DEV Community: Flavio Campelo

Azure Service Bus and Azure Functions Integration

Flavio Campelo — Tue, 04 Jun 2024 13:48:46 +0000

📮 Contact 🇧🇷 🇺🇸 🇫🇷

Azure Service Bus and Azure Functions Integration

This documentation provides a step-by-step guide on how to create and configure an Azure Service Bus and implement Azure Functions to send and process messages using dependency injection.

Prerequisites

Azure Subscription
Visual Studio or Visual Studio Code
Azure Functions Core Tools
.NET Core SDK

Steps

1. Create Azure Service Bus

Using Azure Portal

Create a Service Bus Namespace:

a. Go to the Azure portal and click on "Create a resource".

b. Search for "Service Bus" and click "Create".

c. Fill in the necessary details:
```
- Name: Enter a unique name for the namespace.

- Region: Select your preferred region.

- Pricing tier: Choose the appropriate pricing tier.
```
d. Click "Review + create" and then "Create".
Create Queues in the Namespace:

a. After the namespace is created, navigate to it.

b. In the left-hand menu, select "Queues" and click "+ Queue" at the top.

c. Fill in the queue details:
```
- Name: flow.normal

- Configure additional settings as needed or leave default values.
```
d. Click "Create".

e. Repeat the process to create a queue named flow.rejected.

