• Why use Microsoft.Identity.Web in web APIs?
  • Protected web APIs - Startup.cs
  • What if the App ID URI of your application is not api://{ClientID}
  • Case of a B2C Web API
  • Verification of scopes or app roles in the controller actions
  • Verify scopes in Web APIs called on behalf of users
  • Using the RequiredScopes attribute
  • Using the VerifyUserHasAnyAcceptedScope extension method on the HttpContext
  • Web APIs called by daemon apps (using client credential flow)
  • Verification of app roles
  • Checking for scopes or app permissions
  • To support ACL-based authorization
  • Encrypted tokens
  • Protected web APIs that call downstream APIs on behalf of a user (AAD)
  • Startup.cs
  • Web API controller
  • Handle conditional access
  • Web APIs that acquire tokens on their own behalf (daemon scenarios, client credential flow)
  • Azure AD B2C
  • Using multiple authentication schemes
  • Other forms of web APIs - gRPC services and Azure Functions
  • More information about the scenarios
  • Microsoft Identity Web and Protocols
  • OAuth 2.0 protocols used in web apps
  • See also