DEV Community: The 425 Show

.NET 7 WebApp with Https in Docker, secured by Azure AD

Christos Matskas — Thu, 14 Apr 2022 02:05:26 +0000

I have to admit, this was a weird and tough one. All I wanted to do was run an ASP.NET Razor Pages app inside a container using Https and Azure Active Directory authentication. Well, this was definitely a fun one to solve. In this blog post I'll show you exactly how to do the following:

export the .NET Dev certs to use with Docker
configure the Azure AD authentication
configure the SameSite cookie policy in .NET
configure Docker to use the dev-certs

Export the .NET Dev certs

In order to be able to work in local dev with Docker and HTTPS we need a certificate. And the easiest way to get a cert is to use the .NET dev certs - they are free and available.

Note: this should only be used for local Dev to unblock certain scenarios

Open your favorite terminal and type the following

dotnet dev-certs https --clean
dotnet dev-certs https -ep %USERPROFILE%\.aspnet\https\aspnetapp.pfx -p <your secret>

### If you're using PowerShell, then you have to use the following command instead
dotnet dev-certs https -ep $env:USERPROFILE\.aspnet\https\aspnetapp.pfx -p <your secret>

dotnet dev-certs https --trust

Configure the ASP.NET Core Web App

By default, ASP.NET Core website have HSTS and HTTPS redirection enabled. This means that when running the application, it will expect and redirect all requests to the TLS-enabled port. I like to set mine to the standard 5001 since .NET 6 and 7 are now randomizing the app ports. You can change the default ports in the Properties\launchSettings.json file. This is what mine looks like:

{
  "iisSettings": {
    "windowsAuthentication": false,
    "anonymousAuthentication": true,
    "iisExpress": {
      "applicationUrl": "http://localhost:43362",
      "sslPort": 44382
    }
  },
  "profiles": {
    "AzureADAuthInDocker": {
      "commandName": "Project",
      "dotnetRunMessages": true,
      "launchBrowser": true,
      "applicationUrl": "http://localhost:5000;https://localhost:5001",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    },
    "IIS Express": {
      "commandName": "IISExpress",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    }
  }
}

Implement the necessary authentication, you need to add the following NuGet packages:

Microsoft.Identity.Web
Microsoft.Identity.Web.UI

In the appsettings.json file add the following AzureAD specific settings:

"AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "<your Azure AD tenant name>.onmicrosoft.com",
    "TenantId": "<your Azure AD tenant ID>",
    "ClientId": "<your Azure AD App Registration client ID>",
    "CallbackPath": "/signin-oidc"
  },

Update the program.cs add the following code:

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddAuthorization(options =>
{
    // By default, all incoming requests will be authorized according to the default policy.
    options.FallbackPolicy = options.DefaultPolicy;
});
builder.Services.AddRazorPages()
    .AddMicrosoftIdentityUI();


// code ommitted

app.UseAuthentication();
app.UseAuthorization();

At this point you can run the application locally using dotnet run and if everything has been configured correctly, you should be prompted to authenticate with your organizational (Azure AD) account

Create a Cookie Policy

If you plan on using Cookies in your solution, then you need to add a cookie policy. In Program.cs above the authentication settings, add the following code:

builder.Services.Configure<CookiePolicyOptions>(
    options =>
    {
        // This lambda determines whether user consent for non-essential cookies is needed for a given request.
        options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.None;
        options.Secure = CookieSecurePolicy.Always;
    });

Then, just above the app.UseAuthentication() you need to add this:

app.UseCookiePolicy();

Run the application and test that everything's working as expected!

If you get a cookie error as per below, make sure you have the right settings. Check everything and try again:

Configure Docker for our web app

There are some prerequisites when it comes to working with Docker, namely that you need to have Docker Desktop installed and WSL2 enabled if you want to use Linux containers. Make sure to have these installed correctly.

When it comes to creating the Docker files, I like to lean on VS Code to do the heavy lifting for me. You can find the information on how to set things up for your ASP.NET app here

Running the appropriate Docker commands from the VS Code pallette, should generate the following 3 files:

Dockerfile
docker-compose.yml
docker-compose.debug.yml

I left my Dockerfile mostly unchanged apart from the ENV ASPNETCORE_URLs value which I updated to: http://+:5000;https://+:5001

My docker-compose.yml file looks like this:

version: '3.4'

services:
  azureadauthindocker:
    image: azureadauthindocker
    build:
      context: .
      dockerfile: ./Dockerfile
    ports:
      - 5000:5000

And finally, the bulk of the changes took place in the docker-compose.debug.yml

# Please refer https://aka.ms/HTTPSinContainer on how to setup an https developer certificate for your ASP .NET Core service.

version: '3.4'

services:
  azureadauthindocker:
    image: azureadauthindocker
    build:
      context: .
      dockerfile: ./Dockerfile
    ports:
      - 5000:5000
      - 5001:5001
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=https://+:5001;http://+:5000
      - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/aspnetapp.pfx
      - ASPNETCORE_Kestrel__Certificates__Default__Password=<your secret>
    volumes:
      - ~/.vsdbg:/remote_debugger:rw
      - C:\Users\chmatsk\.aspnet\https:/https/:ro

With these changes, I can run my web app inside Docker directly from VS Code.

And this is an example with everything working end-to-end

If you want to run the container from the command line, then this is the command you need to use

docker run --rm -it -p 5000:5000 -p 5001:5001 -e ASPNETCORE_URLS="https://+:5001;http://+:5000" -e ASPNETCORE_HTTPS_PORT=5001 -e ASPNETCORE_Kestrel__Certificates__Default__Password="<your secret>" -e ASPNETCORE_Kestrel__Certificates__Default__Path=/https/aspnetapp.pfx -v C:\Users\chmatsk\.aspnet\https:/https/ <your image>

Running this command should produce the following output and your website should be accessible on https://localhost:5001

Reach out if you have any questions!

Azure Functions, Azure AD B2C and Python

Christos Matskas — Fri, 04 Mar 2022 01:45:30 +0000

Azure App Authentication (aka Eazy Auth) has been around for a while and it's a great turnkey solution for implementing authentication for your Azure Web Apps, APIs and Azure Functions.

There are, as with every technology, certain limitations. For example, you can't implement complex logic or do token validation and, in some cases, you need to write some code if you want to interact with the authenticated context. But if you want an ON/OFF solution that can quickly secure your Azure-based apps, then App Authentication is the solution!

In this blog post I'll show you how to:

Configure App Authentication with Azure AD B2C
How to retrieve and interact with the B2C Access Token
All of the above in Python!

Create a local Azure Function

I'll spare you the trouble of taking you through the steps in creating the boilerplate Azure Function. There is a great Quickstart in our official docs

Once you have the Function created, open the requirements.txt and add the following package: python-jose. This library is excellent for working with JWTs.