Using Azure CLI

az login


2. Create a Service Bus Namespace:

```sh


az servicebus namespace create --resource-group <ResourceGroupName> --name <NamespaceName> --location <Region>

Create Queues:



az servicebus queue create --resource-group <ResourceGroupName> --namespace-name <NamespaceName> --name flow.normal
az servicebus queue create --resource-group <ResourceGroupName> --namespace-name <NamespaceName> --name flow.rejected

2. Create Azure Functions

Create a New Azure Functions Project

Open Visual Studio or Visual Studio Code and create a new Azure Functions project:



func init MyFunctionApp --dotnet
cd MyFunctionApp
func new --name CreateServiceBusMessage --template "HTTP trigger" --authlevel "anonymous"
func new --name NormalFlow --template "Queue trigger" --queueName "flow.normal"
func new --name RejectedFlow --template "Queue trigger" --queueName "flow.rejected"

Add Necessary Packages:

Add the following packages to your .csproj file:

Microsoft.Azure.Functions.Extensions
Microsoft.Extensions.DependencyInjection
Azure.Messaging.ServiceBus

Add ServiceBusClient as service in Program.cs class:



// ... 
var host = new HostBuilder()
    .ConfigureServices((builderContext, services) =>
    {

        services
        // add this line...
            .AddSingleton<ServiceBusClient>(new ServiceBusClient(Environment.GetEnvironmentVariable("ServiceBusConnectionString")));
    })
    .ConfigureFunctionsWorkerDefaults()
    .Build();
// ...

Create a MyMessage class:



public class MyMessage
{
    public string Message { get; set; }
    public int Value { get; set; }
}

Implement the Functions:

Create the functions CreateServiceBusMessage, NormalFlow, and RejectedFlow.



[Function(nameof(CreateServiceBusMessage))]
    public async Task<HttpResponseData> CreateServiceBusMessage(
        [HttpTrigger(AuthorizationLevel.Anonymous, "post", Route = "CreateServiceBusMessage")]
        HttpRequestData req,
        FunctionContext executionContext)
    {
        var logger = executionContext.GetLogger("CreateServiceBusMessage");
        string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
        MyMessage message = JsonConvert.DeserializeObject<MyMessage>(requestBody);

        if (message == null || string.IsNullOrEmpty(message.Message))
        {
            var badResponse = req.CreateResponse(System.Net.HttpStatusCode.BadRequest);
            badResponse.WriteString("Invalid message");
            return badResponse;
        }

        ServiceBusSender sender = serviceBusClient.CreateSender("flow.normal");

        try
        {
            await sender.SendMessageAsync(new ServiceBusMessage(JsonConvert.SerializeObject(message)));
            var response = req.CreateResponse(System.Net.HttpStatusCode.OK);
            response.WriteString("Message sent to Service Bus");
            return response;
        }
        catch (Exception ex)
        {
            logger.LogError($"Error sending message: {ex.Message}");
            var errorResponse = req.CreateResponse(System.Net.HttpStatusCode.InternalServerError);
            errorResponse.WriteString("Failed to send message");
            return errorResponse;
        }
        finally
        {
            await sender.DisposeAsync();
        }
    }

    [Function("NormalFlow")]
    public async Task NormalFlow(
        [ServiceBusTrigger("flow.normal", Connection = "ServiceBusConnectionString")]
        string myQueueItem, FunctionContext executionContext)
    {
        var logger = executionContext.GetLogger("NormalFlow");
        logger.LogInformation("Processing message from flow.normal queue: {myQueueItem}", myQueueItem);

        // For demonstration, we'll move the message to rejected queue if value is less than 10
        MyMessage message = JsonConvert.DeserializeObject<MyMessage>(myQueueItem);
        if (message != null && message.Value < 10)
        {
            ServiceBusSender sender = serviceBusClient.CreateSender("flow.rejected");
            try
            {
                await sender.SendMessageAsync(new ServiceBusMessage(myQueueItem));
            }
            catch (Exception ex)
            {
                logger.LogError("Error moving message to flow.rejected queue: {message}", ex.Message);
            }
            finally
            {
                await sender.DisposeAsync();
            }
        }
    }

    [Function("RejectedFlow")]
    public async Task RejectedFlow(
        [ServiceBusTrigger("flow.rejected", Connection = "ServiceBusConnectionString")]
        string myQueueItem, FunctionContext executionContext)
    {
        var logger = executionContext.GetLogger("RejectedFlow");
        logger.LogInformation("Processing rejected message: {myQueueItem}", myQueueItem);
    }

Add ServiceBus conneciton string:

In your local.settings.json file, add a new environment variable to connect to ServiceBus:



{
  "IsEncrypted": false,
  "Values": {
    ... // other environment variables
    "ServiceBusConnectionString": "Endpoint=sb://my-service-bus.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=MY_SECRET_KEY"
  }
}

3. Run and Test the Functions

Run the Project:
Run the project in Visual Studio.
Test CreateServiceBusMessage:
Use a tool like Postman to send a POST request to the URL of the CreateServiceBusMessage function with a JSON body:



{
    "message": "Test message",
    "value": 5
}

Verify Processing of NormalFlow and RejectedFlow:

Check the logs for the NormalFlow and RejectedFlow functions to confirm that the messages are being processed correctly.

With these steps, you have successfully created and configured an Azure Service Bus and implemented Azure Functions to send and process messages using dependency injection.

