►
From YouTube: Securing Services with MSAL
Description
It’s common for web, desktop, or even mobile applications to require access to protected resources in their environment. This may be custom Web APIs, Microsoft Graph or some other third-party service.
In the episode, Principal PM Kyle Marsh joins Christos to give us a better understanding on how we can use Microsoft Authentication Library (MSAL) to secure our daemon services with the OAuth 2.0 client credentials flow.
[01:07] - What is MSAL?
[02:26] - How does MSAL compare to ADAL?
[05:07] - MSAL Language support
[05:44] - What is the definition of a service?
[07:55] - Granting access scopes and permissions to a service
[15:07] - Differences with other app types and dynamic scopes
[17:17] - MSAL demo
Overview of Microsoft Authentication Library (MSAL)
https://docs.microsoft.com/azure/active-directory/develop/msal-overview?WT.mc_id=ondotnet-c9-cephilli
Microsoft identity platform and the OAuth 2.0 client credentials flow
https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow?WT.mc_id=ondotnet-c9-cephilli
Acquire a token and call Microsoft Graph API using console app's identity
https://docs.microsoft.com/azure/active-directory/develop/quickstart-v2-netcore-daemon?WT.mc_id=ondotnet-c9-cephilli
Client Credentials grant sample code
https://github.com/azure-samples/active-directory-dotnetcore-daemon-v2?WT.mc_id=ondotnet-c9-cephilli
A
A
B
So
amsol,
the
microsoft
authentication
libraries
are
a
series
of
libraries
that
we've
created
to
make
the
to
take
away
the
drudgery,
if
you
will,
of
implementing
protocol
level
work
in
order
to
talk
to
an
identity
provider
like
microsoft
identity.
So
it's
our
library.
If
you
will
it's
actually
not,
we
don't
like
to
refer
to
it.
This
is
a
protocol
library.
It
does
a
whole
lot
more
than
just
that.
A
A
B
You
know
what
access
do
I
need,
how
do
I
authenticate
this
user
etc
and
take
away?
You
know
all
of
the
nitty
gritty
details
that
go
into
these
protocols
that
not
only
are
quite
detailed
and
long
they're.
They
have
a
huge
amount
of
work
that
you
have
to
do
to
follow
the
standard,
make
sure
you're
up
to
date
with
the
standard
and
so
on.
So
we
want
to
take
all
of
that
work
away,
so
a
developer
can
focus
on
their
user
experience
and
what
they
really
need
to
implement
with
respect
to
access,
et
cetera.
A
Sweet,
so
I
don't
have
to
hand
roll
my
own
artisan
library
to
authenticate
and
talk
to
us
ready.
I
just
download
the
amsoil
package
and
I'm
good
to
go
exactly
exactly
love
it
simplicity.
Now,
one
important
thing
right,
amstel,
is
the
new
version
of
a
previous
library
we
had.
Is
that
correct?
So,
yes,.
A
B
Microsoft,
authentication
libraries
isn't
just
about
azure,
but
rather
an
azure
id
it's
about
any
microsoft
identity,
so
both
users
with
corporate
identities,
from
azure
ad,
as
well
as
identities
from
our
consumer
side
of
the
house,
what
we
refer
to
as
microsoft
accounts
that
could
be
outlook.com
or
skype.com
or
xbox.com,
etc.
So
anyone.
B
A
B
We
did
there's
two
things
that
we
are
deprecating
over
the
next
couple
of
years.
The
first
thing
is
the
adel
libraries,
so
we
obviously
aren't
doing
any
new
work
in
there.
There's
no
features
going
on
there
in
a
dollar
and
that's
been
the
case
for
quite
a
while,
but
we
will
be
deprecating
that
and
wanting
the
developers
to
move
to
msol.
The
other
thing
we're
also
deprecating
is
something
called
the
azure
active
directory
graph
right.
B
So
not
only
can
you
get
users
and
groups
and
apps
you
can
get
mail
and
the
calendar
information
and
onedrive
and
sharepoint
etc.
So
it's
a
much
broader,
much
more
powerful
api
than
just
the
the
focused
azure
ad
graph
api.
