languages | products | page_type | urlFragment | description | |||
---|---|---|---|---|---|---|---|
|
|
sample |
active-directory-dotnet-native-aspnetcore-v2 |
Protect an ASP.NET Core Web API with the Microsoft identity platform. |
In this scenario, we protect a web API using the Microsoft identity platform. This ensures that the web API is accessible only to authenticated users. In these samples, we work with apps that authenticate users using both Work and school accounts and personal Microsoft accounts (MSA).
We also enhance the web API to use the on-behalf-of flow to call other web APIs protected by the Microsoft identity platform.
- Install .NET Core for Windows by following the instructions at dot.net/core which includes Visual Studio 2019.
- a Microsoft Entra tenant. For more information on how to get a Microsoft Entra tenant, see Quickstart: Set up a tenant
- A user account in your Microsoft Entra tenant, or a personal Microsoft account (MSA)
From your shell or command line:
git clone https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2.git
TIP: To avoid path length limitations on Windows, you may need to clone into a directory with a shorter name or near the root of your drive.
This repository contains a progressive tutorial made up of the following chapters. We recommend you follow the tutorial in the order presented, but you can try out individual chapters if you wish.
Subfolder | Description |
---|---|
1. Desktop app calls a protected Web API | In the first chapter, we protect an ASP.Net Core Web API using the Microsoft identity platform. The Web API will be protected using Microsoft Entra ID OAuth Bearer Authorization. The Web API is called by a .NET Desktop WPF application. In this chapter, the desktop application uses the Microsoft Authentication Library for .NET (MSAL.NET) to sign-in the user to acquire an Access Token for the protected Web API. |
2. Web API now calls Microsoft Graph | In the second chapter we enhance the Web API to call Microsoft Graph using the on-behalf flow to represent the user signed-in in the desktop application to Microsoft Graph. In this chapter, the Web API uses the MSAL.NET to acquire an Access Token for Microsoft Graph using the on-behalf-of flow |
3. Web API and client share the same app id and signs-in MSA users | In the third chapter, we present another pattern where a tightly-knit client and Web API share the same client id (app id). In this one we will sign-in users with Microsoft Personal Accounts. The sign-in flow and the call to Web API uses the same flow as chapter 2. |
4. Client app calls a Web API with Proof of Possession (PoP) | In this chapter, the ASP.NET Core Web API is expecting an Access Token with a Proof of Possession key. |
We recommend that you start with chapter 1. Desktop app calls Web API, where you learn how to protect a web API with Microsoft Entra ID.
Use Stack Overflow to get support from the community.
Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before.
Tag your questions or comments with [msal
dotnet
].
If you find a bug in the sample, please open an issue on GitHub Issues.
To provide a recommendation, visit the following User Voice page.
If you'd like to contribute to this sample, see CONTRIBUTING.MD.
This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
See also other samples where a client app calls your own web API:
- Sample: ASP.NET Core web app calling your own web API
- Sample: .NET Core Daemon application calling your own web API
- Sample: Angular application calling your own web API
Then for other samples and docs:
- Other samples for Microsoft identity platform are available from https://aka.ms/aaddevsamplesv2.
- The conceptual documentation for MSAL.NET is available from https://aka.ms/msalnet.
- The documentation for identity platform is available from https://aka.ms/aadv2.