Then, open the __init__.py file and update the code to look like below:

import logging
from jose import jwt
import azure.functions as func
import json

token=None

def main(req: func.HttpRequest) -> func.HttpResponse:

    logging.info('Python HTTP trigger function processed a request.')

    auth = req.headers.get("Authorization", None)
    if not auth:
        return func.HttpResponse(
             "Authentication error: Authorization header is missing",
             status_code=401
        )
    parts = auth.split()

    if parts[0].lower() != "bearer":
        return func.HttpResponse("Authentication error: Authorization header must start with ' Bearer'", 401)
    elif len(parts) == 1:
        return func.HttpResponse("Authentication error: Token not found", 401)
    elif len(parts) > 2:
        return func.HttpResponse("Authentication error: Authorization header must be 'Bearer <token>'", 401)

    token_claims = jwt.get_unverified_claims(parts[1])

    # Do anything else you need here

    return func.HttpResponse(json.dumps(token_claims, indent=4))

This code checks for an Authorization header and then, it either returns an error message if something is wrong, or parses the claims and dumps them back in the HTTP response. Since we're not using Azure AD but Azure AD B2C, the standard App Authentication headers don't apply. The access token will be passed in the Authorization header with the expected value of Bearer <token>.

Function done!

Create the B2C application registration

In the Azure AD B2C, head to App Registrations and hit the New Registration button at the very top. Give it a meaningful name and press Register

Head over to the Expose an API tab and click on the Set Application ID URI

Final step, add a new scope. Give it a name such as access_as_user and the message for the admin consent and click the Add Scope button

Since this is B2C, you also need a SignUp/SignIn policy. You can follow the steps in this document.

There is one more piece of information we need to complete the process in B2C. Head to the Overview tab of the App Registration you just created and grab the well known endpoint from the Endpoints tab!

In the end, the information we need to configure our Azure Function Authentication is:

ClientID: your app registration client id
TenantID: your tenant ID
The well known URL: this is for JWT information

Set up Eazy Auth in the Azure Function App

The App Service Authentication can be set up through the CLI etc, but for the purpose of this blog, we'll use the Azure Portal. In the Azure Function App, navigate to the Authentication Tab and click on the Add New Authentication button

In the next window, add the following details

Identity Provider: Microsoft
App Registration Type: Provide the details of an existing app registration
Application ID: the API App Registration Client ID
Issuer URL: The Azure AD B2C Well Known endpoint
Allowed Token Audiences: your API App Registration Client ID
Restrict Access: Require Authentication
Unauthenticated requests: HTTP 401

With this information, the Azure Function App will require an Access Token to be passed in the HTTP request in the Authorization Header. If no token is available or the token is invalid, an HTTP 401 will be returned to the client

Source code

You can find the source code for this blog post on GitHub

Securing a .NET Azure Function with Azure AD

Christos Matskas — Tue, 25 Jan 2022 23:39:07 +0000

Last week I was asked by someone in the community for a sample that shows how to secure Azure Functions with Azure AD. And specifically, a .NET 5 or 6 Azure Function using the Microsoft.Identity.Web library to validate tokens and authorize access.

Watch the video

If you want to watch the 1hr video that shows you how to do it end-to-end, it's available on YouTube

Grab the code

The sample project from the stream is available to clone from GitHub

Prerequisites

You need an Azure Subscription Get it free here
An Azure Active Directory Free M365 Developer
.NET 6 Download here
Identity extension tool for the .NET Core command line
Azure Functions Core Tools Install instructions

Known issues

At the time of writing this, there is a known issue with .NET 6, Azure Functions **v4 and Microsoft.Identity.Web. Therefore, only the magic combination of the libries/NuGet packages mentioned in this blog/video work. The team is aware and working on a fix. What's the magic combo you ask? Your Azure Functions csproj file should have these dependencies (hardcode the version!)



<ItemGroup>
    <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="4.0.1" />
    <PackageReference Include="Microsoft.Azure.Functions.Extensions" Version="1.1.0" />
    <PackageReference Include="Microsoft.Identity.Web" Version="1.5.1" />
  </ItemGroup>

Create the project

The easiest way to get started is to use the .NET command line with the M.I.W extension (check the prereqs ^^^^). Open your favorite terminal and run the following command



mkdir <your directory name>
cd <your directory name>
dotnet new func2 --auth SingleOrg

This will create the files we need and implement the necessary middleware code.

First thing we need to do is open the *.csproj file and update it to look like this:



<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <AzureFunctionsVersion>v4</AzureFunctionsVersion>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="4.0.1" />
    <PackageReference Include="Microsoft.Azure.Functions.Extensions" Version="1.1.0" />
    <PackageReference Include="Microsoft.Identity.Web" Version="1.5.1" />
  </ItemGroup>
  <ItemGroup>
    <None Update="host.json">
      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
    </None>
    <None Update="local.settings.json">
      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
      <CopyToPublishDirectory>Never</CopyToPublishDirectory>
    </None>
    <None Update="appsettings.json">
      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
    </None>
  </ItemGroup>
</Project>

This will update the Azure Functions runtime to v4, set the target framework to .NET 6 and then pin the NuGet packages to the versions that work!

That's all the changes we have to implement in the code.

Configure Azure Active Directory

The Azure function is already configured to expect authenticated calls. Out of the box, since we used the M.I.W extension, there is also an API permission that we need to configure. Now, you can go ahead and set up Azure AD manually, or you can use the nifty .NET Notebook in the project to programmatically set up everything for you.

Configure the Azure AD settings in the Function project

Open appsettings.json and add the App Registration information that was in the output of the Notebook from the previous step. Your appsettings.json should look like this:



{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "<your ad domain name>.onmicrosoft.com",
    "TenantId": "<your tenant id>",
    "ClientId": "<your API Client Id>",
    "CallbackPath": "/signin-oidc"
  },
 "Logging": {
   "LogLevel": {
     "Default": "Information",
     "Microsoft": "Warning",
     "Microsoft.Hosting.Lifetime": "Information"
   }
  }
}

Save and close! You are now ready to run the Azure Function! In your terminal, type func host start. You should be presented with the following output that indicates that your Azure Function is up and running:

The default endpoint to call the API is: http://localhost:7071/api/SampleFunc

How does authentication work in this code?

Firstly, in Startup.cs we configure our authentication middleware in the ConfigureServices() method with the following code:



services.AddAuthentication(sharedOptions =>
{
    sharedOptions.DefaultScheme = Microsoft.Identity.Web.Constants.Bearer;
    sharedOptions.DefaultChallengeScheme = Microsoft.Identity.Web.Constants.Bearer;
})
.AddMicrosoftIdentityWebApi(Configuration.GetSection("AzureAd"));

Then, inside the Function code, first we make sure that we have an authenticated request, i.e. we look for an auth header with Bearer tokenstring value. If there is no Auth header, the code will generate an HTTP 401 error. Secondly, we check the token claims to ensure that the user has the right api permission, in this instance access_as_user. If a valid token with the wrong permission or missing permissions is presented, the code will return a 403 error back to the client. If a valid token and the right permissions are present, the code executes as expected. The code that does this is here:



var (authenticationStatus, authenticationResponse) =
   await req.HttpContext.AuthenticateAzureFunctionAsync();
if (!authenticationStatus) return authenticationResponse;
        req.HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);

NOTE: Auth attributes (a la ASP.NET) are supported but currently ignored. There will be a fix soon to fully support method-level attributes

Call the Azure Function from your client

Whichever client you use, you need to make sure that you can authenticate and get an Access Token to pass to your Azure Function. I use Thunder Client, which is a VS Code extension. These are my settings:

We can now call our Function from our client. If everything was setup correctly, we should receive an HTTP 200 with a response that contains a greeting with the name of the signed in user.