Source code

Sample code

Typos or suggestions?

If you've found a typo, a sentence that could be improved or anything else that should be updated on this blog post, you can access it through a git repository and make a pull request. If you feel comfortable with github, instead of posting a comment, please go directly to https://github.com/campelo/documentation and open a new pull request with your changes.

Azure Storage - On-Behalf-Of token and audit log

Flavio Campelo — Thu, 30 May 2024 22:59:02 +0000

📮 Contact 🇧🇷 🇺🇸 🇫🇷

Twitter
LinkedIn

Setting Up Front-End and Back-End Applications with Azure Blob Storage Access

This document provides a step-by-step guide to configure Front-End (FE) and Back-End (BE) applications to access Azure Blob Storage using the On-Behalf-Of (OBO) flow.

Prerequisites

Azure Subscription
Azure CLI
Visual Studio or any C# development environment

Steps

1. Register Back-End (BE) Application in Azure AD

Register the BE Application:
- Navigate to "Microsoft Entra ID" > "App registrations".
- Click on "New registration".
- Note the Application (client) ID and Directory (tenant) ID.
Add Client Secret:
- Go to "Certificates & secrets".
- Add a new client secret and note it down.
Expose API:
- Go to "Expose an API".
- Add a new scope, e.g., api://{client_id_be}/user_impersonation.
Add API Permissions:
- Go to "API Permissions".
- Add delegated and application permissions for https://storage.azure.com/.default.

2. Register Front-End (FE) Application in Azure AD

Register the FE Application:
- Navigate to "Microsoft Entra ID" > "App registrations".
- Click on "New registration".
- For this sample we are using mobile and desktop applications.
- Note the Application (client) ID and Directory (tenant) ID.
Configure Redirect URI:
- Go to "Authentication" under the FE application.
- Add a Redirect URI (e.g., http://localhost).
Add API Permissions:
- Go to "API Permissions".
- Click on "Add a permission".
- Select "Microsoft Graph" and add delegated permissions such as user.read.
- Click on "Add a permission" again.
- Select "APIs My organization uses" and find the BE application.
- Add the delegated permission api://{client_id_be}/user_impersonation.
Grant Admin Consent:
- Ensure admin consent is granted for the added permissions.

3. Configure Azure Blob Storage

Create a Storage Account:
- Navigate to "Storage accounts" and create a new storage account.
- Note the storage account name.
Create a Container:
- Inside the storage account, create a new container.
- Note the container name.
Assign Roles:
- Go to the storage account.
- Navigate to "Access Control (IAM)".
- Click on "Add role assignment".
- Assign roles like Storage Blob Data Reader or Storage Blob Data Contributor to the appropriate users or service principals.
Enable logging in Azure Storage Container:
- Go to the storage account.
- Navigate to "Diagnostics settings".
- Click on the resource to view diagnostic settings.
- Click on "Add diagnostic setting".
- Select "StorageAccountLog" and "Blob".
- Click on "Review + create" and then "Create".
- This will enable logging for the Azure Storage Container.

4. Implement the Code

This sample uses a console application for demo purposes only. After creating a new application, you have to install these nuget packages.

Azure.Storage.Blobs
Microsoft.Identity.Client

You can get the sample code here.

using Azure.Core;
using Azure.Storage.Blobs;
using Microsoft.Identity.Client;
using System;
using System.Threading;
using System.Threading.Tasks;

string tenantId = "tenant_id";

// FE
string clientIdFE = "fe_id";
string[] scopesFE = { "user.read", "api://be_id/user_impersonation" };

// BE
string clientIdBE = "be_id";
string clientSecretBE = "be_secret";
string[] scopesBE = new[] { "https://storage.azure.com/.default" };

// BLOB
string storageAccountName = "storage_name";
string containerName = "container_name";
string blobName = "blob_name";

string userAccessToken = await GetUserAccessTokenAsync();
Console.WriteLine($"User Access Token: {userAccessToken}");

string oboToken = await GetOboTokenAsync(userAccessToken);
Console.WriteLine($"OBO Token: {oboToken}");

await AccessBlobStorageAsync(oboToken);

async Task<string> GetUserAccessTokenAsync()
{
    var app = PublicClientApplicationBuilder.Create(clientIdFE)
        .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"))
        .WithRedirectUri("http://localhost")
        .Build();

    var accounts = await app.GetAccountsAsync();
    AuthenticationResult result;

    try
    {
        result = await app.AcquireTokenSilent(scopesFE, accounts.FirstOrDefault())
            .ExecuteAsync();
    }
    catch (MsalUiRequiredException)
    {
        result = await app.AcquireTokenInteractive(scopesFE)
            .ExecuteAsync();
    }

    return result.AccessToken;
}

async Task<string> GetOboTokenAsync(string userAccessToken)
{
    var confidentialClient = ConfidentialClientApplicationBuilder.Create(clientIdBE)
        .WithClientSecret(clientSecretBE)
        .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"))
        .Build();

    var oboResult = await confidentialClient.AcquireTokenOnBehalfOf(scopesBE, new UserAssertion(userAccessToken))
        .ExecuteAsync();

    return oboResult.AccessToken;
}

async Task AccessBlobStorageAsync(string oboToken)
{
    TokenCredential tokenCredential = new ObTokenCredential(oboToken);
    BlobServiceClient blobServiceClient = new BlobServiceClient(new Uri($"https://{storageAccountName}.blob.core.windows.net"), tokenCredential);
