# Secured Web API
This template adds an ASP.NET Core Web API that validates the JWT passed by the UWP application.
The protection ensures that the API can only be called by:
- Applications that request the right scopes on behalf of the user.
- Users that have the right application roles.
After adding this service to your app, you'll need to register a ClientId for the UWP app and the Web API and update the configuration:
- Register Web API: Follow the steps from https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app to register your Web API. Update the appsettings.json file with the ClientId, TenantId and Audience.
- Expose scopes and roles: Follow the steps from https://docs.microsoft.com/azure/active-directory/develop/quickstart-configure-app-expose-web-apis to expose scopes and roles on your Web API. Update the appsettings.json file with the configured Scope.
- Configure the app role OrdersReader following the steps on https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps.
- Assign users to your Web API following the steps on https://docs.microsoft.com/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users.
- Register your own Client app following the steps on https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app to be able to access the Web API, and configure the Client App to access the Web API following the steps from https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis.
- Make sure you configure urn:ietf:wg:oauth:2.0:oob as a redirect URI as described in https://docs.microsoft.com/en-us/dotnet/api/microsoft.identity.client.applicationoptions.redirecturi?view=azure-dotnet
- Update the App.config's IdentityClientId, ResourceId (WebAPI's ClientID) and WebApi Scope.
This feature uses Forced or Optional Login from the Identity Service Group. Learn more about using identity in WinTS generated apps.
The ServiceCollectionExtensions adds an AddJwtBearer middleware to validate the token passed by the UWP app. It is configured to validate the token issuer, audience and lifetime.
JwtBearer exposes two events:
- OnAuthenticationFailed, which is invoked if there are errors during authentication
- OnTokenValidated, which is invoked on successful authentication
The ItemController has two Authorize attributes that check the claim and the user roles. For more information on claims and role-based authorization see:
- https://docs.microsoft.com/aspnet/core/security/authorization/claims?view=aspnetcore-2.2
- https://docs.microsoft.com/aspnet/core/security/authorization/roles?view=aspnetcore-2.2
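
The JwtBearer validation, the two events and the two Authorize attributes described above, shown together as an added C# example that is not the template's generated code. The class name, policy name, configuration key names (TenantId, Audience, Scope), the sample return value and the v2.0 authority URL are assumptions.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;

public static class JwtSetupExample // hypothetical class, not the template's own
{
    public const string ScopePolicy = "RequireApiScope"; // assumed policy name
    const string ScopeUri = "http://schemas.microsoft.com/identity/claims/scope";
    static ILogger Log(HttpContext h) => h.RequestServices.GetRequiredService<ILoggerFactory>().CreateLogger("JwtBearer");
    public static IServiceCollection AddApiJwt(this IServiceCollection services, IConfiguration cfg)
    {
        // Assumed config keys: TenantId, Audience, Scope. Assumes v2.0 access tokens.
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(o =>
        {
            o.Authority = $"https://login.microsoftonline.com/{cfg["TenantId"]}/v2.0";
            o.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,   // valid issuer comes from the authority metadata
                ValidateAudience = true, ValidAudience = cfg["Audience"],
                ValidateLifetime = true, ClockSkew = TimeSpan.FromMinutes(2) // default is 5
            };
            o.Events = new JwtBearerEvents
            {   // Log the failure type only; never write the token itself to logs.
                OnAuthenticationFailed = c => { Log(c.HttpContext).LogWarning("JWT rejected: {Error}", c.Exception.GetType().Name); return Task.CompletedTask; },
                OnTokenValidated = c => { Log(c.HttpContext).LogInformation("JWT accepted"); return Task.CompletedTask; }
            };
        });
        // "scp" is space-separated; the JWT handler may rename the claim to ScopeUri.
        services.AddAuthorization(a => a.AddPolicy(ScopePolicy, p => p.RequireAssertion(x =>
            x.User.Claims.Any(cl => (cl.Type == "scp" || cl.Type == ScopeUri)
                && cl.Value.Split(' ').Contains(cfg["Scope"])))));
        return services;
    }
}

// Stacked [Authorize] attributes are ANDed: scope policy and role must both pass.
[Authorize(Policy = JwtSetupExample.ScopePolicy), Authorize(Roles = "OrdersReader")]
[ApiController, Route("api/[controller]")]
public class ItemController : ControllerBase
{
    [HttpGet] public IActionResult Get() => Ok(new[] { "order-1" }); // constructed sample data
}
```

A request with a valid token that carries the scope but not the OrdersReader role is answered with 403, while a missing, expired or wrong-audience token is answered with 401 before the controller is reached.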