So
that's
also
been
deprecated
and
we're
asking
developers
to
move
to
microsoft.
Graph.
A
Right,
you
got
two
years.
Folks,
don't
worry
you
don't
have
to
start
writing
your
code
now,
but
we
give
you
enough
runtime
to
make
sure
that
you
get
there
on
time
and
we're
gonna
have
donald
miller
coming
to
the
show
as
well
to
talk
to
us
about
ms
graph
and
how
you
can
use
it
within
your
applications
and
all
the
goodness
that
is
around
there.
A
B
Services
just
just
to
talk
a
little
bit
about
services,
specifically
the
first
thing.
I
often
want
to
think
about
the
properties
of
of
the
application.
If
you
will
that
that,
in
my
mind,
makes
it
a
service
right
first
off,
of
course
it
has
to
run
on
a
protected
environment.
I
can't
be
doing
this
on
a
phone
regardless
of
how
powerful
my
phone
might
be.
That
allows
develop
someone
to
be
able
to
get
at
the
secrets
of
these
applications
services
right
work.
B
Without
a
user
present,
they
use
secrets
and
confidential
information
and
have
are
more
powerful
than
the
ones
that
can
be
limited
to
just
a
single
user.
So
the
application
must
run
in
protected
environment.
There's
no
and
there's
never
a
user
in
front
of
it.
Directing
a
service.
A
service
is
being
run
on
its
own
logic.
If
you
will-
and
it
always
acts
on
its
own
behalf,
now
the
way
that
a
service
identifies
itself
is
it
uses
something
called
the
client
credential
grant
flow
from
oauth.
A
B
And
it
has
all
of
the
problems
that
a
username
and
password
has,
but
nowadays,
as
enterprises
try
to
move
into
new
security
models
where
they
don't
even
have
passwords
these
kinds
of
applications.
The
service
app
account
can
be
really
problematic.
So
I'd
like
to
warn
developers
to
start
thinking
about
how
they
will
start
moving
to
a
client,
credential
flow
type
of
application
that
we're
going
to
talk
about
today
for.
A
A
A
B
A
B
Regardless
of
how
smart
or
done
the
service
itself
is,
it
already
knows
who
it
is
right,
because
it
has
its
own
identity.
If
you
will
so
we
never
give
a
service
an
id
token
that
says
here
service.
Here's
who
you
are
right,
so
we
don't
so.
Instead
we
only
give
services
access
tokens
and
those
are
there,
obviously,
so
that
they
can
call
apis
in
an
authorized
way.
We.
B
To
worry
about
any
of
the
intricacies
that
come
in
with
the
other
flows
like
refresh
token
tokens
and
and
authorization
codes,
because
the
token
endpoint
that
a
service
talks
to
using
the
credential
client
credential
flow
doesn't
require
any
user
interaction,
no
no
web
services
or
anything
like
that.
When
your
access
token
expires,
you
just
make
another
call
to
the
endpoint
to
get
another
re
access
token.
You
don't
need
this
whole
process
of
caching
refresh
tokens
and
when
do
they
expire
and
all
that
stuff,
you
don't
need
anything
like
that.
Right.
B
So
the
real
question
is:
how
does
a
service
authorize
well
first
off
the
service
has
to
be
able
to
say
I
am
this
service
right,
so
it
provides
if
you
will
an
application
identity
right,
so
that
is
it
two
components
to
that.
The
first
is
a
client
id.
We
know
your,
you
know
who
who
you
are
based
on
a
client
id
you
get
that
out
of
your
app
registration
and
then
you
have
to
provide
your
credentials
in
one
way
or
the
other.
B
Now
we
do
have
the
support,
because
it's
required
by
the
standards
to
support
a
secret,
a
secret
key.
If
you
will
it's
really
just
a
string,
it
has
the
same
problems
as
an
application
as
a
password
does
yeah-
and
you
know,
especially
given
the
nature
of
these
client
credential
flows
very
nature
starts
with.
I
got
this
string
I'll
mail
it
to
the
developer
or
I'll
post
it
in
a
in
a
spreadsheet
somewhere.
I
actually
had
a
customer
one
time.
Here's
all
these
keys,
we
use
it's
like
really.
