DEV Community

Discussion on: Secure Open API (Swagger) calls with Azure Active Directory

chrisworledge profile image
Chris Wobble

The startup/appsettings code looks fine, but the Azure AD setup is a bit mysterious

Not sure what the comment about the interactive notebook means, but I can configure an OpenAPI Client with a redirect uri of api/swagger/index. Not sure about the scopes though.... or Select the tokens you would like to be issued by the authorization endpoint:
Access tokens (used for implicit flows)
ID tokens (used for implicit and hybrid flows)

christosmatskas profile image
Christos Matskas Author

Hi Chris, thanks for the comment. The .NET Interactive Notebook sets up 2 App Registrations. One of them is used by the API to validate incoming tokens and scopes. The second one is used by the Swagger UI to acquire an Access Token and call the API endpoints. Please note that we don't use and encourage against implicit flows at all times. The current implementation uses Auth Code with PKCE. Ping us if you have any questions