How to protect APIs using the Microsoft identity platform

In this video, Matthijs Hoekstra explains how developers can use the Microsoft identity platform to implement authorization that protects APIs.


The basics of protecting an API - 0:31
Using the Azure portal to set up protection of APIs - 3:42
Using and validating access tokens - 7:00
Enabling application permissions - 9:48
Demo: validating access tokens - 12:50
Why do you need custom validation behavior? - 19:06
Determining effective permissions in your code - 20:58
Example access tokens from different authentication scenarios - 25:55
APIs calling APIs: "on behalf of" flow - 29:26
Comments

Probably the best video about the subject I've ever watched

yassinesouabni

Has anybody ACTUALLY managed to get this to work? I've been going in circles with crappy Microsoft documentation and lack of support for .NET 5.0 for days. All I want to do is validate a token: signature, audience, issuer and scopes. I don't get how this is so difficult.

I thought it would be as simple as having my appsettings file containing the tenant and client details, then adding Microsoft.Identity.Web middleware, but depending on how I add it in Startup it either doesn't validate the token at all or tells me to provide a ClientId, which I have. I dearly wish these things worked as easy as they always do in these demos.

martialtech

I have a question about the OBO token flow. I have a middle-tier application A which calls APIs of application B. I can generate encrypted tokens for A. For encryption, A uses a public/private key certificate. So when I want to generate the OBO token, should I be using the public certificate in the call? Or should it be a different one? Also, does the OBO call need the token to be decrypted, or would it work with encryption?

_ityadi

Right around the 22:50 mark, he shows us a controller in his API. He has this User object from which he gets the oid and sub. Can anyone tell me what class that User object is? Also, what are all those URL strings? Where do we find them in our Azure app registration?

frankromeo

Nicely explained. Thanks for the video!!

vinodcd

So, do I understand correctly that the access token that the API (including a custom API) gets is verified with Azure AD to check it's the correct one? Or? Thank you.

nolimitsREAL

Hello Sir,
I am able to do authentication and get an access token with an Angular application. Now, when the access token is passed to the backend service, it needs to be validated in the backend on the Java side, right? Please confirm.
Also, what is the use of resourcesProtectionMap?

devendrachaudhary

Question: How is it secure that the issuer of a token also supplies the public key, albeit through their own interface? To me the only thing securing this is that the URL to lookup the public key is hardcoded in my API application. Thanks for any comments.

pauldubois

How do you get keys for token validation in our app middleware?

gabrielpaiz

Thanks a lot! It was clear and nicely explained...

ChandraShekharaTN

Hi, I have an API with an appRole created and a daemon app without that permission assigned, and I am able to get an access token for the API using the daemon (client credentials). Why am I getting an access token if the daemon app doesn't have the correct permissions assigned?

camiloandresgomezm.

Is on behalf of flow supported with Azure B2C? We desperately need this feature.

sahilroyal

Hi, at 15:00 I do not see "role" in the token; only "scp": "impersonation" was shown. Is this right?

jinbaoxin

Hi sir,
Is there any other way of validating the API without registering the web API in Azure?

srivishalsangepu

This is great, but boy, do I hate security. It's totally beyond me, but hopefully will get simpler in future iterations. Good job though - all going the right way.

chairmakerPete

Don't reguister. Register instead.

mhalton