Field | Value |
---|---|
languages | |
page_type | sample |
name | ASP.NET Core minimal web API that makes a request to the Graph API as itself |
description | This ASP.NET Core minimal web API sample demonstrates how to issue a call to a protected API using the client credentials flow. A request will be issued to Microsoft Graph using the application's own identity. |
products | |
urlFragment | ms-identity-docs-code-app-csharp-webapi |
ASP.NET Core minimal web API | Web API | Web API that accesses a protected web API (Microsoft Graph) | Microsoft identity platform
This ASP.NET Core minimal web API issues a call to a protected web API (Microsoft Graph) by using the OAuth 2.0 client credentials flow. The request to the Microsoft Graph endpoint is issued using the ASP.NET Core minimal web API's own identity.
```console
$ curl https://localhost:5001/api/application
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications/$entity",
  "id": "00aa11bb-cc22-dd33-ee44-ff55ee66dd77",
  "deletedDateTime": null,
  "appId": "00001111-aaaa-2222-bbbb-3333cccc4444",
  "applicationTemplateId": null,
  "disabledByMicrosoftStatus": null,
  "createdDateTime": "2022-02-23T21:35:20Z",
  "displayName": "active-directory-dotnet-minimal-api-aspnetcore-client-credentail-flow",
  "description": null,
  "groupMembershipClaims": null,
  "identifierUris": [],
  "isDeviceOnlyAuthSupported": null,
  "isFallbackPublicClient": null,
  "notes": null,
  "publisherDomain": "contoso.onmicrosoft.com",
  "serviceManagementReference": null,
  "signInAudience": "AzureADMyOrg",
  "tags": [],
  "tokenEncryptionKeyId": null,
  "defaultRedirectUri": null,
  "certification": null,
  "optionalClaims": null,
  ...
}
```
- A Microsoft Entra tenant. You can open an Azure account for free to get a Microsoft Entra instance.
- .NET 8.0 SDK
First, complete the steps in Quickstart: Register an application with the Microsoft identity platform to register the web API.
Use these settings in your app registration.
App registration setting | Value for this sample app | Notes |
---|---|---|
**Name** | `active-directory-dotnet-minimal-api-aspnetcore-client-credentail-flow` | Suggested value for this sample. You can change the app name at any time. |
**Supported account types** | **Accounts in this organizational directory only (Single tenant)** | Suggested value for this sample. |
**Platform type** | None | No redirect URI required; don't select a platform. |
**Client secret** | Value of the client secret (not its ID) | It's shown only once (when you create it). |
ℹ️ Bold text in the tables above matches (or is similar to) a UI element in the Microsoft Entra admin center, while `code formatting` indicates a value you enter into a text box in the Microsoft Entra admin center.
Open the `~/msal-client-credentials-flow/appsettings.json` file in your code editor and replace the following values with those from your app's registration in the Microsoft Entra admin center:
```json
"ClientId": "Enter_the_Application_Id_here",
"TenantId": "Enter_the_Tenant_Info_Here",
"ClientSecret": "Enter_the_Application_CLient_Secret_Here"
...
"RelativePath": "Enter_the_Application_Object_Id_Here",
```
Execute the following command to get the app up and running:
```console
dotnet run
```
Once the app is running and listening for requests, execute the following command to send it a request.
```console
curl -X GET https://localhost:5001/api/application -ki
```
If everything worked, you should receive a response from the downstream web API (Microsoft Graph, in this case) similar to this:
```console
$ curl https://localhost:5001/api/application -ki
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications/$entity",
  "id": "00aa11bb-cc22-dd33-ee44-ff55ee66dd77",
  "deletedDateTime": null,
  "appId": "00001111-aaaa-2222-bbbb-3333cccc4444",
  "applicationTemplateId": null,
  "disabledByMicrosoftStatus": null,
  "createdDateTime": "2022-02-23T21:35:20Z",
  "displayName": "active-directory-dotnet-minimal-api-aspnetcore-client-credentail-flow",
  "description": null,
  "groupMembershipClaims": null,
  "identifierUris": [],
  "isDeviceOnlyAuthSupported": null,
  "isFallbackPublicClient": null,
  "notes": null,
  "publisherDomain": "contoso.onmicrosoft.com",
  "serviceManagementReference": null,
  "signInAudience": "AzureADMyOrg",
  "tags": [],
  "tokenEncryptionKeyId": null,
  "defaultRedirectUri": null,
  "certification": null,
  "optionalClaims": null,
  ...
}
```
This ASP.NET Core minimal web API has a single route (/api/application) that supports anonymous access. When a client app calls the anonymous route on this API, the API requests its own application object from Microsoft Graph and then returns that data to the client.
This web API uses Microsoft Authentication Library (MSAL).
This project is configured to acquire an access token using the client credentials flow and to cache the resulting token in memory. Provided an access token was previously cached, subsequent calls against /api/application will attempt to reuse the cached access token, refreshing it if it is nearing expiration. MSAL logs informational entries that state when a new access token is being acquired, cached, and reused.
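The flow described above, written directly against MSAL.NET as an added example (it is not this sample's own `Program.cs`): one confidential client is built at startup so its in-memory token cache is shared across requests, and each call logs whether the token came from the cache or from the identity provider. The configuration keys `AzureAd:*` and `Graph:AppObjectId` are names assumed for this example, and the `Microsoft.Identity.Client` NuGet package is assumed to be referenced.

```csharp
// Added example, not the sample's own code. Configuration key names
// (AzureAd:ClientId, AzureAd:TenantId, AzureAd:ClientSecret, Graph:AppObjectId)
// are assumptions made for this example.
using System.Net.Http.Headers;
using Microsoft.Identity.Client;

var builder = WebApplication.CreateBuilder(args);
var cfg = builder.Configuration;

// Build the confidential client once: MSAL's in-memory app token cache lives on
// this instance, so a per-request instance would request a new token every time.
IConfidentialClientApplication cca = ConfidentialClientApplicationBuilder
    .Create(cfg["AzureAd:ClientId"])
    .WithClientSecret(cfg["AzureAd:ClientSecret"]) // supply via user-secrets or an env var
    .WithAuthority($"https://login.microsoftonline.com/{cfg["AzureAd:TenantId"]}")
    .Build();

builder.Services.AddSingleton(cca);
builder.Services.AddHttpClient();
var app = builder.Build();

app.MapGet("/api/application", async (IConfidentialClientApplication msal,
    IHttpClientFactory http, ILogger<Program> log) =>
{
    // Client credentials flow: ".default" requests the application permissions
    // already granted to this app registration; no user is involved.
    AuthenticationResult token = await msal
        .AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
        .ExecuteAsync();

    // TokenSource is Cache on reuse and IdentityProvider on a fresh acquisition.
    log.LogInformation("Token source: {Source}, expires {Expiry:u}",
        token.AuthenticationResultMetadata.TokenSource, token.ExpiresOn);

    using var request = new HttpRequestMessage(HttpMethod.Get,
        $"https://graph.microsoft.com/v1.0/applications/{cfg["Graph:AppObjectId"]}");
    request.Headers.Authorization =
        new AuthenticationHeaderValue("Bearer", token.AccessToken);

    HttpResponseMessage response = await http.CreateClient().SendAsync(request);
    string body = await response.Content.ReadAsStringAsync();
    return Results.Content(body, "application/json", statusCode: (int)response.StatusCode);
});

app.Run();
```

Because the route is anonymous, any caller that can reach it receives whatever this app's Graph permissions return, so keep those permissions to the minimum the route needs.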
If you can't get the sample working, you've checked Stack Overflow, and you've already searched the issues in this sample's repository, open an issue to report the problem.
- Search the GitHub issues in the repository - your problem might already have been reported or have an answer.
- Nothing similar? Open an issue that clearly explains the problem you're having running the sample app.
⚠️ WARNING: Any issue in this repository not limited to running one of its sample apps will be closed without being addressed.
For all other requests, see Support and help options for developers | Microsoft identity platform.
If you'd like to contribute to this sample, see CONTRIBUTING.MD.
This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.