Obtain access token via authorization code grant with PKCE in angular using oidc-client-js and Microsoft Identity Platform.

Recently, I learned about why implicit flow is not secure because of exposing the access token in the browser. Authorization code grant with PKCE is more secure and should be preferred over implicit flow for protecting a public application which cannot keep the client secret secure. The good new is if you already use oidc-client-js and get tokens from azure ad via implicit flow, the changes you have to make to use authorization code flow with PKCE are minimal. In this post, I show what you need to change to use authorization code grant with PKCE.

Continue reading

Securely log to blob storage using NLog with connection string in key vault.

If you do a simple google search on how to log to blob storage using NLog, you can find examples from the project page as well as posts from other developers. However, in most of the examples I have found, the connection string for the blob storage are directly embedded in the nlog.config file, which is not ideal. In this post, I show you another example of using NLog to log to azure blob storage, with the connection string coming from an azure key vault.

Continue reading

Why the implicit flow is no longer recommended for protecting a public client.

In his post on The State of the Implicit Flow in OAuth2, Brook Allen mentions several reasons why OIDC/OAuth2 implicit flow is no longer a recommended approach to protect a public application and discusses using Oauth2 authorization code grant with Proof key for code exchange (PKCS) if the client and the resource server run on different domains, or simply using cookie based authentication with same-site cookie policy if the client and resource server run on a same domain. This post is my notes on what I have learned after reading Brook Allen’s post and also the related documents from Internet Engineering Task Force about the security risks of using OAuth2 implicit flow.

Continue reading

How to authenticate user against Azure ADB2C from Angular app using oidc-client-js.

In this post, I show you how to authenticate your user against azure adb2c to obtain an id and access token. Specifically, we’ll discuss the following:

• Create azure adb2c directory
• Register applications in b2c tenant.
• Define scopes and setup permissions.
• Setup sign up and sign in user flow.
• Authentication service.
• Response to authentication events in component.

Please checkout the latest codes for this post here.

Also, check out the follow-up posts relating to using oidc-client-js to interact with Azure ADB2C:

• Integrate Azure ADB2C edit-profile user flow.
• Integrate Azure ADB2C reset-password user flow.

Continue reading

Why you need to register authentication middleware even if your ASP.NET core web API does not handle authentication.

Sometimes ago, I was confused about the role of the Authentication middleware in an ASP.NET core web API that does not authenticate an user. It makes sense to me that you need to use the Authentication middleware if your web application handles the authentication. Specifically, I did not understand why you need to use Authentication middleware if your app is a web API that does not handle authentication. For instance, my web API performs token validation but it does not authenticate a user. Authentication handling is part of the client application which implements OpenID implicit flow to authenticate the user and obtains authorization to access the web API. I believed I only needed the Authorization middleware so that I can annotate the endpoints I want to protect with the [Authorized] attribute. The document states

The UseAuthentication method adds a single authentication middleware component, which is responsible for automatic authentication and the handling of remote authentication requests. 

Authentication Middleware and services

So if my web API does not handle authentication, why do I still need to call UseAuthentication to add the middleware?

Continue reading

Implement OAuth2 Client-Credentials flow with Azure AD and Microsoft Identity Platform.

OAuth2 Client Credentials flow is a protocol to allow secure communication between two web APIs. Specifically, the protocol specifies the flow of obtaining authorization for a client to access protected endpoints of a resource server with no user interaction involved. With Microsoft Identity Platform, Azure portal, Microsoft Authentication Library (MSAL), and .NET core security middleware, you can implement the OAuth2 client credentials flow without much difficulty. In this post, I go over how to leverage those technologies to protect your ASP.NET core web APIs.

Continue reading

Connect to azure key vault from an ASP.NET core app using azure managed identity

Of the three different ways to access an azure key vault from an ASP.NET core application, if your app runs on an azure resource, the best option is using azure managed identities for simplicity and the highest security. In this post, I go over how I configure the application and azure sides to leverage azure managed identities when accessing the key vault.

Continue reading

Configure OAuth2 implicit flow for Swagger UI

In this post, I share some example codes of how to enable OAuth2 implicit flow within Swagger UI to obtain an access token from Microsoft Identity Framework (v2.0 endpoint).

Continue reading

Audit your web application with Google Lighthouse.

Today, my coworker showed us Lighthouse, a cool feature that is available in Google Chrome to quickly evaluate a performance of a website. I thought the name is pretty cool; it reminds me of the book I read before, “The Lights Between Oceans”. I just learned about Lighthouse even though the tool has been around since 2017. You specify the URL of the website you want Lighthouse to evaluate, the tool then runs a series of tests and in about thirty seconds or less, you get a report. In the report, you can see scores for: performance, accessibility, best practices, SEO and PWA. Besides showing the score, the tool also offers suggestions to address some of the issues it found. For instance, one of the angular web application I have is running with a development, non-optimized build. When I ran Lighthouse against the app, the tool showed me a low performance score of 0 as well as suggesting a couple fixes including minifying JavaScript, enabling text compression, adjusting image sizes …

Now that I know about the tool, I definitely use it when working on a web application to ensure we address issues that could degrade the user’s experiences sooner rather than later.

You can find the tool in Chrome’s Developer tools, under Audits. For more information, checkout the document.

Pass user’s identity and authorization from a client application to a web API to another web API using OAuth 2.0 On-Behalf-Of flow.

A few months ago, I gave an overview of the libraries I use to implement OpenID Connect implicit flow in an angular app, and On-Behalf-Of (OBO) flow in ASP.NET core backend APIs. You can checkout this post for more info. In that post, I talk about the security flow from the angular app to the downstream APIs. The angular app communicates only with a single backend API which acts as a gateway that forwards the requests from to other downstream APIs.

In this post, I go over the details of obtaining an access token via the OBO flow to call protected endpoints from a web API (which I refer to as the gateway in this post) to another web API .

Continue reading