We now have an HTTP endpoint built with .NET 6 and Azure Functions, all secured with Azure Active Directory in 3 lines of code!

Summary

There may still be a few small issues with the Microsoft.Identity.Web library and Azure Functions, but if you're willing to take a hard dependency on a couple of NuGet packages, then you get a lot for free using the out of the box tools. As always, make sure to reach out to us via Discord or email us at 425Show@microsoft.com if you have any questions!

Open Standards, Security, Azure AD and AWS

Christos Matskas — Fri, 05 Nov 2021 01:45:29 +0000

One of the things we always talk about as Microsoft Identity Dev Advocates, is the openness and interoperability of our platform. You'll often hear me say: "any platform, any language" and that extends to tools and libraries.

For example, in the past 12 months, we worked closely with the JetBrain team to bring Azure AD integration in the Rider and IntelliJ IDEs to ensure that developers can successfully implement authentication and authorization in their applications directly from their favorite IDE.

Anything that can or should work with Azure AD is a fair game for me. So you can imagine how excited I got when I saw the awesome new library ( aws-jwt-verify) from the AWS that could perform token validation with 1st and 3rd party Identity Providers. So I got to work and built a Node.js app to test the library...

Unfortunately, my first attempt to build a working sample failed because there was a small issue with the library. The alg claim was expected in the JWT header but Azure AD omits it because it's marked is an optional field as per RFC 7517. Sinc the library is open source, we jumped to the repo to let the team know. I also gave them a polite nudge on Twitter to ensure that we got some eyeballs.

The team was quick to respond and within a few days we got a fix! The library works flawlessly now with Azure AD so if you're building an application that needs to verify (Azure AD) tokens, now you have a new library to work with.

Create the Azure AD App Registrations

Since this example builds on a previous blog post, check out the Create the Azure AD App Registrations section here. At some point I'll provide you with a Python/.NET Notebook to do this programmatically too :)

Build the secure Node API

Open your favorite terminal and type the following:

mkdir <your-project-name>
cd <your-project-name>
npm init -y
npm install aws-jwt-verify
npm install body-parser
npm install express
npm install --save-dev @types/node

Create 2 files:

index.ts
tsconfig.json

Open the project in code with code . and edit the tsconfig.json file to add the following code:

{
    "compilerOptions": {
        "target":"esnext",
        "sourceMap": true,
        "module": "esnext",
        "outDir": "out",
        "moduleResolution": "node",
        "allowSyntheticDefaultImports":true
    },
    "exclude": [
        "node_modules"
    ]
}

Finally, we're ready to add the code for our API. Open the index.ts file and add the following code:

import { JwtRsaVerifier } from "aws-jwt-verify";
import express from 'express';
import bodyParser from 'body-parser';

const SERVER_PORT = process.env.PORT || 8000;
const readOnlyScope: Array<string> = ["access_as_reader"];
const readWriteScope: Array<string> = ["access_as_writer"];
let accessToken;

const config = {
    auth: {
        clientId: "c7639087-cb59-4011-88ed-5d535bafc525",
        authority: "https://login.microsoftonline.com/e801a3ad-3690-4aa0-a142-1d77cb360b07",
        jwtKeyDiscoveryEndpoint: "https://login.microsoftonline.com/common/discovery/keys"
    }
};

const verifier = JwtRsaVerifier.create({
    tokenUse: "access",
    issuer: `${config.auth.authority}/v2.0`,
    audience: config.auth.clientId,
    jwksUri: config.auth.jwtKeyDiscoveryEndpoint
  });

const validateJwt = async (req, res, next) => {
    const authHeader = req.headers.authorization;
    if (authHeader) {
        const token = authHeader.split(' ')[1];

        try {
            const payload = await verifier.verify(token);
            console.info("Token is valid.");
            accessToken = payload;
            next();
        } catch {
            console.error("Token not valid!");
            return res.sendStatus(401);
        }
    } else {
        res.sendStatus(401);
    }
};

function confirmRequestHasTheRightScope(scopes:Array<string>): boolean{
    const tokenScopes:Array<string> = accessToken.scp.split(" ");
    scopes.forEach(scope => {
        if(!tokenScopes.includes(scope)){
            return false;
        }
    });
    return true;
}

// Create Express App and Routes
const app = express();
app.use(bodyParser.json());

app.get('/', (req, res)=>{
    var data = {
        "endpoint1": "/read",
        "endpoint2": "/write"
    };
    res.send(data); 
})

app.get('/read', validateJwt, (req, res) => {
    if(!confirmRequestHasTheRightScope(readOnlyScope)){
        res.status(403).send("Missing or invalid scope");
    };
    var data ={
        "message": "Congratulations - you read some data securely"
    }
    res.status(200).send(data);
});

app.get('/write', validateJwt, (req, res) => {
    if(!confirmRequestHasTheRightScope(readWriteScope)){
        res.status(403).send("Missing or invalid scope");
    };
    var payload = JSON.stringify(req.body);
    res.status(200).send(payload);
});

app.listen(SERVER_PORT, () => console.log(`Secure Node API is listening on port ${SERVER_PORT}!`))

The API provides 3 endpoints

/ (insecure)
/read (secure | requires a read-only scope)
/write (secure | requires a read-write scope)

The config object contains the necessary information for the verifier to be able to validate the authenticity and validity of the incoming token. Things like the authority and audience of the token ensuring that the token was issued by the right Azure AD tenant and it's for the right audience (i.e. our API). Without these checks, an attacker could pass any valid Azure AD token to our API.

The instantiation of the verifier is extremely simple, although there are more options :

const verifier = JwtRsaVerifier.create({
    tokenUse: "access",
    issuer: `${config.auth.authority}/v2.0`,
    audience: config.auth.clientId,
    jwksUri: config.auth.jwtKeyDiscoveryEndpoint
  });

We use the config object to populate the necessary options and set the verifier to only accept Access tokens with the tokenUse option. Once we instantiate the verifier, we can call the .verify(token); method to validate the passed token. I chose to implement a middleware function to do the token validation :)

Show me the code

You can find the full source code from this blog post on GitHub. And if you want a more complex example where we show you how to securely call some Azure Services such as Key Vault, Cosmos DB and Azure Storage, check out this GitHub repo

Summary

This blog post is a testament of what Open Source and open standards can achieve. The ability to use the language, tools and libraries of your choice to achieve your goals is great and I, for one, am truly excited that I get to do this every day. I also want to give a big shoutout to the AWS dev team (such as ottokruse ) that worked on this library for their openness to work with us to make the library truly interoperable. Here's to more collaborations!

