action on the GET and you don't have the right scope in your token (so not just any token, it needs to have the right scope), then this one will blow up and it will return a 403 and we'll say you're not authorized. So you're authenticated, but you're not authorized to access the data because you're missing the scopes. And in the past, I don't know if you ever had to do this yourself, you know, artisan code, but before Microsoft.Identity.Web we had to write 25, 30 lines of code to look into the token, make sure that it has the right claims and do all that. We do that for you in a single line of code, and once you pass that, then we call into line 21.
Yes, and then we call into the data service. Now, the data service is where the other magic happens, and we don't get to talk about managed identities that frequently, because it's another fantastic thing. If you're running on Azure, then Identity.Web underpins a lot of resources with managed identities, so your front end can have a managed identity, and within that context that your application is running, you can also configure the back end to be aware of that managed identity and allow you to securely access that data without having to authenticate; the authentication happens behind the scenes for you. And what you see here on line 13 is me instantiating a token credential using the Azure Identity library, and I want to be very explicit about that: I say you can authenticate on the local machine, it's going to use my Azure CLI credential, and then when it's running in production it's going to use the managed identity credential, because on the local machine it's not running on Azure, so I can't have a managed identity. But I don't have to change my code; this code can run locally and in production without changing a single line of code, and I don't have to authenticate. And then further down I'm just saying create a Cosmos client with this token credential, and it is provided for me and I don't have to do anything. So let's see it in action, because I've been talking a lot and I haven't had a chance to run it. And then we do have a couple of questions from the chat. So the first one is: when you're showing that chained credential, I think sometimes some folks have seen the default credential; what's the difference between what you did and using the default one? Well, I don't like the default one because it will bring anything in the chain, right? It will sequentially try everything; it will say, do I have anything in the environment variables? No. Do I have anything in Visual Studio? No. Do I have anything in Visual Studio Code? No. So
we'll try all the permutations, and because I want to be explicit about how we authenticate users I tend to either say chained token credential or just provide it to you. I think the chained one is the best, because you can explicitly fine-tune the providers, but there's no difference; you can use the default if you want and go with the simplicity. But I like to know where the credentials are coming from, so if it fails on my local machine I know that my Azure CLI credentials have expired, or I need to be authenticated, or something is wrong. And the way I would usually do it is probably set up a service principal on my Azure CLI, so I'm signing in on my local machine with a service principal account that has a lot less permissions than me running with god permissions on my subscription, because a lot of damage can happen, as we all know; I've done my first set of damage there. So now the API is running, right? So the API is now running and it's expecting a token to be passed. So let's see, I'm going to use Postman for this. I think I have deleted my token, so it doesn't have a token down here; we should get a 401. Oh no, you know what, I haven't deleted my token, that's right. So let's go and remove the token from here, let's give it a broken token. Right, I've deleted it. Okay, from an old demo, so I'm guessing you'd have to get a new token. Yeah, so this one, you see it says 401 here, it failed miserably because I don't have a token. So let's go and grab a token. This one is using client credentials, but one thing you can see here is that I have the scope, so I'm authenticating and I'm also requesting an access token for my API. And down here I'm going to get a new access token. It may or may not prompt me for authentication; it's prompting me now. It doesn't, I'm already authenticated with that account, so it knows the authentication succeeded. Let's use this token, and now if I call that same endpoint, the 5001 volcano endpoint, it runs and we get back the volcanoes. The same
application, exactly the same application, is running in production. So right now it's using my Azure CLI credentials, but if I go into my production environment, let's switch to that, it's running here under my cm api demo. I have an identity configured, so this identity that my demo is running under is configured to be able to speak to Cosmos. If I didn't do that, then it wouldn't be able to access the data, and I haven't changed anything here in terms of secrets, in terms of anything else; the exact same code has been pushed to production. So I deployed, in fact we deployed while we were doing the demo this morning, so that was exciting. What I want to say here, if we go back to the code, is that in some cases you may want to access secrets that are not part of your resources, let's say an API key for a third-party provider that's not stored anywhere. .NET, or ASP.NET, has a fantastic segue into working with (I'm in the wrong place here, I need to go into Program) bootstrapping your config files with secrets that are pulled directly from Key Vault. So if you haven't seen this one, again, this is managed identities all working behind the scenes to make it happen for you. So if I jump to my appsettings you'll see I have some config value that comes from Key Vault, right? And that means that, right now it's empty, but when my application bootstraps in Program it will go and find all the secrets I have in Key Vault and it will try to map them to my config, and then I can populate these config values on the fly as the application is running. This is not directly associated with Microsoft.Identity.Web, so I see we're slightly diverting from that, but I'll do a full circle and come back, because as of yesterday we released Microsoft.Identity.Web, yes, brand new, it's brand new, and if you see down here it says it adds support for Azure SDKs, which means that now we can authenticate the user, grab an access token and then do an on-behalf-of-the-user call to
