Adam Larsen - Tech

In my post about getting the Azure AD JWT via Postman , we kind of skipped over the part on what the resource is when requesting a token.  Basically, its the Application Id URI of the app you will be calling, not the app you are login in as.  Let's talk through a scenario, using the https://github.com/Azure-Samples/active-directory-dotnet-daemon sample from my post on Service to Service auth. You would create two applications in Azure AD, and they don't even need to be in the same AD (we will cover that at a later date).  The service that is going to consume the API (TodoListDaemon) is the one that would be using the method I described to get a bearer token, and it would have its own Application as we would use its App ID for the Client Id.  Then the service hosting the API (TodoListService) would also have its own Application, but we don't need to generate an Application Key, as we are not logging on as this application.  But in TodoListService we would p...

In my last post, I reviewed how to use Azure AD for service to service authentication.  But sometimes, you may want to test your API directly.  So let's review how to get the token via Postman. We are going to be using the OAuth2 endpoint, and going for a "client_credentials" grant type.  So you are going to need to know a few things from your Azure portal. Application Id : This is used for the Client Id. Application key : This is used for the Client Secret.  You have to generate this from the portal, and it will only give it back to you once.  If you lose it, you will have to generate a new one. Application ID URI : we will use this as our resource.  This is the Application ID URI for the app we are going to be calling, not the one we are login on as.  (See What is the Resource in Azure AD for more information) (optional) Tenant Id : This is used to figure out where the Token Endpoint is.  The new Azure portal calls this a Directory ...

One of the things I like with the newer services from Azure is the use of Azure AD to authenticate. Azure Keyvault is a perfect example, I can request a JWT from Azure AD and I just pass that to Keyvault in the Authentication header and I am in. Bringing me back to the good old days when we would use Windows AD user as service accounts, you change your password in one place and it's updated everywhere. But this time, you can have more than one password, so your services don't crash as you try to cycle the passwords. (I think I hear angels singing from heaven...) So, how do we make use of this for our own services? So glad you asked. Let's start by pointing you to Microsoft's documentation for  Authentication Scenarios for Azure AD , it's a very good read, and you really should know this stuff before starting this.  The scenario we are looking for is "Daemon or Server Application to Web API", particularly looking at how Web APP 1 ( TodoListDaemon ) and ...

So I have been doing a deep dive into Azure CosmosDB for a project. One of my objectives was to learn its performance characteristics when uploading a few million records an hour, and doing a cost analysis of CosmosDB vs other technologies already in use.  I put together an app that's able to push a few hundred records in at an acceptable rate.  So I do what I inevitably always do. From my laptop on hotel internet, I "dial it up to 11, and see what brakes", what could go wrong? Well, it worked, and as expected, throttled when it hit the RU (Request Unit) limit.  I increased the RU allocation, and it pushed more documents per second.  Cool? NO, I was pushing 10,000+ RU/s and only getting a few hundred documents a second.  So I did what I should have done to start with, ran the sample from a VM in the same datacenter as my DB.  BINGO, it easily surpassed 1,000 documents per second. But for the same RU/s? What's going on? Well after a bit of testing, I sus...

If you have spent any time looking at the documentation for Microsoft CosmosDB / DocumentDB, you will see a lot of examples where the data model has a property named "Tags" that is a list of strings.  But you don't see many times they query on something in that Tag property...  One example I saw a query on Tags[0] = "some value" I don't know how often I will need that, but you know, good to know you can do it. After looking through the SQL syntax reference .  The 2 ways I most likely query the Tags would be to use a join on the Tags property or use the ARRAY_CONTAINS function. Side note; the performance of the two methods are basically identical, leading me to believe the query optimizer generates the same instruction sets for both. So unless you have an array of complex objects, just use ARRAY_CONTAINS. Cool, we know how to query for documents that have our tag on them now... One small problem, when you load a million, or even a hundred thousand do...

So recently I started looking at using WebAPI2, and well, the documentation on what's really going on here, sucks.   My goal here is to allow a user to log-in via OAuth2, pull the access token and the refresh token and handle them safely. This post is really just a place for me to take notes as I dig into this. Firstly, this is none trivial in Microsoft's implementation.  After digging into this, I must ask if they even thought about how this would be done.  From what I can tell, they are expecting that if you want to get extra information from a provider that you do it in the OnAuthenticated method on the AuthenticationProvider, and then add it to the claim.  And if that's all you need, by all means, do that. Step one: Requesting the Token For Google we need the include the access type of offline in our request.  It was talked about on the Katana Project at   GoogleOAuth2Authentication never really get RefreshToken So given that bit of info we know...