dotnet-podcasts/docs/demos/authentication/README.md

# Authentication

The .NET Podcast can be configured to use authentication from an OAuth provider. The `feeds` route has been configured to allow updates and deletions only from authenticated clients. This guide assumes that Azure Active Directory will be used as the authentication provider.

## Prerequisites

- An Azure account with an active subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

- Deploy the dotnet-podcasts application. Follow the detailed guidelines [here](../../deploy-websites-services.md).

- Azure Active Directory has been configured for a domain. Follow the [Create and configure an Azure Active Directory Domain Services managed domain](https://learn.microsoft.com/azure/active-directory-domain-services/tutorial-create-instance) tutorial, if you do not currently have domain services configured.

- The .NET CLI will need to be installed and configured. See the [.NET CLI overview](https://learn.microsoft.com/dotnet/core/tools/) for more information and how to install the .NET SDK.

## Configure Azure Active Directory

1. Sign in to the [Azure Portal](https://portal.azure.com)
1. Select the `Azure Active Directory` option from the side menu

   ![select active directory](images/select-active-directory.png)
1. Select the `App registrations` option from the Azure Active Directory side menu.
   
   ![select app registrations](images/select-app-registrations.png)
1. Select the `New registration` option from the Azure Active Directory top menu.
   
   ![select new registration](images/select-new-registration.png)
1. On the `Register an application` page, provide a name for the application and select `Register`.
   
   ![provide application name and select register](images/provide-application-name.png)
1. On the app registration overview page, take note of the `Application (client) ID` and `Directory (tenant) ID` as we will need this information for a later step.
1. Select the `Manage > App Roles` side menu option from the app registration management page.
   
   ![select manage > app roles](images/select-app-roles.png)
1. Select the `Create app role` option from the App roles top menu.
   
   ![create app role](images/select-create-app-role.png)
1. Configure the app role with the following information and select `Apply`.
   
   ![create app role](images/create-app-role.png)

   | Configuration                        | Value                                |
   | ------------------------------------ | ------------------------------------ |
   | Display Name                         | `API Access`                         |
   | Allowed member types                 | `Both (Users/Groups + Applications)` |
   | Value                                | `API.Access`                         |
   | Description                          | `Allows a user to edit in the api.`  |
   | Do you want to enable this app role? | `Enabled`                            |

## Enable Authentication in the Podcast.API

1. In the `Podcast.API` project, open the `appsettings.json` (or environment specific file such as `appsettings.Development.json`).
1. Add a new top-level property of `AzureAd` with the following configurations. The `{DOMAIN}`, `{AZURE_AD_TENANT_ID}`, and `{AZURE_AD_CLIENT_ID}` will need to be replaced with values captured earlier when configuring your app registration.

   ```json
   {
     "Logging": {
       "LogLevel": {
         "Default": "Information",
         "Microsoft": "Warning",
         "Microsoft.Hosting.Lifetime": "Information"
       }
     },
     "ConnectionStrings": {
       "PodcastDb": "Server=localhost, 5433;Database=Podcast;User Id=sa;Password=Pass@word;Encrypt=False",
       "FeedQueue": "UseDevelopmentStorage=true"
     },
     "AzureAd": {
       "Instance": "https://login.microsoftonline.com/",
       "Domain": "{DOMAIN}",
       "TenantId": "{AZURE_AD_TENANT_ID}",
       "ClientId": "{AZURE_AD_CLIENT_ID}"
     },
     "Authentication": {
       "Schemes": {
         "Bearer": {
           "ValidAudiences": ["1ba2c41d-3a54-414a-9700-1f9393cfafca"],
           "ValidIssuer": "dotnet-user-jwts"
         }
       }
     }
   }
   ```

1. Uncomment the following line from the `Program.cs` file.

   ```csharp
   builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration);
   ```

1. Start debugging or deploying your application.

### Testing Configurations

1. Using a terminal with .NET CLI available, navigate to the folder that contains the `Podcast.API` project and execute the following command. The `{TENANT_ID}` parameter will need to be replaced with the tenant id captured earlier when configuring your app registration.

   ```dotnetcli
   dotnet user-jwts create --audience 1ba2c41d-3a54-414a-9700-1f9393cfafca --claim "scp=API.Access" --claim "tid={TENANT_ID}"
   ```

1. When this executes, it will generate a new `Token`. Select the token value for later use.

   ![select generated token](images/generated-token.png)
1. Navigate to the `Podcast.API` swagger page. If debugging it may be `https://localhost:5001/swagger/index.html`.
1. Select the `Authorize` button, add the `Token` value generated previously, select `Authorize`, and select `Close`.
   
   ![select authorize in swagger](images/authorize-swagger.png)
   
   ![add swagger authorization](images/add-swagger-authorization.png)
1. Using the swagger UI, expand the `Get /feeds` option and `Execute`. From the response body, select the `id` value from one of the returned feed items.
   ![select get /feeds](images/get-feeds.png)
1. Using the swagger UI, expand the `Delete /feeds` option, select the `try it out` option, paste the `id` copied from the previous step into the `id` field, and `Execute`. If everything is authenticated successfully, you will receive a `204` code.
   
   ![delete /feed item](images/delete-feed.png)