resources. So in this instance it's using the storage account, and what you see here is there's a call that comes in here in the blob, then it actually gets a scope for that, it's using the ITokenAcquisition to go and grab the token and then passes it back to the blob client, and then within the blob client we can actually create a new blob. So in the past you had to use Azure Identity and it wasn't very clear; you had to create a custom MSAL provider, but now it's built in, so they work very, very well. So the example I showed you there, if you go back into the API permissions, for example, let's go here, that's not the right one, we're here, let's see if I can find the right one, there, and then in API permissions, I don't think we have one for Cosmos, but let's see. Oh, we do have one, check this out. So now I can create a permission here, I can say user_impersonation, and I can use the exact same code; instead of saying create blob we can say, that would be our storage account. That is awesome. I didn't even know, I just found out like an hour before we went live. On the street just two seconds ago, right? So it's fully end-to-end and it's working great. It protects you from doing silly things; we've made the experience a lot smoother, from implementing it to getting tokens to securing access to other resources, and I love it. Microsoft.Identity.Web is my favorite toy. I can imagine. So we got a whole bunch of questions; I want to make sure we take some time to go through some of these. So the first one, this one's coming in from YouTube, this person is asking: "I'm rather new to .NET, so will this enable me to stop using JWT as a way to secure my APIs?" So I always love when you folks answer questions; I always want to make sure we give them a moment and acknowledge them. So, Kyle or Christos, whoever understands, you want to take this? Sure. Under the covers we use JWT tokens, so it takes away you having to
deal with, think about them. As you can see, we have APIs that are handling it for you, but under the covers, the scope that was being checked for in the code we looked at earlier was passed to the API with a JWT token. So it doesn't remove them, it just makes them a whole lot easier to work with. Nice. And then the next question we have, also from YouTube, this person is saying, I'm guessing this has to do with the API code you showed, Christos: "Do we have to call VerifyUserHasAnyAcceptedScope in every action, or can this be moved into a class like a filter of some sort?" You could, but then again, the point here is that different actions will probably have different scopes, right? And therefore there might be a GET access, so get all the volcanoes, but then there could be another endpoint or another action there that says write volcano, and then another one for delete, and the expectation there is that users should either have the right scope there or pass the right scope. And I would probably avoid giving a blanket scope to everyone. Like Kyle showed before, we have an admin-only scope so that people can go and manage the data, and then a user-and-admin scope which is for reading data. I mean, it depends on how you put your actions, maybe, I don't know, but you could probably have a global filter for that specific controller, and then you can have another scope and a filter for another controller. So it definitely depends on your API design, but it is possible. You don't have to call it, but best practice would be to always check for the right scope. Sure, yeah, and I believe we agree with that; that makes a lot of sense. Also coming in from YouTube, this person is saying: so how does Microsoft.Identity.Web handle token renewal? So if you're implementing an API there is no token renewal, because it's a receiver of tokens; therefore you just get the token, it's either valid at that
instant or it's not, and you proceed. On the client side, so if I have the app that's calling my API, we handle token renewal under the covers. One of the things we provide is that Microsoft.Identity.Web works with our MSAL library to handle all of the caching of the tokens, so that when you just ask for a scope, "I need a token for this scope", we make sure we get the right token for you. Now, that might mean that under the covers we have to go and refresh the token, which would happen, in something like an ASP.NET Core web app, using the auth code flow and refresh tokens and a bunch of stuff at the protocol level that I don't really need to worry about, because we handle reacquiring this token for you automatically. Got it. Yep, yep. And there's caching, by the way, right? We have built-in caching with a single line of code, so you don't have to implement your own caching on top of that. Yeah, I forgot to mention that. Okay, here's a question that I know you all get probably pretty often; I know I get it randomly as well. This person says, "I'm currently using IdentityServer4.
