Protect APIs with Azure API Management and Azure AD

Captions
[Music] Okay everyone, it seems that we are live. Well, this is quite a bit of a change of scenario. I've decided to do an impromptu kind of a stream today because I've been playing around with API Management and Azure and .NET APIs and obviously Azure AD, so I was thinking, what is best other than actually showing how I did it?

Now, in case you haven't used API Management before, it's a fantastic tool because it allows you to go and build some security, it allows you to do throttling, and it allows you to do quite a few different things on your APIs that you wouldn't be able to do otherwise. So it is a fantastic tool. If you haven't used it before, we can go and have a look at the API Management docs here. So let's see, Azure API Management. It is a great tool I've used in the past. It has evolved quite a bit in its capabilities and also in terms of costing, because one of the issues that a lot of people had before with API Management was the actual cost, especially the Basic tier, which used to be quite expensive, and people would stay away from it. Now, with the Consumption model, you get a more lightweight, faster deployment of API Management, and it allows you to actually achieve quite a few things. But there are certain limitations when you use the Consumption model, so be aware that if you are using that, you're probably missing things like custom domain names and Azure Active Directory integration for the developer portal (that's for the developer portal, not for the actual API security) and what have you. So check and make sure that you use the right model. If you are starting, I would say start with the Developer tier, see what's happening and what you can do, but be aware that there's no SLA for the Developer model, so if you are going to go into production then you need to choose the right one. There is also an Isolated one for specific enterprises, so quite a bit of a range of services there.

Now, because it takes quite a bit of time to actually deploy an API Management instance, I'm going to
kick it off straight away. So if we go into API Management, we'll add a new one. It does actually take quite a bit of time to deploy, maybe 20 to 30 minutes, because it deploys resources and stuff, so just so you're aware. We're going to add a new one now, and while we're talking and building our API, the API Management behind the scenes is going to deploy for us. UK South; I don't know why it defaults to UK South, I mean, it used to be in the UK. Let's go West US. Resource name, let's do cm stream api. Organization doesn't matter, it's good, Microsoft. And my email, that is required, because if you are setting up your own account later, or if you need to have an account that actually does everything for you, this is required. It will also send emails to your account, like "it's been set up" or "you're ready to go" or "there are some issues", so make sure you use an actual administrator email account, or a good one. I'm going to use my work one.

And we can go with, let's say, Basic. See the different SLAs: obviously, as I said, Developer does not have an SLA, and if we need to refer back to the functionality, there is a small cost for the Developer one, but you get some basic things like caching and scaling out. We don't need that. The Isolated one is private. Notice that the Consumption one is actually shared resources. We don't have any usage limits, and yeah, I mean the Developer one is okay, we can start with that. Yeah, let's do Developer. You just let us know. We don't need any monitoring, but it ties nicely with Application Insights, App Insights, if you want to use that one.

"Image super grainy." Oh no, why? Damn it. Thank you, h3tech. I don't know why, is it my upstream? I don't know. Let's see, is there anything I can change here to make it better quality-wise? Am I even buffering? Both Android TV and Chromecast. What about the YouTube one? This is still showing bad on YouTube. Okay, aka.ness, yeah, you might have to help. Thank Comcast for that. So let me see. Yeah, you're right, even on
YouTube the screen isn't... it sucks. I'm pretty sure that it has to do with my upload speeds. Hey, Cody was on, good morning. That should be slightly better now, I think. I can see better, maybe. My resolution was awful. Okay, I'll try to stay zoomed in so you guys can see stuff.

Anyway, for those that joined this morning, thanks for joining. I am covering API Management with Azure AD and APIs. So we'll create a .NET Core API, we'll upload it to Azure, and then we're going to stick API Management in front of that, just to cover the scenarios where usually you have an older API that does not have security, or it has, you know, bad security maybe, and why would you want to, like, use a username and password to authenticate, right? So in that instance you don't want to use that, especially when you go public. So API Management is going to solve that for us. So the front end, whatever the front end is (I was thinking maybe building a console), the front end will authenticate with Azure AD, will acquire the token, and it will call the API Management. The API Management will do the authentication for us and then it will pass the request downstream to the API behind the scenes. So that's the plan for today, and I was just about to deploy the API Management component, so I will review and create. And as I said, it takes a significant amount of time to deploy an API Management instance, so if we see that it takes too long, I already have one in place, we can go and actually use that one. So let me maximize this.

So we are at the point that the API Management is deploying. We looked at the cost a little bit, plus SLAs. So if you've never worked with API Management before, just be aware that there are different tiers, and there's a Consumption one now that is faster to deploy but it doesn't have the same kind of functionality as everything else. And we're using the Developer one for now. If you are going to production, you don't want to use Developer because there are no SLAs, so it
comes with significant risk. It's also cheaper, so if you are a developer and you want to play around with things, you can actually use the Developer version. And one of the things that I was looking at is also the estimated maximum throughput; that's very important.

"How long does it usually take to create one?" It takes about 20 to 30 minutes, yeah. I don't know why; I was hoping that they would have fixed that and it would be easier and faster to deploy them. Maybe the Consumption one is much faster, but I haven't tried it, so I don't know what the actual time is. But yeah, it takes that long to deploy things.

So okay, we have the API Management deploying. Now we need an API to work with, so for that we're going to do a File > New Project. So let's open our terminal, and then we will walk through the process of actually securing the API Management with Azure AD; so that's the interesting bit. We're going to create a dumb, or a non-intelligent, non-secure API, trying to almost imitate the scenario where you have an older API that doesn't have any security and you want to secure it with API Management. That's one of the main reasons that API Management is used; other reasons are throughput, monetization, self-registration and what have you. So we will do dotnet...

"That's amazing, I can build 20 VMs plus network etc. in less than 10 minutes." I know, I know. There are certain things on Azure that take a significant amount of time. I really don't know why it takes so long to spin up an API Management, but a few years ago I was working with a customer and they were gung-ho on using Apigee, which I think had just been acquired, so maybe three years ago. Apigee is a Google-owned API management tool, and this customer wanted to deploy Apigee on Azure and then secure APIs behind that, and it turns out that for Apigee they needed something like 36 different VMs for one plane. So if you say I want a developer, a QA and a production environment, that's 36 VMs times three. Yes, I know. And I was like,
why the hell are they going to use Apigee? That was a decision. So I don't know if API Management has a number of VMs and configurations that happen behind the scenes; I really haven't looked into that. I don't really know the underlying technologies, so it could be the case that we're spinning up, I don't know, maybe 10 VMs, some on-demand databases and infrastructure. It is a complex setup, but to the front-end developer or the admin of the API Management it shouldn't look that complex. "Yeah, for Azure, just build AKS behind the scenes, much less time." Yeah, I know, you could use AKS, you could use other tools. They could be using things like Service Fabric, I guess, because behind the scenes a lot of infrastructure in Azure still relies on Service Fabric. I don't know why, but it does take a significant amount of time. So, ah, there you go, the deployment is in progress.

Let's go and create our app. So here I have my console. Obviously I don't want the dotnet there; I see the projects, I think. There you go. And then here we can do dotnet new webapi (I hope everybody can see that, make it bigger), webapi, and then give it a name: api demo. So this is just going to create a very... "Yeah, even Service Fabric doesn't take 30 minutes to build." I know, I know. I mean, I haven't really spoken to the API Management folks for some time now, so I have no idea what happens with the product, but it is one of these things I haven't touched in a while. I don't know why it takes so long; we can find out at some point, I guess.

So we have our API. Let's change directory into that api demo, and then here we're going to open it with code. I'm going to make my code big so everybody can see it. I don't know why it was green in the beginning; I hope that it works for everyone. I can see on the stream that it looks okay. What do we have here? We have our Startup; it's an API; there's no security. Yeah, okay. So there's also this Swagger, which is nice. Yeah, thanks for following, Daniel
Monetelli. This morning we're building an API Management and an API, and we're going to secure our access to the API via Azure AD. The Azure AD is going to be configured on the API Management bit, so the API doesn't have to know about security whatsoever. And there are different scenarios here as well; I haven't covered them, but you could also have a pass-through authentication where the API Management does some routing or some throttling or some caching, and then it passes the Authorization header downstream to the API, so the API can do some clever manipulation or some authorization or some extra checks. You can also do both: you can have your API Management validating the token and then also passing it down to the API to also validate the token. So it's not an "or", it's an "and" and an "or", right? You can have both.

So this is just a standard API that we built here. It doesn't have any security whatsoever. It only has one controller, which is the WeatherForecast controller, super unintelligent. It also doesn't have anything other than a GET method. So if we were to run this one, which we're going to do in a second: new terminal, let's do dotnet run. So it's building and it's running. The second... there you go, we're good to go. It's listening at port 5001, and if I go to my browser I can say localhost:5001.
I have it here, and then it should be /weatherforecast. And this points at WeatherForecast. What am I... oops. So it should be weatherforecast. API... yeah, that's the little one. Did I mistype it? WeatherForecast... interesting, because I was working on this on Friday. It should be just a GET on the weather forecast. Maybe I mistyped it. It is definitely [Music] running. "localhost did not send any data." That's interesting. That is very interesting.

Question: what theme am I using for VS Code? Yeah, thanks. Let me sit back and go into my theme preferences. I have an extension called Bearded Theme (because of the beard, see), which is an extension you can install, and right now I think I'm using the Black and Amethyst theme. It's not as good as my partner JP's, who I stream with usually on Monday and Friday, so most people ask for his theme rather than my theme. But thanks for asking, I hope it helps.

Now let's figure out why the API is not working. It should be absolutely fine; there's nothing really interesting here to do other than hit the WeatherForecast controller. There's no API endpoint... so let's just check the route, make sure that everything's okay. So if I go back to my Startup... "It's only when you stream that things don't work, right?" Yeah, I mean, there's no path here; everything should be working as expected. Place an "s" in the front just in case, but I doubt that... ah, ah, damn it, okay, so that explains it. It was trying to go to HTTP. I thought it had to redirect to HTTPS, but, ah, you know what, it doesn't have the redirect because there's no UI. So it has HTTPS, it uses HTTPS redirection, but it did not redirect for me. Hey, thanks for following, Paninger Punisher, Panning Gear, sorry, I don't know what the answer should be, so Panning Punisher. Okay.

So we have our API working. We know it's working locally, we can get the data from the endpoint (make sure you use HTTPS in the front), and we can get our data. Now the next step is to publish this API onto Azure, so we can actually
protect it with the API Management component. Obviously that is one way to do it; you don't always have to deploy to Azure. This API can run anywhere. It could be on premises, and as long as it can be accessible via the internet, we could secure it via API Management. It could be running on AWS, it could be running on Google Cloud, it could be running on some other data center. So technically we could spin up ngrok and have it run locally, and it will still be protected, or can be protected, by Azure API Management.

Let's see how that is going, by the way. The deployment should be going strong. Let's see where we are. Deployment still going; it started, let's see, 9:09, and the time is... we're 11 minutes in, so we're going strong. "In a container?" Yeah, could be, yeah. It could be running in a container, it could be running inside AKS, it could be running anywhere; as long as it is accessible via the internet, it can be protected.

So while we're doing that, let's go and deploy our API Management. There are different ways to do that; there are a lot of ways to do that, obviously, there's not just one way. So right now I'm going to use the Azure extension inside VS Code to deploy my API into an App Service on Azure, and we can spin up a new one. So you'll see... oh, it doesn't remember that I'm authenticated, so let's authenticate again. I will use my proper Microsoft account, so it's going to deploy to the Microsoft tenant. And here we are: quite a few services there. I don't want a Function, and I'm going to use my cm internal (notice I have another here). So what we're going to do is say create a new web app. I don't want any settings, to be honest; I don't want anything special here. What we're going to do is just do the default one. So right click, Create New Web App. It will ask us a few questions. Remember the name of the web app needs to be unique, so cm stream api. It will say what kind of runtime do you want to use. It's nice because in the early days
of .NET, like two months ago, you had to actually go and spin up a .NET 5 website via the portal. That's now not the case; you can do it via the tooling as well. And off it goes. You can see down here, can you see down here? Yeah, there you go, you can see down here that it is creating our web app. So that's spinning up the resources so I can go and deploy my API. Let's go and check our API Management deployment, which I'm pretty sure is still going strong. There you go, still deploying, but it's fine, we're not nervous, because as soon as we deploy our app, the next step will be to go to the docs and look at how we can add Azure AD authentication to our app. It can be Azure AD, it can be B2C as well, so it doesn't have to be just Azure AD, but in this instance we're using Azure AD.

The deployment is done. Oh, check this out, it says "do you want to deploy your app?" That's so clever, isn't it? Okay, I want to deploy, yes please. It says which app do you want to use; I want to use the current one, but you can also choose a different one if you want to, so you don't have to just select the current project. "Maybe you have a required configuration, deploy is missing"; it's guiding me through the process. Yes, let's add the config. And now it's running the deployment task; you can see down here that it is doing it for us. "Always deploy to this workspace?" Yes, why not. I mean, right-click deploy should not be the way to go, don't get me wrong, but now that we are just testing things, it's always nice to click, click and move on to the next task rather than setting up a pipeline. I was checking the other day, I think Tim Heuer from the .NET team actually added a functionality to do "dotnet new" deployment pipeline or something like that, so you don't have to go and do it on GitHub manually. I have to look into that, by the way, because it would be nice to do it via the CLI and not just the UI. I can actually browse into it now, so if I say take me to the website... we're on the stream, right? So browse the
website. Yes, I want to open the page. Obviously it's not going to take us anywhere because there's no UI here. "Why are you not using chroma key?" I don't know, I'm using Restream, so I'm not on my OBS. I know, I know, you can superimpose anything you want behind me, I won't be offended. I should be using chroma key. Does Restream provide chroma key? I don't think it does; I was looking at the settings, I couldn't find anything, so it has to go through OBS, and I couldn't be bothered because it's a new machine. So at some point I will install OBS, I promise, and I will make sure that I'm proper and I do my streams properly. This was just a test to see if anybody would tune in and if I can actually stream by myself without JP on the other side of the window talking to me.

Right, we have the website running. But thanks, Code, I know, I know, I'm not perfect, I will get there eventually. Hopefully the content counts more than me being on a green screen. Thanks for the encouragement, I will take that back to my monitor. All right, okay, so we have the website deployed. Obviously it's a web API, so it doesn't have a UI; we need to hit it via the endpoint, and if you remember the endpoint was weatherforecast. So if I say /weatherforecast (and you can't see it because I'm pretty sure it's tiny), boom, right? So that proves that the API is working and we got some data back. Look at that, it's a beauty, random temperatures.

What's that? What's the weather like on your side? Did you hear it was snowing in Texas this morning? Among other things that are happening in 2021, we are getting snow in Texas. I always thought Texas was dry and hot. Anyway, snow in Seattle this morning? The weather is slightly rainy, cloudy and chilly, but you know what, I had a nice window of good weather yesterday. I would say good; it was freezing but it was nice and sunny. Yeah, West Texas is not surprising. So it was freezing but it was dry, so we took the Christmas decorations down,
and by that I mean I had to go out in the front yard and take all the lights down, and because they were wet, my hands were frozen stiff, because it was wet and cold. And as I was touching things... I had also put some tape around the connecting cables and what have you, so I was trying... it was almost like working with three layers of gloves, trying to touch things and do stuff. But anyway, we took the Christmas decorations down and I feel very proud about the fact that we did it in half a day. We're getting better, right?

Our API is up and running. "Oh, don't remind me, I haven't taken the decorations down." Yeah, tick skin codes, I think, yeah, ticks can code, I feel your pain. We were dreading that, but luckily we had our girls help us. So we have a nine-year-old and a six-year-old, and they were super excited about helping out with the whole endeavour. So they went and took everything around the house and brought it to one place, and my wife was putting them into the boxes and I was putting the boxes back on the shelves. So it was good. "Snowing in Dallas as well." Code with one saying, yeah, but I am getting snow. Not getting snow four and a half hours north of Dallas. Nice. I mean, you're not getting snow. I don't know, is it a good thing to have snow or not? I think the kids love it. I love it as well, but then after a few days it becomes a hassle, or it used to anyway. I don't go anywhere these days, so you might as well snow, I don't really care. We don't commute to work anymore, so I don't think that's a problem. I hope you guys are not commuting and are still staying safe with everything. Has anyone on the stream had the jab yet? COVID? No. Do you know when you're getting it? I have no idea. You know, it could be... I'm thinking summer. I think if we're lucky enough we'll get it in the summer.

All right, let's see API Management. "Snow is fine but it can cause road issues for those on the roads." Yeah. Oh, your daughter is an EMT? Yes, that can be a challenge. Oh, this is still "Deployment in
progress". So I hit that one, I was like, oh, it's done. No, it's not. They would love our feedback, so we say "make it work faster". We should do that, right? Although I don't know if it's going to be good coming from me, since I work in Microsoft; internal feedback is always more valued, I suppose. But let us know if you are using API Management, let us know if you like it, if you don't like it, and what the problems are.

Right, we have our app up and running. So before we get there... "There's the deployment cooking show demo for APIM." Yes, nice, I'm curious now. Okay, the API is up and running on Azure. We don't have the API Management in place yet, so while that's happening I thought it might be a good idea for us to go and look into... yeah, I have one ready in advance. I mean, we could jump into that. Do you guys want to do that? I'm more than happy to, since I showed you how you deploy it; it's not really a lot of magic. We can jump into the existing API Management and do that, right? Although I was going to set up Azure AD, and that has already been set up on the other one, so that is a little bit of an issue if I want to demo it. But since we have to look at the docs anyway, I can do that. I should have done it last night; I was thinking maybe I should have deployed that last night and then used that one. Lesson for next time.

Okay, let's go into the docs. So what I would be looking for, and I don't know how you would do the search, but it would be "api management azure ad", or "secure api management with azure ad". Okay, here we have a few results. You can compare... I don't want to compare. "Secure an API Management API by using Azure Active Directory". Now you might think, hey, that sounds like the right one, but if you open this it actually takes you to the B2C settings, which was super weird. I mean, I don't mind using B2C, but I would have expected that the Azure AD one would be the first result to come back. So obviously in this instance we're not using B2C, so we can skip that one, but that was the
first doc that came up. And then right below that there is "Protect API back end in API Management". We could obviously go through the docs, right? So if you go to the API Management documentation up here, then there are Concepts... and ideas for security, no, you don't like... you think it's security, it's not security. Where is it? Tutorial, Samples... we don't want these; this is for deploying and debugging and storing. So it could be How-to guides, and then we have "Secure your APIs", which is not the case again; this is not where the docs are. It's "Secure your back end", weirdly enough, and then it is "Protect your API with Azure AD". So this is the actual doc that we need to work with Azure AD.

And what do we need for that? We need an Azure AD tenant. My camera has gone out of... there you go. What do you need for that? You need an Azure AD tenant, very important. If you are going to use an Azure AD tenant, you need to use one that you have admin permissions on, because you need to consent to settings, and you can't do that if you use a corporate one that you don't have admin permissions to consent on. So be aware, use one that does not require that. And I already have one. If you don't have one, you can get... I'll put the link, it's aka.ms/... M365 free, I think, and we can always double-check that. Let me take the link, or you can always look for "M365 developer program", but we have a link ready for you so you don't have to do the search. So I'm looking at the list of links that we have. It's "free m365". See, I was taking you down the wrong path: free m365. And you can get a free M365 developer account that allows you to go and set up your Azure AD tenant. It allows you to get Graph data, OneDrive data, sample data, accounts, test accounts, and you can use that to learn and get up to speed with a lot of things without requiring you to ping your admin every single time and say "I need consent for this" and "consent for that" and what have you. So we... I already have an Azure AD
tenant in the M365 developer account, which we're going to be using today. So the first thing that we need to do is look at the documentation and decide how this needs to be set up. So first and foremost, we need to register an application for the back end. We need to register another application for the client app, to represent the client application that needs to call the API. You need to grant permissions (that's the one I said: you need to have permission so you can grant them). Then you need to configure the developer console to call the API using OAuth 2.0 user authorization, and add the validate-jwt policy to validate the OAuth token for every incoming request. So not only do you have to present a JWT token, but also we need to validate that. I skipped that step the other day; I did not do my validation. Okay, so we can do it today.

Let's go to the Azure portal, and back. So for that, because we're going to be doing things side by side, I'm going to stick this on one side and I'm going to take another browser. How's our deployment going? That's my old one, isn't it? Clicking Notifications: deployment in progress, still going strong. See, I told you it's going to take a while. So in the meantime let's jump into my Azure AD. Nope, what are the ones I want? Oh yeah, you know what, we can do it through here, sorry, I forgot about that; we can switch to my test tenant. And it is going to be white. Why did this expand to the full screen? Is it because I'm zoomed in? There you go, okay, perfect. So on one side we have the instructions, on the other side we have the setup. So here we're going to our test tenant's Azure AD, and then we need to create a new app registration. "Go to the Azure portal, New registration." Let's do that: App registration. It will say... let's set it up, give it a name, "backend-app" or something like "backend app", it can be anything. Supported account types: "select an option that suits your scenario". Okay, let's go New app registration. It's going
to say api stream backend. I'm going to go with accounts in my organization only. "Coming in grainy, still grainy." There you go, that should be better now. I'm not going to put a redirect URI down here for now; "leave the redirect URI section empty". So register that, and then it says on the Overview page, get the client ID and record it for later. So what I'm going to do is copy this one. I open my Notepad so we can take notes; Notepad, OneNote, whatever works for you. So we can say "backend API client id", make it bigger. Then we need to get the tenant ID; I'm pretty sure we'll need it for later. And now we need to go and expose an API, so that will be adding the necessary permissions that we need. So in the Expose an API page down here, it says "Add a scope". The page displays the Add a scope... so we need to set the Application ID URI from step seven, so let's set that up. And then it says "Add scope: create a new scope that is supported by the API, for example Files.Read; it can be any scope." And since we're not using Graph or anything else, we're just going to create a scope for the API itself. So here I'm doing an Add a scope. We'll name it access_as_user (not plus, it will be underscore: access_as_user). Admins and users can consent; "Access the API as a user". Let's do a copy-paste for the rest of the fields down here, and then we want it to be enabled, and add the scope. And with that I'm going to copy the scope into my OneNote so it can be handy for us, and we'll use it in a bit. So this is the information I have for now. I'm going to use a document on the side, and at some point I will take it away because we need to create a client secret as well. Obviously I can roll the client secret, so whatever is easier.

So let's do this. We have everything we need: we have the scope, we added the scope, and then the scopes are created. Making notes, we've done that. So that's our backend API app registration configured inside Azure AD. Next, I'm going to create the application to represent the client application. Okay, let's do
that. Back in the portal again, we want to create a new app registration. How do we name this one? We named it demo api... what do we name it? I remember... what was the name of it? You know what, we can sort by update: api stream backend. Then we can do api stream client, and with that... what do we enter? It says name, supported account types: "select Accounts in any organization". I don't know, that's a little bit weird. Like, should we... I thought we were doing accounts in my organization, so I wonder if the client app needs to be a multi-tenant app, which is the inverse of what it should be. So I'm going to keep it as accounts in my organization. If it's wrong then we can come back and fix it later, but for now it's there. So it says that in the Redirect URI, select Web but leave the URL field empty for now. So we're not going to change anything here. Select Register. We're doing that, so that's the client registration.

Let's copy the information. So we need a client app ID, the client ID for that: "client app client id". I'm just typing into my notes window. Then we need, let's say, select that, add a secret. Now for that you go into your Certificates & secrets. I'm going to move it away because I don't want you to see it, but it's as simple as just clicking on the client secret down here. So let me just come here, click on the client secret. It will ask you for how long do you want it; let's say one year. Please avoid using Never, it's very bad practice, and if you do one year then you need to take a note that this application's client secret will expire, because you can come across issues where the secret has expired and you're getting errors. And before I press Add, I'm just going to take it away and hide it so you guys don't see that, you don't see my secrets. And I'm going to copy my secret, and client secrets... I don't want to dox myself, right? Is that the expression? That's the expression, and I just doxed myself. It's fine, I'm going to delete that one and create a new one, because I am not careful. Yes, delete
that one and get a new one. Client secret, one year. I'm not going to move my Notepad onto the screen again, promise. Okay, we got that one. What's next? "Grant permissions in Azure AD". Ah, okay, that's interesting. Now we need to go back into our Overview, so let me just bring my browser back into view. It says in the Azure portal, choose the client app and then go to the API permissions. So we were already there; let's go there again: api stream backend, api stream client, and then in the API permissions... you notice, remember we configured it... "It does notify at least the subscription owner of the soon-to-expire secret." Yes, but you as a developer... you're right, Sean, but as a developer you may not see that. So just be aware, like, if you're doing demos or if you're creating code or whatever you created, but I agree, you should get a notification. So what we have here, we have API permissions and we need to add a new one. So Add a permission, and for that we're going to go to My APIs, so this is down here, "Select an API", in My APIs, and then down here we have api stream backend; that's the one that we need. Yes, we want to select the access_as_user under the delegated permissions, and Add the permission. At this point you do need to add, or grant, admin consent. So if you don't do that then it's not going to work, it's going to fail. We are done. Okay, that is done.

Let's see where our API Management is sitting at. I need another window now, don't I? Yes, I do. I need to be here now. My API Management is sitting under my Microsoft tenant, but my Azure AD is sitting on a different tenant, my own tenant. Is my API Management ready yet? Oh, it is. Oh, it's still activating. Come on. Yeah, almost there. What is it saying? Activating might take a couple more seconds for that to work, but it does not stop us from actually configuring our API Management. That's great, so we can go ahead and do it. So the next thing that we have to do, now that we have the Azure AD component done: we need to go and configure our
API Management to actually use Azure AD for authentication. So let's snap them again to the side, I don't know how that's going to work. Okay, what do I do? Enable OAuth 2.0 user authentication in the developer console. At this point you have created the applications in Azure AD, granted permissions... the developer console is the client app. Ah, you know what, first we need to add the API, we haven't done that yet. So APIs, click on that. That's not the steps... "Service is getting ready." Oh, come on, come on, you can do it, come on. You know what, we could actually jump into my demo and then we can use that one. "Just a note, the MS docs are so much better these days." I know, they are a lot better, I have to agree, although I did find a couple of gaps in the documentation. Also, correct me if I'm wrong and tell me what you think, but I would have loved to have some images here that guide you through the experience; in other docs we do have that, so when you create app registrations there's either a script or an image that shows you where you need to go. Uh, yeah, 99% is fantastic, but there's always space for improvement, right? There's always scope for improvement, so if you find anything that is not right, remember that you can always, always contribute to the docs. Up here you can go Edit, and if you decide to edit then it will actually spin up a new GitHub repo for you and you can go and contribute. If you want to contribute to open source that's a great way to do it, just add some docs. So we are down here, we are in the space where we need to configure our OAuth 2 in the portal. Let's give it one more attempt to see... it's still activating, ah, God. Right, well done Sean. Um, Sean was saying he has already edited a few pages last year; that's brilliant. We definitely value support, and you know, as a developer, if you have stuff to contribute it makes it so much easier, because you know exactly what's missing or what you want. Sometimes our docs team does not have a really good understanding of what
developers want. "Just the other PRs that helped me become an MVP." Ooh, nice, when did you become an MVP, this year, last year? So we have APIs here, now we need to add our API, and for that we don't need to be on split screen and I can probably minimize a little bit here. "Last July." Ah, so you're halfway through, great. I was an MVP once for two months, the shortest-lived MVP in the UK apparently, because I became an MVP in June... in January, January the first, that was my birthday present, and then at the end of February I got hired by Microsoft, so I was only an MVP for two months. I can say I got to take it off my bucket list, right. Okay, okay, now we do have an API. As you can see there are different options here to add APIs: you can have a WSDL definition, you have a WADL definition, so WADL is the OpenAPI, you also have OpenAPI, you have WSDL, the old WCF stuff if you're still dabbling with that. You can also add Logic Apps, so if your Logic Apps are exposing HTTP endpoints you can add them here, and as you can see App Service and Function Apps are first class, so you don't really have to define an OpenAPI. Even though our API itself, the .NET code, the .NET Core code, comes with the Swagger definition, we don't need to use that one, we can directly point to an App Service and it will be intelligent enough to work it out. So App Service, then here it says select the App Service, let's browse to that. We already have the one for the stream from today. Use this display name? Yeah, we can keep it as stream API, same name here. URL prefix, we don't need a prefix, we're good there, and let's go and create that. So before we even add... one more field, what, URL suffix? There, is that enough? "Cannot create at the same path as Christos's API" unless... oh fine, I'll delete my previous one, damn it, or change the path for this one. Yeah, let's change the path for this one. Front end, is it front end, if I remember correctly? No, no, this card... what do we change? Settings, okay, it's under Settings, so
here the suffix needs to be, I don't know, that's a test. Okay, so that means that if I go back to add my APIs we have the same path. Uh, yeah, let's select it again, stream API, that's the one we're doing today, leave everything default. Will it like it, or will it say you're missing a suffix? You liked it this time. Ah, you know what, it didn't like it before because it was the same path as the previous one. Oh, check this out, we have everything we need now. Let's put it to the test: GET. We need to do it again. So the GET doesn't do anything other than... we need to... Settings. By the way, I've noticed that if you... so Test... I did notice in the past, because I had the star... Web service URL should be fine here, but I did notice that in the GET, yeah, we need to remove the star from here, otherwise it fails on this space. So now we should be able to test it. Test here and say... oh, we need to change the back-end settings, it's been a while, be patient. Uh, Web service URL, I think it is WeatherForecast. Save. Didn't like that one. Save. Didn't like this one either. How do we set this one up? This card, let me go to the back one, right, Christos's API. No settings there. Design, change that one. Subscription key, weather API, yes for the auth. "MVPs, thanks for following." Oh, Cesar Freeze is following me, yeah man, following us. It's at 45, so thanks for joining us, Jeff. Today we're doing API Management with Azure AD and a .NET Core API, so we're at the point that we have our API Management almost set up, we have our API deployed to an Azure Web App, and we're configuring the API Management now to be able to hit the back-end API, and once we do that we can go and configure... "Just not here yet." So, oh, what do you mean he's not here yet? Maybe he followed without really joining; this thing doesn't have to be here, remember, or maybe he is behind the scenes under an alias, I don't know. Um, so this is where we are right now, I just need to remember... oh God, Cesar Freeze is raiding us with 113 people. Thanks for joining us, man,
that's a massive raid. Welcome everyone, it's awesome to have you here. Uh, what have you been working on? "Damn, yes, to sign my ID." Yeah, thanks for joining us everyone, it is fantastic to have you here. We are working on API Management and Azure AD, so securing or protecting your APIs using API Management. If you haven't used it before then you joined at the right point. "Oh, we were writing Azure Functions with Service Bus." Damn, that is good, I love me some Azure Functions, it's usually my go-to for creating things, so you don't always have to... they're very powerful. Service Bus though, I haven't done Service Bus in a very long time, so, man, I missed that one. Thanks for joining us, I might have to go and check your stream later on to see what you guys built. So thanks for joining us, we're just at the point where we're configuring our API to work and we have our API Management set up, almost. Let's see, is it set up? API Management services... still activating. So we spun up one this morning. What time? Nine, 9:09, and it's still deploying, so it is a little bit slow to deploy if you're doing it from scratch, and right now we already have one that we can work with, so cm-demo-apim, that's the one that we deployed before, and we're configuring our back-end API so we can actually go and hit it before we add any security. And thanks to everyone for following. Marquez NL, thanks for following, it's awesome to have you here. So let's go and see our APIs, let's see where we are. We have three APIs: the Echo API is just a demo one with only that one; the CM stream API is the one that we configured today. So here we are. I can't remember, I think I need to set something up because otherwise it will not work, but we can always test it. Okay, now the thing is that the front end is going to redirect to the back end, but the back end is not at the root, so the API is /weatherforecast and I need to work out where I need to add this one, so I need to remember where that needs
to be set up. So we are inside the actual... let's go to the Design here, front end and back end. You know what, it's in the back end, I think, so let me bring it here, and I think there's a way to edit that. Yes, the back end is here. Ah, yes, URL or resource, and I think here we need to override the thing and then have WeatherForecast. It says "resolution to fit the stream" or "zoom in, the stream looks a bit pixelated". I know, I know, I don't know why, I think it's my upload, my upload quality, I only have 35 megabits upload, so hopefully now you guys can see what I'm doing. Yeah, I agree it's pixelated. "I hate Comcast." Uh, in other news, coming from the UK I was super happy. "Upload is fine, it's the downscaling to 1080 source." Oh, maybe... "watch, they have selected a different resolution for the downscaling", you think, or... oh, it's grainy because of downscaling, okay. So I think it's super... here it's WeatherForecast, we'll find out very, very soon. By the way, next time, next time, yes, right, okay. "I'm thinking in fact that you have a contrast issue because the stuff with a black background is super clear." Oh, could be, interesting, thanks DFlux, you're right, it does look better when I have the black background. Damn, I don't want it to be super grainy, I want it to be super sharp for you guys. So I think it's WeatherForecast, we can save it and test it and see what happens. Uh, maybe this stuff is a bit shaky; the black background is still working. Uh, "invalid service URL". So is it this one then? Invalid service URL... does it need the full HTTP, the full endpoint maybe? Let's give it a full endpoint, and we do have that one if we go into our... is it on the other browser? It could be on this browser over here. There you go, that's the WeatherForecast, I'll select this one and see what happens. As I said, I haven't used... so let's save it. Okay, now I think we have everything we need to run it. "Uh, so I installed the dark theme." Yeah, everybody loves dark theme, I mean, I love dark theme, but sometimes,
sometimes you have to go with what the tools are giving you, so right here I don't even have a choice: my portal is dark theme, but API Management has some screens that are white. So with that, it means that if I go and test my API on the GET... I'm just zooming out a little bit so you can see what I'm doing, and then I'm going to send it. Send. Right, it's working, we know that it is working, we get some data back. Super grainy data, I get it, super grainy, but it is working, so that's brilliant. We have our temperature data coming from the API, which is awesome, with a little bit of configuring there; I can remember what I need to set up, so that is working there. Next step is going back into our docs to see what we need to do to configure the security. So it says if you want to use Azure AD with API Management you need to enable OAuth 2 in the developer console. We are in the developer console over here, so you notice that down here there's an OAuth 2.0 setting. And apologies for the grainy... who hit the way... okay, so let's do it. We have our app registrations. By the way, for those of you that have just joined us, there's a requirement further up in the docs that requires you to set up two different settings, so two different app registrations: one is for the API Management itself and then there's another one for the client, and we have registered both. We took the information from Azure AD and we're in the process right now where we are going to add that information into the API Management. So this is the stage that we are at just now, an hour into the stream. Out of curiosity, is this still activating? Okay, is it Sunday morning and nobody wants to activate my API Management? I don't know. Yeah, it is working, I know it's working, but we'll use the one that I had from before. And lesson for the next stream: if you have resources that are going to take a very long time to deploy, deploy them beforehand. Um, no, I could have done it last night, but I
wanted to show you how you set it up. So, uh, DFlux K is having issues with a Blazor project, right. "Sunday morning? Yeah, 7 p.m." Oh, 7 p.m., yeah, sorry, I mean Monday morning for the West Coast... East Coast, West Coast, West Coast of the US, Pacific Northwest. "Refresh the browser." It could be, let's refresh the browser. Now, it was not a caching issue or whatsoever, it's still activating, but it's fine, I mean we already have an API Management to work with, it's just a bummer that we don't have a brand new one that we can work on. So let's see, we have the OAuth 2 that we need to go and configure on the portal itself. "Monday morning here, Malaysia." Good morning. "One, one man, I'm awful with names." Yeah, don't distract him. I'm not being distracted, I like being distracted. "Chicken, no control." Oh, Ctrl+F5, Ctrl+F5 will do a hard reset. Yeah, welcome to those formulas, that's amazing. "As reasonably, you know what, maybe, like Google, we have to unionize and get our resources on Azure to unionize so we can see what they do." I'll do a Ctrl+F5 just to prove the point there. Yeah, still activating, but it's fine, as I said we do have an API to work with, it just means that I have to reconfigure rather than configure for the first time. You notice that I already have a configuration, but it doesn't matter, we can actually configure multiple authentications. Okay, there's an option for OpenID Connect, but in this instance we are using OAuth 2 because we're grabbing tokens: we're getting an access token, not an ID token. So here, give it a name, and the description will go to... display name and description. Display name would be "stream auth", I'm so unimaginative with names. This one will use Azure AD. "OpenID Connect is great, never done anything with it unfortunately." Well, OpenID Connect is great, you're absolutely right, it does sit on top of, or is an extension to, OAuth 2, so if you are using .NET, whether it's with Blazor or ASP.NET, in effect you are using OpenID Connect and OAuth 2
behind the scenes with Microsoft.Identity.Web, which went GA back in September. All that ugliness, or configuration settings, or whatever you have to deal with, is hidden away behind the scenes, so you're still working with them underneath the surface, but you're not directly working with them because the library is taking care of them. So Microsoft.Identity.Web, if you haven't used that before, it's the new way to do authentication and token management in ASP.NET Core 3.1 and above, so have a look at that, and unless you actually have to roll out your own OpenID Connect library, which I wouldn't recommend, then this is... yeah, Microsoft.Identity.Web, let me put it in the link: Microsoft.Identity.Web. If you search for that on GitHub or in the docs you'll find all the information you need. Anything that runs on top of ASP.NET Core can benefit from that, that is, you know, web apps, APIs, gRPC, Blazor, Blazor WASM, Blazor Server, anything you want, it's there for you, have fun. We're not using any authentication library today for our API because we want our API Management to take care of that. So what are we going to do here? Obviously we have the first bit, we've done the description, ID and name. In the client registration page URL, enter a placeholder. Okay, let's put the placeholder, http... I think it's okay with that, yes. "Well, you know what you could do, Azure AD B2C and use Twitch as your authentication provider." It's ACV... as it should be, ACP... asp, localhost, it's a placeholder only, I think we need that one to allow us to move on to the next step, it's not actually going to be used. Authorization grant types: we want to use authorization code, which is the one that we currently have selected. Specify the authorization endpoint URL and token endpoint URLs, right, so that we need to go and grab from our other browser. Somewhere around here we have another browser... we do indeed, but I don't think I have my... oh, there you go, perfect. So if you want to find
information about authorization endpoints and token endpoints, the easiest way to do it is go into your app registration and then hit Endpoints at the top, and here you get both. And since we're using the authorization endpoint v2, we're going to grab that and go back to our other window and put it here. Don't have to worry about that, and then it says... it needs to be a POST, step seven, and for step eight copy the token endpoint, let's go and grab that one as well, token endpoint v2, we're using the v2 endpoint. So down here, adding that. "If you are using the v1 endpoints, add a body parameter named resource." We're not using a v1 endpoint, we're using the v2 endpoint. Nice, I'm reading the messages from Cesar. "DevOps Jeff did it with his login." Perfect, he was like five minutes from zero to hero, nice. See, if he was using Microsoft.Identity.Web, it's awesome; if you're using B2C it is also awesome to integrate. You don't want to roll out your own authentication, I mean, you could, I don't know why you would want to do that, and yeah, you can replace any provider, it can be Twitch or anything else. Uh, by the way, Zven vanden Brand, Vandenbrunt, I think I pronounced that okay, Sven, thanks for following, my friend. We are building API Management with Azure AD and a back-end API, so we're at the point that we're actually configuring the OAuth 2 authentication on the API Management, so let's see how that goes. Okay, if you are using v2 endpoints, use the scope you created in the back-end API as the default scope. Where are scopes, scopes, scopes? Ah, default scope. Remember we stored that information when we were creating the scope, so here in a separate screen I have my endpoints; the default scope is this one. Now, if you forget to take note of that or you have no idea how to do it, if we go back into our API Management, sorry, if we go back to the Azure AD space, and if I go into my API permissions, you notice that we have the actual permission for the API app registration we configured before, and
if I click on that it actually opens and I can just copy that one, which I had already done, and by copying that I can go and paste it back into our API Management. So we are... where are we? Here, here, okay, we've done that. What's next? Ooh, access token accepted version: make sure to set the value for the accessTokenAcceptedVersion property to 2 in your application manifest. That is very important, you don't want to miss this one. So how do we configure this? In your API, in your app registration, under Manifest there's an accessTokenAcceptedVersion. Uh, hey BSD Guy, thanks for joining us this morning, and you're welcome, thanks for tuning in on a Sunday morning, afternoon, or Monday morning, whatever your time zone is. You can catch the offline content if you have to go and drop off, everything will be on YouTube so you can catch it there. Right, back to our tokens. By default right now, which really annoys me, the manifest, the app registration manifest, will be set to null, which is the same as saying I'm going to be using the v1 tokens. So we don't want v1 tokens, we want v2 tokens, so we'll change that to 2.
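To make visible what that manifest setting actually changes, here is an added example that is not part of the stream or of any Microsoft code: it decodes the claims of two locally constructed, unsigned JWT-shaped tokens, one laid out like an Azure AD v1.0 access token and one like a v2.0 token, and checks the claims an API expecting v2.0 tokens with the access_as_user scope would look at (ver, iss, aud, exp, scp). The tenant ID and API client ID are hypothetical stand-ins for the stream's back-end app registration, and the tokens are constructed for the demo, not issued by Azure AD. Nothing here verifies a signature; that part must still be done against the tenant's signing keys (by an APIM validate-jwt policy or by Microsoft.Identity.Web), so this is claim inspection, not token validation.

```python
"""Inspect the claims that differ between Azure AD v1.0 and v2.0 access tokens.
Added example for illustration only: the tokens below are constructed locally and
carry a fake signature, and decode_claims() deliberately does NOT verify signatures."""
import base64
import json
import time
from typing import List, Optional

# Hypothetical IDs standing in for the stream's tenant and back-end API registration.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
API_APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
REQUIRED_SCOPE = "access_as_user"   # the delegated scope exposed by the back-end API


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (demo input only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.not-a-real-signature"


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_token_claims(token: str, now: Optional[float] = None) -> List[str]:
    """List the claim-level problems with a token; an empty list means the claims
    look like a v2.0 token issued for this API with the required scope."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems: List[str] = []

    ver = claims.get("ver")
    if ver != "2.0":
        problems.append(f"ver={ver!r}: not a v2.0 token (accessTokenAcceptedVersion must be 2)")

    # v2.0 tokens are issued by the tenant's /v2.0 issuer, v1.0 ones by sts.windows.net.
    expected_iss = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
    if claims.get("iss") != expected_iss:
        problems.append(f"iss={claims.get('iss')!r}: expected {expected_iss}")

    # v2.0 tokens typically carry the API's application (client) ID as the audience,
    # whereas v1.0 tokens carry the App ID URI (api://...).
    if claims.get("aud") != API_APP_ID:
        problems.append(f"aud={claims.get('aud')!r}: token was not issued for this API")

    if claims.get("exp", 0) <= now:
        problems.append("token expired")

    scopes = claims.get("scp", "").split()
    if REQUIRED_SCOPE not in scopes:
        problems.append(f"scp={claims.get('scp')!r}: missing {REQUIRED_SCOPE}")
    return problems


# Constructed sample claim sets (shape only; values are hypothetical).
V1_CLAIMS = {
    "ver": "1.0",
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "aud": f"api://{API_APP_ID}",
    "exp": 2_000_000_000,
    "scp": REQUIRED_SCOPE,
}
V2_CLAIMS = {
    "ver": "2.0",
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "aud": API_APP_ID,
    "exp": 2_000_000_000,
    "scp": REQUIRED_SCOPE,
}
SAMPLE_V1_TOKEN = make_unsigned_token(V1_CLAIMS)
SAMPLE_V2_TOKEN = make_unsigned_token(V2_CLAIMS)

if __name__ == "__main__":
    for name, tok in (("v1.0 token", SAMPLE_V1_TOKEN), ("v2.0 token", SAMPLE_V2_TOKEN)):
        print(name, "->", check_token_claims(tok) or "claims OK")
```

With the manifest left at null the tenant issues the v1.0 shape, and every one of ver, iss and aud then mismatches what a v2.0-expecting validator checks, which is the failure the stream is avoiding by setting the property to 2.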
Let's save that, and we also need to go and change the API stream API, or the back end. Let's change the back end, which I think... I should come down here again, the Manifest, it's also null, change that to be accepted... I can accept it, save. Done and done. Right, so let's go back to our API Management. Client credentials. Important, next: specify the client credentials, these are the credentials for the client app. That is correct, we have a client app, so here I am going to paste my client ID and then I'm going to take the screen offline so I can paste the client secret, so I do not... talk to myself. Uh, you know what, I think I can paste that without compromising myself, can I? Yes, thank you, API Management. Okay, we have the secret, I'm not going to press... So authorization code flows, we have this here, we are using the authorization code flow, not the implicit grant flow, for now. Resource owner password credentials, we don't need these. Client ID, client secret, we've done this. URL: make sure to note this URL. Oh, we need to note them. Oh yes, we do need to note that, because we need to go back to our app registration and fix it, so it says make note of that. I'll put it in my trusty Notepad, OneNote, whatever you want to use, and select Create. Oh, there you go, we're creating that, "stream auth", that's the one with a nice description. Now I have to go back to the client app. "Christos, mind if I post the link to the user group meeting you and JP are speaking at this Thursday?" Yeah man, absolutely, we are joining you this Thursday, really looking forward to it, feel free to share that, and we look forward to actually joining you. Right, we are at the point that we have configured the OAuth 2, we need to go back into our app registration and fix the last setting. Okie dokie, so that is back into our browser here. I need to go back to the client app, not the API registration but the client, the front end, and here under Authentication, remember we left the URL empty, it does remember, so it needs to
be a web... under Platform select Web, and in the redirect URI put the one that we just copied from this. So what this one will do is say, when the request comes in, the response from Azure AD needs to go somewhere; the response is that endpoint that we just put here. So the request comes in, Azure AD authenticates, Azure AD is happy with it, now it needs to send back the tokens, so here, that's the URL that we need to use. Let's save this one, save, Configure. So it says now that you have configured OAuth 2, the developer console can obtain access tokens from Azure AD. Nice. The next step is to enable OAuth 2.0 user authentication for your API. That is correct, we've configured the authentication, we haven't added it to our API yet, so let's go back to our portal to do that. You need to browse to your APIs, back to our APIs, we have the stream API and we have the Christos API, we're going to be using this one. Uh, you need to... let's say select Echo API, we could do that, Echo API, but we're going to use the Echo API just to prove that things are working, right, and then we're going to go into the other one. Go to Settings, and under here you'll notice that there's a section for Security. You'll notice that it already says OAuth 2; that's because I've used it before, or I configured it before, but in this instance, if you were doing it from scratch or if it was the first time, it would say None. So we need to change it to OAuth 2, and then from here it says what kind of authentication do you want, select... remember we can have multiple, we have an OAuth 2, we have some custom one, so since in this instance we have already configured it, let's go and add the "stream auth", that's from today, and under security settings, Security, OAuth 2, and save. Save. It says successfully call the API from the developer portal: this section does not apply to the Consumption tier because the developer portal does not have an endpoint. Okay, so what is the developer portal? The developer portal is here, so API Management comes with a
developer portal as well that allows you to configure things. It actually sets up a whole new website, maybe that's why it's taking forever to deploy, I don't know, maybe it's setting up SharePoint behind the scenes, please don't take my word for that. And the developer portal opens... it's almost like a... it's like a website that you can log in to, you can provide that website to your customers as well so they can come and register themselves and be able to access that. It's a whole beast there, so you can definitely go and configure things, you can change the look and feel, you can customize it to be totally branded to your enterprise. As I said, it is very, very powerful. What is really annoying is that when you browse to the developer portal, if you come from Azure AD, sorry, if you come from the Azure portal to the API Management portal, it actually thinks that you are an admin and wants you to edit the page, and I have no idea how to come out of this one, honestly, it was a pain in the backside. So the only way I found that you can use it as a user is to open it in a private window, so let's open that, and probably it's private here. Signing in... I need to sign in anyway, so you'll see that it's not interactive anymore, right, so I can't change anything, I need to sign in. Ah, signing in has been a pain, right. Last week when I was looking at that, apparently there's a way to enable Azure AD authentication to the portal so you could have internal users signing in with their Azure account, but what I found out is that it doesn't really work; for some weird reason it fails to authenticate me. So let's try it today, if it doesn't work we have a backup account and I will show you how to set it up. "See Christos, maybe I know why I can't." But give me a second, maybe I was being a muppet the other day. microsoft.com... so I try to sign in here, I will use my test... my password's contacting you... oh, you know what, it's not... I need to open my password manager because I don't remember it,
so it should be... please use your password managers. Sign in. Will it sign me in now? Oh, I'm getting a two-factor authentication, I'm going to get it on my phone. It has arrived, 459510. Authentication failed. Hey, thank you for following, the Written. Uh, let me try with my domain account. "I wonder if you hit our limit." Okay, try something shortly. "More information." No, I don't want that, cancel, use another account, I'll use my corporate account, I don't know if that's the case. Excellent, next, other ways to sign in, it's my password... it's using Hello, hello, hello, yes. So it's interesting that it doesn't let me do that, so for some weird reason the Azure AD authentication for the developer portal does not work, and since it doesn't work I have a fallback. I went back into my portal here, there is a Users section and you can configure users, so you know that the administrator is the one that we added when we were deploying the app registration, and I'm going to use my backup account, which is also an admin, I think, or a developer. So let's go back here, no, not that one, let's go back to our portal, and I will use this, and then my password. We're in. What are we testing here? We need to go to our APIs, and from here we can test the Echo API. The nice thing is that it will prompt me for an authentication when I need to call it, so I don't have to... yeah, thanks Onwoods, it's been a round trip. I need to really find out why the Azure AD authentication does not work for the developer portal, if I'm doing something wrong or if there's a bug, but that was a little bit annoying. And then I want to do a GET, and for that to work I need to probably maximize that so everybody can see it. Oh, that's not the one, this is the one right here, make it big. There's a Try it button, Try it, let's try it. Try the first thing that you must... oh, subscription key, yes, on top of everything else the API Management also requires a subscription key, assuming that giving access to people means that they need to be part
of the product or set of products, and for that to work they need to somehow identify which tier of your APIs they're using; that's why we said this monetization, it's great, but it also means that nobody can use it unless they have a subscription key, which is great, because API Management is a public endpoint, so you don't want anybody to come and hit and hammer your API, so by providing a subscription key it means that I can secure things even further. So let's see, let me go and grab the subscription key, which is on the portal itself, so here under Subscriptions there are keys, and from here I want to grab them, so I don't want you to see them, don't give you my keys, and there's a way to show them, so Show/hide keys, yes, and then I can copy them. I can actually maybe show you how that works, in case you're wondering, without really doxxing myself. So if I bring it back here, in this page I have my keys, you can see them all, but if you go all the way to the side there's the ellipsis, and under the ellipsis you can do Show/hide keys; that allows you to grab the information for your keys, and that's what I'm doing just now. I think I grabbed it. It has a primary and a secondary key and you can roll your keys any time you want, just be aware that this will break things for you. There, it doesn't have everything... you probably saw that, I will have to roll the key anyway, I couldn't avoid it. I think I can do a Send. It did work. Did we not have authentication here? We did add authentication to the GET anyway. That's interesting, because it should have asked me for authentication when I was testing it. Let me go back to my API Management, make sure that we added the right thing and we saved it as well, maybe I did the changes and I didn't save. Okay, it's fine, I'll roll the keys later on, so look at them as much as you want. Let's go APIs, it was in the APIs, then under Echo API we did configure the security, right, it was down here: subscription key, OAuth 2, stream auth, override scope, and save.
Interesting, I don't know why it did not prompt me for security. Let's go stream API, I'll do the same here as well. "I see, you might not want to use a subscription, so that was optional." Let's leave it there for now. Let's select the stream auth and save. That should be all we need, so if we go back into our test portal, let's select a different API. Ah, you know what, we need to add it, yes. So we have added the API in the portal, we haven't added it to the products, and in order for the API to be exposed to our end users they need to be part of a product family. There are predefined products, and by product I mean it's a way to package the API so you can expose it, so somebody might say, you know what, I want to subscribe to product X, which is a test, and then I can only get five queries a day, or let's say 100 queries a day, but when they're happy with the API and the usage they can say I want to upgrade to the business tier, and that allows you to start monetizing and what have you. So there is a notion of products in API Management, and right now we have a Starter and Unlimited, and I can... is it under APIs or do I do it here? Starter, Starter, no, I don't want to do that, I think I need to add it to the products, so it should be under APIs maybe. So my stream API, and this... yes, I think down here we need to add the product, there you go. So for it to be exposed we need to, under the Products, let's add it to both, and let's save again. So with this information we should have the authentication configured, we should have the products configured, and we need to require a subscription key and also authentication against our stream auth that we just configured. Okay, let's go back to the developer portal and see what we get. So we need to refresh probably to get all the APIs, see Echo, ah, there you go, there it is. Hey, thanks for following Gromit, I hope you're having a great day. We're doing API Management with Azure AD and .NET Core APIs.
Stream API, GET, will this work? Let's find out. Subscription key, I think I still have it pasted there, there you go, 200, okay, we got the response back. Interesting, it should have prompted me for authentication. Let me check the one I was working on last time. Don't I want to... GET, Try it... but goddammit, I forgot about that. Yeah, let's go back. Right, Christos, I know it's early in the morning but you need to get up, you need to wake up, right. The reason why... oh, oh, Authorization: subscription key only. Yeah, what did I miss? I think I missed something here, I think I missed something here. We did set up the authentication, right, because if you notice the one I was playing with last time says, what do you want to do, I want to try it, and then when I try to use it, it prompts me, it says what kind of authentication do you want to use. Sorry, it's definitely something in the settings that I missed. We have Security, and I am a little bit surprised now because it should require authentication, and we'll talk about policies in a bit, but for now I am surprised that even though we have Authorization here, subscription required, and user authentication here, Authorization is here... why? Let's go back to the docs, maybe I missed something in the docs and I don't realize that. But let's go here, enable OAuth... so select OAuth 2... no, sorry, let me just put this on the side. Client registration, we've done that. Let's see the settings. Stream auth, display name, we have it. Client registration page URL, it's fine, we don't need that, it's going to be a placeholder. Authorization grant types, can be that. Hey Stuart Writer, thanks for joining us this morning, thanks for the follow, really appreciate that, we're doing API Management with Azure AD today. Uh, authorization endpoint, we have that, app registration, select Endpoints, we have that one. Next we need the OAuth 2 authorization endpoint, which we put there, we also put POST, which we have, OAuth 2 token endpoint, we have that one as well, all configured. Then we
have the v2 endpoints which we configured as well we added the scope we added the client credentials we added the redirect uri to our to our app registration and yes now they have configured that next step enable all to authorization for your api okay so we have that one we've done this for api management the roots we're going to show here oh god it's still activating the other one still activating that's insane thank god we had a backup to work with otherwise you would be hating me this morning it would be a us talking about api management as a theoretical exercise so let's go to our api management select the api you want to protect browse the api management go to apis okay apis good select the let's say the stream api that we just configured or just got access to go into settings and under security subscription and then security use authorization user oauth2 and click save that's the one all server we selected the right one which should be this and save that's super weird okay let's go back to our developer portal i am surprised by that almost feels like i missed something because in the authorization for api you know we have different apis we have the echo api if we say try it see that this one doesn't even give us almost like the uh the one that we configured is not activated or something you know the authentication that we configured is not activated i wonder if we change it back to the portal for the echo api if we it will change anything so if i say apis and then what about if i change this to say weather api and refresh refresh the whole thing and then come to the stream api and then try it huh i think i miss a set somewhere but doesn't matter because they're both configured to work as expected and they're both pointing to the same api and the same as ready so what you see here we have no auth i want to select auth ah check that out it already knows i'll authenticate it so it will try to prompt me to [Music] add my key so 5 3 4 9 0 8. 
verify that yes i'm using my test and as you can see up here and i know it's grainy god damn i don't know why it's so grainy at the high resolution so now i am authenticated subscription key we need to provide that and since i already seen it i can go back and roll the keys later on but under subscriptions i need to show my key kind of doesn't scroll that far down so hide keys i'll grab this key i'll come back here see that we are doing a get right we're on that i don't want to delete i don't want to delete i want to get right because we only have a get on our api so if i do a delete you didn't set up your green screen i know frank i'm using uh restream and i don't think that i can configure that on restream io i have not set up my obs yet i promise for the next stream it will be all said and done but thanks for joining us this morning we're just the point that we're testing our our codes to see that it's working so here we are doing gets because we only have a get on our api remember that we are using authorization code and i want to paste my subscription key what happens is when you pass the request or when the request goes down it will pass the subscription key as that header so that's a custom header that we need to pass in uh i need to check stream yard you're right maybe you should say it's extreme yards so main tools string here obs ninja restream obs so many tools ah i want something that just works you can feel free to superimpose anything behind me if you want to just have fun later on please keep it safe for work right so hopefully fingers crossed this is going to work send it did work nice there's one more step that we need to do because right now we are uh authenticating yes ready but we're not validating the tokens so there's a there's another step that we go back and fix but what we achieved so far is an api written in dotnet core published into azure web apps uh with no security being fronted by an api management with azure ad doing the 
authentication and then we're using the developer portal to test it i do have a console app that i published on friday i think that can be used to test as well so if i go to my github repo github.com i'm using my private that's why it doesn't know who i am this is not my private so let's go to github one more step we'll go and do that how are you frank this morning what are you up to and under my repose apim test client with auth i did write a console app that takes some settings it is frank yeah it is frank frank is here and this one will allow us to authenticate or go and grab the authentication using a client id and a client ticket since we're using a console app we don't have a user interaction there so it needs to be a client secret or a certificate ideally you want to use a certificate i do have a blog post on how to set up that certificate for your consoles so if you're going to my website my blog my all blog because these days were on dev.t.o a app ah they go create a dotnet core app daemon that uses certificates i will put a link here if you want to see how the user certificate with uh amsoil you call in to us ready there you go and uh with this code you can also run the client so that's a client you just need to add two settings if i take you the setting states there's a an app settings file that i expects either city well in this instance i'm using a client secret so boo chris you don't reach where you talk or you don't you don't do what you preach right so there's a client secret you can add it as a dotnet secret and a user secret add and then add it so you don't have to compromise your source code and then the apim key needs to match the api key that we have here so you need to provide at least one subscription key that is valid for your apis and with that you can run the application and obviously you need to change the endpoint right now i'm using my own endpoints here but once you acquire your token which this is what it's doing it gets it gets the 
access token and creates the client credential auth provider and it gets the access token which puts it into a local static property and then we make a request and in the request all we do is create a new sdp client set up the authorization headers we also set up a custom header for that ocp apim subscription key which it grabs from the configuration file and then we pass the uri this can be any url you want as long as it matches your configuration inside api management now now let's go back we have one more step to do successfully call the api we've done that and we can prove that it's working which is great configure jwt validation policy to pre-authorize requests it says at this point the user tries to make a call from the developer console the user is prompted to sign in which we saw that right i got prompted it gets the access token and then it includes the token into the api request but it does not protect you from passing any random token right so it says what if someone calls your api without a token or with an invalid token for example you can go without the authorization header or you can pass any random noise into the authorization header and it might work so we need to use the validate jwt policy to pre-authorize the request in the api management uh the following policy into the inbound policy section let's go and do that [Music] okay all right we need to change a few things here we need to do that so what this one will do is we'll pre-authorize or validate the token as it comes in the couple things that we need to change is the azure id tenant we can pass the uh either the well-known name or the i think you pass the tenant id as well and down here you need to have the application id of the back-end api oh sorry the back-end app registration so let's grab that one let's put into let's do a new file i mean we could name it quality.json right uh let's change the azure id tenant and to find that information we need to go into here in the ah that's the yeah 
it's working uh so much guys we need to go to the back end uh end points i don't think that would give us the right endpoint i don't want that i want to be in the overview overview and the tenant name is there oh we can use the tenant id as i said but let's let's use that one for now see if that works and then we can go and change it [Music] in fact we can always go and check and the app registration endpoints that's the one she remember how i said you can also use the uh tent id let's use that one and i think that does that matches the url right so log in microsoft a well-known endpoint and then open id configuration let's make sure that this is the same it is the same so uh you can find it here as well uh let's go back to our no no different window oh it's actually here i'm just going to apologize for that but both should work so let's add the that id and then down here we need the application id of the back-end api i already have that stored in my notepad i'm going to copy that and put it here and again you can find your client id from the azure dependent so if you're going to as ready i can go back into my app registrations close this one down and i can go into my the one i created today the back end it's edc which is the one i copied across so we can copy that one now and then following the instructions we need to go to our api m put it here going to our api itself here's my api apis and then here in our cm stream api we need to create an inbound processing policy at the base right set backend server add policy let me see what that this one does i haven't been here in a while i wish the zooming did not mess things up so badly local surgeon oh validate jwt there you go it's ready there oh i wonder if i can discard this one inbound no this car i want to do add policy and then i want to say uh other policies this card doesn't let me do that hey i need to take a very very quick break how do the hell do i take break on restroom now that's weird ah i haven't done 
brakes on restream can you do a brakes don't they can do brakes fine i will battle through this let's see we might have to go manual i suppose so we might need to header name authorized data audience add open id url request claims failed authentication so is there a way to edit the json here hmm learn more about validate is there a way to mesh with the json because it will be easier to just paste adjacent now right policies ah there you go there you go how badly can i break it inbound said back-end okay and then what do i just paste this here jwt and then that should work okay i think i said so right we can uh we can easily find out hey if the app is running in a deployment slot do i need to create another ad operating station for it nope you don't need to you totally don't need to they can all use the same app registration unless you want to test something different but they can all use the same operation um like you can have a mobile app and uh and a web app and a console app all using the same operator station for the front end and uh ideally you don't want to do that you want to separate them but if it's just a web app and you have two different instances one running on the main slot and the other one running on the uh on the deployment slot it's absolutely fine it will work out of the box you don't have to worry about that and it's fine unrelated questions are also good i think that's all we need to do for the inbound one i wonder how badly we'll break things so we have the cm stream we have the policies here for the impound you see we have the validate jwt token and the the setting up the back end so uh let's see what else the dog say do we do anything else there or are we done with that setup ah there you go that's all we need to do so technically now uh if i call it again from the developer portal it will just work uh yeah we're here so here let's do a refresh and we're on the same stream we're going to do a get we're going to try it we're going to say i 
want off you remember my credentials so don't have to do sign in that's awesome and i need a subscription key which i definitely don't remember i need to go back and get it please somebody ping me after the show to remind me to roll the keys or i will do it as we uh as we come off the stream in a few minutes but uh let's see we are in the api there we need to go and grab the the keys from the subscription again again and again i'm just going to take it aside sorry no doxing so hide keys i'm going to copy the key which i think it's going to be there anyway so it's great i will need to roll it uh there we got the bearer authorization and now i'll check this out paste the key there is it going to work unauthorized access token is missing or is invalid that's interesting now this is coming from the inbound from the inbound validation right talking validation so why is not liking it it says unauthorized but why why would it be authorized so it's the application id of the back end that's what we did and there this open id configuration response to v1 point for the v2 endpoint use the following url uh you know what maybe i just use the read the instructions chris so down here let's see here what do we do we were in the apis yes in the apis again further up and then in here under cm stream we have our i hate the fight i'm zooming in it means that it breaks everything so here there you go we have the when it changes that to be the one that the box say that we need to use okay so let's see maybe that was it maybe that's all we needed to hey thanks for following sblu1977 really appreciate the uh this morning uh coming and following us and watching what we're doing so with that information i don't think we need to save anything that's all done let's go back to developer portal and test it i will refresh for good measure we're in the get we'll do a try i need to paste that key somewhere dammit keep on forgetting i will be regenerating both primary secondary keys by the way 
after the show because i've definitely doxed myself quite a bit but it's the way to show you how it's done right so we have that we need auth authorization code it did flash a little bit and then it came back so that means that we are authenticating and we have the bearer token and down here you can see the authorization header so let's see oh damn it what did we do wrong i get yeah one note works too what are we doing wrong it says access talking is missing or invalid no it's not missing it is there so it is invalid but y is invalid i have nine minutes can we fix it in nine minutes uh so jwp.ms let's go and check our token and see what we see because i'm curious to see what's happening now invalid preferred access as user we have the right scope the audience is our what is the audience where is that coming from oh is this because no it should be fine so that's from the uh so this is this does not match the latest one because remember the latest one did not not what i'm saying is that as i was playing around we were unable to set the right auth to um to our api so our api right now for the same stream is using the settings it's using the [Music] it's using the weather api auth which is not the one that we configured this morning because this one for some reason doesn't get um doesn't get set correctly now i'm curious why is our cm stream in this design why does it not like our settings oh i think i know why it's because we're using the wrong uh we're using the wrong um opera illustration because remember we're using the different auth that i set up in the past so that's the the difference of the wind setup this morning and that was set against two different operations and the audience does not match the right audience that we have configured here so this one needs to change because if i go back to there it's 6 bc whereas here we have edc easy to fix so all we need to do is go back into the operation uh go here find the api app so 6d cce copy that i mean i could 
have copied it from the from the actual token right but uh copy that and then go back to our api management so many windows i'm getting lost here save that and now i think it's going to work hey thanks for following ancient coder really appreciate uh joining and tuning in this morning we're just at the point that we're uh configuring the token validation for api management so we have authentication working we just need to do the token validation and with our rule uh we should all be good let's see back to the developer portal before i do that uh i need that i i lost it again so here i'm going to paste it somewhere because i'm getting fed that now ah they can't use that one i'm pressing into my actually one notes or notepads i think there's a notepad this morning so apologies where's my developer portal is it here it is here okay good f5 this one uh brand new request let's try that off we want authorization code so remember us that's good paste in the subscription key and now send send what right uh we are done uh it is working end-to-end it is working definitely into end so what we have here is an api which we deployed to azure app services let's go and see that we have our what are the components we have our which one did we deploy app services then we have the cm stream api that is just a dam api that does not have any authentication and we wanted to protect this api using api management so rather me rewriting any code to go and change the existing api to do the token validation we're using api m in the front as a proxy to our api to to secure it and then we went into the api management portal we're using the cm demo apim because our the one that we spun up this morning took forever to deploy so we did that in the apis we added our new api the system api which is the one we deployed to azure app services and from there we configured authentication which for some which for some reason did not let's see this one i wonder what the difference between this one and the 
other one is did i i think i misconfigured something here and for that reason it thinks that it's not active or whatever because they should be exactly the same there there client id client id client secret of secret they should be the same they should be the same i don't know what's changed sing to myself now they are the same i like the only thing different is the description and in the api itself in the api definition we decided to use the authentication and in order to do that you go into the settings and down here you say i want to use authentication always too now if i use stream auth for some reason it just doesn't like it so if i go back to developer portal that's something i need to look into like why is it inconsistent when they're both configured exactly the same way i wonder if it is because uh they're both point the same thing although i would expect that that shouldn't matter and then if i open the developer portal which is where we have a playground to work with um let me just control this one we come here and if i try it see there's no authorization for some very weird reason it just doesn't show up but if i go back to my api management and change the that to be the weather api auth which was the one i configured before using the exact same steps that i used before and save then if i go back to my developer portal and do a try we notice that now i'm prompted prompted for the authorization here so we've done that we authorized we get the token uh we added to the headers and then we can call our api it's not going to call it because i'm missing the subscription key do i have the subscription okay perfect is that there you go so uh it is working our api is protected using api management and azure id we found two things that are not working today one is the brand new configuration for auth that we did this morning even though we follow the exact same steps it does not seem to light up and the second one is if i come here can i sign up from somewhere i 
think there's a close this one if i sign out and if i try to sign in back in again if i try to sign in with my azure active directory you can also enable azure active directory for the developer portal this is the portal that you can and play around with apis for your api management this does not work so i have two follow-ups to do this week with the api management team and work it out but i hope that you found something useful let me know if you want anything else for us to cover as part of the the streams i'll be doing more impromptu streams like that with proper setup not with the stupid green screen behind me uh thanks everyone for joining this morning thanks for the raid from from fritz and uh i appreciate that we'll put everything on youtube so it will be available for you later this week and i will put a blog post together to show you how to do it end to end thanks uh thanks everyone for the kind comments and for the support this was the first one i did solo so it was fun to see how it would go and stay tuned because we have a super exciting week tomorrow at 8 a.m pacific time in the morning we're actually doing terraform uh with uh azure and i think azure devops or github actions we haven't decided yet we have somebody from the go team that and the terraform team uh from microsoft coming on to uh thanks for reminding me i need to rate somebody yeah so we'll have somebody from the the terraform team at microsoft that also does go to join us uh for um for the morning and then i don't know if we're doing anything else uh so i think then we have uh that tesla tulsa tulsa tulsa um user group on thursday you can come and join us there i'll be there with jp to talk about microsoft identity and then on friday we have some more exciting guests coming up i need to check the calendar because we have so many people and with that i'm going to raid uh michael crumb who is also live right now and he's also doing something in this thing usually he does stuff with security 
so if you want to stick around i appreciate everyone for coming and i will see you all this week thanks everyone you
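The audience mismatch that ate the last nine minutes of the stream (the token's aud was one app registration's client ID while the policy demanded another's) is easy to reproduce offline. The block below is an added example, not code from the stream or from the 425show repo: it re-implements in Python the checks the APIM validate-jwt policy performs (Authorization header present, signature, issuer, nbf/exp window, a required aud claim, a required scope) and the order the gateway applies them in (subscription key check first, then the inbound policy, then forward to the backend), plus the two headers the console app puts on its HttpClient. Every GUID and key is a constructed placeholder, and tokens are HS256-signed with a shared demo key so the example runs with no network access; a real Azure AD access token is RS256-signed and the policy fetches the signing keys from the openid-config URL, so a shared-secret check like this must never be wired into a production gateway.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholders: substitute your tenant and app registration values.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"   # v2.0 issuer form
BACKEND_APP_ID = "edc00000-0000-0000-0000-000000000000"          # backend API app registration (hypothetical)
OTHER_APP_ID = "6bc00000-0000-0000-0000-000000000000"            # a different app registration (hypothetical)
REQUIRED_SCOPE = "access_as_user"
DEMO_KEY = b"constructed-demo-key"   # stands in for the tenant signing key; Azure AD uses RS256, not this

UNAUTHORIZED = (401, "Unauthorized. Access token is missing or invalid.")
NO_SUBSCRIPTION = (401, "Access denied due to missing subscription key.")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(aud: str, scp: str = REQUIRED_SCOPE, iss: str = ISSUER,
               ttl: int = 3600, key: bytes = DEMO_KEY, now: Optional[int] = None) -> str:
    """Build a JWT carrying the claims jwt.ms shows for an Azure AD v2.0 access token.
    HS256 with a shared demo key keeps the example offline; real tokens are RS256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": iss, "aud": aud, "scp": scp, "iat": now, "nbf": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_jwt(headers: dict, required_aud: str = BACKEND_APP_ID,
                 required_scp: str = REQUIRED_SCOPE, key: bytes = DEMO_KEY,
                 now: Optional[int] = None) -> dict:
    """Mirror of the policy's checks: bearer header present, signature, issuer,
    nbf/exp window, required aud claim, required scope. Raises ValueError on failure
    (the base64/JSON decode errors raised on garbage input are ValueError subclasses)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise ValueError("no bearer token")
    parts = auth[len("Bearer "):].split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")            # never trust the token's own alg choice
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if now < claims.get("nbf", 0) or now >= claims.get("exp", 0):
        raise ValueError("token not yet valid or expired")
    aud = claims.get("aud")
    if required_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")         # the failure seen on the stream
    if required_scp not in claims.get("scp", "").split():
        raise ValueError("missing scope")
    return claims


def inbound(headers: dict, valid_subscription_keys: set) -> tuple:
    """Gateway order: subscription key check, then the validate-jwt inbound policy."""
    if headers.get("Ocp-Apim-Subscription-Key") not in valid_subscription_keys:
        return NO_SUBSCRIPTION
    try:
        claims = validate_jwt(headers)
    except ValueError:
        return UNAUTHORIZED
    return 200, claims


def client_headers(access_token: str, subscription_key: str) -> dict:
    """The two headers the console app sets on HttpClient before calling through APIM."""
    return {"Authorization": f"Bearer {access_token}",
            "Ocp-Apim-Subscription-Key": subscription_key}


if __name__ == "__main__":
    sub_key = "constructed-subscription-key"
    print(inbound(client_headers(mint_token(BACKEND_APP_ID), sub_key), {sub_key})[0])  # 200
    print(inbound(client_headers(mint_token(OTHER_APP_ID), sub_key), {sub_key}))       # 401, missing or invalid
```

The check to carry over to the real policy is the one that failed on the stream: the value under the aud entry of required-claims must equal the aud you see when you paste the token into jwt.ms, which is the backend app registration's application (client) ID when the scope was requested against that app; the openid-config URL must likewise be the v2.0 one when the token's iss ends in /v2.0. Treat the Ocp-Apim-Subscription-Key value as a credential: it is passed in clear in every request, and any key shown on screen or in a log should be regenerated, exactly as the stream says it will be.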
Info
Channel: 425show
Views: 1,249
Keywords: Twitch, Azure AD, Microsoft Identity, API Management, AAD, Security, API, CloudDev
Id: 0vjX5tJZOzE
Length: 121min 11sec (7271 seconds)
Published: Mon Jan 11 2021