
svrooij/AuthenticationDemo


Authentication demo by @svrooij

This project shows how easy it is to enable JWT authentication on your api, using access tokens issued by Entra ID.
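As an added example (not the demo project's own code), this is the server side of what this README is about: an ASP.NET Core minimal api that validates Entra ID bearer tokens with the Microsoft.AspNetCore.Authentication.JwtBearer package. The tenant id, the api's client id and Application ID URI, the scope name `access_as_user`, the app role `Api.Access` and the `/api/me` route are assumptions for illustration; take the real values from your app registration.

```csharp
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumed values (read from configuration in a real api): the tenant that issues the tokens,
// the client id of the api's app registration and its Application ID URI.
var tenantId = builder.Configuration["Entra:TenantId"] ?? "00000000-0000-0000-0000-000000000000";
var apiClientId = builder.Configuration["Entra:ClientId"] ?? "00000000-0000-0000-0000-000000000000";
var apiIdUri = builder.Configuration["Entra:ApplicationIdUri"] ?? $"api://{apiClientId}";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // The handler downloads the OpenID Connect metadata (and the signing keys) from the authority,
        // so signatures are checked against the tenant's current keys without any key material in config.
        options.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";
        // Keep the JWT claim names (scp, roles, oid, azp) instead of mapping them to legacy WS-* claim URIs.
        options.MapInboundClaims = false;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Only this tenant may issue tokens for the api; v2.0 and v1.0 tokens use different issuer formats.
            ValidateIssuer = true,
            ValidIssuers = new[]
            {
                $"https://login.microsoftonline.com/{tenantId}/v2.0",
                $"https://sts.windows.net/{tenantId}/",
            },
            // The token must be minted for this api: v2.0 tokens carry the client id as aud, v1.0 tokens the App ID URI.
            ValidateAudience = true,
            ValidAudiences = new[] { apiClientId, apiIdUri },
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };
    });

builder.Services.AddAuthorization(options =>
{
    // A valid signature, issuer and audience only prove the token was minted for this api.
    // Also require that the caller was granted something on it: delegated (user) tokens carry
    // scopes in 'scp', app-only tokens (e.g. a managed identity) carry app roles in 'roles'.
    options.AddPolicy("ApiAccess", policy => policy
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx =>
            ctx.User.FindAll("scp").Any(c => c.Value.Split(' ').Contains("access_as_user")) ||
            ctx.User.FindAll("roles").Any(c => c.Value == "Api.Access")));
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Assumed endpoint: shows which identity called you and with which permissions.
app.MapGet("/api/me", (ClaimsPrincipal user) => Results.Ok(new
{
    ObjectId = user.FindFirst("oid")?.Value,
    CallingAppId = user.FindFirst("azp")?.Value,
    Scopes = user.FindFirst("scp")?.Value,
    Roles = user.FindAll("roles").Select(c => c.Value).ToArray(),
})).RequireAuthorization("ApiAccess");

app.Run();
```

The audience check is what stops a token issued for some other api in your tenant from being replayed against this one, and the issuer check stops tokens from other tenants. Neither says anything about what the caller is allowed to do: without the scope or app role check, any app registration in the tenant can obtain a token with your api as audience and would get through.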

The Swagger UI for this demo api is available here.

Codetour available


This project uses CodeTour in Visual Studio Code to describe how everything works. If you want a detailed explanation of how JWT authentication works, I suggest installing this extension and following the tour.

Additional information

I blog a lot about security; check it out at svrooij.io.

Access your api with a managed identity

Now that your api is protected with Entra ID, you can easily call it with a managed identity, without any secret or certificate in your code.

  1. Grant the managed identity access to your api (an app role assignment on the api), as described in this post.
  2. Add code to get the token.
using Azure.Core;
using Azure.Identity;
...

// The platform hands the token to the managed identity; there is no secret to store or rotate.
var credentials = new ManagedIdentityCredential();
// Replace api://.../.default with `{appIDUri}/.default` (your Application ID URI with the /.default suffix);
// /.default requests a single token carrying all app roles granted to this identity.
var tokenResult = await credentials.GetTokenAsync(new TokenRequestContext(new[] { "api://0a2dc1ae-040c-4228-9edf-f9e074127323/.default" }));
// The access token is in tokenResult.Token; send it as `Authorization: Bearer {tokenResult.Token}`.
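The two steps above as a complete console client, added here as an example (it is not code from the demo repository). The `API_SCOPE` and `API_BASE_URL` environment variables, the `api/me` route and the `BearerTokenHandler` class are assumptions of this example; the only identity involved is the managed identity of the host.

```csharp
using System.Net.Http.Headers;
using Azure.Core;
using Azure.Identity;

// Assumed values; in a real app both come from configuration.
// The scope is the Application ID URI of the api plus /.default.
var apiScope = Environment.GetEnvironmentVariable("API_SCOPE")
    ?? "api://0a2dc1ae-040c-4228-9edf-f9e074127323/.default";
var apiBaseUrl = new Uri(Environment.GetEnvironmentVariable("API_BASE_URL") ?? "https://localhost:5001/");

// System-assigned managed identity of the host (App Service, Container App, VM, ...).
// For a user-assigned identity pass its client id: new ManagedIdentityCredential(clientId: "<client id>").
TokenCredential credential = new ManagedIdentityCredential();

using var http = new HttpClient(new BearerTokenHandler(credential, apiScope) { InnerHandler = new HttpClientHandler() })
{
    BaseAddress = apiBaseUrl,
};

// "api/me" is an assumed route; any protected endpoint of the api will do.
using var response = await http.GetAsync("api/me");
Console.WriteLine($"{(int)response.StatusCode} {response.ReasonPhrase}");
Console.WriteLine(await response.Content.ReadAsStringAsync());

// Attaches a bearer token to every outgoing request. Azure.Identity credentials cache the token
// in memory and refresh it before it expires, so asking per request is cheap and never sends a stale token.
sealed class BearerTokenHandler : DelegatingHandler
{
    private readonly TokenCredential _credential;
    private readonly string[] _scopes;

    public BearerTokenHandler(TokenCredential credential, params string[] scopes)
    {
        _credential = credential;
        _scopes = scopes;
    }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AccessToken token = await _credential.GetTokenAsync(new TokenRequestContext(_scopes), cancellationToken);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);
        return await base.SendAsync(request, cancellationToken);
    }
}
```

A 401 from the api with a fresh token usually means the app role assignment from step 1 is missing (the token then has no `roles` claim), or the api was registered for a different token version than it validates; decode the token at the error, never log it.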

Sample scripts

I've also created some sample http requests you can use to call the api from VS Code.

Don't use Client Secrets

Even though this demo api would accept a client secret for the client credentials flow, I strongly advise against that. Use a managed identity, and if that is not an option, use a certificate stored securely in Key Vault (non-exportable, and accessed with a managed identity, so the private key never leaves the vault).

In protection against certificate extraction I explain the risks of someone extracting a secret or certificate.
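An added example (not code from this project, and not the author's Key Vault proxy) of the recommended alternative: the calling app authenticates to Entra ID with a certificate whose private key stays inside Key Vault. The host's managed identity is only allowed to sign with the key; the code builds the JWT client assertion itself and posts it to the token endpoint in a standard client credentials request. The vault, certificate name, tenant and client ids are assumed values; the packages used are Azure.Identity, Azure.Security.KeyVault.Certificates and Azure.Security.KeyVault.Keys.

```csharp
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;
using Azure.Security.KeyVault.Keys.Cryptography;

// Assumed values; read them from configuration in a real app.
var tenantId = "00000000-0000-0000-0000-000000000000";
var clientId = "11111111-1111-1111-1111-111111111111";      // app registration that calls the api
var vaultUri = new Uri("https://my-vault.vault.azure.net/");
var certificateName = "demo-api-client";                    // its public key is uploaded to that app registration
var apiScope = "api://0a2dc1ae-040c-4228-9edf-f9e074127323/.default";
var tokenEndpoint = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token";

// The host's managed identity is the only principal allowed to *use* the key (Key Vault role "Key Vault Crypto User").
// Nothing, including this code, needs permission to read or export the private key.
var credential = new ManagedIdentityCredential();

string assertion = await BuildClientAssertionAsync();

// client_credentials request with a JWT client assertion (RFC 7523) instead of a client_secret.
using var http = new HttpClient();
using var response = await http.PostAsync(tokenEndpoint, new FormUrlEncodedContent(new Dictionary<string, string>
{
    ["client_id"] = clientId,
    ["scope"] = apiScope,
    ["grant_type"] = "client_credentials",
    ["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
    ["client_assertion"] = assertion,
}));
var body = await response.Content.ReadAsStringAsync();
if (!response.IsSuccessStatusCode)
    throw new InvalidOperationException($"Token request failed ({(int)response.StatusCode}): {body}");
var accessToken = JsonDocument.Parse(body).RootElement.GetProperty("access_token").GetString();
Console.WriteLine($"Got an access token for {apiScope} ({accessToken!.Length} characters)");

async Task<string> BuildClientAssertionAsync()
{
    // Key Vault returns the public certificate together with the id of the key that backs it.
    var certClient = new CertificateClient(vaultUri, credential);
    KeyVaultCertificateWithPolicy cert = await certClient.GetCertificateAsync(certificateName);

    // x5t is the base64url SHA-1 thumbprint of the DER certificate; Entra ID uses it to pick the registered key.
    var header = JsonSerializer.Serialize(new { alg = "RS256", typ = "JWT", x5t = Base64Url(SHA1.HashData(cert.Cer)) });

    var now = DateTimeOffset.UtcNow;
    var payload = JsonSerializer.Serialize(new
    {
        aud = tokenEndpoint,                           // the assertion is only valid at this token endpoint
        iss = clientId,
        sub = clientId,
        jti = Guid.NewGuid().ToString(),
        nbf = now.ToUnixTimeSeconds(),
        exp = now.AddMinutes(5).ToUnixTimeSeconds(),   // short lived: a leaked assertion is useless after 5 minutes
    });

    var signingInput = $"{Base64Url(Encoding.UTF8.GetBytes(header))}.{Base64Url(Encoding.UTF8.GetBytes(payload))}";

    // The signature is computed inside Key Vault; only the bytes to sign and the signature cross the wire.
    var cryptoClient = new CryptographyClient(cert.KeyId, credential);
    SignResult signed = await cryptoClient.SignDataAsync(SignatureAlgorithm.RS256, Encoding.UTF8.GetBytes(signingInput));

    return $"{signingInput}.{Base64Url(signed.Signature)}";
}

static string Base64Url(byte[] bytes) =>
    Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
```

Create the certificate in Key Vault with an exportable=false policy, so even a principal with full secrets access cannot pull the private key; the sign operation is the only thing an attacker who compromises the host can do with it, and that access ends the moment you remove the role assignment. On a developer machine the same code works with your own credentials (for example `DefaultAzureCredential` instead of `ManagedIdentityCredential`) as long as your account holds the crypto role on the key.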

During development

During development, if you followed the tour, you have three options to get a token for the api.

  1. Get a token automatically using the built-in token client in the Swagger UI of the api.
  2. Use my Azure KeyVault Proxy to get a token with your developer credentials, while the certificate stays in Key Vault without any way to extract it.
  3. Build a small console app that creates a token for you using the MSAL client library, and put that token in a variable to use during testing.
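Option 3 as an added example (this is not the author's console app): a console program that uses Microsoft.Identity.Client (MSAL) to get a delegated token for the api with your own account and prints it as an `export` line for your shell. The client id of a public client app registration with `http://localhost` as redirect uri, the tenant id, the api's `access_as_user` scope and the `--device-code` switch are assumptions of this example.

```csharp
using System.Linq;
using Microsoft.Identity.Client;

// Assumed values: a public client app registration (redirect uri http://localhost), your tenant,
// and the delegated scope exposed by the api. Never put an api or client secret in a tool like this.
var clientId = "22222222-2222-2222-2222-222222222222";
var tenantId = "00000000-0000-0000-0000-000000000000";
var scopes = new[] { "api://0a2dc1ae-040c-4228-9edf-f9e074127323/access_as_user" };

var app = PublicClientApplicationBuilder.Create(clientId)
    .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
    .WithRedirectUri("http://localhost")
    .Build();

AuthenticationResult result;
// MSAL's default cache is in memory only, so across runs this is normally empty and you sign in again;
// add token cache serialization if you want silent renewal between runs.
var account = (await app.GetAccountsAsync()).FirstOrDefault();
try
{
    result = await app.AcquireTokenSilent(scopes, account).ExecuteAsync();
}
catch (MsalUiRequiredException)
{
    // No usable cached token: sign in. Interactive opens the system browser;
    // the device code flow works over ssh or inside a container without a browser.
    result = args.Contains("--device-code")
        ? await app.AcquireTokenWithDeviceCode(scopes, code =>
        {
            Console.Error.WriteLine(code.Message);
            return Task.CompletedTask;
        }).ExecuteAsync()
        : await app.AcquireTokenInteractive(scopes).ExecuteAsync();
}

// Only the export line goes to stdout so it can be eval'ed: eval "$(dotnet run)"
Console.WriteLine($"export API_TOKEN={result.AccessToken}");
Console.Error.WriteLine($"Token for {result.Account.Username}, expires {result.ExpiresOn:u}");
```

The token this produces is a user token, so the api sees a `scp` claim rather than the `roles` claim a managed identity token carries; make sure the api's authorization accepts both, or you will be testing a different code path than production uses.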