Encrypt/decrypt data with .NET 6 and Azure Key Vault

Christos Matskas — Wed, 27 Oct 2021 18:48:31 +0000

Security is hard. It's hard because there are so many things that can go wrong along the way. Attackers only need to find one small gap to make it through whereas developers and IT Pros have to think about all the possible attack permutations and potential security vulnerabilities every step of the way. That's why we talk about "security in layers" when it comes to building systems that handle ~~sensitive~~ data. And unless you're creating static marketing pages, it's very likely that your solution will need to work with some data.

Where do I start?

If you're running on Azure (or other cloud providers) there are tools to help you keep your data secure both at rest and in transit. This is great document that can help you get a high level overview of Azure data security and encryption. And there are many more tools to help you lock down and tightly monitor access to your data: Azure Security Center, [Azure Advisor] and more etc etc.

In this blog post we're going to look at client data encryption/decryption using .NET and Azure key Vault. However, if you're not a .NET developer, the practices and ideas in this blog post are applicable and available to every language that's supported by the Azure SDK and since everything is a wrapper around our Azure REST API, you can even roll out your own libraries (if you decide to choose so)

The main point of this blog post is to help developers implement a robust solution to encrypt/decrypt data without having to worry about the underlying cryptographic implementation. Therefore, instead of spending weeks or months learning how cryptography works (symmetric, asymmetric, recommended algorithms and hard maths), you delegate the work to a service like Azure Key Vault. This way, you have a reliable and scalable service to manage your keys and perform complex operation outside your code! And that's the key: removing sensitive operations from you code makes it more robust

Prerequisites

To be able to use the code in this solution you'll need the following:

An Azure Subscription get a FREE one
An Azure Key Vault (create one)
.NET 6 Download
VS Code Download

One thing we haven't discussed yet is that this solution requires internet access to call into Key Vault. Consequently, if you have an on prem app that needs to run in isolation and not call into Azure, you'll need to look at equivalent, on prem solutions like HashiCorp Vault etc.

Account security and best practices

Most developers when working with Azure tend to use their own accounts out of convenience. However, this is not ideal. Instead, they should use Service Principals with restricted access rights to only the necessary resources. When moving to production, the Azure.Identity library makes it extremely easy to switch to Managed Identities without changing the code. Security end-to-end.

Let's create a Service Principal with the right permissions:

Open your favorite terminal (that has the Azure CLI installed) or jump straight to Azure Cloud Shell and run the following commands:



az ad sp create-for-rbac -n "cm-keyvault-crypto" --role "Key Vault Crypto User"
az keyvault set-policy --name cm-identity-kv --object-id a4e0e9c6-c507-4449-a9c4-25243ef61fe9 --key-permissions decrypt encrypt list get
az login --service-principal -u 2ff15c46-97bd-424a-b97a-433c8e5640d7 -p <your secret> --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47

The first command creates a service principal account and assigns it to Crypto user RBAC role. Although we will not be using RBAC for this example, it's recommended practice to assign the appropriate roles to your SPs. Also note that the default az ad sp create-for-rbac command behavior will change and stop assigning Contributor role by default - a great security measure going forward! Contributor is an overprivileged role and we want to avoid using such accounts for dev/test/prod.

The second command assigns the appropriate Access Policies to Azure Key Vault to allow us retrieve keys to use for encryption/decryption.

The final command signs in the Service Principal in the Azure CLI as we will be using this to provide credentials to our code.

Let's write some code

For this solution we are going to use the .NET CLI and VS Code. In your terminal type the following:



dotnet new console -n EncryptDecryptSample
dotnet add package install Azure.Identity
dotnet add package Azure.Security.KeyVault.Keys -v 4.3.0-beta.2

Open the project in VS Code with code .. Now we can write the necessary code to encrypt and decrypt data. Update the Program.cs file with the following code:



using System.Text;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Keys;
using Azure.Security.KeyVault.Keys.Cryptography;

// vault URL could be passed as a parameter
var KeyVaultUrl = "https://cm-identity-kv.vault.azure.net";
// using Azure AD to support secretless authentication to Azure Key Vault
var credentials = new ChainedTokenCredential(
                        new AzureCliCredential(),
                        new ManagedIdentityCredential()
                );

var client = new KeyClient(new Uri(KeyVaultUrl), credentials);

//this could be parametarized as you may wish to pass different keys for different operations
var keyName = "MyEncryptionKey";

//get the key (or create one on the fly - very unlikely in a production environment)
KeyVaultKey key;
try 
{
    key = await client.GetKeyAsync(keyName); 
} 
catch (RequestFailedException ex) when (ex.Status == 404) 
{
    key = await client.CreateRsaKeyAsync(new CreateRsaKeyOptions(keyName));
} 

//get the crypto client of the key
var cryptoClient = client.GetCryptographyClient(key.Name, key.Properties.Version);

//do the fun stuff
var plainText = "My secret message";
var byteData = Encoding.Unicode.GetBytes(plainText);

Console.WriteLine("Encrypting...");
var encryptedResult = await cryptoClient.EncryptAsync(EncryptionAlgorithm.RsaOaep, byteData);
Console.WriteLine($"Encrypted data: {Convert.ToBase64String(encryptedResult.Ciphertext)}");
Console.WriteLine("Decrypting...");
var decryptedResult = await cryptoClient.DecryptAsync(EncryptionAlgorithm.RsaOaep, encryptedResult.Ciphertext);
Console.WriteLine($"Decrypted data: {Encoding.Unicode.GetString(decryptedResult.Plaintext)}");

If the Service Principal is configured correctly then running the code with dotnet run should yield the following output:

If the Key Vault permissions are wrong (they shouldn't be if you followed the instructions above and signed in with the right account), you may receive the following error:

The code makes use of the Azure.Identity library to authenticate to Azure Key Vault and then instantiate a KeyClient and a CryptographyClient to perform the necessary operations. This way, we never have to use and Keys or Secrets to authenticate to Key Vault making our application even more secure.

NOTE: this code attempts to retrieve a key and, if not found, it creates a new one. The current Service Principal (as configured earlier) doesn't have the appropriate permission to create keys so the code will fail. We can either create a key using a more privileged account, or temporarily update the SP with a Create permission. In real world scenarios, the IT Admins or Security team will be responsible for creating (and rolling) keys in Key Vault.

Where is the code?