B
Yeah
exactly
so,
we
kind
of
prefer
that
you
use
something
like
a
certificate,
because
certificate
management
tends
to
be
better
in
existence.
Right
people
have
know
how
to
manage
certificates.
Whatever
process
you
use,
we
really
want
to
see
where
you
don't
handle
the
secrets
with
people.
Some
automatic
process
puts
the
secret
in
the
right
place
for
your
process,
your
service,
to
use
whether
it's
a
certificate-
that's
been,
you
know
automatically
deployed
to
a
vm
or
something
or
even
a
desktop,
a
server
somewhere.
B
Those
are
the
kinds
of
processes
we
want
to
see
for
securing
these
credentials.
If
you
will
right
so
and
it's
a
certificate
there's
a
specific
way,
you
have
to
do
that
involving
signing
a
jot
token,
etc.
The
good
thing
news
here
is,
while
there's
a
lot
of
work
there
mso
looks
after
for
you,
so
you
really
don't
have
to
worry
about
the
the
nitty
gritty
details
of
how
you
do
that
certificate
authentication.
It's
very
straightforward!
That's
what
we'll
show
you
in
a
minute
right
awesome.
A
B
B
You
as
a
developer
and
your
I.t
folks,
don't
have
to
worry
about
secrets
or
keys
or
certificates
or
anything
else
we
handle
all
of
that
for
you,
and
in
fact
you
don't
even
have
to
worry
about
msol,
because
you
just
make
a
request
to
a
well-known
endpoint.
This
is
from
a
vm
where
I
simply
ask
hey
mr
endpoint.
Give
me
a
token
for
microsoft,
graph
and
off
you
go
right,
so
you
don't
even
have
to
do
much
coding,
it's
a
very
straightforward
process
and
a
higher
security.
B
Now
it
is
only
available
today
for
azure
resources,
so
if
you're
running
somewhere
else,
you're
running
on
a
server
in
your
enterprise
or
something
like
that,
you
can't
use
these.
But
if
you
are
using
azure
for
to
host
your
services,
I
I
strongly
encourage
you
to
take
a
look
at
that
as
a
great
way
to
to
have
a
more
secure
service.
A
And
to
interject
here
something
important
that
mass
identities
also
work
in
local
development
environments.
There
is
a
way
to
add
that
as
part
of
the
development
flow,
so
the
inner
circle
becomes
consistent.
So
when
you
move
from
development
to
production,
you
don't
change
your
code
or
you
don't
have
to
change
anything.
It
just
picks.
B
B
So
one
other
thing
that
the
application
needs,
of
course,
is
the
application,
needs
the
right
to
do
something
or
permission
to
do
its
operation.
Maybe
I
want
to
list
all
the
users
in
the
enterprise
or
I
want
to
find
out
all
the
mail
that
was
sent
yesterday,
so
I
can
throw
it
into
some
complicated
ml
thing
and
find
out
if
my
company
is
happy
or
sad
today,
I
might
have
all
kinds
of
different
needs,
so
the
application
has
to
state
here's.
B
A
B
Graph
we
have
user.read.all.
This
application
can
read
the
full
profile
of
all
of
the
users.
In
my
enterprise,
for
example,
then
the
application
developer
would
go
and
go
to
the
portal
or
possibly
use
a
graph
api
to
specify
for
their
their
app
at
the
registration
to
say,
here's
the
app
permissions
I
require.
A
B
So
they
would
be
listed
just
like
we
do
with
the
other
ones
user.read.all
great.
That
means
this
application
is
going
to
get
that
application
permission.
Remember
it
has
nothing
to
do
with
the
user.
Now
it's
the
application
and
therefore
all
users
can
be
read,
because
it's
not
a
specific
user
associated
with
this
app
right.
Then
the
tenant
admin
actually
has
to
grant
the
permissions
ahead
of
time.
There's
no
ui
here,
there's
nothing.
The
user
gets
to
see
because
there's
no
user
anyway
right.
B
So
all
of
the
the
granting
saying
yes,
I'm
allowing
this
service
to
read
my
mail
or
read
my
users
or
look
at
my
powerpoint,
my
sharepoint.
