Secure APIs with FastAPI and the Microsoft Identity Platform Transcripts
Chapter: Building a Secure API
Lecture: Creating your first application registration
Login or
purchase this course
to watch this video and the rest of the course contents.
0:00
Before we start provisioning our very first application registration,
0:04
it's important to understand what they are and why we need them. When developers need to
0:10
interact with Azure Active Directory for authentication and authorization purposes,
0:14
they need two things firstly, we need to create an application registration or App registration in Azure Active Directory to show our intent.
0:24
This app registration is similar in most open ID connect systems if you ever had to use google or facebook to authenticate users,
0:31
you know that you need to create an application. This application captures important information, such as the type of the application we're using or
0:39
the type of accounts we want to authenticate, for example, organizational or external users and the open ID connect scopes,
0:47
for example, the user information we want to include in our tokens as well as
0:51
extra configuration settings. This application registration can be created in the portal or we can
0:58
programmatically set it up using Microsoft graph API's. And this concludes the Azure Active directory configuration.
1:04
Next we need to add some code in our application to initiate the signing and to
1:10
handle the responses send by Azure Active Directory When working with Azure Active Directory,
1:16
you can use the MSAL library which is available for most languages and frameworks out there or any other of Open
1:22
ID connect library, open or closed source. Since Azure Active Directory is built on top of open standards,
1:28
it uses Open ID connect certified endpoints and therefore any compatible library is acceptable.
1:34
In some cases you may have to go back to Azure Active Directory to configure app registrations for Web API's. In our case we need to do that for our
1:45
FastAPI. In terms of supported identities as Azure Active directory works with any work or school accounts, for example,
1:52
your company's email, personal or MSA accounts like your exports account and external identities, facebook Gmail and what have you.
2:02
So let's go ahead and create our very first application registration that will be used by
2:06
our secure FastAPI to expose the necessary permissions to client applications and validate incoming access
2:13
tokens. To the Azure AD portal. To get back to your Azure Active Directory portal type the following URL in any browser. aad.portal.azure.com.
2:24
You may already have a signed in account or you may need to use your admin account to get back into the portal. In this instance I'm already signed in,
2:32
I'm skipping the two factors indication and we are in under Azure Active directory.
2:38
You want to find the app registration tab and here we want to create a new registration. We can name it FastAPI.
2:49
We're going to leave the default accounts in this organization directory and we'll hit heads there This takes a couple of seconds.
2:57
There's some important information here that we will need to use to configure our code later on this information is your application,
3:06
ID your client I D, Your directory, your tenant id and your domain name, which if you can't remember how to find it.
3:14
You can always go back to the overview page and this is your domain name here Back to our application registration.
3:24
We need to configure one more thing to expose an api remember this is an app registration
3:30
for our api, personally it said the application ID URI and this is the default name.
3:36
It will give a good name but you can always override that to have a meaningful name. And with that application.
3:42
ID URI . We can now go and add scopes to our api since this is for our weather api we need to create scopes that have some kind of meaning to
3:54
our application. So we'll start with the weather.read permission will allow admins and
4:01
users to create that and we need to give it a consent display name for that We're going to use allow users to read weather data.
4:11
I tend to be lazy so I copy paste that information across the other 2 3 or four fields and we may need to make sure that it is enabled and we add
4:19
the first scope. We also need to add one more scope which will be for writing data. Well, again,
4:26
click the add scope, give it a weather.write permission again. Admins and Users in this instance we want to say allow users to write weather data
4:39
again copy paste, there's nothing wrong with that ensure that the state is enabled and
4:45
add scope and this is all it takes to configure an api app registration. Next, we will look at what it takes to create a client app registration to
4:56
authenticate and test the secure FastAPI. Let's go.