You can grab the code from [this GitHub repo] - notice how it jumps straight to the (https://github.dev/425show/EncryptDecryptDataWithKeyVault)

Summary

Application security is hard but we shouldn't be intimated by it, especially since, as developers we are spoiled for choice these days! Many of the hard problems that we had to solve in the past are now a service or product that we can easily pull off the shelf and add it to our solution. Therefore, if you need to encrypt/decrypt data in your application, you can now do it with less than 20 lines of code using Azure Key Vault backed by Azure AD. Let me know in the comments if you have any Qs :)

Working with Python Jupyter Notebooks and MS Graph in VS Code

Christos Matskas — Tue, 28 Sep 2021 20:59:21 +0000

Lately I find myself falling in love with Python more and more. It's simple, fast and super powerful. I know I'm late to the game but you know the saying: "better late than never" :)

Since Python is my go-to language these days, I decided to use it to automate one of the mundane and tricky parts of working with Azure AD - creating an App Registration for app authentication. Every time you need to implement authentication and authorization in your applications, be it a web app, api, desktop, mobile etc, you need to register an app, or possibly multiple apps in Azure AD. This is how you create the 1:1 relationship between your code and Azure AD and where you also configure api permissions, flows etc. This can get tricky since there are multiple steps and missing one can break things. What if there was a way to automate all that and avoid human errors?

Enter the world of MS Graph and Jupyter Notebooks.

Set up your environment

You'll need to install the latest Python. I'm using Python 3.9.x and since I'm late to the game, I'm happy to avoid the whole 2v3 debacle. Straight to Python 3!

In VS Code, you also want to install the following extensions:

Create the project

Crate a new directory and open it in VS Code. Here, we're going to create our Python virtual environment and install our dependencies. To create and activate a virtual environment, type the following commands:

PS - I'm working on Windows so the commands are slightly different

python -m venv .venv
.venv/scripts/activate.ps1

Next, we'll create a requirements.txt file and add the following dependencies/packages

ipykernel>=6.4.1
msgraph-core>=0.2.2
azure-identity>=1.6.1

Use this command to install the dependencies

pip install -r requirements.txt

If you get prompted to upgrade your pip to stop being pestered every time you run the pip command, now is a good time. In your terminal, type the following:

<path to your current directory>\.venv\scripts\python.exe -m pip install --upgrade pip

Finally, we can use the command palette to create a new Jupyter Notebook

Let's write some MS Graph code

To automate the Azure AD App Registration code, we can use MS Graph - the one API to rule them all! But before we write any code, we first need to.... register an app in Azure AD. Confused? I'm sure you are but let me break it down for you. To interact with Azure AD we need to be in an authenticated context. We need a way to authenticate as a user and consent to the right permissions so that we can programmatically configure Azure AD. And for this to happen, we need an App Registration.

I have created a multitenant app registration so if you have the right permissions, you should be able to sign in with your own organizational account and run the notebook. However, if you need to create your own App Registration, then these are the steps:

Open the browswer and navigate to your Azure AD Portal
Navigate to App Registrations
Create a new App Registration
Navigate to the Authentication tab
Add a new Platform
Select Desktop and Mobile
Set the Redirect Uri to Custom -> http://localhost
Save everything
From the Overview tab, copy the Client ID

And now we can write some code :)

In the first code segment of our Jupyter Notebook, we'll initialize our Graph client and set some variables to use later. Something that you may notice is that MS Graph now relies on the Azure.Identity library, which is part of the Azure SDKs, for authenticating and acquiring tokens which is super neat!

from azure.identity import InteractiveBrowserCredential
from msgraph.core import GraphClient
import uuid
import json

browser_credential = InteractiveBrowserCredential(client_id='7537790f-b619-4d30-a804-1c6b8b7f1523')
graph_client = GraphClient(credential=browser_credential)
scopes = ['Application.ReadWrite.All', 'User.Read']

On the next code segment, we'll create an API App Registration and set a custom API permission. Client apps should use this scope to call our API in the future.

apiAppName='automation - Python API'
apiIdentifier = f"api://{uuid.uuid4()}"
permissionId = f"{uuid.uuid4()}";

body = {
    'displayName': apiAppName,
    'identifierUris': [
        apiIdentifier           
    ], 
    'api': {
        'acceptMappedClaims': None,
        'knownClientApplications': [],
        'requestedAccessTokenVersion': 2,
        'oauth2PermissionScopes': [
            {
                'id': permissionId,
                'adminConsentDescription':'access the api as a reader',
                'adminConsentDisplayName':'access the api as a reader',
                'isEnabled': True,
                'type': 'User',
                'userConsentDescription': 'access the api as a reader',
                'userConsentDisplayName': 'access the api as a reader',
                'value':'api.read'
            }],
        'preAuthorizedApplications':[]
    }
}

result = graph_client.post('/applications',
                data=json.dumps(body),
                headers={'Content-Type': 'application/json'}
                )
appJson = json.dumps(result.json())
application = json.loads(appJson)

response = graph_client.get('/organization')
tenantJson = json.dumps(response.json())
tenant = json.loads(tenantJson)

print(f"Client Id: {application['appId']}")
print(f"Domain: {application['publisherDomain']}")
print(f"Tenant Id: {tenant['value'][0]['id']}")

For your example, you'll have to change the ApiAppName and ApiPermission variable values to make them meaningful to you and you're ready to go!

Show me teh c0dez

If you want to grab the Notebook and run it on your end, check out the GitHub repo

Secure Minimal APIs with .NET 6 and Azure AD B2C

Christos Matskas — Wed, 08 Sep 2021 00:37:59 +0000

Minimal APIs are all the rage these days. Python and Node.js have had a much simpler model for creating APIs for a while. And now .NET 6 joins this trend - which is a welcome change. I streamed about this on our 425Show Twitch channel so if you prefer video over text, you can watch all the action on our YouTube channel:

Prerequisites

You'll need the following to follow along:

.NET 6 Preview 7 (as of writing this blog post)
Visual Studio Code (or any other .NET IDE)
And Azure AD B2C (as part of your Azure subscription - get a free one here)

Create the Azure AD B2C App

We'll start by creating the two App Registrations needed for our API and our API client. In the Azure AD B2C portal, navigate to the App Registrations blade and create a new one by clicking on the + New Registration. Give it a meaningful name, leave the default for Supported Account Types and press Register. In the newly created App Registration, navigate to the Expose an API and Set the Application ID URI.

We can now add a Scope. Since we'll be pulling weather data, we can use something like Weather.Read for the scope name.

Take a note of the following information:

Application (Client) ID (App Registration Overview Tab)
Azure AD B2C Instance name (e.g https://[YourB2CName].b2clogin.com)
B2C Domain (e.g [YourB2CName].omicrosoft.com)
User flow name (e.g B2C_1_susi)

Using Thunder Client in VS Code to test a secure API

What good is it if we can't test/use our secure API? When I work with APIs, I like to use Thunder Client, a VS Code extension that provides a GUI based REST Client. Unlike Postman, I don't have to install it on every machine and it is available in CodeSpaces too! For Thunder Client to be able to call an Azure AD B2C secure API we we need a client API App Registration. Let's do this!

Create a new App Registration, give it a meaningful name and press Register. Then navigate to the Authentication tab and press the + Add a platform button. Make sure to select Web and add the following for the Redirect URI: https://www.thunderclient.io/oauth/callback. This is the URL that Thunder Client is expecting to receive the Access Token.

Next, navigate to the Certificates & Secrets tab and create a new secret. Make sure to copy it as we'll need it to configure Thunder Client.

