-
Notifications
You must be signed in to change notification settings - Fork 219
1.2.0
Microsoft Identity Web 1.2.0 brings new features:
When you want to call Microsoft.Graph from your web app or web API, you need to:
- specify AddMicrosoftGraph in the startup.cs
- inject GraphServiceClient in the controller, or Razor page or Blazor page.
When you call AddMicrosoftGraph, you specify (by configuration or programmatically) the scopes to request initially. Until Microsoft.Identity.Web 1.2.0, you could not request more scopes when using a GraphServiceClient query, and you could not specify that the query needed app permissions (instead of delegated permissions)
With version 1.2.0, you can now:
-
specify the delegated scopes to use by using
.WithScopes(string[])after theRequest(). For instance:var users = await _graphServiceClient.Users .Request() .WithScopes("User.Read.All") .GetAsync(); NumberOfUsers = messages.Count;
-
specify that you want to use app permissions (that is https://graph.microsoft.com/.default) by using
.WithAppOnly()after theRequest(). For instance:var apps = await _graphServiceClient.Applications .Request() .WithAppOnly() .GetAsync(); NumberOfApps = apps.Count;
Microsoft.Identity.Web adds new generic extension methods applicable to the IDownstreamWebAPI interface to make it easier to call downstream APIs taking (or not) input parameters, and returning (or not) some output, and with a specified HTTP verb.
| HTTP Verb | Extension Method |
|---|---|
| GET with input only | GetForUserAsync |
| GET with output only | GetForUserAsync |
| POST with input and output | PostForUserAsync<TOutput, TInput> |
| PUT with input only | PutForUserAsync |
| PUT with input and output | PutForUserAsync<TOutput, TInput> |
When you deploy your app to Azure App Services, until now if you activated the Authentication/Authorization in App Services (EasyAuth), and also had authentication/authorization handled by Microsoft.Identity.Web, this did not work.
From version 1.2.0, the same code for your web app written with Microsoft.Identity.Web will work seamlessly with our without EasyAuth. Your web app can sign-in users and possibly call web APIs or Microsoft Graph. Indeed, Microsoft.Identity.Web now detects that the app is hosted in App Services, and uses that authentication. You can still sign-in users, and you can call web APIs provided you enabled them in App Services. For details on how to do that, see this tutorial:
Normally your app should not need to know if it's hosted in App Services with Authentication or not, but if you want to propose a different UI, it can call AppServicesAuthenticationInformation.IsAppServicesAadAuthenticationEnabled to detect it.
Note that when Microsoft.Identity.Web detects EasyAuth, it automatically overrides the default authentication scheme to be AppServicesAuthenticationDefaults.AppServicesAuthenticationDefaults.
Microsoft.Identity.Web handles claims challenge exceptions automatically (See Handling incremental consent and conditional access for details)
However, in some advanced scenarios, if you need the application to request specific claims (known by Azure AD), you can ask
Microsoft.Identity.Web automatically handles the incremental consent and conditional access
public class MicrosoftIdentityConsentAndConditionalAccessHandler {
public void ChallengeUser(string[] scopes, string claims=null, string userflow=null);
}
public class TokenAcquisitionOptions {
public string Claims { get; set; }
}
public class MicrosoftIdentityOptions : OpenIdConnectOptions {
public bool AllowWebApiToBeAuthorizedByACL { get; set; }
}
public class AadIssuerValidatorOptions { public AadIssuerValidatorOptions(); public string HttpClientName { get; set; } }
AadIssuerValidator.GetIssuerValidator(string aadAuthority) is now obsolete with a clear message.
namespace Microsoft.Identity.Web.Resource { public class MicrosoftIdentityIssuerValidatorFactory { public MicrosoftIdentityIssuerValidatorFactory(IOptions aadIssuerValidatorOptions, IHttpClientFactory httpClientFactory); public AadIssuerValidator GetAadIssuerValidator(string aadAuthority); }
- Home
- Why use Microsoft Identity Web?
- Web apps
- Web APIs
- Using certificates
- Minimal support for .NET FW Classic
- Logging
- Azure AD B2C limitations
- Samples
- Web apps
- Web app samples
- Web app template
- Call an API from a web app
- Managing incremental consent and conditional access
- Web app troubleshooting
- Deploy to App Services Linux containers or with proxies
- SameSite cookies
- Hybrid SPA
- Web APIs
- Web API samples
- Web API template
- Call an API from a web API
- Token Decryption
- Web API troubleshooting
- web API protected by ACLs instead of app roles
- gRPC apps
- Azure Functions
- Long running processes in web APIs
- Authorization policies
- Generic API
- Customization
- Logging
- Calling graph with specific scopes/tenant
- Multiple Authentication Schemes
- Utility classes
- Setting FIC+MSI
- Mixing web app and web API
- Deploying to Azure App Services
- Azure AD B2C issuer claim support
- Performance
- specify Microsoft Graph scopes and app-permissions
- Integrate with Azure App Services authentication
- Ajax calls and incremental consent and conditional access
- Back channel proxys
- Client capabilities