Building micro services through Event Driven Architecture part18 : Securing Query HTTP API using Azure Active Directory B2C


This tutorial is the 18th part of a series : Building microservices through Event Driven Architecture.

The previous step is Building micro services through Event Driven Architecture part17 : Securing Command HTTP API using Azure Active Directory B2C.

If you have followed the previous tutorial, you can skip this one or use it as an exercise, because the process is identical.

In this tutorial, I will show how to use an identity provider to secure the query HTTP API microservice by enabling OAuth2 and OpenID Connect using Azure AD B2C.

Azure Active Directory B2C provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs.

Learn more about Azure AD B2C in What is Azure Active Directory B2C?

Azure Active Directory B2C 

To set up Azure AD B2C as an identity provider, I need to create a B2C tenant, which is different from an Azure AD tenant.

Azure AD B2C is a separate service from Azure Active Directory (Azure AD). It is built on the same technology as Azure AD but for a different purpose: to allow businesses to build customer-facing applications and then allow anyone to sign up to those applications with no restrictions on the user account.

Learn more about Azure AD in What is Azure Active Directory?

Securing Query HTTP API

To protect the query HTTP API microservice, I need to register an application in the Azure AD B2C tenant, expose the API, define scopes, configure the web API to use Azure AD authentication and finally enable SwaggerSecurityDefinition.

Azure AD B2C Application Registration

Go to the tenant, click on App registrations and fill in the form: provide an application name and the supported account types. Here I do not need a redirect URI because it is a web API.

Click on Expose an API and set the application ID URI (in my case https://workshopb2clogcorner.onmicrosoft.com/query/api).

Add the API scope Speech.List to enable users to grant consent. Users must consent to this scope to be allowed to list the speeches.

So click on Add a scope and provide the scope name, display name and description.

Configure Query HTTP API

Open the startup.cs class and add the following to register the services required by authentication and protect the web API with the Microsoft identity platform.

Open appsettings.Development.json and add the following:

Replace [ClientID] with the identifier of the application you registered earlier and [TenantName] with the name of your tenant, in my case workshopb2clogcorner.

This registers the services required by authentication and protects the web API with the Microsoft identity platform.

The user flows B2C_1_SignUpIn, B2C_1_PasswordReset and B2C_1_ProfileEdit were configured in step 16, Building micro services through Event Driven Architecture part16 : Azure Active Directory B2C: https://logcorner.com/building-micro-services-through-event-driven-architecture-part16-azure-active-directory-b2c/
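The wiring the two steps above describe, as an added example rather than the post's own startup.cs: it assumes the Microsoft.Identity.Web package and a configuration section named AzureAdB2C in appsettings.Development.json (the post does not name the section), and the SpeechController with its sample data is constructed for illustration.

```csharp
// Added example (not the post's code): Startup wiring for the query HTTP API.
// Assumes a configuration section named "AzureAdB2C" in appsettings.Development.json
// holding the keys Microsoft.Identity.Web reads for a B2C tenant:
//   "AzureAdB2C": {
//     "Instance": "https://[TenantName].b2clogin.com",
//     "Domain": "[TenantName].onmicrosoft.com",
//     "ClientId": "[ClientID]",
//     "SignUpSignInPolicyId": "B2C_1_SignUpIn",
//     "ResetPasswordPolicyId": "B2C_1_PasswordReset",
//     "EditProfilePolicyId": "B2C_1_ProfileEdit"
//   }
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;
public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }
    public void ConfigureServices(IServiceCollection services)
    {
        // Registers JWT bearer authentication against the B2C tenant: issuer, audience
        // (= ClientId) and signature are validated using the user flow's OpenID metadata.
        services.AddMicrosoftIdentityWebApiAuthentication(Configuration, "AzureAdB2C");
        services.AddControllers();
    }
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
[ApiController, Route("api/[controller]"), Authorize]   // a valid bearer token is required...
public class SpeechController : ControllerBase
{
    [HttpGet]
    public IActionResult List()
    {
        // ...and its "scp" claim must contain the scope exposed on the API, otherwise 403.
        HttpContext.VerifyUserHasAnyAcceptedScope("Speech.List");
        return Ok(new[] { "speech-1", "speech-2" });   // constructed sample data
    }
}
```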

OpenAPI Specification : Enable Swagger  

To test, document and use the API in real life, I'm going to use the OpenAPI (Swagger) specification. For more information about Swagger, I suggest you follow this link: https://swagger.io/resources/open-api/.

I first have to register the Swagger web application in the Azure AD B2C tenant. Just open your Azure AD B2C tenant and click on App registrations as you did in the previous step: provide a name, the account types and the redirect URI, which should be http://localhost:7000/swagger/oauth2-redirect.html, where http://localhost:7000 is the host of the web API.

The redirect URI is required because, after the authentication process, you are redirected back to the Swagger UI.

To authorize the Swagger UI to call the web API, I have to grant admin consent for the tenant.

So open the Swagger UI app registration and click on API permissions.

Click on the Add a permission button, select My APIs and choose the web API you registered earlier.

Select all the scopes and click on Add permissions.

Finally, click on Grant admin consent for {your tenant}.

Click on Certificates & secrets and create a new client secret. Keep it for later use, because you cannot see it again.

Open the appsettings.Development.json file and add the swaggerUI section, where:

[TenantName]  is the name of your B2C tenant
[OAuthClientId] is the swaggerUI application identifier you registered.
[OAuthClientSecret] is the client secret you created.

Open the startup.cs class and add the following code:

options.AddSecurityDefinition

Add a security definition to the generated Swagger document to describe how your API is protected.

options.AddSecurityRequirement

Add a global security requirement. Here you should add the list of scopes and an OpenApiReference to oauth2.
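The security definition and security requirement described above, as an added example that is not the post's startup.cs: it assumes the Swashbuckle.AspNetCore package, the swaggerUI configuration section from the previous step, the B2C_1_SignUpIn user flow, and the OAuth2 authorization code flow with PKCE, which is what the client secret created above serves; the scope description text is constructed.

```csharp
// Added example (not the post's code); reads the swaggerUI section described above.
using System.Collections.Generic;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.OpenApi.Models;
public static class SwaggerSetup
{
    // Full scope identifier = application ID URI of the API + "/" + scope name
    const string ScopeUri = "https://workshopb2clogcorner.onmicrosoft.com/query/api/Speech.List";
    public static void AddQueryApiSwagger(this IServiceCollection services, IConfiguration config)
    {
        var tenant = config["SwaggerUI:TenantName"];
        // B2C endpoints are per user flow; the sign-up/sign-in flow issues the access token
        var authority = $"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/B2C_1_SignUpIn/oauth2/v2.0";
        services.AddSwaggerGen(options =>
        {
            options.SwaggerDoc("v1", new OpenApiInfo { Title = "Query HTTP API", Version = "v1" });
            options.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
            {
                Type = SecuritySchemeType.OAuth2,
                Flows = new OpenApiOAuthFlows { AuthorizationCode = new OpenApiOAuthFlow
                {
                    AuthorizationUrl = new System.Uri($"{authority}/authorize"),
                    TokenUrl = new System.Uri($"{authority}/token"),
                    Scopes = new Dictionary<string, string> { [ScopeUri] = "List the speeches" }
                } }
            });
            // Global security requirement: every operation needs a token carrying Speech.List
            options.AddSecurityRequirement(new OpenApiSecurityRequirement
            {
                { new OpenApiSecurityScheme { Reference = new OpenApiReference
                    { Type = ReferenceType.SecurityScheme, Id = "oauth2" } },
                  new[] { ScopeUri } }
            });
        });
    }
    public static void UseQueryApiSwagger(this IApplicationBuilder app, IConfiguration config)
    {
        app.UseSwagger();
        app.UseSwaggerUI(ui =>
        {
            ui.SwaggerEndpoint("/swagger/v1/swagger.json", "Query HTTP API v1");
            ui.OAuthClientId(config["SwaggerUI:OAuthClientId"]);
            ui.OAuthClientSecret(config["SwaggerUI:OAuthClientSecret"]); // keep out of source control
            ui.OAuthUsePkce(); // pairs with the /swagger/oauth2-redirect.html redirect URI
        });
    }
}
```

Call services.AddQueryApiSwagger(Configuration) from ConfigureServices and app.UseQueryApiSwagger(Configuration) from Configure.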

Testing

Run the application, navigate to http://localhost:7000/swagger/index.html or https://localhost:7001/swagger/index.html and click on the Authorize button.

Enter the user credentials (this should be a user of the tenant).

Click on Close.

You will be able to call the API.

The source code is available here :

Thanks for reading, if you have any feedback, feel free to post it

Regards

Gora LEYE

I'm a microsoft most valuable professional (MVP) .NET Architect and Technical Expert skills located in Paris (FRANCE). The purpose of this blog is mainly to post general .NET tips and tricks, www.masterconduite.com Gora LEYE
