Description
This month's community call included an introduction to Microsoft.Identity.Web, the new authentication & token management experience for .NET. We'll show how it fits within the existing landscape, look at demos of using the library in new apps, and strategies for upgrading older apps.
Speakers: Christos Matskas, John Patrick Dandison
A
Patrick or JP, I have many wake words, I guess, I have to listen for, and I've been called much worse, so just feel free to shout in my general direction and I'll try to answer you. I am a principal program manager in the identity division. With my partner Christos, we work on helping developers use our platform and be successful in it. The breadth of the identity platform is our oyster.
A
I suppose, and one of the things that we wanted to come and talk about was some new changes that we were seeing in our libraries to make consuming the identity service that much easier, especially if you're a .NET developer, and so that's what we're going to look at today. We're going to talk sort of about what it is and why it is the way it is and then just go into some demos about.
A
So here you see Christos and I discussing the new Identity.Web as we normally do in the subway, just like everybody does when they're at work, obviously, as they talk to their friends about new hot libraries that they're seeing. The first thing, and this audience probably doesn't need to worry too much about why they should use an external identity provider, but it is still an important sort of topic as well. Why shouldn't I just do this myself?
A
There are lots of reasons why you shouldn't do it on your own. Many of these reasons are popping up on the screen right now: generally speaking, people are not terribly good, developers are not terribly good, at maintaining databases full of sensitive user information, and so it tends to be a good idea to let somebody else deal with it. Let somebody else handle the trouble of: how do I reset my users' passwords? How do I store them securely? How do I make sure?
A
That's all extra work for you, right, and instead it's much easier to punt that down the street, to delegate that off to somebody else for a fairly reasonable fee and let them deal with it on their own. So, of course, you see these numbers here: over, you know, almost 10 billion accounts that have been hacked or released to the internet in some form or fashion. That came from haveibeenpwned.com, and that was as of last December, so the number's probably even higher by now.
A
There are some that, a lot of them work here, for example, in our division, but generally speaking, a developer, an enterprise or a commercial software developer, identity is a part of what they need to do, but it's not the end goal. The end goal is not to have a bunch of identity-related code to sign users in or to access APIs.
A
The goal is to do some other sort of business task or to solve a business problem, and identity is one of the requirements, a foundational requirement to actually go and get there, and so what we hear over and over and over again is: I just want this to work. This is super complex and there are all sorts of protocols that I need to worry about and which ones are secure and which ones are not, and I don't know what a JWT is, and I don't know how a signature gets made.
A
I don't know what to do. And we hear this quite frequently, so the whole point of our new libraries is making it easier for us to sort of fall into the pit of success, to use a cliched term, of: I just need to add authentication to my application. I just need to call an API, and I need to be confident that in doing that, I'm not going to be in the news one day, right? And so you'll notice.
A
Here, of course, these people are looking at a map of midwest central United States, but they were able to delete so much code using Identity.Web that they felt like they needed to present it to their whole org. So here they are, and of course even Bob can figure it out, right? The whole point of our library is to make it much easier to be successful, so identity for all developers is sort of a common theme, common thing you're going to hear from us.
A
So today, if you're doing ASP.NET, and yesterday, if you're doing ASP.NET, and really back for quite a decent period of time, you sort of had these two really discrete experiences. One side was the ASP.NET configuration via ASP.NET Framework or ASP.NET Core or OWIN with ASP.NET, where you had to configure a sign-in operation or some sort of way to get your users to authenticate, and that was somewhat discrete from: well, I also need to get data from APIs. How do I get a token to go and do that, right? If I'm on-prem?
A
This is all happening behind the scenes, because I'm on a domain-joined machine and that domain-joined machine has IIS and it's running our app and it's talking to, say, SQL Server or another API using a service account, and so, if you're a developer, you never really had to worry about it.
A
But once you move into the sort of new world of using external identity providers and, in particular, Azure AD, suddenly all these protocols are sort of right in your face, and the identity community as a whole loves to have all of this really specific and esoteric vocabulary that's really hard to navigate if you're new, or really hard to navigate.
A
Experiences of: I've got my OpenID Connect stuff that I've configured, but I need to hook into specific events in order to get MSAL configured or ADAL configured correctly, and it's super confusing, and especially if identity is not something you're doing and building with every day, it has a tendency to get even more confusing, because there are all sorts of different events that happen in the sort of overall life cycle of an OpenID or an OAuth request, and so that was very difficult, and we have noticed for years the developers struggling with knowing exactly when to do the right things and which foot to put where at just the right time in order to make sure they had what they needed.
