| page_type | name | description | languages | products | urlFragment | extensions | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
sample |
How to secure an ASP.NET Core Web API with the Microsoft identity platform |
This sample demonstrates an ASP.NET Core Web App signing-in a user and calling an ASP.NET Core Web API that is secured with Microsoft Entra ID. |
|
|
active-directory-aspnetcore-webapp-openidconnect-v2 |
|
- Overview
- Scenario
- Prerequisites
- Setup the sample
- Explore the sample
- Troubleshooting
- About the code
- How the code was created
- How to deploy this sample to Azure
- Next Steps
- Contributing
- Learn More
This sample demonstrates a ASP.NET Core Web App calling a ASP.NET Core Web API that is secured using Microsoft Entra ID.
This sample demonstrates an ASP.NET Core client Web App calling an ASP.NET Core Web API that is secured using Microsoft Entra ID.
- The client ASP.NET Core Web App uses the Microsoft.Identity.Web to sign-in a user and obtain a JWT ID Token and an Access Token from Microsoft Entra ID.
- The access token is used as a bearer token to authorize the user to call the ASP.NET Core Web API protected by Microsoft Entra ID.
- The service uses the Microsoft.Identity.Web to protect the Web api, check permissions and validate tokens.
- Either Visual Studio or Visual Studio Code and .NET Core SDK
- An Microsoft Entra ID tenant. For more information, see: How to get a Microsoft Entra tenant
- A user account in your Microsoft Entra ID tenant. This sample will not work with a personal Microsoft account. If you're signed in to the Microsoft Entra admin center with a personal Microsoft account and have not created a user account in your directory before, you will need to create one before proceeding.
From your shell or command line:
git clone https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2.gitor download and extract the repository .zip file.
⚠️ To avoid path length limitations on Windows, we recommend cloning into a directory near the root of your drive.
cd 4-WebApp-Your-API\4-1-MyOrgThere are two projects in this sample. Each needs to be separately registered in your Microsoft Entra tenant. To register these projects, you can:
-
follow the steps below for manually register your apps
-
or use PowerShell scripts that:
- automatically creates the Microsoft Entra applications and related objects (passwords, permissions, dependencies) for you.
- modify the projects' configuration files.
Expand this section if you want to use this automation:
⚠️ If you have never used Microsoft Graph PowerShell before, we recommend you go through the App Creation Scripts Guide once to ensure that your environment is prepared correctly for this step.-
On Windows, run PowerShell as Administrator and navigate to the root of the cloned directory
-
In PowerShell run:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
-
Run the script to create your Microsoft Entra application and configure the code of the sample application accordingly.
-
For interactive process -in PowerShell, run:
cd .\AppCreationScripts\ .\Configure.ps1 -TenantId "[Optional] - your tenant id" -AzureEnvironmentName "[Optional] - Azure environment, defaults to 'Global'"
Other ways of running the scripts are described in App Creation Scripts guide. The scripts also provide a guide to automated application registration, configuration and removal which can help in your CI/CD scenarios.
To manually register the apps, as a first step you'll need to:
- Sign in to the Microsoft Entra admin center.
- If your account is present in more than one Microsoft Entra tenant, select your profile at the top right corner in the menu on top of the page, and then switch directory to change your portal session to the desired Microsoft Entra tenant.
- Navigate to the Microsoft Entra admin center and select the Microsoft Entra ID service.
- Select the App Registrations blade on the left, then select New registration.
- In the Register an application page that appears, enter your application's registration information:
- In the Name section, enter a meaningful application name that will be displayed to users of the app, for example
TodoListService-aspnetcore-webapi. - Under Supported account types, select Accounts in this organizational directory only
- Select Register to create the application.
- In the Name section, enter a meaningful application name that will be displayed to users of the app, for example
- In the Overview blade, find and note the Application (client) ID. You use this value in your app's configuration file(s) later in your code.
- In the app's registration screen, select the Expose an API blade to the left to open the page where you can publish the permission as an API for which client applications can obtain access tokens for. The first thing that we need to do is to declare the unique resource URI that the clients will be using to obtain access tokens for this API. To declare an resource URI(Application ID URI), follow the following steps:
- Select Set next to the Application ID URI to generate a URI that is unique for this app.