    BlobContainerClient containerClient = blobServiceClient.GetBlobContainerClient(containerName);
    BlobClient blobClient = containerClient.GetBlobClient(blobName);

    var response = await blobClient.DownloadAsync();
    using (var stream = response.Value.Content)
    {
        Console.WriteLine("Blob content read successfully.");
    }
}

class ObTokenCredential : TokenCredential
{
    private readonly string _token;

    public ObTokenCredential(string token)
    {
        _token = token;
    }

    public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
    {
        return new AccessToken(_token, DateTimeOffset.MaxValue);
    }

    public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
    {
        return new ValueTask<AccessToken>(new AccessToken(_token, DateTimeOffset.MaxValue));
    }
}

5. Check OBO and logs

Run the code and check the logs to see all information about who accessed the file.

Conclusion

By following these steps, you can configure FE and BE applications to access Azure Blob Storage using the On-Behalf-Of (OBO) flow. Ensure all permissions and configurations are correctly set in Azure AD and the Blob Storage account.

Typos or suggestions?

Reset wsl user's password

Flavio Campelo — Wed, 30 Aug 2023 11:29:25 +0000

📮 Contact 🇧🇷 🇺🇸 🇫🇷

Twitter
LinkedIn

Reset wsl user's password

Open cmd.exe

# Display a list of distros.
wsl -l 

# Open a connects at distro with a specified user
wsl -u my-user -d my-distro

# Change user password
passwd my-user

# Quit distro
exit

Typos or suggestions?

How to import json to SQL

Flavio Campelo — Mon, 31 Oct 2022 21:24:57 +0000

📮 Contact 🇧🇷 🇺🇸 🇫🇷

Twitter
LinkedIn

Declaring a variable with json content

Json content:

[
  {
    "name": "Flavio",
    "code": "FLA-1",
    "isDeleted": false
  },
  {
    "name": "Contoso",
    "code": "CON-1",
    "isDeleted": true
  }
]

-- SET JSON CONTENT TO A VARIABLE (@JSON)...
DECLARE @json NVARCHAR(max) = N'[
    {
      "name": "Flavio",
      "code": "FLA-1",
      "isDeleted": false
    },
    {
      "name": "Contoso",
      "code": "CON-1",
      "isDeleted": true
    }
  ]';

Fill a temp table with json content

-- FILL #TEMP TABLE WITH JSON CONTENT...
SELECT firstName, code, IIF(isDeleted = 1, 0, 1) as active 
    INTO #temp
    FROM OPENJSON(@json)
WITH  (
        firstName   VARCHAR(50) '$.name', 
        code        VARCHAR(10) '$.code',
        isDeleted   BIT         '$.isDeleted'
    );

Show items from temp table

-- SHOW ITEMS FROM #TEMP TABLE
SELECT * FROM #temp;

If you need to drop temp table

-- REMOVE A #TEMP TABLE...
DROP TABLE #temp;

Typos or suggestions?

Retrieving tenant by path

Flavio Campelo — Wed, 07 Sep 2022 20:48:51 +0000

📮 Contact 🇧🇷 🇺🇸 🇫🇷

Twitter
LinkedIn

Retrieve tenant by path

Using ASP.NET Boilerplate (ABP) we could retrieve tenants by domain, header and cookie. These options are offered by default. But if you want to get tenant informantion by path like my-domain.com/api/{tenant}/resource you have to add a new class implementing ITenantResolveContributor.

Adding tenant in all api routes

By default APB set all routes like $"api/services/{moduleName}/{controllerName}/{action.ActionName}" then I would like to add a new parameter {tenant} in this route. Looking at the ABP code we can see that CreateAbpServiceAttributeRouteModel is a private static method inside AbpAppServiceConvention.cs file.

private static AttributeRouteModel CreateAbpServiceAttributeRouteModel(string moduleName, string controllerName, ActionModel action)
{
    return new AttributeRouteModel(
        new RouteAttribute(
            $"api/services/{moduleName}/{controllerName}/{action.ActionName}"
        )
    );
}

Knowing that and looking all nested calls, I've decided to rewrite some part of the code to use a customized route template like I would like. For that, I've copied AbpAppServiceConvention.cs, AbpMvcOptionsExtensions.cs, ReflectionHelper.cs and TypeHelper.cs files to my project. So I was able to change the route template to

$"api/services/{moduleName}/{{tenant}}/{controllerName}/{action.ActionName}"

I've also had to add this new services at Startup class right before services.AddAbpWithoutCreatingServiceProvider.

// new code...
services.Configure<MvcOptions>(mvcOptions => { mvcOptions.AddTest(services); });

// existing code...
services.AddAbpWithoutCreatingServiceProvider<AbpCustomizedWebHostModule>(
// ...

Creating a custom PathTenantResolveContributor

You can create your custom TenantResolveContributor class. I've create a PathTenantResolveContributor that implements ITenantResolveContributor for basic ABP tenant functionalities and IPerWebRequestDependency to keep the instance alive while a request is open.

The main implementation is to retrieve the tenant from tenant key inside RouteValues of the request.

public class PathTenantResolveContributor : ITenantResolveContributor, IPerWebRequestDependency
{
    private readonly IHttpContextAccessor _httpContextAccessor;
    private readonly ITenantStore _tenantStore;

    public PathTenantResolveContributor(IHttpContextAccessor httpContextAccessor, ITenantStore tenantStore)
    {
        _httpContextAccessor = httpContextAccessor;
        _tenantStore = tenantStore;
    }

    public int? ResolveTenantId()
    {
        var httpContext = _httpContextAccessor.HttpContext;

        if (httpContext is null || !httpContext.Request.RouteValues.Any(x => x.Key.Equals("tenant", StringComparison.OrdinalIgnoreCase)))
            return null;

        string tenancyName = httpContext.Request.RouteValues.First(x => x.Key.Equals("tenant", StringComparison.OrdinalIgnoreCase)).Value.ToString();

        if (string.IsNullOrEmpty(tenancyName))