Finally, we need to add our API permissions. Navigate to the API permissions tab and press the Add a permission. Select My APIs, find the name of the App Registration you created at the previous step and select it.

Expand the permissions, select the name of your permission (in your case it should be Weather.Read). Then press the Add Permission button.

The final, and most important, step in the process is to give Admin Consent to our custom API Permission.

The information we need from this App Registration is:

Application (Client) ID (App Registration Overview Tab)
Auth endpoint (e.g https://cmatdevb2c.b2clogin.com/cmatdevb2c.onmicrosoft.com/YourB2CPolicyName/oauth2/v2.0/authorize
Token endpoint (e.g https://cmatdevb2c.b2clogin.com/cmatdevb2c.onmicrosoft.com/YourB2CPolicyName/oauth2/v2.0/token)
Client Secret
API Permission (e.g https://cmatdevb2c.onmicrosoft.com/b332fc47-cfff-4f57-bb0f-7b6ccea75521/weather.read)

In Thunder Client, create a new Request and navigate to the Auth tab, select OAuth2 and configure the settings as shown in the pic below:

We can now test it out. If all is configured correctly, you should see the following:

Create and secure the minimal API

Open your favorite terminal (mine is Windows Terminal) and type the following:

dotnet new webapi --auth IndividualB2C

The template does most of the work for us, but we can tweak the code to make it truly minimal! Update your Program.cs to look like this

using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;
using MinimalAPIWithB2C2;

string[] Summaries = new[]
{
    "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
};

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration, "AzureAdB2C");

builder.Services.AddAuthorization();
builder.Services.AddCors(options => options.AddPolicy("allowAny", o => o.AllowAnyOrigin()));
builder.Services.AddControllers();
builder.Services.AddSwaggerGen(c =>
{
    c.SwaggerDoc("v1", new() { Title = "MinimalAPIWithB2C2", Version = "v1" });
});

var app = builder.Build();

// Configure the HTTP request pipeline.
if (builder.Environment.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
    app.UseSwagger();
    app.UseSwaggerUI(c => c.SwaggerEndpoint("/swagger/v1/swagger.json", "MinimalAPIWithB2C2 v1"));
}

app.MapGet("/weatherforecast",(HttpContext context) => 
{
    context.VerifyUserHasAnyAcceptedScope(new[] {"access_as_user"});
    return Enumerable.Range(1, 5).Select(index => new WeatherForecast
    {
        Date = DateTime.Now.AddDays(index),
        TemperatureC = Random.Shared.Next(-20, 55),
        Summary = Summaries[Random.Shared.Next(Summaries.Length)]
    })
    .ToArray();
}).RequireAuthorization();

app.UseAuthentication();
app.UseHttpsRedirection();
app.UseCors();
app.UseAuthorization();

app.MapControllers();

app.Run();

We can now delete the Controllers folder and all it's contents. Finally, we need to update the appsettings.json with the info we collected from the first step when we created the API App Registration. Your appsettings.json should look like this:

{
  "AzureAdB2C": {
    "Instance": "https://<yourB2CName>.b2clogin.com/tfp/",
    "ClientId": "<your client id>",
    "Domain": "<yourB2CName>.onmicrosoft.com",
    "SignUpSignInPolicyId": "B2C_1_susi"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "AllowedHosts": "*"
}

The policy name needs to match in both your API and your Thunder Client settings.

Let's build and run the API so that we can test it :)

dotnet build
dotnet run

Then, let's switch to Thunder Client in VS Code and send a GET request to our API endpoint: https://localhost:5001/weatherforecast. If everything was configured correctly, we should receive the following output from the API:

Show me the Code!!

If you want to go straight to the source code, check out our working sample in the 425Show Github repo

Summary

I really dig the new minimal API templates in .NET 6. And although this approach may not be for everyone, I can totally see the appeal. Also note that you don't have to stick with this design and you can refactor your code out to separate files to keep your files small and concise. Controllers are here to stay! In the end, it all comes down to personal preference and what works best for you and your team.

Calling an Azure AD secured API with Postman

Christos Matskas — Thu, 02 Sep 2021 23:59:31 +0000

Secure APIs are all the rage, but how can we easily test them. If you're using Postman, then this blog post will show you how to configure and use Postman to call an Azure AD-secured API.

The secure API expects an access token to be passed. Therefore, Postman needs to acquire and use an Access Token when calling the API. If there is no token attached to the request, then you'll most likely receive an HTTP 401 error (unauthenticated) - which is right. If you pass an Access Token with your request but don't have the right scope, if your API has been coded correctly, you should receive an HTTP 403 error (unauthorized) - which is also right. Let's see how we can test our APIs with Postman!

Configure the App Registration for Postman

In order for Postman to be able to acquire an Access Token, it needs to have a corresponding Azure AD App Registration. In this section, we'll configure the App Registration in Azure AD. If you don't have an Azure AD already (I doubt it since you're reading this), you can get a FREE, full-blown P1 Azure AD Tenant through the Microsoft 365 Developer Program.

Sign in to your Azure AD portal, navigate to App Registrations and click on the + New Registration button. Give the app a meaningful name and press Register.

Then, open the Authentication tab and Add a platform. Select Web for the platform. In the Redirect URI add the following https://oauth.pstmn.io/v1/callback and then press Configure.

We also need a client secret. Navigate to the Certificates and Secrets tab and create a new secret. Make sure to copy the secret value as it will be unavailable once you navigate off this tab (but you can always delete it and recreate it).

Information needed for Postman

Client Id: Can be found in the Overview Tab
Client Secret: Was created and copied in the previous step
Auth URL: In the Overview Tab, click on Endpoints
Access Token URL: In the Overview Tab, click on Endpoints
Scope: e.g api://279cfdb1-18d5-4fd6-b563-291dcd4b561a/weather.read

You can find the right scope in your API App Registration in Azure AD -> open the Expose an API tab -> Copy the Scope

Copy the v2 URLs for the Authorization and Token endpoints as per the image below:

Configure Postman

We now have everything we need to configure our Auth settings in Postman. In your Postman, create a new Request and navigate to the Authorization tab. Next populate the fields as shown in the image below, using all the settings we gathered in the previous section.

Note: you'll need to check the Authorize using browser checkbox and ensure that your browser is not blocking any popups.

We are now ready to test our configuration. Press the Get New Access Token in Postman. If everything's configured correctly, you should see something similar as per the video below:

You can now use Postman to call various API endpoints. Note that if you need different scopes for different parts of the API, you'll need to add them to the scopes which will need to be space delimited.

Have fun securing and testing your APIs and make sure to join our Discord if you have any Identity or Azure related questions.

