daohualiuxiang
/
dotnet-podcasts
mirror of https://github.com/microsoft/dotnet-podcasts.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
dotnet-podcasts/docs/demos/authentication/README.md

114 lines
5.8 KiB
Markdown
Raw Permalink Blame History

# Authentication
The .NET Podcast can be configured to use authentication from an OAuth provider. The `feeds` route has been configured to allow updates and deletions only from authenticated clients. This guide assumes that Azure Active Directory will be used as the authentication provider.
## Prerequisites
- An Azure account with an active subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.
- Deploy the dotnet-podcasts application. Follow the detailed guidelines [here](../../deploy-websites-services.md).
- Azure Active Directory has been configured for a domain. Follow the [Create and configure an Azure Active Directory Domain Services managed domain](https://learn.microsoft.com/azure/active-directory-domain-services/tutorial-create-instance) tutorial, if you do not currently have domain services configured.
- The .NET CLI will need to be installed and configured. See the [.NET CLI overview](https://learn.microsoft.com/dotnet/core/tools/) for more information and how to install the .NET SDK.
## Configure Azure Active Directory
1. Sign in to the [Azure Portal](https://portal.azure.com)
1. Select the `Azure Active Directory` option from the side menu
![select active directory](images/select-active-directory.png)
1. Select the `App registrations` option from the Azure Active Directory side menu.
![select app registrations](images/select-app-registrations.png)
1. Select the `New registration` option from the Azure Active Directory top menu.
![select new registration](images/select-new-registration.png)
1. On the `Register an application` page, provide a name for the application and select `Register`.
![provide application name and select register](images/provide-application-name.png)
1. On the app registration overview page, take note of the `Application (client) ID` and `Directory (tenant) ID` as we will need this information for a later step.
1. Select the `Manage > App Roles` side menu option from the app registration management page.
![select manage > app roles](images/select-app-roles.png)
1. Select the `Create app role` option from the App roles top menu.
![create app role](images/select-create-app-role.png)
1. Configure the app role with the following information and select `Apply`.
![create app role](images/create-app-role.png)
| Configuration | Value |
| ------------------------------------ | ------------------------------------ |
| Display Name | `API Access` |
| Allowed member types | `Both (Users/Groups + Applications)` |
| Value | `API.Access` |
| Description | `Allows a user to edit in the api.` |
| Do you want to enable this app role? | `Enabled` |
## Enable Authentication in the Podcast.API
1. In the `Podcast.API` project, open the `appsettings.json` (or environment specific file such as `appsettings.Development.json`).
1. Add a new top-level property of `AzureAd` with the following configurations. The `{DOMAIN}`, `{AZURE_AD_TENANT_ID}`, and `{AZURE_AD_CLIENT_ID}` will need to be replaced with values captured earlier when configuring your app registration.
```json
{
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft": "Warning",
"Microsoft.Hosting.Lifetime": "Information"
}
},
"ConnectionStrings": {
"PodcastDb": "Server=localhost, 5433;Database=Podcast;User Id=sa;Password=Pass@word;Encrypt=False",
"FeedQueue": "UseDevelopmentStorage=true"
},
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "{DOMAIN}",
"TenantId": "{AZURE_AD_TENANT_ID}",
"ClientId": "{AZURE_AD_CLIENT_ID}"
},
"Authentication": {
"Schemes": {
"Bearer": {
"ValidAudiences": ["1ba2c41d-3a54-414a-9700-1f9393cfafca"],
"ValidIssuer": "dotnet-user-jwts"
}
}
}
}
```
1. Uncomment the following line from the `Program.cs` file.
```csharp
builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration);
```
1. Start debugging or deploying your application.
### Testing Configurations
1. Using a terminal with .NET CLI available, navigate to the folder that contains the `Podcast.API` project and execute the following command. The `{TENANT_ID}` parameter will need to be replaced with the tenant id captured earlier when configuring your app registration.
```dotnetcli
dotnet user-jwts create --audience 1ba2c41d-3a54-414a-9700-1f9393cfafca --claim "scp=API.Access" --claim "tid={TENANT_ID}"
```
1. When this executes, it will generate a new `Token`. Select the token value for later use.
![select generated token](images/generated-token.png)
1. Navigate to the `Podcast.API` swagger page. If debugging it may be `https://localhost:5001/swagger/index.html`.
1. Select the `Authorize` button, add the `Token` value generated previously, select `Authorize`, and select `Close`.
![select authorize in swagger](images/authorize-swagger.png)
![add swagger authorization](images/add-swagger-authorization.png)
1. Using the swagger UI, expand the `Get /feeds` option and `Execute`. From the response body, select the `id` value from one of the returned feed items.
![select get /feeds](images/get-feeds.png)
1. Using the swagger UI, expand the `Delete /feeds` option, select the `try it out` option, paste the `id` copied from the previous step into the `id` field, and `Execute`. If everything is authenticated successfully, you will receive a `204` code.
![delete /feed item](images/delete-feed.png)
Reference in New Issue View Git Blame Copy Permalink