The other day I was trying to troubleshoot an issue where I needed to know what the content of an ID token coming from AAD was for a mobile application. The application was set up to use code flow with PKCE, and using Fiddler to troubleshoot this didn’t work since AAD is protected with SSL pinning, so trying to have Fiddler be the man in the middle didn’t work out. It helped me figure out what request was sent to the server but not the content of the response.
We have been delivering developer training on the Microsoft Identity platform around the world. We finally managed to hit the studio and get some of these recorded. One of the big changes we made over time is to steer away from protocol details and more towards concepts and APIs. It’s like, why explain how NTFS works while you only want to write a file to disk with an API? The entire series from me and my colleague Kyle Marsh is worth watching.
This has caused me a ton of confusion and my customers keep getting confused as well. Azure Active Directory has been around for some time now. Some time ago we added a new endpoint (V2) which is more standards compliant and supports both AAD and MSA accounts and, for example, features like incremental consent. Still, people get confused about our numbering scheme and I totally understand why. Let me try to explain a little bit how this all works.
The other day I needed a test application to try something with SAML support in Azure Active Directory. I started looking at how to configure an ASP.NET Core web application to support SAML. It’s very easy to set it up for OIDC authentication but I found out ASP.NET (Core) doesn’t support SAML out of the box. Google to the rescue and ignoring the blog post from my colleague Christos (he’s wrong, it’s WS-Fed not SAML he’s using in his blog post), I found a few 3rd parties who build support for ASP.
Wow, that’s the longest blog post title I have ever used. Hopefully this will help you find this page if you are searching for the solution I am describing here. One of our customers came to us with a question about how to integrate our B2C product with Realm Cloud. I had looked at this product before but didn’t know what was technically possible for integration with B2C. The request was to use B2C tokens with the custom JWT Authentication Realm Cloud supports.
For a training we are delivering, I tried to create a little sample where I show how to create an API and protect it with our Microsoft Identity Platform. We have 2 kinds of permissions we can support with our consent and permissions framework: user delegated permissions and application permissions. This is what we use for MS Graph as well. User delegated permissions are used if you want to grant the app running the permissions in the name of the user.
This took me way too much time to figure out since there is a ton of old information on the internet. I wanted to change the default behavior when people are logging in to my ASP.NET Core website using Azure Active Directory (or Microsoft Identity Platform). After some searching I figured out how to change this setting. You have to add the following piece of code to the ConfigureServices method in your Startup.