            return null;

        var tenantInfo = _tenantStore.Find(tenancyName);

        if (tenantInfo is null)
            return null;

        return tenantInfo.Id;
    }
}

Then, we're able to clear all other tenancy resolvers and use only this one. For that you should go to PreInitialize method of WebCoreModule and do this action.

public override void PreInitialize()
{
    // new code...
    Configuration.MultiTenancy.Resolvers.Clear();
    Configuration.MultiTenancy.Resolvers.Add<PathTenantResolveContributor>();

    // existing code...
    Configuration.DefaultNameOrConnectionString = _appConfiguration.GetConnectionString(
        AbpCustomizedConsts.ConnectionStringName
    );

    // ...
}

Finally, you can run the application and see that all routes has a new tenant parameter by default.

Source code

Typos or suggestions?

Retrieving, using and validating token from an IdentityServer

Flavio Campelo — Tue, 06 Sep 2022 20:16:32 +0000

📮 Contact 🇧🇷 🇺🇸 🇫🇷

Twitter
LinkedIn

This is an example of how to a client application retrieves a token from a Identity Server and use it in an WebApi to consumes an endpoint.

How this project was created

This example was built based on Duende documentation

Identity Server

Identity provider for our sample.

Install Duende templates

dotnet new --install Duende.IdentityServer.Templates

Create an empty solution

dotnet new sln -n IdentityServerDemo

Create Identity server project

dotnet new isempty -n IdentityServer

Add IdendityServer projet to the blank solution

dotnet sln add .\IdentityServer\IdentityServer.csproj

Add scope to config.cs

public static IEnumerable<ApiScope> ApiScopes =>
    new ApiScope[]
        { new ApiScope(name: "campelo-api", displayName: "CampeloAPI") };

Add client to config.cs

public static IEnumerable<Client> Clients =>
    new Client[]
        { new Client
        {
            ClientId = "client",
            // no interactive user, use the clientid/secret for authentication
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            // secret for authentication
            ClientSecrets =
            {
                new Secret("secret".Sha256())
            },
            // scopes that client has access to
            AllowedScopes = { "campelo-api" }
        } };

Openid-configuration

Now you can access openid-configuration from the identity server. Run the solution and go to https://localhost:5001/.well-known/openid-configuration. So you can retrieve something like this.

{
   "issuer":"https://localhost:5001",
   "jwks_uri":"https://localhost:5001/.well-known/openid-configuration/jwks",
   "authorization_endpoint":"https://localhost:5001/connect/authorize",
   "token_endpoint":"https://localhost:5001/connect/token",
   "userinfo_endpoint":"https://localhost:5001/connect/userinfo",
   "end_session_endpoint":"https://localhost:5001/connect/endsession",
   "check_session_iframe":"https://localhost:5001/connect/checksession",
   "revocation_endpoint":"https://localhost:5001/connect/revocation",
   "introspection_endpoint":"https://localhost:5001/connect/introspect",
   "device_authorization_endpoint":"https://localhost:5001/connect/deviceauthorization",
   "backchannel_authentication_endpoint":"https://localhost:5001/connect/ciba",
   "frontchannel_logout_supported":true,
   "frontchannel_logout_session_supported":true,
   "backchannel_logout_supported":true,
   "backchannel_logout_session_supported":true,
   "scopes_supported":[
      "openid",
      "campelo-api",
      "offline_access"
   ],
   "claims_supported":[
      "sub"
   ],
   "grant_types_supported":[
      "authorization_code",
      "client_credentials",
      "refresh_token",
      "implicit",
      "urn:ietf:params:oauth:grant-type:device_code",
      "urn:openid:params:grant-type:ciba"
   ],
   "response_types_supported":[
      "code",
      "token",
      "id_token",
      "id_token token",
      "code id_token",
      "code token",
      "code id_token token"
   ],
   "response_modes_supported":[
      "form_post",
      "query",
      "fragment"
   ],
   "token_endpoint_auth_methods_supported":[
      "client_secret_basic",
      "client_secret_post"
   ],
   "id_token_signing_alg_values_supported":[
      "RS256"
   ],
   "subject_types_supported":[
      "public"
   ],
   "code_challenge_methods_supported":[
      "plain",
      "S256"
   ],
   "request_parameter_supported":true,
   "request_object_signing_alg_values_supported":[
      "RS256",
      "RS384",
      "RS512",
      "PS256",
      "PS384",
      "PS512",
      "ES256",
      "ES384",
      "ES512",
      "HS256",
      "HS384",
      "HS512"
   ],
   "authorization_response_iss_parameter_supported":true,
   "backchannel_token_delivery_modes_supported":[
      "poll"
   ],
   "backchannel_user_code_parameter_supported":true
}

API project

Web API project.

Create a new web API project

dotnet new webapi -n WebApi

Adding webapi to the solution

dotnet sln add .\WebApi\WebApi.csproj

Adding JWT Bearer authentication

dotnet add .\WebApi\WebApi.csproj package Microsoft.AspNetCore.Authentication.JwtBearer

Set JWT Bearer as the default authentication scheme

Update the Program.cs or Startup.cs file.

builder.Services.AddAuthentication("Bearer")
    .AddJwtBearer("Bearer", options =>
    {
        options.Authority = "https://localhost:5001";

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateAudience = false
        };
    });

/// UseAuthentication right before UseAuthorization
app.UseAuthentication();
app.UseAuthorization();

Add a new controller for testing

[Route("identity")]
[Authorize]
public class IdentityController : ControllerBase
