Secure Azure Storage API

Overview

AAD App Registration

What Is App Registration

Create App Registration for the API

Generate Code

dotnet new webapi -au SingleOrg -o SecureApi
cd SecureApi
dotnet add package Azure.Identity
dotnet add package Azure.Storage.Blobs

Options:
  -au|--auth  The type of authentication to use
                None           - No authentication
                IndividualB2C  - Individual authentication with Azure AD B2C
                SingleOrg      - Organizational authentication for a single tenant
                Windows        - Windows authentication
              Default: None

Develop Code From Local

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "need to update xyz.onmicrosoft.com",
    "TenantId": "need to update ",
    "ClientId": "need to update ",
    "Scopes": "ToDoList.Read ToDoList.Write",
    "CallbackPath": "/signin-oidc"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
  "AzureStorage": {
    "AcctName": "need to update tbd",
    "ContainerName": "need to update tbd"
  }
}

Customize Code

namespace SecureApi;

public class MyBlobFile
{
    public string? BlobFile { get; set; }
    public DateTimeOffset? LastModified { get; set; }
}

This version of the code is almost the same as the code from the last blog post; we just apply the [Authorize] attribute.
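The controller itself is not shown on this page. As an added example (not the author's code), a controller for the POST /MyBlobFile route called in the validation step could look like the sketch below. The names MyBlobFileController and Read, the use of DefaultAzureCredential, and the [RequiredScope] check against the "AzureAd:Scopes" setting are assumptions.

```csharp
// Added example, not the author's controller. Hypothetical names: MyBlobFileController, Read.
using Azure.Identity;
using Azure.Storage.Blobs;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web.Resource;

namespace SecureApi.Controllers;

// [Authorize] relies on the JWT bearer setup that the SingleOrg template
// generates in Program.cs; requests without a valid token for this API are rejected.
[Authorize]
// Assumption: also require that the token's scp claim contains at least one
// of the scopes listed under "AzureAd:Scopes" in appsettings.json.
[RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")]
[ApiController]
[Route("[controller]")]
public class MyBlobFileController : ControllerBase
{
    private readonly BlobContainerClient _container;

    public MyBlobFileController(IConfiguration config)
    {
        // Keys taken from the AzureStorage section of appsettings.json.
        var account = config["AzureStorage:AcctName"];
        var container = config["AzureStorage:ContainerName"];
        // Assumption: the API reaches storage with its own Azure identity, no account key.
        _container = new BlobContainerClient(
            new Uri($"https://{account}.blob.core.windows.net/{container}"),
            new DefaultAzureCredential());
    }

    [HttpPost]
    public async Task<IActionResult> Read([FromBody] MyBlobFile request)
    {
        // Reject an empty name before it reaches the storage SDK.
        if (string.IsNullOrWhiteSpace(request.BlobFile))
            return BadRequest("blobFile is required");

        var blob = _container.GetBlobClient(request.BlobFile);
        if (!(await blob.ExistsAsync()).Value)
            return NotFound();

        var download = await blob.DownloadContentAsync();
        return Content(download.Value.Content.ToString(), "text/plain");
    }
}
```

[Authorize] on its own only requires an authenticated caller; a scope check such as the one assumed here is what ties the request to the ToDoList.Read and ToDoList.Write scopes requested later with `az login --scope`.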

Validation

Get Access Token

C:\WINDOWS\system32>az login --scope api://<api service app registration client id>/ToDoList.Read api://<api service app registration client id>/ToDoList.Write
C:\WINDOWS\system32>az account get-access-token --scope "api://<api service app registration client id>/ToDoList.Read api://<api service app registration client id>/ToDoList.Write"
{
  "accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs....",
  "expiresOn": "2022-06-10 23:53:19.000000",
  "subscription": "24c9c37c-bf59-4b84-907c-43819602e881",
  "tenant": "9b2ec8d7-37b8-4aac-acd2-9ed0acfb1c5a",
  "tokenType": "Bearer"
}

{
  "aud": "api service app registration client id",
  "iss": "https://login.microsoftonline.com/<tenant id>/v2.0",
  ...
  "scp": "ToDoList.Read ToDoList.Write",
  ...
  "ver": "2.0"
}

Call API with Authorization Header

$ curl -k -X 'POST'  'https://localhost:7249/MyBlobFile'   -H 'accept: text/plain'  -H 'Content-Type: application/json' -H 'Authorization: bearer eyJ0eXAiOiJKV1Q....'  -d '{  "blobFile": "dummy.txt"}'
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 45 100 18 100 27 1 1 0:00:27 0:00:14 0:00:13 4
dummy file line #1

Conclusion

References
