swagger azure ad authentication | web api azure ad authentication | Swagger Azure AD Login

  • Published on 20 Oct 2024

Comments • 70

  • @guilhermefaria1285 3 months ago

    Great explanation. Which users will have a successful login when trying to acquire the token? All users from your directory, or is a specific permission required?

    • @azureteachnet 2 months ago

      Right now, anyone who can log on to the directory can access this. If you need any restriction as such, you can use role claims on API. You can do it in other ways too.

  • @TellaTrix 2 years ago +1

    Wow! It has a lot of configuration. Really informative content.

  • @juliopinedajung9106 1 year ago +1

    Thanks for your video.
    Since I have access to swagger securely:
    Is it possible in Swagger to create an End-Point to get the Azure token?
    And then, using this Token, access the App from another App without having to register the second App?
    Otherwise. How could I access this API without having to register my APP with Azure? Maybe using Swagger to get the Token? Is this possible?

  • @shivamacharya 2 years ago +1

    Perfect explanation. Most awaited video.

    • @azureteachnet 2 years ago

      Thank you for the feedback. Please subscribe to the channel if you have not subscribed yet.

  • @walkingdadjokes6099 2 years ago

    thx for the details. Why must swagger have its own app registration though? Swagger is within the API app no?

    • @azureteachnet 2 years ago +2

      Still Swagger is a client which calls API. General Rule of thumb is API and Client should have their own app registrations. Moreover, App registrations are free 😀. Thank you.

  • @shatvani 1 year ago

    I thank you for sharing your knowledge. By the way, is it necessary to register a new SwaggerClientAppRegistration registration for Swagger in Azure AD? Cannot it be possible somehow to create a Swagger client in the SwaggerAzureADApi registration, please?

    • @azureteachnet 1 year ago +1

      Thanks for the feedback. It is recommended to create.

  • @shatvani 1 year ago

    Unfortunately when I open the Swagger API in Chrome or Edge after I click on Authorize button nothing happens but in the Firefox authorization works but when I want to try out the WeatherForecast endpoint it gives me this error: 'The user or administrator has not consented to use the application with ID ... named API. Send an interactive authorization request for this user and resource.' Could you tell me what is the problem, here, please?

    • @azureteachnet 1 year ago

      Provide admin consent on default directory on your client app registration. It will work.

  • @viksdeeps09 1 year ago

    Can you direct me, how can I do the same in web api .Net Core 6. Both client call and API call will be in same. Long story short I need Id Token with user roles, without pop-up. Like get the token silent. Your help is much appreciated.

  • @ac0ncernedcitizen 1 year ago

    16:35 this is fine for testing in Swagger, but do you have a video showing how to authenticate a request m2m without any user to manually authenticate?

    • @azureteachnet 1 year ago

      M2M - do you mean, you want to authenticate using a client application, rather than logging in with user?

    • @ac0ncernedcitizen 1 year ago

      @azureteachnet yes

  • @Abhishek-yy3xg 1 month ago

    How to authenticate the generated bearer token without opening the login window after clicking authorize.

  • @ionix2000 10 months ago

    You explained very well. Thank you very much! I appreciate it.

    • @azureteachnet 10 months ago

      Thanks for your feedback. Please subscribe to the channel if you have not subscribed yet.

  • @onurakmese2129 1 year ago

    Hi I have a question please, why do we need 2 applications ? It's working with one

    • @azureteachnet 1 year ago

      Generally when you use APIs, there should be a client application. So need to have both apps. Moreover, app registrations are free of cost in azure. Please subscribe to the channel if you have not subscribed yet. Thanks.

  • @Kokolino_ 11 months ago

    If I create an Azure Entra ID service to generate a bearer token, with a client_id and client_secret. Can I integrate this in the swagger? Because in your approach you are not using the client secret. I need to use the client secret because I'm building a swagger for a client with oauth2 authentication endpoints, and the idea is to generate the bearer token with a client_id client_secret and the scope. Thanks in advance

    • @azureteachnet 11 months ago

      I am working on the video for the same as most of others asked. Will post it soon. Thanks

    • @azureteachnet 11 months ago

      I hope you have tried different solutions online. Please read below.
      1. Swagger sends request to the token endpoint with an ajax call using browser's fetch API.
      2. Azure can send the token for client credentials if the request originated from BROWSER, only if the client app is SPA app.
      3. I tried authentication of app registration as SPA, but still it was not working. Later after researching, came to know that, "Origin" header should not be present in the token request. But unfortunately, BROWSER (Chrome/EDGE) by default adds the header.
      4. I tried intercepting Fetch requests from browser and removing the header, but the browser is adding the origin header just before sending the request, so no luck.
      5. The solution is, your configurations will work but you have to run chrome by disabling web security. Then only it will not send "origin" header and azure returns the token.
      6. One other solution is, call your own api endpoint from swagger authorize screen, by configuring your own api url, use publicClientApplication to generate token using client id and secret then return it.
      EVEN SWAGGER HAS AN OPEN ISSUE RELATED TO THIS which was opened in November 2022.
      Please let me know if it helps. Otherwise please wait for the video. Thanks.

    • @Kokolino_ 11 months ago

      Hi @azureteachnet, Thanks for your fast response! Yes, I have tried different solutions but nothing works. And I think disable web security is not an option because I have to send the swaggerUI to a client, and I can't say to the client to disable the web security on chrome :( . BTW I'll wait for your video to check with details how do you do, thanks!

    • @azureteachnet 11 months ago

      @Kokolino_ If you don't want to go with disable web security option, the other solution is very simple. Instead of relying on microsoft token url for fetching the token, you can add your own endpoint in the api and use the client id and client secret to fetch the token. You have to configure the same endpoint with Swagger in Program.cs
      Unfortunately Video creation taking time as I am too busy personally and professionally.
      I have added a sample solution in my GitHub repo.
      github.com/AzureTeachNet/AzureTeachTutorials/tree/NetCoreWebApiAzureADClientCredentials/SwaggerClientCredentials
      I have added 3 screenshots in the same repo for better understanding.
      If this is helpful to you, please subscribe to the channel and share my channel across in your friend circles.
      Thank you.

    • @azureteachnet 11 months ago

      Please note that, you have to configure your azure ad details in appsettings.json and modify code in program.cs. Modifying program.cs is optional.
      After making this change, you can ask your clients to logon with their client id and client secret.
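
The own-endpoint workaround described in the replies above (the API requests the token server-side, so no browser `Origin` header is involved), as an added example in Node.js that is not part of the comments and is not the code from the linked repository. `TENANT_ID` is a placeholder, and `buildTokenRequest` and `proxyToken` are hypothetical names.

```javascript
// Added example: TENANT_ID is a placeholder, function names are hypothetical.
// The tenant is pinned server-side so callers cannot pick another tenant.
const TENANT_ID = '00000000-0000-0000-0000-000000000000';
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Validate the form posted by Swagger UI and build the request that the
// API itself sends to the Microsoft identity platform v2.0 token endpoint.
function buildTokenRequest(form) {
  const clientId = String(form.client_id || '');
  const clientSecret = String(form.client_secret || '');
  const scope = String(form.scope || '');
  if (!GUID_RE.test(clientId)) throw new Error('invalid client_id');
  if (!clientSecret) throw new Error('missing client_secret');
  // Client-credentials requests use a single "<resource>/.default" scope.
  if (!scope.endsWith('/.default') || /\s/.test(scope)) throw new Error('invalid scope');
  return {
    url: `https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token`,
    method: 'POST',
    // No Origin header: this is a server-to-server call, not a browser fetch.
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'client_credentials',
      client_id: clientId,
      client_secret: clientSecret,
      scope,
    }).toString(),
  };
}

// Forward the request and hand back only the token fields. The posted form
// carries a secret: serve this route over TLS only and never log the body.
async function proxyToken(form, fetchImpl = fetch) {
  const { url, ...init } = buildTokenRequest(form);
  const res = await fetchImpl(url, init);
  const json = await res.json();
  if (!res.ok) {
    // Return the OAuth error code, not the full upstream description.
    return { status: 400, body: { error: json.error || 'invalid_request' } };
  }
  const { access_token, token_type, expires_in } = json;
  return { status: 200, body: { access_token, token_type, expires_in } };
}
```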

  • @volkerkleffmann3274 1 year ago

    Thank you very much for your video! Really well explained!

    • @azureteachnet 1 year ago

      Thank you for the feedback. Please subscribe to the channel if you have not subscribed yet.

  • @aavuong9360 1 year ago

    Thank you for the video. Can you configure swagger to call controller that configure with [Authorize(Roles = "Api.ReadWrite")]? Thank you in advance

    • @azureteachnet 1 year ago

      You need to authorize the user by logging in to Swagger. If the user has the role, he should be able to access it.

  • @dancristian3673 1 year ago

    can we create an endpoint "login" to get the token and put it in authorize button to gain access? any link to share? thanks man!

    • @azureteachnet 1 year ago

      We can do that way too. You can generate the token separately from Postman or from your own endpoint and paste the token in the text box to login.
      At present the channel did not have the video. Maybe in future I will create one.
      Please subscribe to the channel if you have not subscribed yet. Thanks.

  • @dancristian3673 1 year ago

    just in case... there's no more uploaded sample project in github you shared here.

    • @azureteachnet 1 year ago

      Unfortunately, I did not upload this code. Going forward, will upload all my videos' code to GitHub. Thanks.

  • @scorpionesp6510 7 months ago

    Does this work for AzureAD B2C?

  • @M_Oussama89 9 months ago

    Thanks, I like it, but the project does not exist at the GitHub link, and how can we have a logout endpoint?

    • @azureteachnet 9 months ago

      On Swagger Authentication popup itself you will see log out button. If you are talking about API, logging out is not responsibility of API. It is responsibility of Client Application (Angular or react or others).

    • @M_Oussama89 9 months ago

      @azureteachnet Thanks for the answer. Yes I know about the logout swagger button but exactly like you said I'm speaking about calling the Login and Logout API endpoint from an angular client app?

    • @azureteachnet 9 months ago

      @M_Oussama89 For logout, you have to redirect the user to azure ad. Refer to this video - th-cam.com/video/98T1CumHofI/w-d-xo.html . If this video is helpful to you please subscribe to the channel.

  • @touchtbo 1 year ago

    Can I use JavaScript to access this API?

  • @drouxn3383 1 year ago

    Do you have something similar on swagger azure ad b2c authentication? I tried to apply this on Azure AD b2c but some steps are different, especially app registration on AD B2C.

    • @azureteachnet 1 year ago +1

      I don't have one right now. Will create a video soon. Thanks

  • @_keano 11 months ago

    Is there any way to refresh the token this way?

    • @azureteachnet 11 months ago

      We need to pass the refresh token url in the swagger configuration. If possible will make a video for the same. Thank you.

  • @rokka77 1 year ago

    Loved this, great content!

    • @azureteachnet 1 year ago

      Thanks for the feedback. Please subscribe to the channel if you have not subscribed yet. There are a lot of azure videos in the channel and more to come in future.

  • @kristianaranda 2 years ago

    Great video and well explained!

  • @SteveNgaiCheeWeng 1 year ago

    Hi, can share the source code? Thanks.

    • @azureteachnet 1 year ago

      Unfortunately, this code is not available in the repo. Going forward, will push all my video code to repo. Thanks.

  • @stk8115 11 months ago

    Instead of creating an App Registration for Swagger Client, can we reuse the UI Client App registration client code in Swagger Configuration?

    • @azureteachnet 11 months ago

      1. An API works in a client and server model.
      2. If you watch the video, we are giving permission to client app registration.
      3. It is recommended to use a separate client app registration for swagger.
      Please subscribe to the channel if you have not subscribed yet.

    • @stk8115 11 months ago

      @azureteachnet Yes, I have an Angular UI Client app registered already other than the Api, I want to use UI Client app info instead of creating a new App Registration for SwaggerClient. Let me know if that works

    • @azureteachnet 11 months ago

      @stk8115 That works.

  • @znk0r 1 year ago

    Brilliant!

    • @azureteachnet 1 year ago

      Thanks for the feedback. Please subscribe to the channel if you have not subscribed yet.

  • @markjosephjaylo5179 7 months ago

    ty

    • @azureteachnet 7 months ago

      Thanks for the feedback. Please subscribe to the channel if you are not subscribed yet.

  • @AlexanderPoznanski 1 year ago

    Thank you!

    • @azureteachnet 1 year ago

      Thanks for the feedback. Please subscribe to the channel if you have not subscribed yet. Thanks

  • @serkangunaydin3307 2 years ago

    Thanks a lot. It works.

    • @azureteachnet 2 years ago

      Thanks for the feedback. Please subscribe to the channel if you have not subscribed yet. There are more videos in the channel and a lot more to come. Thanks

  • @vivekkaushik9508 2 years ago

    You should not be exposing your tenant and client information so casually on the internet. Perhaps blur it or remove it during the recording.

    • @azureteachnet 2 years ago +3

      Thanks for the suggestion. I delete my app registrations frequently and I don't think it is an issue. All my videos use user login to authenticate (1 or 2 videos has client secret based), Unless the user is in my azure ad tenant, they cannot login and use my account details. Thanks. Please subscribe to the channel if you have not subscribed yet.

  • @prashanthrapalli 5 months ago

    this is not working

    • @prashanthrapalli 5 months ago

      Auth error
      Error: Bad Request, error: invalid_grant, description: AADSTS501481: The Code_Verifier does not match the code_challenge supplied in the authorization request. Trace ID: ********* Correlation ID: ******** Timestamp: 2024-05-07 03:55:22Z

    • @prashanthrapalli 5 months ago

      Auth error
      Error: Bad Request, error: invalid_grant, description: AADSTS501481: The Code_Verifier does not match the code_challenge supplied in the authorization request. Trace ID: ******** Correlation ID: ********* Timestamp: 2024-05-07 03:55:22Z
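
The AADSTS501481 message quoted above is the PKCE check failing: the `code_verifier` sent to the token endpoint did not hash to the `code_challenge` sent in the authorization request. The S256 relation from RFC 7636, as an added example in Node.js that is not part of the comments or the video; the function names are hypothetical, and the sample pair is the published test vector from RFC 7636 Appendix B.

```javascript
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

// Sample pair: the published test vector from RFC 7636 Appendix B.
const RFC_VERIFIER = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
const RFC_CHALLENGE = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM';

// RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// 32 random bytes encode to 43 unpadded base64url characters.
function newCodeVerifier() {
  return randomBytes(32).toString('base64url');
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no '=' padding.
function s256Challenge(verifier) {
  if (!VERIFIER_RE.test(verifier)) {
    throw new Error('code_verifier must be 43-128 unreserved characters');
  }
  return createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// The comparison the token endpoint performs before issuing tokens.
function verifierMatches(verifier, challenge) {
  let expected;
  try { expected = Buffer.from(s256Challenge(verifier)); } catch { return false; }
  const given = Buffer.from(String(challenge));
  return expected.length === given.length && timingSafeEqual(expected, given);
}

// Classify a captured verifier/challenge pair (assumed to be copied from the
// authorize and token requests in the browser's network tab).
function diagnose(verifier, challenge) {
  if (verifierMatches(verifier, challenge)) return 'ok';
  if (challenge === verifier) return 'challenge is the raw verifier (plain, not S256)';
  const raw = createHash('sha256').update(String(verifier), 'ascii').digest();
  if (challenge === raw.toString('base64')) return 'challenge is padded base64, not base64url';
  if (challenge === raw.toString('hex')) return 'challenge is hex, not base64url';
  return 'verifier was not generated for this authorization request';
}
```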