Earlier this year the Microsoft Identity Platform team shared new guidance that recommends using the OAuth 2.0 Authorization Code flow for browser based web applications. The reason for this is that new browser security changes are going to cause problems for the commonly used implicit grant flow pattern.
Although I found plenty of great code samples and quickstart material for using the authorization code flow with graph API, it took me a while to figure out how to use it against an ASP.NET Core Web API. The goal of this post is to provide an end-to-end setup guide with source code for the protected web API resource scenario that uses RBAC roles.
Azure AD and the Microsoft identity platform have well established patterns and support for this workflow. In this blog post I will break down an end-to-end example that includes enabling this flow for AAD users with the following technologies: an Azure AD App configured with role-based access control (RBAC) claims, client side code leveraging React and ADAL.js, and server side code leveraging ASP.NET Core.
Why Azure WebJobs?
Azure WebJobs are a great resource included in Azure App Service plans. They provide a way for you to run binaries or scripts that perform scheduled or event-triggered job processing for work that isn’t suited to be done during a normal web request. Have a monthly cleanup task for your website? Sending a big batch of emails? Need to process some user uploaded files? These are all great examples of things you can throw into a WebJob.
.NET developers should be familiar with the classic web.config file used for storing web site options, application settings, and connection strings. When you deploy a .NET Web Application to Azure this file can still be used, however a new additional settings layer in Azure is provided.