Delete all users in an Azure AD Tenant programmatically

Christos Matskas — Tue, 27 Jul 2021 00:33:17 +0000

The first part of "deleting an Azure AD tenant programmatically" is here. Today, we're going to delete all Azure AD users (except our admin account). Me an JP streamed the whole process along with the steps necessary to achieve this, but you can always skip to the code or the blog post below:

Prerequisites

VS Code
.NET Core 3.1 (or later)
An Azure AD B2C tenant

The Azure AD App Registration

To be able to interact with Azure AD, we need to create an App Registration. In Azure AD, got to App Registrations -> New Registration. Give it a meaningful name and select multi-tenant for supported account types. In the new App Registration, navigate to the Authentication and Add a Platform. Select Mobile & Desktop, choose the URI that works best for you (I like the MSAL one) and then make sure to select the Enable Public Client Flows option. Save this! Finally, we need to add and admin-consent to the necessary MS Graph permissions. In API Permissions press the Add a permission button, select Delegated permissions and search for the User.ReadWrite.All permission. Make sure to press the Add Permission at the bottom of the window.

Since this is a Console app, we need to provide admin consent prior to authenticating. On the API Permissions blade, press the Grant Admin consent for

We are now ready to build our user deletion code...

Let's write some code

Our code needs to

Authenticate the current user (interactive auth)
Retrieve all user objects in the directory
Ensure we exclude our admin account (otherwise we lose access)
batch up the delete operation and execute the batches.

Open up your favorite Terminal and type:
dotnet new console -n tenant_deleter

We also need to add a couple of NuGet packages to make our lives easier when interacting with Azure AD and MS Graph. In the Terminal, type:

dotnet add package Microsoft.Graph
dotnet add package Microsoft.Identity.Client

Open the project in your favorite code editor (I use VS Code) and add a new file: MsalTokenProvider.cs. Add the following code:

using System;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Identity.Client;

namespace tenant_deleter
{
    // todo: stop building new MsalTokenProviders for every project
    public class MsalTokenProvider : IAuthenticationProvider
    {
        public readonly IPublicClientApplication _client;
        private readonly string[] _scopes = {
             "https://graph.microsoft.com/User.ReadWrite.All"
            };

        public MsalTokenProvider(string tenantId)
        {
            _client = PublicClientApplicationBuilder
               // mt app reg in separate tenant
               // todo: move to config
               .Create("<Your Azure AD App registration Client ID>")
               .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
               .Build();
        }

        public async Task AuthenticateRequestAsync(HttpRequestMessage request)
        {
            AuthenticationResult token;
            try
            {
                // get an account ------ ??????
                var account = await _client.GetAccountsAsync();
                token = await _client.AcquireTokenSilent(_scopes, account.FirstOrDefault())
                    .ExecuteAsync();
            }
            catch (MsalUiRequiredException)
            {
                token = await _client.AcquireTokenWithDeviceCode(
                    _scopes,
                    resultCallback =>
                    {
                        Console.WriteLine(resultCallback.Message);
                        return Task.CompletedTask;
                    }

                ).ExecuteAsync();
            }
            request.Headers.Authorization =
                    new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", token.AccessToken);
        }
    }
}

This code is responsible for signing in to Azure AD and acquiring the Access Token for MS Graph.

Go back into Program.cs to add the necessary code:

using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Graph;

namespace tenant_deleter
{
    class Program
    {
        async static Task Main(string[] args)
        {
            string tenantId;
            if (args.Length < 1)
            {
                Console.WriteLine("gimme a tenant");
                tenantId = Console.ReadLine();
            }
            else
            {
                tenantId = args[0];
            }

            var graph = new GraphServiceClient(new MsalTokenProvider(tenantId));
            var td = new ThingDeleter(graph);
            await td.DeleteAllUsersFromTenant();
            Console.WriteLine("*fin*");
            Console.ReadLine();
        }
    }

    public class ThingDeleter
    {
        private readonly GraphServiceClient _graphServiceClient;
        public ThingDeleter(GraphServiceClient client)
        {
            _graphServiceClient = client;
        }

        // delete all users from tenant
        public async Task DeleteAllUsersFromTenant()
        {
            var me = await _graphServiceClient.Me.Request().Select(x => x.Id).GetAsync();
            var users = await _graphServiceClient.Users.Request()
                .Select(x => x.Id)
                .Top(20)
            .GetAsync();

            var batch = new BatchRequestContent();
            var currentBatchStep = 1;
            var pageIterator = PageIterator<User>
            .CreatePageIterator(
                _graphServiceClient,
                users,
                (user) =>
                {
                    if (user.Id == me.Id) return true; //don't delete me
                    var requestUrl = _graphServiceClient
                            .Users[user.Id]
                            .Request().RequestUrl;

                    var request = new HttpRequestMessage(HttpMethod.Delete, requestUrl);
                    var requestStep = new BatchRequestStep(currentBatchStep.ToString(), request, null);
                    batch.AddBatchRequestStep(requestStep);

                    if (currentBatchStep == users.Count)
                    {
                        _graphServiceClient.Batch.Request().PostAsync(batch).GetAwaiter().GetResult();
                        currentBatchStep = 1; // batches are 1-indexed, weird
                        return true;
                    }
                    currentBatchStep++;
                    return true;
                },
                (req) =>
                {
                    return req;
                }
            );
            await pageIterator.IterateAsync();
        }
    }
}

You'll notice that the Graph code uses batching to optimize the calls against MS Graph. This is necessary, especially for larger tenants with 1000s of users. The nice thing is that we can also parallelize this to make it ever more efficient :)

Now, we can build the code with dotnet build to make sure that everything builds and that we haven't missed anything.

Finally, let's run the app with dotnet run <your Tenant Id>

Job done. One task down, a few more to go! Check the main blog post on how to delete an Azure AD Tenant.

Show me the code

If you want to clone and run the app, head out to the GitHub Repo

Delete an Azure AD B2C tenant programmatically

Christos Matskas — Mon, 26 Jul 2021 23:15:21 +0000

There are many cases where you may want to programmatically delete an Azure AD B2C instance programmatically. Luckily, most of what we need to do is doable via MS Graph APIs. Quick reminder that MS Graph may not be available for client accounts that use B2C to sign up/in but it's available to admin accounts and can be used to automate or manage a B2C tenant. With that in mind, we're good to go!

Prerequisites

.NET Core (3.1 or later)
VS Code
An Azure AD B2C tenant

Necessary steps

Unlike other Azure Resources, Azure AD and B2C require more work to be deleted. When attempting to delete a B2C tenant, the portal present us with a list of actions that need to be completed before we're allowed to blast the resource off the face of the earth. Example below:

Subsequently, we will be tackling these one at a time and in most cases, there will be an associated video stream to show you how we went about it. If you don't want to see me and JP struggling through the process, you can jump straight to the blog post and code repository:

Delete all users in an Azure AD Tenant
Delete all app registrations in an Azure AD Tenant
Delete all associated Azure subscriptions in an Azure AD Tenant
Delete all identity providers in an Azure AD Tenant
Delete all user flows in an azure AD Tenant

As always, reach out to us if you have any questions and don't forget to join our Discord

Secure Open API (Swagger) calls with Azure Active Directory

Christos Matskas — Wed, 21 Jul 2021 00:52:18 +0000

We have talked about secure web apps and APIs many times here. In this blog post we'll examine how to secure Swashbuckle (.NET's version of Open API/Swagger) with Azure Active Directory in order to make authenticated calls to secure APIs.