- For this sample, accept the proposed Application ID URI (
api://{clientId}) by selecting Save. Read more about Application ID URI at Validation differences by supported account types (signInAudience).
- All APIs must publish a minimum of one scope, also called Delegated Permission, for the client apps to obtain an access token for a user successfully. To publish a scope, follow these steps:
- Select Add a scope button open the Add a scope screen and Enter the values as indicated below:
- For Scope name, use
ToDoList.Read. - Select Admins and users options for Who can consent?.
- For Admin consent display name type in Read users ToDo list using the 'TodoListService-aspnetcore-webapi'.
- For Admin consent description type in Allow the app to read the user's ToDo list using the 'TodoListService-aspnetcore-webapi'.
- For User consent display name type in Read your ToDo list items via the 'TodoListService-aspnetcore-webapi'.
- For User consent description type in Allow the app to read your ToDo list items via the 'TodoListService-aspnetcore-webapi'.
- Keep State as Enabled.
- Select the Add scope button on the bottom to save this scope.
Repeat the steps above for another scope named ToDoList.ReadWrite
- For Scope name, use
- Select the Manifest blade on the left.
- Set
accessTokenAcceptedVersionproperty to 2. - Select on Save.
- Set
ℹ️ Follow the principle of least privilege when publishing permissions for a web API.
-
All APIs should publish a minimum of one App role for applications, also called Application Permission, for the client apps to obtain an access token as themselves, i.e. when they are not signing-in a user. Application permissions are the type of permissions that APIs should publish when they want to enable client applications to successfully authenticate as themselves and not need to sign-in users. To publish an application permission, follow these steps:
-
Still on the same app registration, select the App roles blade to the left.
-
Select Create app role:
- For Display name, enter a suitable name for your application permission, for instance ToDoList.Read.All.
- For Allowed member types, choose Application to ensure other applications can be granted this permission.
- For Value, enter ToDoList.Read.All.
- For Description, enter Allow the app to read every user's ToDo list using the 'TodoListService-aspnetcore-webapi'.
- Select Apply to save your changes.
Repeat the steps above for another app permission named ToDoList.ReadWrite.All
- Still on the same app registration, select the Token configuration blade to the left.
- Select Add optional claim:
- Select optional claim type, then choose Access.
- Select the optional claim idtyp.
Indicates token type. This claim is the most accurate way for an API to determine if a token is an app token or an app+user token. This is not issued in tokens issued to users.
- Select Add to save your changes.
Open the project in your IDE (like Visual Studio or Visual Studio Code) to configure the code.
In the steps below, "ClientID" is the same as "Application ID" or "AppId".
- Open the
TodoListService\appsettings.jsonfile. - Find the key
Domainand replace the existing value with your Microsoft Entra tenant domain, ex.contoso.onmicrosoft.com. - Find the key
TenantIdand replace the existing value with your Microsoft Entra tenant/directory ID. - Find the key
ClientIdand replace the existing value with the application ID (clientId) ofTodoListService-aspnetcore-webapiapp copied from the Microsoft Entra admin center.
- Navigate to the Microsoft Entra admin center and select the Microsoft Entra ID service.
- Select the App Registrations blade on the left, then select New registration.
- In the Register an application page that appears, enter your application's registration information:
- In the Name section, enter a meaningful application name that will be displayed to users of the app, for example
TodoListClient-aspnetcore-webapi. - Under Supported account types, select Accounts in this organizational directory only
- Select Register to create the application.
- In the Name section, enter a meaningful application name that will be displayed to users of the app, for example
- In the Overview blade, find and note the Application (client) ID. You use this value in your app's configuration file(s) later in your code.
- In the app's registration screen, select the Authentication blade to the left.
- If you don't have a platform added, select Add a platform and select the Web option.
- In the Redirect URI section enter the following redirect URI:
https://localhost:44321/signin-oidc
- In the Front-channel logout URL section, set it to
https://localhost:44321/signout-oidc. - Click Save to save your changes.
- In the Redirect URI section enter the following redirect URI:
- In the app's registration screen, select the Certificates & secrets blade in the left to open the page where you can generate secrets and upload certificates.
