Coding Stephan

Speaking at ESPC23 - Protect your API with Entra ID

I got accepted to speak at ESPC23, the European SharePoint, Office 365 & Azure Conference, in 2023. As I'm a Microsoft MVP in Security, the topic has to be security related.

Me in front of this huge screen

Protect your API with Entra ID

The most important message from the talk was that you should not implement security as a final step before production. You should implement security from the start. Enable it during development and test it during development. This talk was about how to protect your API with Azure AD.

When I submitted the abstract for this talk it was still called Azure AD, but it's now called Entra ID. My personal opinion about this name change is not important. I guess it might be called by its previous name for some years to come.

Demo API

I created a demo API that I used during the talk. It’s hosted in Azure and you can find it here. The source code is available on GitHub.

I showed how people previously did authentication with Basic Authentication and API keys. Please don't use the code related to these methods!

Basic authentication in an API, why not

JWT authentication

Then I showed the second most important part of the talk: how you can enable JWT authentication in a few simple steps.

JWT and OAuth2

JWT in Swagger

To finish the talk with the most important part: how do you enable this during development? You have to configure Swagger so that it knows you're expecting JSON Web Tokens, and you can also prefill the details needed to actually get a token in the Swagger UI.

Enable JWT in Swagger UI, very important!

Once you enable it this early during development, you’re not met with surprises when you want to release your application to production. You can even use the provided claim values.

Require certificate authentication

In the sample code I protected a specific endpoint so that it only allowed applications that authenticated with a certificate. In that case Entra ID emits a claim called azpacr with the value 2. This is the value you can check to verify that the application authenticated with a certificate (or with a managed identity, which uses a hidden certificate).
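The three pieces described above (JWT validation, the Swagger UI token prefill, and the azpacr check) in one ASP.NET Core minimal API, as an added example that is not the demo repository's code. It assumes the Microsoft.Identity.Web and Swashbuckle.AspNetCore packages, the web SDK's implicit usings, and an "AzureAd" section in appsettings.json (TenantId, ClientId, Audience) holding placeholder values.

```csharp
// Added example (not the demo repository's code); AzureAd:* values are placeholders from config.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;
using Microsoft.OpenApi.Models;

var builder = WebApplication.CreateBuilder(args);
var tenantId = builder.Configuration["AzureAd:TenantId"];
var clientId = builder.Configuration["AzureAd:ClientId"];
var scope = $"api://{clientId}/.default"; // assumed scope name exposed by the API registration

// 1. Validate Entra ID bearer tokens: signature (tenant signing keys), issuer,
//    audience and lifetime are checked before any endpoint code runs.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

// 2. Entra ID sets azpacr to "2" when the client proved possession of a certificate
//    (managed identities included); "1" means a client secret, "0" a public client.
builder.Services.AddAuthorization(options =>
    options.AddPolicy("CertificateClientOnly", policy =>
        policy.RequireAuthenticatedUser().RequireClaim("azpacr", "2")));

// 3. Tell Swagger the API expects JWTs and prefill the tenant's OAuth2 endpoints,
//    so a token can be obtained from Swagger UI from the first day of development.
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen(c =>
{
    c.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
    {
        Type = SecuritySchemeType.OAuth2,
        Flows = new OpenApiOAuthFlows
        {
            AuthorizationCode = new OpenApiOAuthFlow
            {
                AuthorizationUrl = new Uri($"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize"),
                TokenUrl = new Uri($"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token"),
                Scopes = new Dictionary<string, string> { { scope, "Call the demo API" } }
            }
        }
    });
    var scheme = new OpenApiSecurityScheme
    {
        Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "oauth2" }
    };
    c.AddSecurityRequirement(new OpenApiSecurityRequirement { { scheme, new[] { scope } } });
});

var app = builder.Build();
app.UseSwagger();
app.UseSwaggerUI(c => { c.OAuthClientId(clientId); c.OAuthUsePkce(); }); // browser client: PKCE, no secret
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/secure", () => "valid token").RequireAuthorization();
app.MapGet("/cert-only", () => "certificate-authenticated client").RequireAuthorization("CertificateClientOnly");
app.Run();
```

The azpacr claim is only trustworthy because the bearer middleware has already verified the token's signature; the token Swagger UI obtains with PKCE is a public-client token (azpacr 0), so /cert-only will answer 403 for it while a daemon that authenticated with a certificate gets through.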

Bonus: Get a token with Windows Hello integration

Attendees of my session also got a bonus: I showed them how to get a token with Windows Hello integration, right from a console application. This is a great approach when you have a console application that needs to connect to Microsoft Graph (or to your local API for testing).

Check out the sample code for more details.

Code tour

CodeTour badge

In the demo repository I've created a CodeTour for Visual Studio Code to describe how stuff works. The ESPC23 conference was packed with all these nice sessions, so if you could not make it to my talk but still want to follow along with the code, just check out the repository in Visual Studio Code (it will suggest installing the CodeTour extension) and start the tour.

CodeTour in Authentication demo repository

Code tours are a great way to explain code. I see us using this to document complex projects so other developers can get up to speed quickly, and we don’t spend extra time explaining it multiple times. It does cost some extra time to create those tours, but it’s worth it.

Want this security dude at your conference?

ESPC23 Speaker badge

If you want me to speak at your conference, please reach out to me on Twitter or LinkedIn. I’m always looking for new opportunities to convince developers that security is important and that it’s not that hard to implement.