Configure the Azure AD App Registrations

To enable end-to-end authentication ,we need to create 2 App Registrations in Azure AD. One for the API and one for the OpenAPI client. You can use the attached .NET Interactive Notebook app-registrations.ipynb to automatically configure both the API and the Swagger App Registrations in Azure AD.

Open API/Swagger with .NET

When you create a new API in .NET Core, the default template adds the Open API configuration by default. This means that everything works out of the box. However, if you add authentication to the API then Open Api stops working and needs additional configuration to acquire the necessary access token from Azure AD to make authenticated calls to the API.

Below we have the starting configuration of Open API in .NET



public void ConfigureServices(IServiceCollection services)
{
    services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
    services.AddControllers();
    services.AddSwaggerGen(c =>
    {
        c.SwaggerDoc("v1", new OpenApiInfo { Title = "VolcanoAPI", Version = "v1" });
        });
    }

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
        app.UseSwagger();
        app.UseSwaggerUI(c => c.SwaggerEndpoint("/swagger/v1/swagger.json", "YouAPI v1"));
    }

    app.UseHttpsRedirection();
    app.UseRouting();
    app.UseAuthentication();
    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
         endpoints.MapControllers();
    });
}

Let's implement authentication for our Open API middleware and UI. First, update the Startup.cs with the necessary code. In the ConfigureServices() method, add the following code:



services.AddSwaggerGen(c =>
{
    c.SwaggerDoc("v1", new OpenApiInfo { Title = "swaggerAADdemo", Version = "v1" });            
    c.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
    {
        Description = "OAuth2.0 Auth Code with PKCE",
        Name = "oauth2",
        Type = SecuritySchemeType.OAuth2,
        Flows = new OpenApiOAuthFlows
        {
            AuthorizationCode = new OpenApiOAuthFlow
            {
                AuthorizationUrl = new Uri(Configuration["AuthorizationUrl"]),
                TokenUrl = new Uri(Configuration["TokenUrl"]),
                Scopes = new Dictionary<string, string>
                {
                    { Configuration["ApiScope"], "read the api" }
                }
            }
        } 
    });
    c.AddSecurityRequirement(new OpenApiSecurityRequirement
    {
        {
            new OpenApiSecurityScheme
            {
                Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "oauth2" }
            },
            new[] { Configuration["ApiScope"] }
        }
    });
});

Next step, update the Configure() method to wire up the UI with the appropriate authentication settings. This bit will enable users to login in the UI before making API calls in the OpenAPI page.



if (env.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
    app.UseSwagger();
    app.UseSwaggerUI(c =>
    {
        c.SwaggerEndpoint("/swagger/v1/swagger.json", "swaggerAADdemo v1");
        c.OAuthClientId(Configuration["OpenIdClientId"]);
        c.OAuthUsePkce();
        c.OAuthScopeSeparator(" ");
    });
}

As you may have noticed, both bits of code require some configuration settings. Open the appsettings.json file and add the following json at the end:



"AuthorizationUrl":"https://login.microsoftonline.com/<your tenant Id>/oauth2/v2.0/authorize",
TokenUrl":"https://login.microsoftonline.com/<your tenant Id>/oauth2/v2.0/token",
"ApiScope": <your api scope(s)>,
"OpenIdClientId": "<your swagger app reg client id>"

The APIScope property should have a value similar to this "api://cd28264c-2a31-49df-b416-bf6f332c716d/". This is the scope expected in the Access token by your API.

Finally, the OpenIdClientId should contain the Client ID from the Azure AD App Registration -> We did this as part of step 1 when we created the Azure AD App Registrations.

See it in action below:
Step 1 - Authenticate in Swagger UI

Step 2 - Make an authenticated call to the API

Source Code

As always, if you want to clone the source code, you can find a working repo on GitHub

Conclusion

I hope you found this useful but feel free to reach out to us on Twitter @christosmatskas, @AzureAndChill or join us on Discord to let us know if you have any issues with authentication, Azure AD or B2C!

A Python MSAL Token Cache for Confidential Clients

Christos Matskas — Wed, 30 Jun 2021 17:15:58 +0000

MSAL, the Microsoft Authentication Library, helps developers implement authentication and authorization using Azure AD or Azure AD B2C. With a few lines of code, you can add the necessary functionality sign in users and secure resources. MSAL comes with a lot of built-in capabilities to help you do as little work as possible. MFA, Conditional Access and advanced features are available out of the box - no code needed. In many cases, token caching is also provided out of the box. For example, the default cache is in memory. This works great for most dev scenarios, like testing web apps and APIs.

However, there are certain scenarios that in-memory token caching doesn't work. Ideally, any workload deployed to production should have a persisted and scalable token cache.

In this blog post, we'll look at how to setup a file-based token cache for our Python-based daemon app. The reason why we need a token cache is because daemon apps are ephemeral. The app runs for a bit to execute a certain task and then terminates. The problem here is that without a token cache, every time we run the daemon, we have to authenticate and acquire a token from Azure AD - which is not efficient!

Let's build a cache.

Building the MSAL Python Cache

The good news is that we don't really have to do a lot of work for this. The MSAL team has already built an extension library for Python to provide the basic plumbing for our token cache.

In our existing Python app, we need to add the new library and implement a bit of code to set everything up.

Open the requirements.txt, add the following and save the file:

msal-extensions>=0.3.0

We can now update our dependencies

pip install -r requirement.txt

Create a new file msalcache.py and add the following code

import sys
import logging

from msal_extensions import *

def build_persistence(location, fallback_to_plaintext=False):
    if sys.platform.startswith('win'):
        return FilePersistenceWithDataProtection(location)
    if sys.platform.startswith('darwin'):
        return KeychainPersistence(location, "my_service_name", "my_account_name")
    if sys.platform.startswith('linux'):
        try:
            return LibsecretPersistence(
                location,
                schema_name="my_schema_name",
                attributes={"attr1": "hello", "attr2": "world"},
                )
        except:
            if not fallback_to_plaintext:
                raise
            logging.exception("Encryption unavailable. Opting in to plain text.")
    return FilePersistence(location)

That's it. We can now use this code to instantiate a cache and assign it to our MSAL Confidential Client.

Using the token cache with MSAL

Before instantiating our MSAL ConfidentialClient we need to create a cache. Add the following code to console.py (or your main code file)

persistence =msalcache.build_persistence("token_cache.bin")
print(f'The MSAL Cache supports encryption: {persistence.is_encrypted}')
cache = PersistedTokenCache(persistence)

Finally, we have to update our ConfidentialClient client to use the cache. Update the code as per below:

app = msal.ConfidentialClientApplication(
    client_id=config["client_id"],
    client_credential=aad_client_secret.value,
    authority=config["authority"],
    token_cache=cache
)

That's it!

Running the code from now on will make use of the cache and the call the acquire_token_silent() will yield an access token after the first time we run our daemon :)

You can get the source code for this project from our GitHub repo

If you want to learn more about the MSAL for Python library, you can read the docs here