What
have
you
that's
all
done
ahead
of
time
by
the
tenant
admin
again
an
api.
They
usually
use
the
portal,
but
they
go
ahead
and
create
that
they
they
effectively
grant
the
permission
to
the
application
ahead
of
time,
and
then
the
application
always
uses
what
we
refer
to
as
the
dot
default
scope.
So,
for
example,.
A
B
Yeah,
I
kind
of
like
to
think
of
the
dot
default.
I
can
use
this
for
any
application.
It
kind
of
says
why
don't
you
go
to
the
to
my
app
registration
and
do
what
I
would
refer
to
as
the
the
scope
or
permission
math
figure
out?
What
I
need
based
on
what
I'm
calling
and
maybe
I'm
calling
an
api
that
needs
another
permission,
etc.
Go
ahead
and
figure
that
out
all
that
out
for
me
and
give
me
what
I
need.
A
A
B
A
multi-tenant,
a
multi-tenant
application
developer,
I'm
selling
my
app
across
different
tenants.
Maybe
I
want
to
be
able
to
have
different
tiers
of
the
app,
so
maybe
I
maybe
I
have
an
app
that
only
needs
d3
three
permissions
for
a
big
chunk
of
it,
and
maybe
it
only
needs
these
other
three
in
particular
circumstances,
and
who
knows
maybe
that
my
cut
this
particular
customer
never
even
bought
those
other
three.
So.
A
B
A
B
Gonna,
this
is
what
I
need
right
now
and
maybe
that's
the
only
thing
I
sold
as
a
developer.
So
that's
why
a
developer
is
not
so
much
for
a
service,
because
the
service
is
kind
of
all
nobody's.
Looking
at
the
ui,
what's
the
application,
the
user
experience
for
the
server?
Well,
there
isn't
one,
so
I
don't
really
need
to
optimize
it
much.
A
B
If
I'm
a
user
in
front
of
it
and
I'm
using
what
we
call
delegated
permissions,
I
might
want
to
really
fine-tune
exactly
when
the
user
gets
prompted
for
for
permissions.
So,
for
example,
maybe
I
have
an
application
that
says
I'm
helping
you
manage
onedrive
and
the
first
thing
to
do.
If
the
app
started
up
it
says
I'd
like
to
write
to
your
calendar,
you'd
go!
Oh.
Why
would
you
do
that?
But
if,
at
some
point
in
time
I
pop
a
note
to
the
user
saying
hey,
I
noticed
that
you
know
x.
B
A
B
Told
you
a
few
minutes
ago,
you
don't
really
want
to
use.
So
let
me
try
to
do
this
in
a
little
bit
more
correct
way.
So
the
code
we're
going
to
run
through
in
this
case
is
obviously
I
need
to
read
the
certificate.
I'm
writing
this
on
my
local
machine
as
a
console
app
here
on
my
local
machine,
so
I've
already
distributed.
If
you
will
this
certificate
to
this
dev
to
my
machine
here,
so
I
just
need
to
go
and
get
my
certificate
out
of
certificate
storage.
B
A
A
B
Then
this
is
just
which
application
which
tenant
I'm
talking
to
so
in
this
case
I'm
talking
to
the
tenant
where
the
app
is
registered.
The
only
other
thing
I'm
going
to
do
is
we've
gone
ahead
in
our
configuration
here.
I've
said
which,
which
my
application,
the
app
I'm
calling
is
microsoft,
graph
right.
A
A
B
Nice,
what
we're
going
to
do
here
is
we're
just
going
to
take
that
app
url
the
api
url,
which
in
this
case
is
microsoft,
sorry
graph.microsoft.com
and
we're
going
to
add
that
dot
default,
which
is
what
we
would
always
do
for
a
service,
and
then
it
becomes
a
very
straightforward
process.
I
simply-
and
I'm
going
to
use
this
acquire
token
for
client.
It's
going
to
build
me
a
an
object
that
I
can
then
execute.
Asynchronously.
B
To
return
to
me,
the
the
the
response,
the
token
response,
I'm
going
to
take
a
a
quick
look
at
that
when
we
get
there.
So
actually,
let's
wait
for
that.
