In this video, add code to authenticate, and call Microsoft Graph with app identity.
- [Instructor] Next let me go ahead and write the controller for my users view. So in the Controllers node in your project right-click, add a new controller, and choose to add an MVC Controller and let's call it UsersController. Now, we want the user to be authenticated before you can call this controller. So the first thing I'll do is that at the top of the controller I will put the Authorize attribute.
The reason for this is that, yes, we are using the application identity but we want the user to be authenticated before this controller can be called. Next, here let's go ahead and reference the various properties that we have created. We pulled them from Azure AD, remember that? So, the clientID, appKey, et cetera. We referenced those using configs, having them as static string variables. Let's also go ahead and fix the usings for my project.
We're going to need all these usings. The globalization using I'll need when I create the authority. We will definitely need System.Http. We will need Http.Headers because we are going to modify the bearer authentication token, that header, so we need this. This is most likely going to be an async call. So let's go ahead and add references to System.Threading and System.Threading.Tasks, and finally, also let's go ahead and add a reference to Microsoft.IdentityModel.Clients.ActiveDirectory.
This is the ADAL part. Now let's come here and start focusing on the actual code. So it is most likely going to be an async call because, yeah, we'll be making HTTP requests so it'll be async. So instead of ActionResult, I'll say Task<ActionResult>, and let's go ahead and return the View index, and here at a high level I need to get the access token, which means authenticate as the application and be able to make the call to Microsoft Graph, and show the results.
So let's do that next. So the first thing I need to do is authenticate myself. Now, remember there was this authContext and authResult that you saw in the native client app. Well a web client app gives you the same principles. So step one, I'm going to create the necessary authContext and authResult variables, and I also format the authority just like the native client app. Step two, let's go ahead and get authentication out of our way.
Now you may have guessed how I'm about to do this, authContext.AcquireTokenAsync just like the native client app, except this time around there are two differences. Number one, I need to wrap that request in a retry loop just in case Azure AD is busy, too many requests coming from a lot of places. So we try three times with a little delay. Usually this works, and then I call AcquireTokenAsync, but I also pass in the client credential, which is a combination of the clientId, the unique ID for my web app, and the app key, the long string, the secret that we had generated from Azure AD, and we put that in our .config.
At this point hopefully authentication should have completed. So next I'm going to put a little gate check to make sure that the result, authResult, is not null. If it is, maybe Azure AD's busy, maybe it's down, unexpected error, let's go ahead and inform the user that it didn't work. But assuming it did work. So the next thing I need to do is simply craft up an HTTP client, make a call to the /users URL.
That is what we had given permissions to, and remember to put the access token on top. So that is exactly what I'm doing here. I am calling /users. In order for this to work, I've already granted permissions to User.Read.All, and, of course, I have to remember to put the access token as you can see on line 65. Now once the response comes back, I simply need to show the user the results or, if in case there's a problem, we tell the user that, hey, it didn't work, sign him out, and say basically authorization required.
So the results do show up, we put them in ViewBag.Results, and remember this is what I had data bound to the View so the user sees these results, but if there's a problem, we simply clear the authentication token cache and show the user that, hey, it didn't work, authorization required, and prompt the user to sign in again. That's it. So I got the access token, I made a call to Microsoft Graph, and I'm setting the results in my ViewBag.
Next, all that's left is to run the application.
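The controller steps described in the transcript above (Authorize gate, app-identity token with a three-try retry, null check, bearer call to /users, cache clear on failure), written out as an added example; it is not the course's own code. The appSettings key names, the v1.0 endpoint path, the 3-second delay and the `Index` view name are assumptions.

```csharp
// Added example: config keys, delay, endpoint version and view name are assumed.
using System.Configuration;
using System.Globalization;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

[Authorize] // a signed-in user gates access; Graph is still called as the app
public class UsersController : Controller
{
    // Assumed appSettings keys; the app key is a secret and stays out of source control.
    private static readonly string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static readonly string appKey = ConfigurationManager.AppSettings["ida:AppKey"];
    private static readonly string authority = string.Format(CultureInfo.InvariantCulture,
        "https://login.microsoftonline.com/{0}", ConfigurationManager.AppSettings["ida:Tenant"]);
    private const string GraphResource = "https://graph.microsoft.com";
    private static readonly HttpClient http = new HttpClient();

    public async Task<ActionResult> Index()
    {
        var authContext = new AuthenticationContext(authority);
        var credential = new ClientCredential(clientId, appKey);
        AuthenticationResult authResult = null;
        // Retry up to three times, and only when Azure AD reports it is temporarily busy.
        for (int attempt = 0; attempt < 3 && authResult == null; attempt++)
        {
            try { authResult = await authContext.AcquireTokenAsync(GraphResource, credential); }
            catch (AdalException ex) when (ex.ErrorCode == "temporarily_unavailable") { await Task.Delay(3000); }
            catch (AdalException) { break; } // e.g. wrong secret or tenant: retrying cannot help
        }
        if (authResult == null) // gate check: never call Graph without a token
        {
            ViewBag.Results = "Could not acquire a token from Azure AD.";
            return View("Index");
        }

        var request = new HttpRequestMessage(HttpMethod.Get, GraphResource + "/v1.0/users");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
        HttpResponseMessage response = await http.SendAsync(request);
        if (!response.IsSuccessStatusCode)
        {
            authContext.TokenCache.Clear(); // drop the cached token so the next request re-authenticates
            ViewBag.Results = "Authorization required.";
            return View("Index");
        }
        ViewBag.Results = await response.Content.ReadAsStringAsync(); // raw JSON bound to the view
        return View("Index");
    }
}
```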
- What is Microsoft Graph?
- Registering a web application in Azure AD
- Adding authentication logic and authentication UI
- Native applications calling Graph
- Reviewing scenarios where web apps involving Graph are useful
- Web applications with application identity and delegated identity calling Graph
- Daemons calling Graph