Can you migrate to this easily?" And I guess what "migrate to this" means is migrate to the identity platform easily, and how would you do that migration, if that's possible? Well, if you want to migrate, usually it involves checking out a lot of old code and bringing in the few lines of code for Microsoft.Identity.Web and the new library. Obviously I don't know what the code of this person looks like, and there might be some complex logic. I mean, IdentityServer can achieve a lot of things and do a lot of stuff, so there might be some configuration settings that also need to happen on the Azure AD side of things. So it's not just the code changes but also AD changes, and Kyle may have more experience on that than me. Yeah, the first thing is that when you use something like IdentityServer you're really abstracting away; you're having a directory and a solution specifically for your solution. Our offering in that space is really more Azure Active Directory B2C, which allows me to have a directory for my solution that isn't necessarily relying on a particular enterprise, a particular Azure AD instrumentation. So, slightly different. Now, if today I'm selling primarily to Azure AD customers, maybe I'll use Microsoft.Identity.Web etc., but if I have an application today that's backed by IdentityServer, I could look at, are there settings, as Christos mentioned, are there settings and configurations I need on Azure Active Directory B2C, and then from there I'm going to still use OpenID Connect, which is what IdentityServer uses out of the box, but I will have to make some adjustments to working in our B2C world, where we have different things like sign-up flows and so on. So there is a bit of work; at the conceptual level they're very similar, but the devil is in the details here. Yep, yep. Now, I know a lot of folks usually ask, how do I choose between B2C and Azure AD?
Could you very briefly give folks the feature-set difference, or, you know, when would I do one versus the other? Well, for me it comes down to what we were just saying. I use Azure AD B2C if I'm looking for a directory and authentication for my solution specifically. We call it business-to-customers because we allow customers to bring their own identities, not just corporate identities; you can federate with an Azure AD or a SAML or an OpenID Connect provider, but also consumer-grade identities like Facebook and Twitter and so on, where I can bring those identities, but the directory, if you will, the list of users and the profiles of those users, is stored within the Azure AD B2C tenant. So I'm effectively providing that resource to my solution. When I build a multi-tenant app for Azure AD, I'm saying I'm going to use the infrastructure that's been provided by my customer. So I could use that approach and build an OpenID Connect client; lots of people build those kinds of applications. Lots of people have built in the past SAML-based applications that can just be configured to call to an identity provider like Microsoft identity or Azure AD that supports, say, OpenID Connect, so I could build a generic client that understood how to call OpenID Connect, and that would work on the infrastructure of whoever I'm providing the solution to, whether my own business or someone I'm selling the software to. So is it fair for me to say then that Azure AD B2C is more for publicly facing applications, public web applications, things that anybody could kind of sign into, Facebook, Twitter, GitHub accounts, those types of things? Sure, so some of... go ahead. Okay, and then Azure AD is more so internal applications, like my company is my customer, you know what I mean, and so we're all under the same tenant, and so now I'm going to expect you to use that company tenant to auth? Yeah, either that, or I'm selling
my software to businesses who want to sign in with their corporate identities. If I'm selling software and I don't want to say, oh, you have to set up an account to use my app, it's like no, I'm using my corporate app, I have users here, they're going to use their corporate identity. So if I'm using that then I'm using Azure AD. If I want to reach out directly, publicly facing, so some of our examples, for example: the folks at Subway sell their sandwiches using Azure AD B2C, FIFA organizes their World Cup attendance and notifications and such, and so on. So those are the people who are reaching directly to their customers, that public-facing view as you mentioned, Cecil, and Azure AD B2C is a great choice for that. Awesome. Plus it gives you 