
The demo project is out of date by a decade, can we have the latest .NET 8 version? #165

Closed
winzuus opened this issue Mar 25, 2024 · 9 comments

Comments

@winzuus commented Mar 25, 2024

Hi there,

I am trying to do exactly the same scenario as the demo project does.
I have an ASP.NET Core Web API (.NET 8) project (it will be hosted on Azure when finished), and I would like to use Azure AD B2C to protect the endpoints in the Web API project.
The front end Web App will be hosted on Azure as well.

I would like to use an access token in the Web App requests.

I followed the latest official document and found this Demo project which does exactly what I want.
But sadly, this demo project is out of date; it does not even use the .NET Core framework.

Could you please provide an up-to-date demo project which uses the latest .NET 8 version?

@jmprieur (Contributor) commented Mar 25, 2024

@winzuus
the sample you are looking for is here: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-2-B2C/README.md and is fully functional and maintained.

This repo here is for OWIN, which is indeed old tech.

@winzuus (Author) commented Mar 26, 2024

> @winzuus the sample you are looking for is here: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-2-B2C/README.md and is fully functional and maintained.
>
> This repo here is for OWIN, which is indeed old tech

Hi @jmprieur, thank you so much for providing the up-to-date code sample, and glad to see a contributor replying to my issue :)

I have read the sample code and found it uses the OpenID Connect flow, but I need to use the "Client Credentials Flow".

The reason for this is that I need to test my endpoint being protected without user interaction. I will test it first with Postman; later I would like to do automated testing in unit tests, so a flow which requires user interaction does not fit my purpose.

Does Microsoft have a code sample for this scenario? I'd appreciate it if you could provide a link.

Many thanks,

Winston

@bgavrilMS (Contributor) commented

@winzuus - the client credentials flow is for service principals, not for users. If your web API acts on behalf of a user, then we recommend that you test with the Username/Password flow:

https://learn.microsoft.com/en-us/entra/msal/dotnet/acquiring-tokens/desktop-mobile/username-password-authentication

@winzuus (Author) commented Mar 31, 2024

> @winzuus - client credentials flow is for service principals not for users. If your web api acts on behalf of a user, then we recommend that you test with Username/Password flow:
>
> https://learn.microsoft.com/en-us/entra/msal/dotnet/acquiring-tokens/desktop-mobile/username-password-authentication

Hi @bgavrilMS, thanks for your update.
No, our API does not act on behalf of a user.

I have found that the Client Credentials Flow is the most suitable flow for our case.

I have checked its official documentation but have not found a GitHub demo.
I'd appreciate it if you could share a link to demo code for the Client Credentials Flow (if there is one).

Thanks

@winzuus (Author) commented Mar 31, 2024

@bgavrilMS @jmprieur
Also, I have found a code example for the Client Certificate Flow.

Is it the same flow as the Client Credentials Flow?

@bgavrilMS (Contributor) commented

Yes @winzuus

The OAuth2 spec mentions the client_credentials grant. There are several variants of this:

  • based on a secret (we don't recommend this in production)
  • based on a certificate (you found the right sample)
  • based on a federated credential (I don't think this works for b2c)

@franva commented Apr 2, 2024

> Yes @winzuus
>
> The OAuth2 spec mentions the client_credentials grant. There are several variants of this:
>
> * based on a secret (we don't recommend this in production)
> * based on a certificate (you found the right sample)
> * based on a federated credential (I don't think this works for b2c)

Hi @bgavrilMS,
Thank you for your reply.

For the 1st option, based on a secret: what is the reason that it is not recommended in production?

@bgavrilMS (Contributor) commented Apr 2, 2024

  1. Secrets should be rotated periodically and while the AAD portal helps you with that (e.g. you can set expiry on a secret), this is not enforced. Certificate expiration is something that is better handled - e.g. you can get KeyVault to rotate certs and your app just gets the latest cert from KV (by name). Just remember to update your app registration!

  2. Secrets are like passwords - vulnerable to brute force or spraying attacks. It's hard to enforce a 'strong' password. The private key of a certificate is much more complex and not vulnerable to these types of attacks.
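To make the two client_credentials variants from the list above and the rotation point in this answer concrete, here is an added example in MSAL.NET (not code from this thread or from any Microsoft sample). It assumes placeholder values for the tenant id, the daemon's client id, the API's App ID URI, the Key Vault URI and the certificate name.

```csharp
// Added example (not from the thread or any Microsoft sample): app-only token acquisition
// with MSAL.NET, showing the secret variant beside the certificate-from-Key-Vault variant.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;
using Microsoft.Identity.Client;

public static class ClientCredentialDemo
{
    // Placeholders (assumed): the B2C tenant, the daemon's app registration, the API's scope.
    const string TenantId = "<tenant-id-placeholder>";
    const string ClientId = "<daemon-client-id-placeholder>";
    // For client credentials the scope is the protected API's App ID URI plus "/.default".
    static readonly string[] Scopes = { "https://<tenant>.onmicrosoft.com/<api-app-id-uri>/.default" };

    // Variant 1: secret. It is a password-like value: rotation is manual and it can be
    // guessed or sprayed. Shown only for contrast with the certificate variant below.
    public static IConfidentialClientApplication BuildWithSecret(string clientSecret) =>
        ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();

    // Variant 2: certificate fetched by name from Key Vault. Key Vault rotates the cert and
    // the app always downloads the current version; the app registration must be updated
    // with the new public key when that happens.
    public static async Task<IConfidentialClientApplication> BuildWithCertificateAsync(
        Uri keyVaultUri, string certificateName)
    {
        var kv = new CertificateClient(keyVaultUri, new DefaultAzureCredential());
        X509Certificate2 cert = await kv.DownloadCertificateAsync(certificateName);
        return ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithCertificate(cert)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();
    }

    // Acquire an app-only token (no user involved) to send as a Bearer token to the Web API.
    public static async Task<string> GetApiTokenAsync(IConfidentialClientApplication app)
    {
        AuthenticationResult result = await app.AcquireTokenForClient(Scopes).ExecuteAsync();
        return result.AccessToken;
    }
}
```

Either builder can be used from a Postman-free integration test, since neither variant requires user interaction.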

@franva commented Apr 2, 2024

> 1. Secrets should be rotated periodically and while the AAD portal helps you with that (e.g. you can set expiry on a secret), this is not enforced. Certificate expiration is something that is better handled - e.g. you can get KeyVault to rotate certs and your app just gets the latest cert from KV (by name). Just remember to update your app registration!
> 2. Secrets are like passwords - vulnerable to brute force or spraying attacks. It's hard to enforce a 'strong' password. The private key of a certificate is much more complex and not vulnerable to these type of attacks.

Thank you, all questions answered 😌
