Comments (9)
@winzuus the sample you are looking for is here: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-2-B2C/README.md and is fully functional and maintained.
This repo here is for OWIN, which is indeed old tech
Hi @jmprieur thank you so much for providing the up-to-date code sample, and glad to see a contributor replying to my issue :)
I have read the Sample Code and found that it uses the OpenID Connect Flow, but I need to use the "Client Credential Flow".
The reason for this is I need to test my endpoint being protected without user interaction. I will test it first with Postman; later I would like to do automated testing in unit tests, so a flow which requires user interaction does not fit my purpose.
Does Microsoft have a code sample for this scenario? It would be appreciated if you could provide a link.
Many thanks,
Winston
from active-directory-b2c-dotnet-webapp-and-webapi.
@winzuus - client credentials flow is for service principals not for users. If your web api acts on behalf of a user, then we recommend that you test with Username/Password flow:
Hi @bgavrilMS thanks for your update.
No, our API does not act on behalf of a user.
I have found the Client Credential Flow is the most suitable flow for our case.
I have checked its official documentation but have not found a GitHub demo.
It would be appreciated if you could share the link to demo code for the Client Credential Flow (if there is one).
Thanks
@bgavrilMS @jmprieur
Also, I have found a code example for the Client Certificate Flow.
Is it the same flow as the Client Credential Flow?
Yes @winzuus
The OAuth2 spec mentions the client_credentials grant. There are several variants of this:
- based on a secret (we don't recommend this in production)
- based on a certificate (you found the right sample)
- based on a federated credential (I don't think this works for b2c)
Hi @bgavrilMS
Thank you for your reply.
For the 1st option: based on a secret, what is the reason that it is not recommended in production?
- Secrets should be rotated periodically and while the AAD portal helps you with that (e.g. you can set expiry on a secret), this is not enforced. Certificate expiration is something that is better handled - e.g. you can get KeyVault to rotate certs and your app just gets the latest cert from KV (by name). Just remember to update your app registration!
- Secrets are like passwords - vulnerable to brute force or spraying attacks. It's hard to enforce a 'strong' password. The private key of a certificate is much more complex and not vulnerable to these types of attacks.
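As an added illustration of the two client_credentials variants discussed in this thread (secret vs certificate) and of the rotation point above, here is a small MSAL.NET example. It is not code from the sample repository or from the commenters; the client id, authority, scope, vault URI and certificate name are placeholders you would replace with your own app registration values, and loading the PFX from Key Vault through its secret endpoint is one common pattern rather than the only one.

```csharp
// Added example, not part of the sample repo: OAuth2 client_credentials grant
// with MSAL.NET, once with a shared secret and once with a certificate whose
// current version is read from Key Vault by name. All names are placeholders.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Identity.Client;

public static class ClientCredentialsDemo
{
    // Placeholders: replace with your own app registration values.
    // A B2C tenant uses its own b2clogin.com authority instead of this form.
    const string ClientId  = "00000000-0000-0000-0000-000000000000";
    const string Authority = "https://login.microsoftonline.com/<tenant-id>";
    static readonly string[] Scopes = { "api://<api-client-id>/.default" };

    // Variant 1: shared secret. The secret is a password-like value that has to be
    // stored and rotated by hand, and is exposed to guessing/spraying at the token endpoint.
    public static IConfidentialClientApplication BuildWithSecret(string clientSecret) =>
        ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(new Uri(Authority))
            .Build();

    // Variant 2: certificate. MSAL signs a short-lived JWT client assertion with the
    // private key; only the public key is registered with the app registration, so
    // nothing password-like ever travels to the token endpoint.
    public static IConfidentialClientApplication BuildWithCertificate(X509Certificate2 cert) =>
        ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithCertificate(cert)
            .WithAuthority(new Uri(Authority))
            .Build();

    // Read the current version of a Key Vault certificate (with private key) by name.
    // Key Vault can rotate the certificate on a schedule; the app simply gets the latest
    // version on each start. The new version's public key must still be added to the
    // app registration, as the comment above notes.
    public static async Task<X509Certificate2> LoadCertificateFromKeyVaultAsync(Uri vaultUri, string certName)
    {
        var secretClient = new SecretClient(vaultUri, new DefaultAzureCredential());
        // Key Vault exposes the PFX of a certificate as a base64-encoded secret of the same name.
        KeyVaultSecret secret = await secretClient.GetSecretAsync(certName);
        byte[] pfx = Convert.FromBase64String(secret.Value);
        // Ephemeral key set: the private key stays in memory and is not persisted to a key store.
        return new X509Certificate2(pfx, (string?)null, X509KeyStorageFlags.EphemeralKeySet);
    }

    // AcquireTokenForClient is the client_credentials grant: no user, the app's own identity.
    public static async Task<string> GetAppTokenAsync(IConfidentialClientApplication app)
    {
        AuthenticationResult result = await app.AcquireTokenForClient(Scopes).ExecuteAsync();
        return result.AccessToken;
    }

    public static async Task Main()
    {
        // Placeholder vault URI and certificate name.
        var cert = await LoadCertificateFromKeyVaultAsync(
            new Uri("https://<vault-name>.vault.azure.net/"), "<certificate-name>");
        var app = BuildWithCertificate(cert);
        string token = await GetAppTokenAsync(app);
        Console.WriteLine($"Got app-only access token, length {token.Length}");
    }
}
```

The resulting access token carries no user claims, which matches the "no user interaction" test setup asked about earlier in the thread: the API under test should authorize on the app's role or scope claim rather than on a user identity.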
Thank you all questions answered 😌