# daemon scenarios

Jean-Marc Prieur edited this page Oct 29, 2024 · 7 revisions
Microsoft.Identity.Web supports daemon scenarios, that is, a console app, worker role, web app or web API that calls a downstream API on behalf of itself (the application) instead of on behalf of a user.

The following samples demonstrate applications that access the Microsoft Graph API or a downstream API with their own identity (no user involved).
| Language / Platform | Code sample(s) on GitHub | Auth libraries | Auth flow |
|---|---|---|---|
| .NET Core | • Call Microsoft Graph<br>• Call web API<br>• Using managed identity to call MSGraph<br>• Using managed identity to call an API<br>• Worker role calling an API | Microsoft.Identity.Web | Client credentials grant |
Your code injects an `ITokenAcquisition` instance and calls:

```csharp
public async Task<string> ITokenAcquisition.GetAccessTokenForAppAsync(string scope, string? tenant = null)
```

- The value passed for the `scope` parameter should be the resource identifier (application ID URI) of the resource you want, suffixed with `/.default`. For the Microsoft Graph example, the value is `https://graph.microsoft.com/.default`. This value tells the Microsoft identity platform endpoint that, of all the direct application permissions you have configured for your app, it should issue a token for the ones associated with the resource you want to use. To learn more about the `/.default` scope, see the consent documentation.
- The `tenant` parameter is optional and should only be used when your application needs to access resources in several known tenants. If you use this parameter, be sure to pass a tenant ID (GUID) or a domain name, but not `organizations`, `common` or `consumers`; otherwise you'll get an `ArgumentException` (IDW10405), see below.

Errors you may see:

- "IDW10405: 'tenant' parameter should be a tenant ID or domain name, not 'common', 'organizations' or 'consumers'.": you have passed a value to the `tenant` parameter that does not uniquely identify a tenant. You need to pass in `null`, a GUID or a domain name.
- "IDW10404: 'scope' parameter should be of the form 'AppIdUri/.default'.": the value of the scope you passed in does not end with `/.default`. See the `scope` parameter above.
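The following hosted worker is an added example and is not code from the wiki or from the Microsoft.Identity.Web samples. It shows the app-only token acquisition described above: the scope and tenant arguments are checked up front against the two rules that produce IDW10404 and IDW10405, the token is obtained through `ITokenAcquisition.GetAccessTokenForAppAsync`, and it is sent as a bearer header to Microsoft Graph. It assumes that `ITokenAcquisition` and a named `HttpClient` called `"graph"` are already registered in the host (the worker-role sample linked above shows one way to do that); the class name, the polling interval and the Graph endpoint queried are assumptions for illustration.

```csharp
// Added example, not part of the Microsoft.Identity.Web wiki or samples.
// Assumes ITokenAcquisition and an HttpClient named "graph" are registered in the host.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;
using Microsoft.Identity.Web;

public sealed class GraphDaemonWorker : BackgroundService
{
    // Aliases that GetAccessTokenForAppAsync rejects with IDW10405: they do not
    // identify a single tenant, so an app-only token cannot be issued for them.
    private static readonly string[] ReservedTenantAliases = { "common", "organizations", "consumers" };

    private readonly ITokenAcquisition _tokenAcquisition;
    private readonly IHttpClientFactory _httpClientFactory;
    private readonly ILogger<GraphDaemonWorker> _logger;

    public GraphDaemonWorker(
        ITokenAcquisition tokenAcquisition,
        IHttpClientFactory httpClientFactory,
        ILogger<GraphDaemonWorker> logger)
    {
        _tokenAcquisition = tokenAcquisition;
        _httpClientFactory = httpClientFactory;
        _logger = logger;
    }

    // Mirrors the two argument rules from the page so a misconfiguration fails
    // locally with a clear message instead of failing at the token endpoint.
    public static void ValidateScopeAndTenant(string scope, string? tenant)
    {
        if (string.IsNullOrWhiteSpace(scope) || !scope.EndsWith("/.default", StringComparison.Ordinal))
        {
            throw new ArgumentException(
                "scope must be of the form 'AppIdUri/.default' (see IDW10404)", nameof(scope));
        }

        if (tenant is not null &&
            Array.Exists(ReservedTenantAliases, a => string.Equals(a, tenant, StringComparison.OrdinalIgnoreCase)))
        {
            throw new ArgumentException(
                "tenant must be a tenant ID (GUID) or domain name, not 'common', 'organizations' or 'consumers' (see IDW10405)",
                nameof(tenant));
        }
    }

    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
    {
        // App-only request for Microsoft Graph: all granted application permissions.
        const string scope = "https://graph.microsoft.com/.default";
        // Single-tenant daemon: null lets the configured tenant apply. For a
        // multi-tenant daemon this would be a tenant ID or domain name per call.
        string? tenant = null;

        ValidateScopeAndTenant(scope, tenant);

        while (!stoppingToken.IsCancellationRequested)
        {
            // Client credentials flow: no user, the token is for the app itself.
            // The named 'tenant:' argument keeps this call valid across library
            // versions that add parameters between scope and tenant.
            string accessToken = await _tokenAcquisition.GetAccessTokenForAppAsync(scope, tenant: tenant);

            using var request = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/users?$top=1");
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

            using HttpResponseMessage response =
                await _httpClientFactory.CreateClient("graph").SendAsync(request, stoppingToken);

            // Log the outcome only; the access token is a bearer credential and
            // must never be written to logs.
            _logger.LogInformation("Graph call returned HTTP {StatusCode}", (int)response.StatusCode);

            await Task.Delay(TimeSpan.FromMinutes(5), stoppingToken);
        }
    }
}
```

The worker is registered with `services.AddHostedService<GraphDaemonWorker>()`. `ValidateScopeAndTenant` is deliberately a public static method so it can be unit-tested without a token cache or network: passing `"https://graph.microsoft.com"` (no suffix) or `tenant: "common"` throws `ArgumentException`, while a GUID or `contoso.onmicrosoft.com` passes.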
Your controller, Blazor page or Razor page injects an `IDownstreamWebApi` instance and calls:

```csharp
public Task<HttpResponseMessage> CallWebApiForAppAsync(
    string serviceName,
    Action<DownstreamWebApiOptions>? downstreamWebApiOptionsOverride = null,
    StringContent? content = null);
```

- `serviceName` is the name of the service registered in `Startup.cs` by a call to `AddDownstreamApi`.
- `downstreamWebApiOptionsOverride` accepts a delegate that lets you override the default values passed to the underlying token acquisition interface.
- `content` is the input sent to the web API you call.
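The Razor page handler below is an added example, not code from the wiki or the Microsoft.Identity.Web samples. It shows the three parameters of `CallWebApiForAppAsync` in use: the registered service name, an options override that sets the HTTP method and relative path (and, for a multi-tenant daemon, a specific tenant, subject to the same rule as the `tenant` parameter above), and a JSON body passed as `StringContent`. It assumes a downstream service named `"TodoList"` was registered at startup with its base URL and `/.default` scope; that name, the `api/healthcheck` path and the `contoso.onmicrosoft.com` tenant are assumptions for illustration.

```csharp
// Added example, not part of the Microsoft.Identity.Web wiki or samples.
// Assumes a downstream API registered at startup under the name "TodoList".
using System;
using System.Net.Http;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Identity.Web;

public class HealthCheckModel : PageModel
{
    private const string ServiceName = "TodoList"; // assumed registration name

    private readonly IDownstreamWebApi _downstreamWebApi;

    public string? Result { get; private set; }

    public HealthCheckModel(IDownstreamWebApi downstreamWebApi)
    {
        _downstreamWebApi = downstreamWebApi;
    }

    // Calls the downstream API with the application's own identity (no user).
    public async Task OnPostAsync()
    {
        // Constructed request body for the example.
        string payload = JsonSerializer.Serialize(new { source = "razor-page", checkedAtUtc = DateTime.UtcNow });
        using var content = new StringContent(payload, Encoding.UTF8, "application/json");

        HttpResponseMessage response = await _downstreamWebApi.CallWebApiForAppAsync(
            ServiceName,
            options =>
            {
                // Override only what differs from the registered defaults.
                options.HttpMethod = HttpMethod.Post;
                options.RelativePath = "api/healthcheck";
                // Only set Tenant when the app must reach a specific known tenant;
                // it must be a tenant ID or domain name, never common/organizations/consumers.
                options.Tenant = "contoso.onmicrosoft.com";
            },
            content);

        if (response.IsSuccessStatusCode)
        {
            Result = await response.Content.ReadAsStringAsync();
        }
        else
        {
            // Surface the status only; the downstream error body may contain
            // details that should not be rendered to the caller.
            Result = $"Downstream call failed with HTTP {(int)response.StatusCode}";
        }
    }
}
```

Because the token is obtained for the app rather than the signed-in user, nothing in the page's `User` principal is needed to make this call; the authorization decision is entirely the application permissions granted to the app registration, which is why a page that exposes such a call should itself be protected by an authorization policy.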