AzureAD / microsoft-identity-web

Helps creating protected web apps and web APIs with Microsoft identity platform and Azure AD B2C
MIT License

[Documentation] No example for a background service calling a Web API #1755

Open wertzui opened 2 years ago

wertzui commented 2 years ago

Documentation related to component

Microsoft.Identity.Web

Description of the issue

There is an example for a Web API calling a downstream Web API on the user's behalf. However, an example for a Background Service running in an ASP.NET Core Host calling a Web API is missing.

When a Web API calls another Web API, it can just pass on the token it received. However, in a long-running Background Service, the token has to be acquired for the App itself (using client credentials or a certificate) and has to be kept up to date, because it might expire. The token has to be added to all/some (maybe named) HttpClients using IHttpClientFactory.

Is there an example that I'm unable to find, or is this example missing?

The closest I could find is a daemon console app which calls a Web API. However, that is not using the ASP.NET Core DI container and does not automatically renew the token when it is about to expire. https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/
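One way to wire up what the post above describes, as an added example that is not from this thread or from the Microsoft.Identity.Web project: it uses MSAL.NET (`Microsoft.Identity.Client`) directly with the client credentials flow, a `DelegatingHandler` on a named `HttpClient`, and a `BackgroundService`. It assumes a .NET 6+ Worker project with implicit usings and the `Microsoft.Extensions.Http` package; the configuration key names, the client name `"Api1"` and the `items` path are hypothetical.

```csharp
using System.Net.Http.Headers;
using Microsoft.Identity.Client;

Host.CreateDefaultBuilder(args).ConfigureServices((ctx, services) =>
{
    var cfg = ctx.Configuration.GetSection("AzureAd");   // assumed key names
    string authority = "https://login.microsoftonline.com/" + cfg["TenantId"];
    // Singleton: MSAL's app token cache lives in this object, so reuse it.
    services.AddSingleton<IConfidentialClientApplication>(
        ConfidentialClientApplicationBuilder.Create(cfg["ClientId"])
            .WithAuthority(authority)
            .WithClientSecret(cfg["ClientSecret"])   // WithCertificate(cert) is the alternative
            .Build());
    services.AddHttpClient("Api1", c => c.BaseAddress = new Uri(cfg["ApiBaseUrl"]!))
        .AddHttpMessageHandler(sp => new AppTokenHandler(
            sp.GetRequiredService<IConfidentialClientApplication>(),
            new[] { cfg["ApiScope"]! }));   // client credentials scope: "<App ID URI>/.default"
    services.AddHostedService<Worker>();
}).Build().Run();

// Attaches an app-only token to every request sent through the named client.
sealed class AppTokenHandler : DelegatingHandler
{
    private readonly IConfidentialClientApplication _app;
    private readonly string[] _scopes;
    public AppTokenHandler(IConfidentialClientApplication app, string[] scopes) { _app = app; _scopes = scopes; }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        // Served from MSAL's cache; the token endpoint is contacted only when the
        // cached token is missing or close to expiry.
        var result = await _app.AcquireTokenForClient(_scopes).ExecuteAsync(ct);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        return await base.SendAsync(request, ct);
    }
}

sealed class Worker : BackgroundService
{
    private readonly IHttpClientFactory _factory;
    public Worker(IHttpClientFactory factory) => _factory = factory;

    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
    {
        using var timer = new PeriodicTimer(TimeSpan.FromMinutes(5));
        do
        {
            using var response = await _factory.CreateClient("Api1").GetAsync("items", stoppingToken);
        } while (await timer.WaitForNextTickAsync(stoppingToken));   // process the response inside the loop
    }
}
```

Supply `ClientSecret` from user secrets, environment variables or a vault rather than a committed `appsettings.json`.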

jmprieur commented 2 years ago

Thanks for the heads-up wertzui

luismanez commented 2 years ago

Yeah, and would be great if we could do something like this in the Az Functions Startup:

services
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddDownstreamWebApi("Api1", "Api1")
    .AddDownstreamWebApi("Api2", "Api2")
    .AddMicrosoftGraph()
    .AddDistributedTokenCaches();

Directly from the ServiceCollection, all ready for App permissions, and without changing the Auth Schema (imagine an HttpTrigger that fires a Durable orchestrator and returns the Durable admin URLs provided by the framework. These URLs are Authorized using Function Code in query string, and won't work if the Auth Schema is changed).

Thanks!

jmprieur commented 2 years ago

@jennyf19 : FYI: this would be available with the new DevEx ...

aKzenT commented 2 years ago

I'm having the same issues. All examples are focussed on calling web APIs while also enabling authentication for the web app itself. I did not find any good solution that would allow me to call web APIs from a web app directly on the app's behalf using HttpClientFactory. It seems impossible to get an ITokenAcquisition instance without calling AddAuthentication. Did I miss something?

EnricoMassone commented 1 year ago

I am looking for the very same example. Basically I would like to use the IDownstreamApi service from a worker service implemented by using the generic host approach.

Can you please point me to any available example for this case?