{
    [HttpGet]
    public IActionResult Get()
    {
        return new JsonResult(from c in User.Claims select new { c.Type, c.Value });
    }
}

Configure the WebAPI to listen on Port 6001

Edit the launchSettings.json file in Properties folder.

"applicationUrl": "https://localhost:6001"

Run the WebAPI project

Now you have a 401 (unauthorized) error response when trying to access https://localhost:6001/identity

Client project

Create a console client project

dotnet new console -n Client

Add the client project to the solution

dotnet sln add .\Client\Client.csproj

Add IdentityModel to the client project

dotnet add .\Client\Client.csproj package IdentityModel

Discover endpoints from metadata

var client = new HttpClient();
var disco = await client.GetDiscoveryDocumentAsync("https://localhost:5001");
if (disco.IsError)
{
    Console.WriteLine(disco.Error);
    return;
}

Request token

var tokenResponse = await client.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
{
    Address = disco.TokenEndpoint,

    ClientId = "client",
    ClientSecret = "secret",
    Scope = "campelo-api"
});

if (tokenResponse.IsError)
{
    Console.WriteLine(tokenResponse.Error);
    return;
}

Console.WriteLine(tokenResponse.AccessToken);

Call WebAPI

var apiClient = new HttpClient();
apiClient.SetBearerToken(tokenResponse.AccessToken);

var response = await apiClient.GetAsync("https://localhost:6001/identity");
if (!response.IsSuccessStatusCode)
{
    Console.WriteLine(response.StatusCode);
}
else
{
    var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync()).RootElement;
    Console.WriteLine(JsonSerializer.Serialize(doc, new JsonSerializerOptions { WriteIndented = true }));
}

Run client

Be sure that the IdentityServer and WebAPI are running and run the Client project to see something like this

Source code

Typos or suggestions?

Azure - Adding custom claims to token

Flavio Campelo — Mon, 02 May 2022 18:55:41 +0000

📮 Contact 🇧🇷 🇺🇸 🇫🇷

Twitter
LinkedIn

Adding custom claims to token

You can add custom claims to token. Here we'll show you how you can do that.

First Method

On Token configuration, add all optional claim you need.

Set acceptMappedClaims to true in the application registration manifest in Azure.

Original claims

{
    "aud": "xxxxxx-xxxxxx",
    "iss": "https://login.microsoftonline.com/xxxxxx-xxxxxx/v2.0",
    "iat": 1651237210,
    "nbf": 1651237210,
    "exp": 1651241110,
    "name": "Carlos Trump",
    "nonce": "xxxxxx-xxxxxx",
    "oid": "xxxxxx-xxxxxx",
    "preferred_username": "Carlos@xxxxxx.onmicrosoft.com",
    "rh": "0.AXYAqOdw6jRZRkSWfP72hzb6eT8SDlNWZqdPqMc67VBLYYiZAB4.",
    "sub": "zuB5I9MCoF1qr-crecx909wvV5P9YActkklSSJD8AV4",
    "tid": "xxxxxx-xxxxxx",
    "uti": "fzv0cbl8Skai4_NzlvlpAA",
    "ver": "2.0"
}

With some basic attributes

{
    "aud": "xxxxxx-xxxxxx",
    "iss": "https://login.microsoftonline.com/xxxxxx-xxxxxx/v2.0",
    "iat": 1651258028,
    "nbf": 1651258028,
    "exp": 1651261928,
    "aio": "ATQAy/8TAAAAk4vHaYNEYYdk9mGabVnZU3k7irtTt8kN9nSCwi33t2WnUZQ+wfVqhmfagvrEDaFl",
    "name": "Carlos Trump",
    "nonce": "xxxxxx-xxxxxx",
    "oid": "xxxxxx-xxxxxx",
    "preferred_username": "Carlos@xxxxxx.onmicrosoft.com",
    "rh": "0.AXYAqOdw6jRZRkSWfP72hzb6eQ2WycEzZuJOvIt24Do6O26ZAB4.",
    "sub": "HZpJ82-w-xbNiIIZO4rbPyMLwespkL6vImL3tjtjWfQ",
    "tid": "xxxxxx-xxxxxx",
    "uti": "ei9kLnvfnUW37Vn--2SUAA",
    "ver": "2.0",
    "country": "CA"
}

Country is a tenant information that is shown here.

With extension attributes

{
    "aud": "xxxxxx-xxxxxx",
    "iss": "https://login.microsoftonline.com/xxxxxx-xxxxxx/v2.0",
    "iat": 1651264242,
    "nbf": 1651264242,
    "exp": 1651268142,
    "aio": "ATQAy/8TAAAAewvv7oKplIyMzAwyQB1cJQtJ5AxLPwkQqAtvthJuBannRHsbRqiqXPpIWalURrbA",
    "extn.testString": [
        "my string value"
    ],
    "name": "Carlos Trump",
    "nonce": "xxxxxx-xxxxxx",
    "oid": "xxxxxx-xxxxxx",
    "preferred_username": "Carlos@xxxxxx.onmicrosoft.com",
    "rh": "0.AXYAqOdw6jRZRkSWfP72hzb6eQ2WycEzZuJOvIt24Do6O26ZAB4.",
    "sub": "HZpJ82-w-xbNiIIZO4rbPyMLwespkL6vImL3tjtjWfQ",
    "tid": "xxxxxx-xxxxxx",
    "uti": "HX0mTfONKEKwFXRbx76SAA",
    "ver": "2.0"
}

extn.testString is a new custom attribute that is now present among all retrieved information.

Second Method

Because AzureAD and AzureADPreview Module don't work with PowerShell v7.x, you should use powershell 5.

Verify your powershell version

$PSVersionTable

If you're not running 5.1 version, you should use this command

PowerShell -version 5.1

Then confirm you're using the correct version

$PSVersionTable

IMPORTANT

You have to use AzureADPreview because AzureAD doesn't have several commands.

Install-Module AzureADPreview
Import-Module AzureADPreview
Connect-AzureAD -tenantId {TENANT_ID}

Get-AzureADPolicy

New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"employeeid","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeid","JwtClaimType":"employeeid"},{"Source":"company","ID":"tenantcountry","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country","JwtClaimType":"country"}]}}') -DisplayName "ExtraClaimsExample" -Type "ClaimsMappingPolicy"

# for extension attributes
New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ExtensionID":"extension_{CLIENT_ID}_testString","JwtClaimType":"extTestString"}]}}') -DisplayName "ExtraClaimsExample" -Type "ClaimsMappingPolicy"

Remove-AzureADPolicy -Id {POLICY_ID}

IMPORTANT

For extension attributes, you have to use ExtensionID instead of ID

ExtensionID values are case sensitives.

Get Service Principal ObjectID

Get-AzureADServicePrincipal -SearchString {APP_REGISTRATION_NAME}

