Secure APIs with FastAPI and the Microsoft Identity Platform Transcripts
Chapter: Building a Secure API
Lecture: Creating your first application registration
0:00 Before we start provisioning our very first application registration,
0:04 it's important to understand what they are and why we need them. When developers need to
0:10 interact with Azure Active Directory for authentication and authorization purposes,
0:14 they need two things. Firstly, we need to create an application registration, or app registration, in Azure Active Directory to show our intent.
0:24 This app registration is similar in most OpenID Connect systems: if you ever had to use Google or Facebook to authenticate users,
0:31 you know that you need to create an application. This application captures important information, such as the type of the application we're using or
0:39 the type of accounts we want to authenticate, for example, organizational or external users, and the OpenID Connect scopes,
0:47 for example, the user information we want to include in our tokens as well as
0:51 extra configuration settings. This application registration can be created in the portal or we can
0:58 programmatically set it up using the Microsoft Graph APIs. And this concludes the Azure Active Directory configuration.
1:04 Next we need to add some code in our application to initiate the sign-in and to
1:10 handle the responses sent by Azure Active Directory. When working with Azure Active Directory,
1:16 you can use the MSAL library, which is available for most languages and frameworks out there, or any other
1:22 OpenID Connect library, open or closed source. Since Azure Active Directory is built on top of open standards,
1:28 it uses OpenID Connect certified endpoints, and therefore any compatible library is acceptable.
1:34 In some cases you may have to go back to Azure Active Directory to configure app registrations for Web APIs. In our case we need to do that for our
1:45 FastAPI. In terms of supported identities, Azure Active Directory works with any work or school accounts, for example,
1:52 your company's email; personal or MSA accounts, like your Xbox account; and external identities, Facebook, Gmail and what have you.
2:02 So let's go ahead and create our very first application registration that will be used by
2:06 our secure FastAPI to expose the necessary permissions to client applications and validate incoming access
2:13 tokens. Let's go to the Azure AD portal. To get back to your Azure Active Directory portal, type the following URL in any browser: aad.portal.azure.com.
2:24 You may already have a signed in account or you may need to use your admin account to get back into the portal. In this instance I'm already signed in,
2:32 I'm skipping the two-factor authentication and we are in, under Azure Active Directory.
2:38 You want to find the App registrations tab, and here we want to create a new registration. We can name it FastAPI.
2:49 We're going to leave the default, accounts in this organizational directory only, and we'll hit Register. This takes a couple of seconds.
2:57 There's some important information here that we will need to use to configure our code later on. This information is your application ID,
3:06 or client ID, your directory or tenant ID, and your domain name, which, if you can't remember how to find it,
3:14 you can always go back to the overview page, and this is your domain name here. Back to our application registration.
3:24 We need to configure one more thing: to expose an API. Remember, this is an app registration
3:30 for our API. First we'll set the application ID URI, and this is the default name.
3:36 It will give a good name, but you can always override that to have a meaningful name. And with that application
3:42 ID URI, we can now go and add scopes to our API. Since this is for our weather API, we need to create scopes that have some kind of meaning to
3:54 our application. So we'll start with the weather.read permission. We'll allow admins and
4:01 users to consent to that, and we need to give it a consent display name. For that we're going to use Allow users to read weather data.
4:11 I tend to be lazy, so I copy-paste that information across the other two, three or four fields, and we need to make sure that it is enabled, and we add
4:19 the first scope. We also need to add one more scope, which will be for writing data. Well, again,
4:26 click Add scope, give it the weather.write permission, again Admins and users; in this instance we want to say Allow users to write weather data,
4:39 again copy-paste, there's nothing wrong with that, ensure that the state is enabled and
4:45 add the scope, and this is all it takes to configure an API app registration. Next, we will look at what it takes to create a client app registration to
4:56 authenticate and test the secure FastAPI. Let's go.