We'll
go
here,
but
I
go
ahead
and
now
I'm
going
to
go
and
go
acquire
that
and
then
from
there
on.
All
I
really
need
to
do
is
call
my
apis
and
give
it
the
access
token,
which
is
in
the
response.
B
A
B
A
B
That
authorization
header
is
going
to
have
this
value
of
a
bearer
with
the
access
token
sweet
right.
So
I
passed
that
access
token,
that
I
got
from
microsoft,
identity
to
call
the
api,
and
if
I
call
this
th
this
api,
it
knows
how
to
check
to
see
if
it's
so
what
emsal
is
coming
in
for
me,
emsaul
is
basically
got
these
two
apis,
the
first
off
I'm
creating
the
m
cell
object,
yeah.
A
B
B
A
B
And
let
me
make
sure
it's
not
popping
up
on
the
other
monitor,
so
I
actually
didn't
want
to
oh.
So
this
is
just
checking.
You
know,
I'm
getting
my
certificate,
so
I
got
my
certificate
that
worked
fine,
so
I'll
just
go
ahead
and
let
that
go
so
now
I've
gone
ahead
and
acquired
a
token.
What
I
want
to
look
at
here
is
the
result.
B
Just
to
show
you
what
this
is
really
if
you
were
looking
for.
You
know
how
do
I
debug
I'm
getting
a
for
an
access
denied
from
my
oops
popped
up
on
my
other
monitor,
let
me
bring
it
over
here,
so
I'm
getting
an
access
denied.
You
know,
how
do
I
do
it
well.
The
first
response
for
most
developers
is:
oh,
I'm
just
going
to
take
a
look
at
the
token.
Surely
it's
just
a
jot
token.
I
can
just
look
at.
A
B
Even
though
you
can
do
that,
I'm
going
to
try
to
discourage
people
from
doing
that,
because
if
you
do
there's
there
may
be
a
point
in
time
where
you
will
no
longer
be
able
to
read
the
access
tokens
like
you
can
today.
So
if
we
start
putting
protection
on
those
access
tokens
that
debugging
technique,
you've
gotten
so
used
to
won't
be
there
anymore.
B
A
B
A
B
And
here
you
can
see
the
rest
of
the
information
that
I
see
in
the
token
response,
I'll
also
point
out
the
correlation
id
really
important
to
log.
If
you
want
to
log
anything
log
this,
because
with
the
correlation
id,
our
support,
people
can
go
and
look
up
that
transaction
with
the
hey.
I
ran
an
app
two
days
ago
and
it
didn't
work.
Could
you
tell
me
what
happened
we.
B
Well
tracing
those
down,
but
with
a
correlation
id.
We
do
that
great
and
that's
not
in
the
access
token
or
anywhere
else.
It's
right
here
in
the
correlation
id
of
the
response,
as
well
as
things
like
when
it
expires
and
so
on.
So
I
have
no
need
to
ever
look
inside
this
access
token.
This
access
token
was
issued
for
microsoft,
graph
they're,
the
only
people
who
should
be
looking
inside
of
it.
The.
A
B
B
B
B
B
B
What
you
do
need
to
do
is
you
have
to
authorize
why
you're
acquired
credentials
again,
if
possible,
use
imagine
identity
for
azure
resources,
it's
a
lot
simpler
and
more
secure
or
a
certificate,
preferably
because
there's
usually
management
around
certificate,
and
then
the
fallback
would
be
secrets.
But
we
really
really
really
hope
that
you
have
some
management
process
in
place
so
that
those
secrets
aren't
just
strings
that
are
passed
around
in
email
or
spreadsheets
on
the
server
or
check
just
checked
into
github.
A
B
A
Awesome
so
much
goodness
here,
especially
for
developers
that
work
with
net
and
dot
net
core,
and
these
days
you
know
you
can
run
on
linux
or
windows
doesn't
really
matter.
So
it's
open
source
there
there's
a
lot
of
potential
there
for
people
to
create
background
tasks,
using.net
core
and
it's
nice
to
know
how
to
do
it
right
and
securely
and
don't
not
expose
unnecessary
secrets
and
stuff
to
your
to
potential
attackers
so
kyle.
That
was
brilliant.