A
That's talking to a backend API, and now that back-end API needs to support OAuth 2 tokens, or it needs to know the user is authorized to use that service, and then we get into the discussion around scopes and token validation and what does a valid token mean, and so that was something you use the JWT bearer middleware for, which was again somewhat of a bifurcated experience.
A
We had the JWT bearer middleware for web API and ASP.NET, but we also, if you needed a token to call another service, which is of course fairly common, now you also had to go and configure MSAL then. So the Identity.Web library aims to essentially abstract all that away. All the complexity of configuration, of which thing goes where at which point, and I have to copy 400 lines out of a doc or a sample in order to make this work. The Identity.Web library aims to do the majority of that work.
A
For you, with some tasteful defaults, while still managing to give you enough extensibility points and enough ejection points to do more complex work as you need to, right? Now, one of the big ones here is the fact that all of the OpenID Connect middleware that runs ASP.NET, all of that's configured for you. All of the UI bits that you need for redirecting your user over to sign in, for receiving those tokens when they come back, all that's wired up for you automatically. The audience.
A
If we look at the OpenID Connect configuration data that comes out of Azure AD, if you're not using a tenanted URL, if you're not using an Azure AD specific URL, you end up in a position where you have to validate that the audience of your token is correct, but you don't necessarily know which audience, or you don't necessarily know which tenant your user may be coming from, and so now there's an audience.
A
Those are all still available. So, instead of having to build your own MSAL cache or your ADAL cache for storing tokens for further use or for later use, all that happens for you, and if you've configured a distributed cache, we will use that sort of automatically, we'll pick that up for you. And then, of course, for API developers, it's very similar.
A
And today you have something called the Azure AD UI library. The Azure AD UI library is sort of a first pass at an attempt to make using Azure AD a little bit easier, but it uses the v1 endpoints, which of course, that's been a big thing that's coming up, is it's using v1 and we want everybody to start moving to v2, especially with the deprecation of ADAL to MSAL on the horizon in just under two years.
A
So these were wrapped up into this Azure AD UI library, but you still have to deal with MSAL separately, and so now we have Identity.Web to sort of come underneath the whole thing and give you a new sort of API surface to work with. The primitives are all still there. All of the sort of basics that you know and love and are familiar with today in ASP.NET and ASP.NET Core, they're all still there, they're just abstracted away from you, so that you don't have to necessarily have 300 lines of code in your Startup.cs in order to configure MSAL and get users signed into your app.
A
So just to take a quick look at what that kind of looks like: things like this AddAuthentication, AddAzureAD have been replaced with things like AddMicrosoftIdentityWebAppAuthentication.
A
Most of these are chained calls. So when we get to MSAL is when we see the big improvement. Here, you're responsible for creating an MSAL client and then handling authorization codes and handling token caching; here we give you one extra chained call to your AddMicrosoftIdentityWebAppAuthentication called EnableTokenAcquisitionToCallDownstreamApi, and so now you've got in your config.
A
You have two objects or two things that you need to do. One is to enable sign-in, which is the first one, and the second one is: I need MSAL with the token cache, please go and create it for me. We haven't forgotten about API developers. They have the same new experience as well, where, instead of having to configure all of the different pieces for getting MSAL tokens and for configuring the MSAL cache, instead API developers get the same. Really quick and easy.
A
The intention is for it to be extremely easy to use and to not require you, as the developer, to have any sort of ultra-deep understanding of protocols, of tokens, specifically of what it takes to sort of enable OAuth and OpenID Connect on an app. It doesn't require you to have a whole lot of really deep knowledge in it.
A
We want you to understand it enough to configure it and to sort of know what's happening, but not have to be a really deep expert to feel confident that your app is going to be secure. So Christos is going to show us what that looks like when building a new, a net new application in .NET. Today the library itself is still in preview. It should be coming out into GA relatively soon, so he's going to step through what it looks like to add this to a new app. So Christos, I'll.
A
Let you take it away.
B
Exactly, thank you for the intro, and I'm probably going to blow your minds today, because it did blow my mind the first time I actually had to use the library. And fun fact is, probably I was the first one to download the NuGet package when it came out, so very fresh bits back in early June or late, in early July, so the library has been out there for a while.