Applying the policy to Service Principal

Add-AzureADServicePrincipalPolicy -Id {SERVICE_PRINCIPAL_OBJECT_ID} -RefObjectId {POLICY_ID}

Adding new application key

New-AzureADApplicationKeyCredential -ObjectId {APPLICATION_OBJECT_ID} -CustomKeyIdentifier "Test" -StartDate "4/29/2022" -Type "Symmetric" -Usage "Sign" -Value "123"

APPLICATION_OBJECT_ID => This value is available on App registrations overview's page.

Source

Typos or suggestions?

Creating AD users' extension properties

Flavio Campelo — Thu, 28 Apr 2022 21:10:20 +0000

📮 Contact 🇧🇷 🇺🇸 🇫🇷

Twitter
LinkedIn

Creating AD users' extension properties

Required permission

You need to allow this permission for on your app registration page.

Application.ReadWrite.All

Creating extension property

You have to get your application's ObjectId from the overview's page

Then you can make a POST request to this url to create a new extension property.

https://graph.microsoft.com/v1.0/applications/{APPLICATION_OBJECT_ID}/extensionProperties

{
    "name": "testString",
    "dataType": "String",
    "targetObjects": [
        "User"
    ]
}

Your response should look like this

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications({APPLICATION_OBJECT_ID})/extensionProperties/$entity",
    "id": "fa613ce9-164b-40ca-bf68-276195a1888c",
    "deletedDateTime": null,
    "appDisplayName": "My Application Name",
    "dataType": "String",
    "isSyncedFromOnPremises": false,
    "name": "extension_{APPLICATION_ID}_testString",
    "targetObjects": [
        "User"
    ]
}

Updating an AD user

Now, you can make a PATCH request to user's endpoint.

https://graph.microsoft.com/v1.0/users/{USER_ID}

with this content

{
    "extension_{APPLICATION_ID}_testString": "my test string"
}

Getting new extention from user

You can get the new information from users

https://graph.microsoft.com/v1.0/users?$select=displayName,extension_{APPLICATION_ID}_testString

Response

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(displayName,extension_{APPLICATION_ID}_testString)",
    "value": [
        {
            "displayName": "Bill Musk",
            "extension_{APPLICATION_ID}_testString": "my test string"
        }
    ]
}

Source

Create extensionProperty

Typos or suggestions?

Azure Functions - Creating a new function

Flavio Campelo — Thu, 28 Apr 2022 13:29:09 +0000

📮 Contact 🇧🇷 🇺🇸 🇫🇷

Twitter
LinkedIn

Creating a Function App

Once you're connected on Azure Portal, you can create a new Function App.

I recommend to user Consumption plan for your new function because it's included on Microsoft's limited free services.

Using Visual Studio Code

Installing extensions on Visual Studio Code

It's recommended to install Azure Tools on your VS Code that will connect with your Azure account to make easy to interact with Azure Cloud Services

INFO
You could install Azure Functions Core Tools

Creating a local function

So you can click on create a new function and choose some information for your new function.

For our test we've choosen the following values:

Language C#
.NET runtime .NET 6
Template HTTP trigger
Name you can choose the name that you want
Namespace you can choose the namespace that you want
Aythorization level Anonymous
How do you like to open your project Add to workspace

Using Visual Studio

Creating a local function

Click on File > New > Project

And search for Azure Functions

Fill out all required information for your new function. For our example we'll use HTTP trigger and Anonymous authorization.

INFO
You can find more information about function triggers here and information about Authorization here.

Running the function

Now you are able to run your new function. You can hit F5 for that and you'll see some message like that

You can open your browser and navigate to this endpoint

http://localhost:7071/api/Function1?name=Flavio

Source

Typos or suggestions?

Azure - Registering a client credentials app

Flavio Campelo — Fri, 22 Apr 2022 18:36:01 +0000

📮 Contact 🇧🇷 🇺🇸 🇫🇷

Twitter
LinkedIn

Register a new application

Go to Azure portal
Open App registrations
Click on New registration
Fill out the basic informations and add a callback url for Redirect URI as web application. (It's necessary to grant access later).

We inserted a postman's callback url, but you should use your application's callback url.

https://www.getpostman.com/oauth2/callback

On API permissions add and grant permission to Microsoft Graph User.Read.All as application permission and remove User.Read

Add a new client secret on Certifiates & secrets and copy and hold the client secret value, it's showed once only and it'll be necessary later.

Go to overview and copy and keep Application (client) ID and Directory (tenant) ID values

Consenting app permission

Use your app information to go to this URL in a browser.

GET https://login.microsoftonline.com/{tenantId}/adminconsent
?client_id={applicationId}
&state=12345
&redirect_uri={redirectUri}

tenantId => Your tenant's ID. You can get this information on your application overview's page or in your tenant overview's page.
applicationId => Your application's ID. You can get this information on your application overview's page.
redirect_uri => The same application's callback url that you have put in callback url of your app. It must be exact the same of one of your app's callback url.

Here's a url sample

https://login.microsoftonline.com/00000-000-000-00000/adminconsent?client_id=00010001-001-001-00010001&state=12345&redirect_uri=https://www.getpostman.com/oauth2/callback

So, you be asked to grant permissions for your app.

Testing your application

Using postman