50,000 free users per month, right? So that's fantastic. Active users, yes. Unlimited sign-ins for 50,000 active users. There you go, yeah, that's awesome. All right, so it looks like we covered most of the questions in the chat so far. If you all have any more questions for Christos and Kyle, please feel free to go ahead and drop them in the chat; we are looking at them across YouTube and Twitch, so wherever you're watching, we are going to try and service your questions. One thing that I want to ask the both of you now: so we've seen how to do the app registration, we've seen how to plug in our app using that NuGet package. What are some of the things that we can expect for upcoming versions of Identity.Web, whether it be new templates or Visual Studio experiences, maybe different application models like serverless and things of that nature? Is there anything else that's interesting that we could see coming in the future? I have one really big one. Christos, could you scroll down there a little bit on your window? "Enable support for continuous access evaluation." Yes, this is a huge new feature of
Microsoft identity in general. So what's going to happen here is we now have a way to revoke a token. So I give you an access token today to, say, Microsoft Graph, and it's good for an hour, and now if something happens to the user during that hour, we kind of have to wait for the token to expire at the end of its hour before it stops being able to be used. But now with continuous access evaluation we can revoke that token in moments, so within minutes the user can no longer access something. So I've got a stolen device, I go and revoke that user's sessions, and instead of being able to use it for the remainder of whatever its token lifespan is, for an hour, boom, it's invalidated in moments, and that is much more secure. On top of that, for your application, since we can revoke the token, we'll give you a token with a much, much longer lifespan, so instead of an hour it'll be a day, maybe, something like that, right? And what's really cool is, under certain conditions, and this is regular for us, we can instruct our MSAL libraries, or Microsoft.Identity.Web in this case, to refresh the tokens well before the end of their lifespan. So I give you a token for 24 hours, I say to Microsoft.Identity.Web you can refresh that token in 12 hours, so now I've got 12 hours to reacquire a token before I need it. That means if the internet goes down between me and Microsoft identity, or any other interruption of any description, I can survive that as long as it's less than 12 hours. Nice. So now the resiliency of my application has increased dramatically, the security of my application has increased dramatically, and this is just... but it does require cooperation from developers, because what's going to happen is we're going to give you a 401 on an API call to, say, Microsoft Graph, which is in preview today, and that's what's going to tell you you need to go get a new token. So we do have a doc up on our documentation that tells you how to do this, because
what you have to do is you have to watch the Graph API calls, and when we give you a 401 with something called the claims challenge, you'll say, oh, I need to take that claims challenge and go back and get a token. So the fact that we have built this into our latest Microsoft.Identity.Web release is a real big deal. That's awesome. And then a quick question from Daryl coming in from YouTube about that revocation you spoke about. He's asking, is the revocation claim-based, or is it achieved through reference tokens? Neither. It's achieved by the fact of you attempting to use the token at the API, because where the actual listening is happening is between Microsoft identity and the API implementation. So we set up a push channel so that we can push revocation events directly to the API, and then when you use the API, which is what you were going to do anyway, we can tell you they revoked the token. So the API isn't calling us all the time to say, is the token okay, is the token okay, is the token okay? Yeah, and neither is your client, right? We just push the notification out, if you will; we push the event out to the API and say, the next time that app presents a token, say it's no good and tell them to come back and talk to us. That's awesome. It's almost like when we used to talk about long polling with real-time events. Yeah, it's always better to get told versus continually asking, are we there yet, are we there yet, are we there yet? Okay, we're here now, you can stop asking me. Exactly, yeah. CAE is fantastic; I can't wait to start demoing and working with it. It's still in preview, so it's early days; the standard has not been ratified, but we are working towards making it happen. I do have a demo about it, but we're out of time. But sure, it is turned on for Microsoft Graph in preview mode, yeah. You can start developing your test apps and working on your development; you can go and try that right now. Nice. All right, I think the only other