B
Now we have 0.4 version running and we're heading fast for our GA, which is coming very, very soon, but we do have support for the preview bits and, if you're looking to get started, there's a GitHub repo.
B
If you search for Microsoft.Identity.Web you'll land here. It contains all the documentation as well, so you can start with the conceptual documentation and then start drilling into the advanced topics. We also have a lot of samples that cover not just the simple scenarios of: I want to just authenticate a user, which is great, but also authenticating users and calling into Graph, or authenticating users or calling other APIs, API to API, on-behalf-of flows, and what have you. So make sure you check out the samples and start working through there.
B
What I have here in front of us is a very simple app, so it's a File New Project and I did not add any authentication out of the box, because the templates have not made it into Visual Studio yet. The preview bits are already in place, so it will be landing very, very soon. In fact, they might be announcing that at Ignite. I don't know exact timing, but even so, the CLI and the Visual Studio templates will be updated very, very soon.
B
If you want to get started with templates today, and you want to do a File New Project, there are actually templates, what about template, maybe here, and you can download the template. So if you want to do File New Project through the CLI, it allows you to go and quickly create a project. But what I want to focus on today is the code. There are two things that you need to do, two or three things that you need to do to work with the new authentication.
B
The first thing is: go into your project, if I open that one, just reference the Microsoft.Identity.Web library and the UI, if you're creating a front-end or a user kind of interface, and then inside your startup, if you're working with .NET Core, you just come in here, you need to reference the library and it's a one-liner. It's literally a one-line configuration that you need to do to implement the authentication in your app.
B
You pass the configuration, so we do have defaults. So as long as your app settings have an Azure AD with the appropriate information here, then the startup will pick it up and will run, and then you can do all the customizations you want. But the whole point is that it's a one-liner to add everything. Now, if you're, obviously you need to call the UI.
B
So you need to add that into your controllers. Whether you're working with Blazor, Razor, MVC and web API, they all support the same libraries and they all support the new library, so you're good to go. And then you need to make sure that you call the authentication or UseAuthentication here. Then inside your controllers, you just do the Authorize, or you force authentication across the board. This is a one-liner.
B
If you are calling an API, then you just have to say: you know what, I want to enable token acquisition here, and then because you're calling another API, you want to have a cache. So out of the box, you have in-memory caches, you have distributed caches and you have session caches, so they're all out there for you. This is it, a one-liner. You don't have to have any in-depth knowledge about OpenID Connect. You don't have to worry about endpoints or anything else.
B
Next, I want to jump to an API, again in a very similar manner. You have your app settings in your API. Let me make it slightly bigger, so everybody can see this. I haven't configured my API settings here. That is, it's fine, but if I jump into my startup, it's the same expectation: the configuration should include an Azure AD section. Then it's a one-liner, so we say AddMicrosoftIdentityWebApiAuthentication and that will do all the token validation and make sure that you have the appropriate information in your tokens.
B
And then, if you jump into a controller, then again the authorization is a one-liner. So if you've ever done any token management in the past or you had to check scopes, you know that you had to roll out your own code to look into the token and make sure they had the right scopes. So here all I did is add the Authorize attribute, which is the consistent one, or the one that has been brought back from .NET Core, and then check this out in HttpContext.
B
We actually have a call that calls the verify user has accepted scopes, and then you pass the scopes in here and that does the whole job. So if the token comes in and they don't have the appropriate scopes for the API, then they get bounced back. So again, with three lines of code, I was able to implement some very complex logic that is hidden behind some, you know, behind the library, so we abstracted a lot of stuff and people are loving.
B
It so much now that they're asking for the same library or the same wrapper around MSAL and the authentication to be available for other languages like PHP, Node, Java, and what have you. And that's the end of my demo, because, you know, I think I want to finish here with the highlight, which is show a few lines of code to achieve so much.
A
So a lot of the configuration I had to do on my own, and if we look at this ConfigureServices, it may be fairly familiar, especially if you've had to do OpenID Connect or do any Azure AD app work on your own. So we have all the configuration that happens here. Of course, all this is coming out of configuration on our own, and then we have to add a cookie and that cookie comes back, but then we have to go and configure our events, right?
A
So in our events and our authorization code received event, for example, this is when we're creating our new MSAL objects, and these new MSAL objects are what's happening to handle the authorization code swap and then caching that token, so that we can go back and use it later on, in a controller action, for example. So we've got a couple.