- In the Client secrets section, select New client secret:
- Type a key description (for instance
app secret). - Select one of the available key durations (6 months, 12 months or Custom) as per your security posture.
- The generated key value will be displayed when you select the Add button. Copy and save the generated value for use in later steps.
- You'll need this key later in your code's configuration files. This key value will not be displayed again, and is not retrievable by any other means, so make sure to note it from the Microsoft Entra admin center before navigating to any other screen or blade.
💡 For enhanced security, instead of using client secrets, consider using certificates and Azure KeyVault.
- Since this app signs-in users, we will now proceed to select delegated permissions, which is is required by apps signing-in users.
- In the app's registration screen, select the API permissions blade in the left to open the page where we add access to the APIs that your application needs:
- Select the Add a permission button and then:
- Ensure that the My APIs tab is selected.
- In the list of APIs, select the API
TodoListService-aspnetcore-webapi.- Since this app signs-in users, we will now proceed to select delegated permissions, which is requested by apps that signs-in users.
- In the Delegated permissions section, select ToDoList.Read, ToDoList.ReadWrite in the list. Use the search box if necessary.
- Select the Add permissions button at the bottom.
- Type a key description (for instance
- Still on the same app registration, select the Token configuration blade to the left.
- Select Add optional claim:
- Select optional claim type, then choose ID.
- Select the optional claim acct.
Provides user's account status in tenant. If the user is a member of the tenant, the value is 0. If they're a guest, the value is 1.
- Select Add to save your changes.
Open the project in your IDE (like Visual Studio or Visual Studio Code) to configure the code.
In the steps below, "ClientID" is the same as "Application ID" or "AppId".
- Open the
Client\appsettings.jsonfile. - Find the key
Domainand replace the existing value with your Microsoft Entra tenant domain, ex.contoso.onmicrosoft.com. - Find the key
TenantIdand replace the existing value with your Microsoft Entra tenant/directory ID. - Find the key
ClientIdand replace the existing value with the application ID (clientId) ofTodoListClient-aspnetcore-webapiapp copied from the Microsoft Entra admin center. - Find the key
ClientSecretand replace the existing value with the generated secret that you saved during the creation ofTodoListClient-aspnetcore-webapicopied from the Microsoft Entra admin center. - Find the key
TodoListScopesand replace the existing value with "api://<your_service_api_client_id>/ToDoList.Read api://<your_service_api_client_id>/ToDoList.ReadWrite". - Find the key
TodoListBaseAddressand replace the existing value with the base address ofTodoListService-aspnetcore-webapi(by defaulthttps://localhost:44351).
Follow README-use-certificate.md to know how to use this option.
From your shell or command line, execute the following commands:
cd 4-WebApp-Your-API\4-1-MyOrg\TodoListService
dotnet runThen, open a separate command terminal and run:
cd 4-WebApp-Your-API\4-1-MyOrg\Client
dotnet runExpand to see how to use the sample
Open your web browser and navigate to `https://localhost:44321` and sign-in using the link on top-right. The app immediately attempts to authenticate you via the Microsoft identity platform endpoint. Sign in using an user account in that tenant.- Click on
TodoList, you can click onCreate Newlink. It will redirect to create task screen where you can add a new task and assign it to any user from the list. - The
TodoListscreen also displays tasks that are assigned to and created by signed-in user. The user can edit and delete the created tasks but can only view the assigned tasks.
NOTE: Remember, the TodoList is stored in memory in this
TodoListServiceapp. Each time you run the projects, your TodoList will get emptied.
Did the sample not work for you as expected? Did you encounter issues trying this sample? Then please reach out to us using the GitHub Issues page.
Expand for troubleshooting info
Use Stack Overflow to get support from the community.
Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before.
Make sure that your questions or comments are tagged with [azure-active-directory adal msal dotnet].
If you find a bug in the sample, please raise the issue on GitHub Issues.
To provide a recommendation, visit the following User Voice page.
