Net core web application. I am trying to implement groups based authorization in my .Net core app. I am trying to call groups from Microsoft graph. I have some confusion here. Below are the steps.
- Created Web API app in .Net core 2.1
- Added swashbuckle swagger support to it.
- created app in Azure AD for swagger
- Created app in Azure AD for back end .Net core API (Name is WebServicesAPP).
- In WebServicesAPP app -> Expose an API-> Add client application -> Added my swagger app.
- In WebServicesAPP app -> API Permissions -> Add Permission -> Microsoft graph API -> Application Permission -> Group.ReadAll
- changed Oauthimplicitflow to True in manifest.
These are the steps I taken. After this I have added relevant code to implement swagger as below. In startup I have added
public void ConfigureServices(IServiceCollection services)
{
services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
services
.AddAuthentication(o =>
{
o.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(o =>
{
o.Authority = azureActiveDirectoryOptions.Authority;
o.TokenValidationParameters = new TokenValidationParameters
{
ValidAudiences = new List<string>
{
azureActiveDirectoryOptions.AppIdUri,
azureActiveDirectoryOptions.ClientId
},
ValidateIssuer = true
};
});
services.AddScoped<IAuthorizationHandler, GroupsCheckHandler>();
services.AddAuthorization(options =>
{
options.AddPolicy("GroupsCheck", policy =>
{
policy.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
policy.RequireAuthenticatedUser();
policy.Requirements.Add(new GroupsCheckRequirement("9da02036-fc14-4e97-ac58-2293bddae44d"));
});
});
services.AddMvc(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
})
.SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new Info { Title = "My API", Version = "v1" });
c.AddSecurityDefinition("oauth2", new OAuth2Scheme
{
Type = "oauth2",
Flow = "implicit",
AuthorizationUrl = swaggerUIOptions.AuthorizationUrl,
TokenUrl = swaggerUIOptions.TokenUrl
});
c.AddSecurityRequirement(new Dictionary<string, IEnumerable<string>>
{
{ "oauth2", new[] { "readAccess", "writeAccess" } }
});
});
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseSwagger();
app.UseSwaggerUI(c =>
{
c.OAuthClientId(swaggerUIOptions.ClientId);
c.OAuthClientSecret(swaggerUIOptions.ClientSecret);
c.OAuthRealm(azureActiveDirectoryOptions.ClientId);
c.OAuthAppName("Swagger");
c.OAuthAdditionalQueryStringParams(new { resource = azureActiveDirectoryOptions.ClientId });
c.SwaggerEndpoint("/swagger/v1/swagger.json", "My API V1");
});
app.UseAuthentication();
app.UseMvc();
}
Now with my above code I am generating swagger. In swagger I clicked on Authorize Tab-> Added my login details and I tried to hit below sample API.
[Authorize]
[Route("api/[controller]")]
[ApiController]
public class ValuesController : ControllerBase
With Application permission and client credential I am using below code to get token for MS graph
AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenAsync(graphResource, clientCred).ConfigureAwait(false);
var token = authenticationResult.AccessToken;
Once I get toke from above code I am successfully getting groups like below
GraphServiceClient client = await MicrosoftGraphClient.GetGraphServiceClient();
var groupList = await client.Users[userId].MemberOf.Request().GetAsync();
I am able to hit API and I am having no issue.
Now I want to get all the groups from Microsoft graph API end point. I need little clarification on below.
- Now I already have token and can I use same token to call Microsoft graph API?
- Now I am trying to get current logged in users group so when adding Microsoft graph we have two options delegated permission and application permission. delegated permission -> Used to call graph API on behalf of user Application permission -> App itself calls Microsoft graph API. Using client credentials flow It generates token and passes to Microsoft graph and authenticates.
- In my case I have logged in user ad I am trying to hit Microsoft graph. So which One I should use Delegated Permission or Application Permission?
I am finding very hard to understand these since quite time and I do not see any relevant document for my approach. Can someone help me to understand this? Really any suggestions will really help me. Thanks a lot.