Getting token

Create a new post request to this URL.

https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token

with this x-www-form-urlencoded body

client_id={clientId}
scope=https://graph.microsoft.com/.default
client_secret={clientSecret}
grant_type=client_credentials

Then you can receive a response like that

{
    "token_type": "Bearer",
    "expires_in": 3599,
    "ext_expires_in": 3599,
    "access_token": "eyJ0eXAiO... ..._f9iN-w"
}

Now you can use your access_token to make calls to Microsoft graph's API.

Calling users endpoint

Create a new GET request to this URL

https://graph.microsoft.com/v1.0/users

And add the bearer token authorization

When you send your request, you should receive a response with all registered users:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users",
    "value": [
        {
            "businessPhones": [],
            "displayName": "Bill Musk",
            "givenName": "Bill",
            "jobTitle": null,
            "mail": null,
            "mobilePhone": null,
            "officeLocation": null,
            "preferredLanguage": null,
            "surname": "Musk",
            "userPrincipalName": "Bill@myCompany.onmicrosoft.com",
            "id": "838cd9e3-48f5-41f8-0612-6bea2f4b06d7"
        },
        {
            "businessPhones": [],
            "displayName": "Elon Jordan",
            "givenName": "Elon",
            "jobTitle": null,
            "mail": null,
            "mobilePhone": null,
            "officeLocation": null,
            "preferredLanguage": null,
            "surname": "Jordan",
            "userPrincipalName": "Elon@myCompany.onmicrosoft.com",
            "id": "f002bcf8-41f8-0612-48f5-9fd8725e5340"
        }
        {
            "businessPhones": [],
            "displayName": "Michael Gates",
            "givenName": "Michael",
            "jobTitle": null,
            "mail": null,
            "mobilePhone": null,
            "officeLocation": null,
            "preferredLanguage": null,
            "surname": "Gates",
            "userPrincipalName": "michael@myCompany.onmicrosoft.com",
            "id": "41d7f802-48f5-0612-41f8-cd79b7bd6107"
        }
    ]
}

Using CURL

Getting token

Make a call like that:

curl -X POST https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token -H "Content-type: application/x-www-form-urlencoded" -d "client_id={clientId}&scope=https://graph.microsoft.com/.default&client_secret={clientSecrect}&grant_type=client_credentials"

Then you can receive a response like that:

{
    "token_type": "Bearer",
    "expires_in": 3599,
    "ext_expires_in": 3599,
    "access_token": "eyJ0eXAiO... ..._f9iN-w"
}

Now you can use your access_token to make calls to Microsoft graph's API.

Calling users endpoint

Make a call using the token that you've received

curl -X GET https://graph.microsoft.com/v1.0/users -H "Authorization: Bearer {access_token}"

And you'll receive a response like that:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users",
    "value": [
        {
            "businessPhones": [],
            "displayName": "Bill Musk",
            "givenName": "Bill",
            "jobTitle": null,
            "mail": null,
            "mobilePhone": null,
            "officeLocation": null,
            "preferredLanguage": null,
            "surname": "Musk",
            "userPrincipalName": "Bill@myCompany.onmicrosoft.com",
            "id": "838cd9e3-48f5-41f8-0612-6bea2f4b06d7"
        },
        {
            "businessPhones": [],
            "displayName": "Elon Jordan",
            "givenName": "Elon",
            "jobTitle": null,
            "mail": null,
            "mobilePhone": null,
            "officeLocation": null,
            "preferredLanguage": null,
            "surname": "Jordan",
            "userPrincipalName": "Elon@myCompany.onmicrosoft.com",
            "id": "f002bcf8-41f8-0612-48f5-9fd8725e5340"
        }
        {
            "businessPhones": [],
            "displayName": "Michael Gates",
            "givenName": "Michael",
            "jobTitle": null,
            "mail": null,
            "mobilePhone": null,
            "officeLocation": null,
            "preferredLanguage": null,
            "surname": "Gates",
            "userPrincipalName": "michael@myCompany.onmicrosoft.com",
            "id": "41d7f802-48f5-0612-41f8-cd79b7bd6107"
        }
    ]
}

Sources

Typos or suggestions?

Azure - Creating a new tenant

Flavio Campelo — Fri, 22 Apr 2022 10:21:43 +0000

📮 Contact 🇧🇷 🇺🇸 🇫🇷

Twitter
LinkedIn

Creating a new tenant

Go to Azure Active Directory Admin Center
Click on Azure Active Directory > Manage Tenants

Click on Create button to create a new tenant.

Using a new tenant

Go to Azure Portal
Click on Directories + Subscriptions on top bar

Click on Switch button of your new tenant

Now you're able to use all Azure resources in your new tenant.

Typos or suggestions?

Full format disk with EFI protected partition

Flavio Campelo — Mon, 28 Feb 2022 13:45:22 +0000

📮 Contact 🇧🇷 🇺🇸 🇫🇷

Twitter
LinkedIn

Disk management

Type disk management on start menu, or
Right-click computer manage > disk management
Open run window (Win + R), type diskmgmt.msc and press Enter.

Choose disk partition and click delete button. But for some EFI protected partitions, like this...

...you might see messages like below.

Then you can use a command line to fully format your disk.

Diskpart

Open your command prompt or powershell as admin. And type diskpart

So you can type list disk to list all available disks.

Select the correct disk to format.

So you can type clean to erase all disk.

And now the disk is fully formated.