Protecting an ASP.NET Core Web API using Microsoft identity platform
About this sample
In this scenario, we protect a web API using the Microsoft identity platform. This ensures that the web API is accessible only to authenticated users. In these samples, we work with apps that authenticate users using both work and school accounts and personal Microsoft accounts (MSA).
We also enhance the web API to use the on-behalf-of flow to call other web APIs protected by the Microsoft identity platform.
Prerequisites
- Install .NET Core for Windows by following the instructions at dot.net/core, which includes Visual Studio 2019.
- An Azure Active Directory (Azure AD) tenant. For more information on how to get an Azure AD tenant, see Quickstart: Set up a tenant.
- A user account in your Azure AD tenant, or a personal Microsoft account (MSA)
Step 1: Clone or download this repository
From your shell or command line:
git clone https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2.git
TIP: To avoid path length limitations on Windows, you may need to clone into a directory with a shorter name or near the root of your drive.
Structure of the repository
This repository contains a progressive tutorial made up of the following chapters. We recommend you follow the tutorial in the order presented, but you can try out individual chapters if you wish.
| Chapter | Description |
| --- | --- |
| 1. Desktop app calls a protected Web API | In the first chapter, we protect an ASP.NET Core Web API using the Microsoft identity platform. The Web API will be protected using Azure Active Directory OAuth Bearer Authorization. The Web API is called by a .NET Desktop WPF application. In this chapter, the desktop application uses the Microsoft Authentication Library for .NET (MSAL.NET) to sign in the user and acquire an Access Token for the protected Web API. |
| 2. Web API now calls Microsoft Graph | In the second chapter, we enhance the Web API to call Microsoft Graph using the on-behalf-of flow to represent the user signed in to the desktop application to Microsoft Graph. In this chapter, the Web API uses MSAL.NET to acquire an Access Token for Microsoft Graph using the on-behalf-of flow. |
| 3. Web API and client share the same app id and signs in MSA users | In the third chapter, we present another pattern where a tightly-knit client and Web API share the same client id (app id). In this one, we sign in users with Microsoft Personal Accounts. The sign-in flow and the call to the Web API use the same flow as chapter 2. |
| 4. Client app calls a Web API with Proof of Possession (PoP) | In this chapter, the ASP.NET Core Web API is expecting an Access Token with a Proof of Possession key. |
We recommend that you start with chapter 1. Desktop app calls Web API, where you learn how to protect a web API with Azure AD.
Community Help and Support
Use Stack Overflow to get support from the community.
Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before.
Tag your questions or comments with [
If you find a bug in the sample, please open an issue on GitHub Issues.
To provide a recommendation, visit the following User Voice page.
If you'd like to contribute to this sample, see CONTRIBUTING.MD.
Other samples and documentation
See also other samples where a client app calls your own web API:
- Sample: ASP.NET Core web app calling your own web API
- Sample: .NET Core Daemon application calling your own web API
- Sample: Angular application calling your own web API
Then for other samples and docs: