Secure APIs with FastAPI and the Microsoft Identity Platform Transcripts
Chapter: JSON Web Token (JWT) Authentication
Lecture: Secure authentication with self-signed certificates

Login or purchase this course to watch this video and the rest of the course contents.
0:00 In Chapter four We build a console app that used client credentials to authenticate to azure
0:06 active directory. Since client credentials are nothing else than a user name and password in the form of a client id and client secret,
0:13 they are inherently insecure. The recommended way to authenticate to Azure Active Directory is via certificate authentication. In this module,
0:22 we will look at the steps necessary to create a self signed certificate using either open
0:27 SSL or Power Shell, update the Azure Active directory app registration to use the new
0:32 certificate and finally configure our app to use the certificate to authenticate and acquire an access
0:38 token. While certificates are certainly more secure, self signed certificates should be avoided and only used for demos or during the development phase
0:47 In production, certificates are usually managed by
0:51 IT teams with strict rules and developers only consume certificates issued by an approved certificate
0:57 authority. In this module. We will use openSSL However, if you are interested in using power shell then these are the commands that you would
1:06 use to create a certificate. This first command would set up available to hold the
1:11 certificate name. This command will generate a certificate and mark it as exportable.
1:16 And if you're on Windows, this command will also install the certificate in your personal
1:21 store. So it can be accessed from code the cert variable in the previous commands
1:26 stores your certificate in the current session and allows you to export it export the certificate to allocation on your machine.
1:34 This command exports the certificate in a CER format and you can also export it
1:39 in other formats supported by Azure Active Directory including pem and cert next we need to create a password for the certificates,
1:47 private key and we'll save it in variable. And finally in this last step we export the certificate in a PFX format.
1:57 However, to make this accessible to everyone, we will use open ssl instead an open source cross platform tool.
2:05 We're working with certificates. This command will generate an rsa. Next we need to generate a certificate request.
2:13 We'll give it a name console app and the request will be console app again.
2:17 The open ssl command line tool will take us through the process of setting app set and settings that are required for our certificate request here.
2:25 You can enter dummy values or you can enter actual values that make sense to your
2:29 project. And finally, this last command will generate the certificate for us.
2:38 The duration of the certificate will be one year As the noted in days 365 will use the request that was before and we will also sign the key.
2:50 The exportable value will be a PEM file. There you go. And then if we list the files in this directory now. So we have three different files,
2:59 a console of CRT, the CSR and the PEM. Now that we have our certificate. We can update our Azure Active Directory app,
3:07 registration accordingly. So let's head over to the portal, find your application registration, Open it up and then head over to the certificates and
3:18 secrets tab select certificates and upload. Certificate browsed the location of the certificate would just create it and upload the CRT file
3:29 make sure to press add and now we have a certificate uploaded here. We need to capture the thumbprint which we will use in our code and that's all
3:40 we have to do inside Azure Active directory. Let's open our console app to update the code to use the certificate.
3:47 The confidential client defined in the msal for Python library works with both client secrets and certificates. We saw clients secrets in action.
3:56 This time we'll use certificates to authenticate. The first thing we want to do is that there are config.json instead of using
4:03 a client secret, We will configure two new properties in our json file. one is our certificate And the next one is a thumbprint.
4:15 Make sure to save your file before you move on to the next step and before
4:19 we move on there's something that we need to discuss about these two settings here.
4:22 These two bits of information are the only things needed by our confidential clients.
4:26 However, if these two bits of information were to fall in their own hands then they could be used to compromise our solution.
4:33 Therefore we need to take the appropriate steps to protect the certificate and the thumbprint.
4:37 My recommendation would be to use a service like Azure key vault or some other service
4:42 that allows you to securely offload sensitive information and moving outside the source code. If you don't have access to a service like key vault,
4:49 you could install the certificate in the operating system and move the thumbprint of the thumbprint
4:54 value to an environmental variable. That way our source code is still secure.
4:58 However, for the purpose of this module will make them available via the config file
5:02 And another thing that we need to note here is that the value of our certificate needs to be fully qualified path.
5:09 In this instance the certificate is in the same location as our code.
5:13 However, if you were to export and install or replace the certificate in a different location then you will need to point the allocation.
5:20 You will need to use a fully qualified path. Now here in main.py. I again we want to replace this with an object
5:29 that represents our certificate and this object consists of two properties in the thumbprint which we
5:35 will retreive from json file. And finally we need to populate the private key by reading the contents of our certificate file there.
5:44 Let's save this. I've commented out everything that has to do with a call to
5:47 the Api because we just want to prove that we can acquire the token and we'll
5:51 print it out here. Remember avoid printing out tokens because it is sensitive information.
5:57 Let's run it successful execution as always let's validate our token using 'jwt.ms' and there we
6:07 have it. We have our application authenticating successful against Azure Active Directory and acquire an
6:13 access token with the appropriate roles like before But this time we're avoiding the use of client secrets and instead,
6:20 we're using a certificate, which is way more secure.


Talk Python's Mastodon Michael Kennedy's Mastodon