Expand the section
-
In the
TodoListServiceproject, which represents the web api, first the packageMicrosoft.Identity.Webis added from NuGet. -
Starting with the Startup.cs file :
-
at the top of the file, the following using directory was added:
using Microsoft.Identity.Web;
-
in the
ConfigureServicesmethod, the following code was added, replacing any existingAddAuthentication()code:services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
-
AddMicrosoftIdentityWebApiAuthentication()protects the Web API by validating Access tokens sent tho this API. Check out Protected web API: Code configuration which explains the inner workings of this method in more detail. -
There is a bit of code (commented) provided under this method that can be used to used do extended token validation and do checks based on additional claims, such as:
- check if the client app's
appid (azp)is in some sort of an allowed list via the 'azp' claim, in case you wanted to restrict the API to a list of client apps. - check if the caller's account is homed or guest via the
acctoptional claim - check if the caller belongs to right roles or groups via the
rolesorgroupsclaim, respectively
- check if the client app's
See How to manually validate a JWT access token using the Microsoft identity platform for more details on to further verify the caller using this method.
-
-
Then in the controllers
TodoListController.cs, the[Authorize]added on top of the class to protect this route.-
Further in the controller, the RequiredScopeOrAppPermission is used to list the (Delegated permissions), that the user should consent for, before the method can be called.
-
The delegated permissions are checked inside
TodoListService\Controllers\ToDoListController.csin the following manner:[HttpGet] [RequiredScopeOrAppPermission( AcceptedScope = new string[] { "ToDoList.Read", "ToDoList.ReadWrite" }, AcceptedAppPermission = new string[] { "ToDoList.Read.All", "ToDoList.ReadWrite.All" } )] public IEnumerable<Todo> Get() { if (!IsAppOnlyToken()) { // this is a request for all ToDo list items of a certain user. return TodoStore.Values.Where(x => x.Owner == _currentLoggedUser); } else { // Its an app calling with app permissions, so return all items across all users return TodoStore.Values; } }
The code above demonstrates that to be able to reach a GET REST operation, the access token should contain AT LEAST ONE of the scopes (delegated permissions) listed inside parameter of RequiredScopeOrAppPermission attribute Please note that while in this sample, the client app only works with Delegated Permissions, the API's controller is designed to work with both Delegated and Application permissions.
The ToDoList.<*>.All permissions are Application Permissions.
Here is another example from the same controller:
[HttpDelete("{id}")] [RequiredScopeOrAppPermission( AcceptedScope = new string[] { "ToDoList.ReadWrite" }, AcceptedAppPermission = new string[] { "ToDoList.ReadWrite.All" })] public void Delete(int id) { if (!IsAppOnlyToken()) { // only delete if the ToDo list item belonged to this user if (TodoStore.Values.Any(x => x.Id == id && x.Owner == _currentLoggedUser)) { TodoStore.Remove(id); } } else { TodoStore.Remove(id); } }
The above code demonstrates that to be able to execute the DELETE REST operation, the access token MUST contain the
ToDoList.ReadWritescope. Note that the called is not allowed to access this operation with justToDoList.Readscope only. Also note of how we distinguish the what a user can delete. When there is a ToDoList.ReadWrite.All permission available, the user can delete ANY entity from the database, but with ToDoList.ReadWrite, the user can delete only their own entries. -
The method IsAppOnlyToken() is used by controller method to detect presence of an app only token, i.e a token that was issued to an app using the Client credentials flow, i.e no users were signed-in by this client app.
private bool IsAppOnlyToken() { // Add in the optional 'idtyp' claim to check if the access token is coming from an application or user. // // See: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims if (GetCurrentClaimsPrincipal() != null) { return GetCurrentClaimsPrincipal().Claims.Any(c => c.Type == "idtyp" && c.Value == "app"); } return false; }
-
-
In the
TodoListClientproject, which represents the client app that signs-in a user and makes calls to the web api, first the packageMicrosoft.Identity.Webis added from NuGet.
