Azure AD with ASP.NET Core (On-Behalf-Of User)

The On-Behalf-Of flow is used when an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the user's identity and permissions through the whole request chain instead of letting the middle tier call the downstream API as itself.

Protocol Diagram

At this point, the application has an access token for API A (token A) carrying the user's claims and consent to access the middle-tier web API (API A). Now API A needs to make an authenticated request to the downstream web API (API B) on behalf of that same user.

Now, I'd like to create a web application that retrieves the user's profile from Microsoft Graph.

1 App Registration

Certificates & secrets

API permission

If it is not already listed, click the Add a permission button. Select the Microsoft Graph icon in the popup page. Then select the Delegated permission type for your permission.

After clicking Add permissions, don't forget to grant admin consent for your tenant.

2 Code configuration

Create project

Pay attention to the ClientSecret key and DownstreamApi section.

Modify the Startup.cs file

You need to install the Microsoft.Identity.Web.MicrosoftGraph package first.

Install-Package Microsoft.Identity.Web.MicrosoftGraph -version 0.4.0-preview
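The following Startup.cs is an added example, not the post's own code, showing the service registration that Microsoft.Identity.Web needs for this scenario. It assumes the appsettings.json shape produced by the Microsoft.Identity.Web templates (an "AzureAd" section with ClientId/ClientSecret and a "DownstreamApi" section with BaseUrl and Scopes) and uses the extension-method names of the Microsoft.Identity.Web 1.x releases; the 0.4.0-preview package named some of them differently. For a protected web API rather than a web app, replacing AddMicrosoftIdentityWebApp with AddMicrosoftIdentityWebApi keeps the same chain but makes the token acquisition use the On-Behalf-Of flow described at the top of the post.

```csharp
// Added example (not the post's own code): Startup.cs for an ASP.NET Core web app
// that signs users in with Azure AD and lets Microsoft.Identity.Web acquire a
// Microsoft Graph token on the signed-in user's behalf.
//
// Assumed appsettings.json (template shape; values are placeholders):
//
// "AzureAd": {
//   "Instance": "https://login.microsoftonline.com/",
//   "TenantId": "<your-tenant-id>",
//   "ClientId": "<your-app-client-id>",
//   "ClientSecret": "<never commit this; see note below>",
//   "CallbackPath": "/signin-oidc"
// },
// "DownstreamApi": {
//   "BaseUrl": "https://graph.microsoft.com/v1.0",
//   "Scopes": "user.read"
// }
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Identity.Web;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Scopes requested at sign-in, read from DownstreamApi:Scopes ("user.read").
        string[] initialScopes =
            Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');

        services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
            // Sign-in with Azure AD using the "AzureAd" section (ClientId, ClientSecret, ...).
            .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))
            // Acquire tokens for downstream APIs with the signed-in user's identity.
            .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
            // Register GraphServiceClient for injection, configured from "DownstreamApi".
            .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
            // In-memory cache is fine for a demo; a distributed cache is the usual
            // choice for multi-instance deployments so tokens survive restarts.
            .AddInMemoryTokenCaches();

        // Require an authenticated user for every controller unless it opts out.
        services.AddControllersWithViews(options =>
        {
            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
            options.Filters.Add(new AuthorizeFilter(policy));
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseRouting();
        // Authentication must run before authorization so the policy sees the user.
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute(
                name: "default",
                pattern: "{controller=Home}/{action=Index}/{id?}");
        });
    }
}
```

Keep the ClientSecret out of appsettings.json in source control: during development store it with `dotnet user-secrets set "AzureAd:ClientSecret" "<value>"`, and in production read it from Azure Key Vault or an environment variable; the configuration key path is the same either way, so the code above does not change.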

Add Controller

GraphServiceClient does most of the work. It is injected by the runtime through dependency injection, and it attaches the access token acquired for the signed-in user to every Graph request.
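An added example controller, not the post's own code, that uses the injected GraphServiceClient to read the signed-in user's profile. The controller name, route and the set of returned properties are my choices; the `AuthorizeForScopes` attribute comes from Microsoft.Identity.Web and handles the case where the cached token does not yet cover the requested scope.

```csharp
// Added example (not the post's own code): MVC controller that reads the
// signed-in user's profile through the GraphServiceClient registered in Startup.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Graph;
using Microsoft.Identity.Web;

[Authorize]
// If no token with this scope is cached (for example, consent was never granted),
// this attribute redirects the user to Azure AD for incremental consent instead
// of letting an MsalUiRequiredException reach the caller.
[AuthorizeForScopes(Scopes = new[] { "user.read" })]
public class ProfileController : Controller
{
    private readonly GraphServiceClient _graphServiceClient;

    public ProfileController(GraphServiceClient graphServiceClient)
    {
        _graphServiceClient = graphServiceClient;
    }

    // GET /Profile
    public async Task<IActionResult> Index()
    {
        // The Graph token is acquired on the user's behalf and attached by the SDK;
        // no token handling is needed here.
        var me = await _graphServiceClient.Me.Request().GetAsync();

        // Return only the fields the page needs rather than the whole user object.
        return Json(new
        {
            me.DisplayName,
            me.UserPrincipalName,
            me.Mail,
            me.JobTitle,
        });
    }
}
```

Because the controller never sees the access token, there is nothing for it to log or leak; if you do need the raw token for a downstream call outside the Graph SDK, inject ITokenAcquisition instead and request it per scope rather than caching it yourself.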

Hit the Debug button or press F5 to run the application. You will see the following.

A software developer at Microsoft in Suzhou. Most of my articles are written in Chinese. I will try English when I'm ready.