In this demo we are going to create two web API applications, both protected by Azure AD authentication and authorization. Here one API is a client to the other API. We are going to test our changes with the Postman tool: Postman will call the Operations Agent API, the Operations Agent API will call the Members Info API and return the response, which is shown over here. Before we start, please subscribe to the azureteach.net channel for more videos on Azure and .NET.

This demo is based on applications that I have worked on for a US-based healthcare client. Let us understand the use case. We need to read this diagram from right to left. Here we have the Members API. This is an enterprise-level API and the central place for storing the client's member information; members are the people who are insured by the client. If any application needs member information, it has to call this API. Here we have the Operations Agent API. This is an application-level API, that is, it is consumed by the same team who developed the user interface; no other applications access this API. Here we have the user interface. In one of its pages we display a member's basic information and also the member's agent history: over a period of time a member can contact different agents, and we preserve the interaction history and display it on the UI. To access the Operations Agent API's GetAgentMemberHistory endpoint the user must have the OperationsAgent role, and to access the Members API's GetMemberInfo endpoint the user must have the Members.ReadOnly role, so the user must have both of these roles, otherwise this entire flow will not work. Please note that these APIs have other endpoints too, but for our demo (a web API with Azure AD calling another web API with Azure AD) this information is enough.

Let's start with developing the APIs. In this demo we are not going to use a UI to access the web APIs; instead we are going to use the Postman tool to access them. So here we have two web API applications, so we have to create two app
registrations on Azure. Here I'm in portal.azure.com and I'm going to Azure Active Directory, clicking on Add and selecting App registration. I'm giving the app name as "Operations Agent API App" and going with the default settings; I'm clicking on Register. We need to tell Azure that this app registration is related to an API, which we do by going to Expose an API. Here we have to set the Application ID URI, so I'm clicking on Set and then Save. After that we have to add a scope; I'm giving the scope name as OperationsAgent.All, choosing "Admins only" here, copying this and pasting it over here and here, and clicking on Add scope. Using scopes we can divide our API into granular pieces and give permissions on them: if your application has multiple clients and you want to restrict those clients and give certain permissions to certain clients only, you can do that using scopes.

Now go to the default directory and create the second app registration. So here I'm choosing App registration, naming it "Members API App" and clicking on Register. Again go to Expose an API, click on Set, click on Save, click on Add a scope, and here I'm giving the scope name as MembersApi.All, copying it and pasting it over here and here. If you want to provide a different display name and description you can do that as well, but I'm copying the same content. Clicking on Add scope. If you want to add multiple scopes you can do that too, if you have multiple permissions to give to the clients; I'm just adding All over here. Now, this Members API App is consumed by the Operations Agent API App, so here we have to add that as a client application. I'm clicking on the Add a client application button, and here we have to provide the client ID. I'm in Azure Active Directory, going to App registrations, going into Operations Agent API App, and here we can take this
client ID. I'm pasting it over here and choosing the scope. If you have multiple scopes you have to select the appropriate scope that is required for that particular client application; as I have only one, I have chosen that one. Clicking on Add application. Now click on App roles and Create app role. Here I'm giving the role name as Members.ReadOnly, copying it, choosing that it can be assigned to users and groups only, pasting it over here and here, and clicking on Apply. Now again I'm going to the Operations Agent API App, going to App roles, choosing Create app role and giving the role name as OperationsAgent. I'm copying it; I want this to be assigned to users or groups; pasting the value OperationsAgent over here, the description also the same, and clicking on Apply.

Here I'm creating a new ASP.NET Core Web API project, clicking on Next. I'm giving the name as "Members Info API", clicking on Next and choosing .NET 5.0; if you want to choose a different version you can do that as well. Clicking on Create. The project is created. I'm double-clicking on Connected Services, clicking on this plus symbol and choosing Microsoft identity platform, then Next. It has to install the dotnet msidentity tool; this tool helps Visual Studio decide the type of project. So here I'm clicking on Finish. Now again we have to click on the plus symbol and go to Microsoft identity platform, click on Next. Here it will display all the app registrations that were created by the user who is logged into Visual Studio. We can create the app registrations by clicking on this plus symbol as well, but I don't recommend that approach, because if we create them like this we can't assign the role to the users using the enterprise application. That's the reason we created the app registrations first on portal.azure.com and are using them here. So here I'm choosing Members API App, clicking on Next, and here
we are not going to call any other API from this API, so I'm not choosing these check boxes. Clicking on Next, and here I'm clicking on Finish. It will add the code and NuGet packages, update appsettings.json and also update Azure AD. Clicking on the Finish button, clicking on Close. This step adds the configuration to appsettings.json; here is the configuration related to Azure AD. It also adds the code required for Azure AD authentication in the Startup.cs class. So here, if you see, we have services.AddAuthentication and AddMicrosoftIdentityWebApi, and here it is referring to the config section that was added over here. We do not need this; we can remove it, because there is an overload that takes the configuration, and if you see here we have a default parameter whose config section name is "AzureAd" itself. This API has a scope, MembersApi.All, so you can find that over here.

If you build this project it will not build, because here we have the default WeatherForecast controller and it uses these classes, and we do not have these classes in the packages that Visual Studio added when we configured Microsoft identity. So what we have to do is upgrade these packages to the latest. Here I'm clicking on Manage NuGet Packages. Let us upgrade these packages: I'm choosing this one and the latest version available for .NET 5, clicking on Update; doing the same for this one and choosing 5.0.16, clicking on Update; for Microsoft.Identity.Web I'm choosing the latest stable one, clicking on Update; and for Microsoft.Identity.Web.UI also I'm choosing the latest stable one, clicking on Update. We can ignore the Swagger-related package. Now if you see, the error is gone. The use of this class is: if any client wants to access this controller, the client must have this particular scope. Now let us add one more controller: Add, Controller,
API, API Controller - Empty, Add. I'm naming the controller MembersController. Now let us create a model: right-click, Add, New Class; I'm naming the class Member. Here let us add a few basic properties; in the interest of time I'm pausing the video here. I have added MemberId, FirstName, LastName and Address properties. In real applications we'll have many properties and a complex object structure, but for this demo I'm keeping it simple. For this demo I do not want to use Entity Framework, just to keep it simple, because our primary focus is on Azure AD, not on Entity Framework. So here I'm hard-coding the members list: I'm writing private List<Member> membersList =, pressing Ctrl+. over here and adding System.Collections.Generic, new List<Member>, and adding two objects with new Member. Here I have added two members to the list. Here I'm writing public IActionResult GetMemberInfo, which accepts memberId. I'm writing [HttpGet] and I want to go with the action name, and after that I'm writing memberId, because I want to get the member ID from the URI. Here I'm writing var member = membersList.FirstOrDefault (pressing Ctrl+. to add the namespace) with x => x.MemberId == memberId; if member == null return NotFound(); return Ok(member). Now let us go to the WeatherForecast controller and copy this, and this statement also, because we want to use the same scopes. I'm pasting it over here, pressing Ctrl+. for this and adding the namespace, and pressing Ctrl+. over here and adding this namespace. We also have to copy this statement, so I'm going over here and pasting it over here. Here I'm copying this and pasting it here; it should be the scope that we added, and of course we can read it from appsettings.json, but I'm just hard-coding it over here. Now here I'm writing [Authorize(Roles = ...)]. Here I'm in the Members API App registration, copying the role
and pasting it over here. That is all; this is what we have to do on the Members API. Let us test this using Postman. I'm running this. Before we test this code, let me explain the steps that I have done. So here we have mentioned the scope that is required for accessing this controller, and we need authorization for this controller, so we have added this [Authorize] attribute; here also we have added it, and we could remove that, but for now let us keep it. And here we have added the [Authorize] attribute and mentioned that if anybody wants to access this action, the user must have the Members.ReadOnly role.

As we are going to test this application using Postman, Postman is our client app, so we have to create an app registration for it. If you are using an Angular app or an MVC app, for that also you have to create an app registration. Let us do that now. Here I'm in Azure Active Directory, clicking on New registration, "Postman Client App", and clicking on Register. The app registration is created. Going to the Authentication section, Add a platform; we have to choose one of these platforms, and I'm choosing Single-page application. Here we have to give the redirect URI. As we are going to use the Postman tool, we are giving this URI: to access our application from Postman we have to log in as a user, so once we log in Azure will return the token, and Postman will look for this particular URL, intercept that HTTP call, take the token and use it for our testing. We need to use the same URL in Postman as well. Here we have to choose these two check boxes, clicking on Configure.

Now go to Postman, and here we have to give the URI. I'm going to the API and this is our base URL; I'm pasting it over here, and after that let me copy this entire thing and paste it over here. Here we have to give the member ID, so I'm going to Visual Studio and taking one of the member IDs, going to Postman and giving it over here. Let us test this now. We should get 401
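The Members Info API built in the steps above, written out as one file so the Startup wiring, the model and the controller can be seen together. This is an added example, not the video's own code: the scope MembersApi.All, the role Members.ReadOnly, the MembersController name and the GetMemberInfo/{memberId} route follow the demo, while the Guid key type, the two sample members and the namespace are assumptions made here.

```csharp
// Added example (not the video author's code): the Members Info API from the steps
// above, collected into one file. Scope "MembersApi.All", role "Members.ReadOnly",
// the controller name and the GetMemberInfo/{memberId} route follow the demo;
// the Guid key type and the two sample members are assumptions / constructed data.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;

namespace MembersInfoApi
{
    public class Startup
    {
        public Startup(IConfiguration configuration) => Configuration = configuration;
        public IConfiguration Configuration { get; }

        public void ConfigureServices(IServiceCollection services)
        {
            // Validate incoming bearer tokens (issuer, audience, signature, expiry)
            // against the "AzureAd" section of appsettings.json. "AzureAd" is the
            // default section name, so the wizard's explicit GetSection can be dropped.
            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                    .AddMicrosoftIdentityWebApi(Configuration);
            services.AddControllers();
        }

        public void Configure(IApplicationBuilder app)
        {
            app.UseRouting();
            app.UseAuthentication();   // must run before UseAuthorization
            app.UseAuthorization();
            app.UseEndpoints(endpoints => endpoints.MapControllers());
        }
    }

    public class Member
    {
        public Guid MemberId { get; set; }
        public string FirstName { get; set; }
        public string LastName { get; set; }
        public string Address { get; set; }
    }

    [Authorize]                    // every action needs an authenticated caller
    [ApiController]
    [Route("api/[controller]")]
    public class MembersController : ControllerBase
    {
        // Scope the caller's token must carry in its "scp" claim (scope name only,
        // without the api://... prefix). The demo hard-codes it; it could also be
        // read from configuration.
        private static readonly string[] ScopeRequiredByApi = { "MembersApi.All" };

        // Constructed sample data standing in for the database.
        private static readonly List<Member> MembersList = new List<Member>
        {
            new Member { MemberId = Guid.Parse("11111111-1111-1111-1111-111111111111"),
                         FirstName = "Alice", LastName = "Sample", Address = "1 Example St" },
            new Member { MemberId = Guid.Parse("22222222-2222-2222-2222-222222222222"),
                         FirstName = "Bob", LastName = "Sample", Address = "2 Example St" },
        };

        // GET api/members/GetMemberInfo/{memberId}
        // Roles = ... is checked against the token's "roles" claim, which
        // Microsoft.Identity.Web maps to ASP.NET Core roles, so only users assigned
        // the Members.ReadOnly app role in the enterprise application get through.
        [HttpGet("[action]/{memberId}")]
        [Authorize(Roles = "Members.ReadOnly")]
        public IActionResult GetMemberInfo(Guid memberId)
        {
            // Scope check: a token for this app without MembersApi.All is rejected (403).
            HttpContext.VerifyUserHasAnyAcceptedScope(ScopeRequiredByApi);

            var member = MembersList.FirstOrDefault(x => x.MemberId == memberId);
            if (member == null)
            {
                return NotFound();
            }
            return Ok(member);
        }
    }
}
```

Two independent checks run on every call: the bearer token must be valid for this app registration and carry the MembersApi.All scope (which is what the Postman client, or later the Operations Agent API, requests), and the signed-in user must hold the Members.ReadOnly app role, which only an enterprise-application assignment grants. A missing or invalid token yields 401; a valid token for a user without the role or scope yields 403, which is the split worth confirming in Postman before moving on to the second API.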
Unauthorized. So if you see, we got 401 Unauthorized. Now I'm clicking on Authorization, and here we have to choose OAuth 2.0, and it should be "Request Headers". After that we have to give the same callback URL that we used for our app registration, and it is already there. Here we have to give the authorization endpoint, so I'm going to the app registration and Endpoints, copying this, going to Postman and pasting it over here. Here we have to give the client ID; we can get the client ID from here, copying it and pasting it over here. We have to mention the scope, so I'm going to the default directory, Members API, Expose an API, and here is the scope; copy it and paste it over here. We also have to add this as a client application. I'm clicking on Add a client application, and here we have to give the client ID, so I'm copying the client ID of the Postman Client App and pasting it over here, choosing this scope, clicking on Add application.

Now we have to do a role assignment to a user. Here I'm going to the default directory, going to Enterprise applications, going into Members API App, clicking on Assign users and groups, Add user or group, and here I'm selecting Jessica, clicking on Select. We have only one role, so the same is showing over here. Click on Assign. Now I'm in Postman, clicking on Get New Access Token. It opened the Azure login page; I'm logging in as Jessica. It is asking us to open the Postman tool. So here we got the token; clicking on Proceed, Use Token, and now I'm clicking on Send. Here we got the response; that means the Azure AD configuration that we have done on this API is working fine.

Now I'm creating a new web API for agent operations. Here I'm giving the name as "Operations Agent API", clicking on Next. I'm choosing the authentication type as Microsoft identity platform, clicking on Create. Here we need to click on Finish. Now click on Configure over here. It loaded the app registrations, and here I'm choosing Operations Agent
API App, click on Next. Here we are going to access another API from this API, so I'm choosing this, clicking on Next, Next, Finish. The process is done. In the interest of time I have already updated the packages of this application in the same fashion as for the first API. If you go to the appsettings.json file, here we have the Azure AD configuration, and also, as we have added support for calling the downstream API, the Microsoft identity platform wizard creates this configuration too: here we have to mention the scopes of the downstream API and also the base URL. It also adds secrets: if you go to Manage User Secrets, you see here we have a secret, and the same secret is configured on the Operations Agent API app registration; if you go to Certificates & secrets, you see the secret here. We need to have this secret to call the downstream API.

Now let us go to the Startup.cs class, where we have to add a few more things. After AddMicrosoftIdentityWebApi we have to call EnableTokenAcquisitionToCallDownstreamApi; this will enable the application to preserve the access token of the user and call the downstream API. After that we have to write AddInMemoryTokenCaches, as we are going to store the token in memory, and after that we have to call AddDownstreamWebApi. Here we have to give a name to the API; we are going to call the Members API, so I'm giving the name as MembersApi, and here we have to pass the configuration section of the downstream API, so I'm giving Configuration.GetSection with this configuration section name pasted over here. Let us modify some configurations inside appsettings.json. Here I'm in the Operations Agent API App, going to Expose an API, copying this scope and pasting it over here. Now here we have to pass the base URL of the second API: copying the base URL and pasting it over here, and after that we need to add /api. Now here I
am in Members API App, Expose an API, copying this scope and pasting it over here. Please note that for the downstream API we have added the entire path of the scope, but here we have added the scope name only.

Now I'm adding a new controller: Controller, API, API Controller - Empty, Add. I'm naming the controller AgentController, and again we have to copy this and paste it over here, pressing Ctrl+. to add the required namespaces. Here I'm writing an action method, public IActionResult GetAgentMemberHistory, and it accepts the member ID. Here we have to add [HttpGet]; I want to go with the action and /memberId, as we are going to get the member ID from the URI. Now I'm going to the WeatherForecast controller and copying this statement, because for this controller also we want to validate the scopes; I'm pasting it over here, going to the top, copying this statement and pasting it over here. Validating against these scopes is optional. Here I'm copying the scope from the configuration; if you want to read it from the configuration you can do that as well. I'm pasting it over here.

Now let us define a model: click Add, Class, AgentMemberHistory. I'm adding one more class for deserializing the Members API response, so I'm adding a class named Member, going to the first API, going to the Member class, copying these properties and pasting them over here. We have to add one more class, and this is the last model we are going to add; I'm naming the class AgentMemberHistoryResponse, and in this we'll have public Member MemberInfo { get; set; } and public List<AgentMemberHistory> (pressing Ctrl+. over here) AgentMemberHistory { get; set; }. Now in the AgentMemberHistory class I'm adding a few properties: public string AgentName { get; set; }, public string ReasonForCall { get; set; }, public DateTime InteractionDate { get; set; }, pressing Ctrl+. to add the namespace. As we are not going to use Entity Framework, here I have hard-coded a
list of objects, but in real applications we have to get it from the database. Here I'm writing private readonly IDownstreamWebApi (pressing Ctrl+. and using this namespace) _downstreamWebApi. Now select this statement, press Ctrl+. and add the constructor. Here I'm writing var memberInfo = _downstreamWebApi. and, if you see, we have many methods here like Get, Put and Post; here I want to use CallWebApiForUserAsync, and you can use the other methods based on your requirement. I'm expecting the output to be in Member class format, so I'm writing Member over here, and after that we have to pass the service name. We gave the service name in the Startup.cs class as MembersApi; I'm copying this and pasting it over here. After that I'm writing options, and we can pass an action over here: options.RelativePath = the relative path of our second API. Our controller name is Members and the method name is GetMemberInfo; I'm copying this and pasting it here, so it should be members/GetMemberInfo, and after that we have to pass the member ID, so I'm writing /memberId. If you see, on options we have the HttpMethod property; if you want to mention the HTTP method you can do that here, but our API is a GET method and the default HTTP method is GET, so I'm not mentioning anything over here. As this is an async method we have to write await over here. Now I'm writing return Ok(new AgentMemberHistoryResponse) and inside this MemberInfo = memberInfo and AgentMemberHistory = the hard-coded list we have over here, which we are passing. We need to add the namespace for Task: pressing Ctrl+. and adding this namespace. We have to add roles to this endpoint, so here I'm writing [Authorize] (pressing Ctrl+. and adding this namespace) with Roles = OperationsAgent; I'm copying this and pasting it over here. Now we are going to access this API using Postman, and
this API will call the Members API and return the response. Now here I'm in App registrations, going into Members API App and Expose an API, and removing the client application that is related to Postman, because Postman is not the direct client now; instead we are using the Operations Agent API. Click here and click on Delete, Delete. Even if we keep that over here it won't impact anything, but as Postman is not a direct client I have removed it. Now go back to the default directory, go to Operations Agent API App, Expose an API, and here Add a client application; here we have to mention our Postman app client ID, and we have the client ID over here. Now go over here and paste, choose this scope, click on Add application. Now run our API applications: I'm running the Members API and here I'm running the Operations Agent API. We have to do the role assignment for the user on Operations Agent API App, so here I'm going to Enterprise applications, and here we have Operations Agent API App; I'm clicking on Assign users and groups, Add user/group, and here I'm selecting Jessica, Select. So now this user has the OperationsAgent role on Operations Agent API App, and on the second app, Members API App, this user has the Members.ReadOnly permission. Click on Assign.

Now let us test it with Postman. Here I have changed the URL from the Members API to the Operations Agent API, and here we have to change the scope to the Operations Agent API scope, so I'm going into Operations Agent API App, here we have the scope, and I'm changing the scope over here. Everything else stays as is. I'm clicking on Get New Access Token; it opened the browser; I'm pasting the username over here, clicking on Next, clicking on Sign in. Login is successful and it is asking to open the Postman tool, and here we got the token; click on Proceed, Use Token. Let us test this, clicking on the Send button. It hit the first endpoint, so that means the authorization is successful over here. Now F10: it hit the second endpoint, so that means the authorization is
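The Operations Agent API assembled over the preceding steps (the Startup changes that enable token acquisition and register the downstream API, the appsettings sections, the models and the AgentController) collected into one file. This is an added example, not the video's own code: the service name MembersApi, the scope OperationsAgent.All, the role OperationsAgent and the members/GetMemberInfo route follow the demo; the Guid key type, the sample history entries, the placeholder configuration values and the use of C# 9 positional records in place of the demo's property-bag classes are assumptions made here.

```csharp
// Added example (not the video author's code): the Operations Agent API from the steps
// above, collected into one file. The service name "MembersApi", scope "OperationsAgent.All",
// role "OperationsAgent" and the members/GetMemberInfo route follow the demo; the Guid key
// type, the history entries and the placeholder settings are assumptions / constructed data.
//
// appsettings.json shape (placeholders): "AzureAd" holds Instance, TenantId, ClientId and
// Scopes ("OperationsAgent.All"); "MembersApi" holds BaseUrl ("https://localhost:<port>/api")
// and Scopes ("api://<members-api-app-id>/MembersApi.All"). The client secret belongs in
// user secrets as "AzureAd:ClientSecret", not in the committed file.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;

namespace OperationsAgentApi
{
    public class Startup
    {
        public Startup(IConfiguration configuration) => Configuration = configuration;
        public IConfiguration Configuration { get; }

        public void ConfigureServices(IServiceCollection services)
        {
            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApi(Configuration)
                // Keep the caller's token so it can be exchanged, using this app's client
                // secret, for a token to the downstream API (on-behalf-of flow).
                .EnableTokenAcquisitionToCallDownstreamApi()
                .AddInMemoryTokenCaches()
                // Registers IDownstreamWebApi; BaseUrl and Scopes come from "MembersApi".
                .AddDownstreamWebApi("MembersApi", Configuration.GetSection("MembersApi"));
            services.AddControllers();
        }
        // Configure(...) is the same as in the Members API (UseRouting, UseAuthentication,
        // UseAuthorization, MapControllers).
    }

    // Positional records (C# 9 / .NET 5) stand in for the demo's property-bag classes;
    // Member mirrors the Members API response so it can be deserialized.
    public record Member(Guid MemberId, string FirstName, string LastName, string Address);
    public record AgentMemberHistory(string AgentName, string ReasonForCall, DateTime InteractionDate);
    public record AgentMemberHistoryResponse(Member MemberInfo, List<AgentMemberHistory> AgentMemberHistory);

    [Authorize]
    [ApiController]
    [Route("api/[controller]")]
    public class AgentController : ControllerBase
    {
        // Scope name only; the downstream configuration uses the full api://... form.
        private static readonly string[] ScopeRequiredByApi = { "OperationsAgent.All" };
        private readonly IDownstreamWebApi _downstreamWebApi;

        public AgentController(IDownstreamWebApi downstreamWebApi) => _downstreamWebApi = downstreamWebApi;

        // Constructed sample data standing in for the interaction-history table.
        private static readonly List<AgentMemberHistory> HistoryList = new List<AgentMemberHistory>
        {
            new AgentMemberHistory("Agent One", "Claim status", new DateTime(2022, 1, 10)),
            new AgentMemberHistory("Agent Two", "Address change", new DateTime(2022, 3, 2)),
        };

        // GET api/agent/GetAgentMemberHistory/{memberId}
        // OperationsAgent is enforced here; Members.ReadOnly is enforced by the downstream
        // API on the exchanged token, so the signed-in user needs both roles.
        [HttpGet("[action]/{memberId}")]
        [Authorize(Roles = "OperationsAgent")]
        public async Task<IActionResult> GetAgentMemberHistory(Guid memberId)
        {
            HttpContext.VerifyUserHasAnyAcceptedScope(ScopeRequiredByApi);

            Member memberInfo;
            try
            {
                // Acquires a token for the configured MembersApi scopes on behalf of the caller
                // and issues GET {BaseUrl}/members/GetMemberInfo/{memberId} (GET is the default).
                memberInfo = await _downstreamWebApi.CallWebApiForUserAsync<Member>(
                    "MembersApi",
                    options => options.RelativePath = $"members/GetMemberInfo/{memberId}");
            }
            catch (HttpRequestException ex)
            {
                // A non-success status from the Members API (404 for an unknown member, 403 when
                // the user lacks Members.ReadOnly) surfaces as HttpRequestException; return a
                // 502 with the status text rather than letting it become an unhandled 500.
                return StatusCode(502, new { error = "Members API call failed", detail = ex.Message });
            }

            return Ok(new AgentMemberHistoryResponse(memberInfo, HistoryList));
        }
    }
}
```

The token Postman obtains is scoped to the Operations Agent API only; the Members API never sees it. EnableTokenAcquisitionToCallDownstreamApi lets the middle tier present that token together with its own client secret to Azure AD and receive a second token whose audience is the Members API and which carries the same user's roles for that app, so the Members.ReadOnly check on the downstream side is still made against the end user, not against the Operations Agent application. The catch block makes the two failure modes the demo sets up (user missing the downstream role, or an unknown member ID) visible as a distinct status instead of a generic server error.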
successful over here as well. Clicking on Continue, and here also I'm clicking on Continue. Here we got the response. That is all in this demo. If this video is helpful to you, please like this video and also subscribe to the azureteach.net channel for more videos on Azure and .NET. Thank you.