- The following lines in Startup.cs adds the ability to authenticate a user using Microsoft Entra ID.
services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
.EnableTokenAcquisitionToCallDownstreamApi(
Configuration.GetSection("TodoList:TodoListScopes").Get<string>().Split(" ", System.StringSplitOptions.RemoveEmptyEntries)
)
.AddInMemoryTokenCaches();- Specifying Initial scopes (delegated permissions)
The ToDoListClient's appsettings.json file contains ToDoListScopes key that is used in startup.cs to specify which initial scopes (delegated permissions) should be requested for the Access Token when a user is being signed-in:
services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
.EnableTokenAcquisitionToCallDownstreamApi(Configuration.GetSection("TodoList:TodoListScopes")
.Get<string>().Split(" ", System.StringSplitOptions.RemoveEmptyEntries))
.AddInMemoryTokenCaches();-
Detecting Guest users of a tenant signing-in. This section of code in Startup.cs shows you how to detect if the user signing-in is a member or guest.
app.Use(async (context, next) => { if (context.User != null && context.User.Identity.IsAuthenticated) { // you can conduct any conditional processing for guest/homes user by inspecting the value of the 'acct' claim // Read more about the 'acct' claim at aka.ms/optionalclaims if (context.User.Claims.Any(x => x.Type == "acct")) { string claimvalue = context.User.Claims.FirstOrDefault(x => x.Type == "acct").Value; string userType = claimvalue == "0" ? "Member" : "Guest"; Debug.WriteLine($"The type of the user account from this Microsoft Entra tenant is-{userType}"); } } await next(); });
- There is some commented code in Startup.cs that also shows how to user certificates and KeyVault in place, see README-use-certificate for more details on how to use code in this section.
- Also consider adding MSAL.NET Logging to you project
Expand the section
The code for the TodoListService was created in the following way:
md TodoListService
cd TodoListService
dotnet new webapi -au=SingleOrg
- Open the generated project (.csproj) in Visual Studio, and save the solution.
In the TodoListService project, add a folder named Models and then create a new file named TodoItem.cs. Copy the contents of the TodoListService\Models\TodoItem.cs in this file.
Update Program.cs file :
*replace the following code:
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));with
services.AddMicrosoftIdentityWebApiAuthentication(Configuration);- Add a reference to the ToDoListService.
- Create a new Controller named
TodoListControllerand copy and paste the code from the sample (TodoListService\Controllers\TodoListController.cs) to this controller. - Open the
appsettings.jsonfile and copy the keys from the sample's corresponding file under theAzureAdandTodoListsections.
-
Run the following command to create a sample from the command line using the
SingleOrgtemplate:md TodoListClient cd TodoListClient dotnet new mvc --auth SingleOrg --client-id <Enter_the_Application_Id_here> --tenant-id <yourTenantId>
Note: Replace
Enter_the_Application_Id_herewith the Application Id from the application Id you just registered in the Application Registration Portal and<yourTenantId>with the Directory (tenant) ID where you created your application.
-
Open the generated project (.csproj) in Visual Studio, and save the solution.
-
Add the
Microsoft.Identity.Webvia Nuget. -
Open the Program.cs file and:
- Replace the two following lines:
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
.AddAzureAD(options => Configuration.Bind("AzureAd", options));with these lines:
services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
.EnableTokenAcquisitionToCallDownstreamApi(
Configuration.GetSection("TodoList:TodoListScopes").Get<string>().Split(" ", System.StringSplitOptions.RemoveEmptyEntries)
)
.AddInMemoryTokenCaches();- This enables your application to use the Microsoft identity platform endpoint. This endpoint is capable of signing-in users both with their Work and School and Microsoft Personal accounts.
-
Change the
Properties\launchSettings.jsonfile to ensure that you start your web app from https://localhost:44321 as registered. For this:- update the
sslPortof theiisSettingssection to be44321 - in the
applicationUrlproperty of usehttps://localhost:44321 - Then add the following code to inject the ToDoList service implementation in the client
// Add APIs services.AddTodoListService(Configuration);
- update the
-
Open the
appsettings.jsonfile and copy the keys from the sample's corresponding file under theAzureAdandTodoListsections.
-
In the TodoListClient project, add a folder named
Modelsand then create a new file namedTodoItem.cs. Copy the contents of the TodoListClient\Models\TodoItem.cs in this file. -
Create a new Controller named
TodoListControllerand copy and paste the code from the sample (TodoListService\Controllers\TodoListController.cs) to this controller. -
Copy the files
TodoListServiceandTodoListService.csin the TodoListClient\Services folder provided in this sample to your project. -
Copy the contents of TodoListClient\views\ToDo folder to the views folder of your project.