question we had in the chat, really quick, we'll have it on Twitter: Muhammad was asking, can we use it for an API gateway? I'm guessing he means API Management. Yeah, thanks, for the B2C stuff that we were talking about earlier on, which is fine. Yeah, if you have APIs and you need to proxy APIs and then you need to authenticate, then you can use B2C as well for that. There are certain limitations that we currently have with B2C which we can cover at a different time, but let's say you have multiple front ends that need to call an API or an API gateway: you can authenticate with B2C, and API Management also supports JWT token validation with B2C as well. Awesome, awesome, yeah. All right, gentlemen, so like Kyle said we are running low on time, but before we go, why don't you tell us what are some of the places that we could continue to learn about security? Maybe you have docs; I hear there's a live stream show that happens on another channel that might be interesting to go check out from time to time. Where are some great places that I could continue to learn about Identity.Web and interact some more with the identity team? Kyle, you go first and I'll go second. Okay, so we do have a couple of things. We have a space on Microsoft Q&A; I should have had the links available, I'm sorry, we'll have to post them later. It is a great place for us to do question and answer. Our primary documentation: if you go to aka.ms/aaddev, one word, aaddev, you'll get to our primary documentation. We actually have links there now to lots of videos and additional information on this. And then of course we have Christos and his efforts. Not just me, it's a team effort, as Kyle's saying: me and JP do have a stream that happens every Tuesday and Friday at 8 a.m. Pacific time. Everything ends up on YouTube as well, so if you can't watch it live you can always watch it on the side. We're on Instagram
and we're even on TikTok. I'm not promising any dancing there, but you can reach out to us. Discord is also very important; we have a fantastic and vibrant community there, you can reach out to us on Discord, and obviously Twitter, that's one of the places where we interact with a lot of identity friends and folks. So let us know if you have any questions, if you stumble across something, if you want to know more stuff, we can help you out. Obviously the official forum is there, and in many cases we direct people to the official support Q&A, because that's where people can get answers and build knowledge bases, but in the meantime we appreciate your help and your feedback and we'll try to make a better, more secure community here. So thank you, Cecil, for having us. Sure, sure. And I just shared the link to the 425 Show as well in the chat, so if anyone again wants to go ahead and check out the show. How often are you guys on, a couple of times a week? I feel like every time I come on Twitch you're on. It's Tuesday, and now we have a Wednesday show that is dedicated to IT pros; like yesterday we did a passwordless session using YubiKeys and switching that on, for all the developers that want to build secure apps. But usually it's Tuesday and Friday, unless we decide to do impromptu things. The Discord is 425show/discord/join; I'll send a link at the top. Okay, great, awesome. All right, well, gentlemen, again, thank you all so much for coming on. I feel a lot more comfortable now diving into and adding security to my APIs. After we get off the show and after I finish working out, I might come and try and put something together just to see how it feels. So definitely thank you for sharing this with me and the rest of our guests, and maybe we'll have you come back on in a couple of months so we could see some of those CAE capabilities and stuff, what they look like after they're ready to go. Yeah, all right,
well, thanks everybody, see you, and we'll be back next week, so make sure you come back next week. Okay, that's it. Bye.
Info
Channel: dotNET
Views: 9,733
Id: P25SIYLsH-g
Length: 70min 57sec (4257 seconds)
Published: Thu Apr 15 2021