-
Modify the
Views\Shared\_Layout.cshtmlto add a link to the ToDolist controller. Check theViews\Shared\_Layout.cshtmlin the sample for reference. -
Add a section name TodoList in the appsettings.json file and add the keys
TodoListScope,TodoListBaseAddress. -
Update the
configureServicesmethod instartup.csto add the MSAL library and a token cache.services.AddMicrosoftIdentityWebAppAuthentication(Configuration) .EnableTokenAcquisitionToCallDownstreamApi( Configuration.GetSection("TodoList:TodoListScopes").Get<string>().Split(" ", System.StringSplitOptions.RemoveEmptyEntries) ) .AddInMemoryTokenCaches(); // Add APIs services.AddTodoListService(Configuration);
Expand the section
There is one web API in this sample. To deploy it to Azure App Services, you'll need to:
- create an Azure App Service
- publish the projects to the App Services
⚠️ Please make sure that you have not switched on the Automatic authentication provided by App Service. It interferes the authentication code used in this code example.
Follow the link to Publish with Visual Studio.
- Install the Visual Studio Code extension Azure App Service.
- Follow the link to Publish with Visual Studio Code
ℹ️ When calling the web API, your app may receive an error similar to the following:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://some-url-here. (Reason: additional information here).
If that's the case, you'll need enable cross-origin resource sharing (CORS) for you web API. Follow the steps below to do this:
- Go to Microsoft Entra admin center, and locate the web API project that you've deployed to App Service.
- On the API blade, select CORS. Check the box Enable Access-Control-Allow-Credentials.
- Under Allowed origins, add the URL of your published web app that will call this web API.
There is one web app in this sample. To deploy it to Azure App Services, you'll need to:
- create an Azure App Service
- publish the projects to the App Services, and
- update its client(s) to call the website instead of the local environment.
Follow the link to Publish with Visual Studio.
- Install the Visual Studio Code extension Azure App Service.
- Follow the link to Publish with Visual Studio Code
- Navigate back to to the Microsoft Entra admin center. In the left-hand navigation pane, select the Microsoft Entra ID service, and then select App registrations (Preview).
- In the resulting screen, select the
TodoListClient-aspnetcore-webapiapplication. - In the app's registration screen, select Authentication in the menu.
- In the Redirect URIs section, update the reply URLs to match the site URL of your Azure deployment. For example:
https://TodoListClient-aspnetcore-webapi.azurewebsites.net/signin-oidc
- Update the Front-channel logout URL fields with the address of your service, for example https://TodoListClient-aspnetcore-webapi.azurewebsites.net
- In the Redirect URIs section, update the reply URLs to match the site URL of your Azure deployment. For example:
- In your IDE, locate the
TodoListClient-aspnetcore-webapiproject. Then, openClient\appsettings.json. - Find the key for redirect URI and replace its value with the address of the web app you published, for example, https://TodoListClient-aspnetcore-webapi.azurewebsites.net/redirect.
- Find the key for web API endpoint and replace its value with the address of the web API you published, for example, https://TodoListService-aspnetcore-webapi.azurewebsites.net/api.
⚠️ If your app is using an in-memory storage, Azure App Services will spin down your web site if it is inactive, and any records that your app was keeping will be empty. In addition, if you increase the instance count of your website, requests will be distributed among the instances. Your app's records, therefore, will not be the same on each instance.
If you'd like to contribute to this sample, see CONTRIBUTING.MD.
This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
For more information, visit the following links:
*To lean more about the application registration, visit: *Quickstart: Register an application with the Microsoft identity platform *Quickstart: Configure a client application to access web APIs *Quickstart: Configure an application to expose web APIs
*To learn more about the code, visit: *Conceptual documentation for MSAL.NET and in particular: *Acquiring tokens with authorization codes on web apps *Customizing Token cache serialization
*To learn more about security in aspnetcore, *Introduction to Identity on ASP.NET Core *AuthenticationBuilder *Microsoft Entra ID with ASP.NET Core *Protected web API: Verify scopes and app roles