A
This is the extent of it, right? So we've got, so now we're configuring our app here with this. We need to enable token acquisition to call a downstream API and we want to add a cache. So I'll use an in-memory cache for this one, and now we're done. So we can go back through and delete all of this code that we had for configuring all these extra services and cut out nearly 100 lines of code and get to what is essentially an identical level of functionality, right?
A
The best part about this demo is it doesn't really take much, because all we're doing is deleting code. Of course, anytime we can delete code, that's a good day, but so we managed to take a significant amount of code that requires a significant amount of sort of specific knowledge around how the flows work, of: well, what is an authorization code flow and how does that work, and then what does it mean to, say, redeem that authorization code, and then how do I cache a token securely?
A
We're super excited about this coming out. Also, Christos and I have worked on doing this with Blazor, and so we've managed to get this working with Blazor server side, and Blazor client side is a little bit different because there's sort of a higher-level wrapper that goes around the whole thing, but this absolutely works in Blazor server side and will be a part of the templates later on, closer to release, so that is sort of the net.
A
What we wanted to look at today. Are there any sort of questions, concerns before we move on?
A
So OBO support itself in B2C is the larger question. So I would say, when B2C supports OBO properly and thoroughly, and it's announced that that is, that that's all supported, this library will handle it. So one of the sort of focuses of this library was specifically that you could switch between Azure AD and B2C with minimal code change. It may be as, it is as minimal as a configuration change.
A
The code itself doesn't actually have to change. If you were to add a B2C authority and to add a B2C flow for sign-in, a sign-in or sign-up flow, once those are added to the configuration, the library handles sort of toggling over to use B2C, yeah.
A
That's right, they can be. There are specific event hooks that are available in the Identity.Web web app authentication. There are specific hooks there for including your own OpenID Connect events.
B
Yeah, one question again, and that's a very important question by sorry snare: is it possible to use this library on legacy .NET Framework 4.7 apps? And do you want to answer that or do you want to answer that?
B
3.1, 3.1 and later. I don't think there's plans for backporting the library. Sorry for being, you know, the messengers of bad news, but the whole point is to make it easier going forward, and I feel your pain. I totally feel your pain, but yeah, sorry, no support for, I wouldn't call it like a legacy, but I would say the old .NET Framework is not supported. Sorry for that. Next question: is there any chance for a version for .NET Framework 4.8? Again, sorry, no.
A
Will make sure that, we will make sure that that is captured and bubbled, because certainly you are not the first. You are not the first group that's asked for that, so we will make sure that that is well known.
B
Correct. Somebody else has asked: how does this fit into the Microsoft identity platform? I already answered that in the chat, but for people that are not monitoring the chat, I would say it actually sits on top of MSAL. So it's not a new functionality. You know, it's not something new or a new version of the authentication. We just abstracted the pain of user sign-in and token management and made it super easy, but you can still use the existing MSAL libraries if you still want to roll that way. Totally up to you.
A
Yep, that's it, it's intended to be a new API to abstract all the complexity away, because there is so much complexity, but none of the underlying functionality itself is changing. It's all still there and, of course, you're welcome to use it. You don't have to use Identity.Web. All of that underlying code is still there to use.
A
So if you were using ADFS locally, ADFS would essentially be a separate OpenID provider. If the question is between something like Kerberos, like a straight-up Kerberos, no, this library would have nothing to do with interacting with Kerberos at all, because that would be primarily like an IIS-side setting to effectively enable Kerberos.
A
There may be some ways to use authentication policies or authorization policies to protect certain parts of an app in different ways. So we've done that before with, say, an app that will need to use Azure AD and B2C, for example, but no, there's no sort of hybrid expectation out of the box if it's direct Kerberos, and if you were doing it with ADFS to get OpenID on-prem you'd have to set it up as a separate provider. Yeah.
B
And people are loving the library so much that now they are asking how easy it is to connect with other external identity providers, and I will take this one. Unfortunately, we do not support other identity providers for now. If you feel that this is a library that should be extended to, you know, to work with other providers, then please make sure that you let us know, but remember it's built on top of MSAL, right, so for now it is designed to work with Azure AD and B2C.
B
So that's the limitation here. However, it does support working with third-party APIs, so I did mention before that we make it super easy to acquire access tokens for, say, things like Graph or things like internal APIs. Now we have the functionality to allow you to call any other API without really having to, that gets built into the library. So that's a major win there, because it becomes very easy to call other APIs by injecting them.
A
What it handles is, so it doesn't do this in Blazor, there are incremental dynamic consent methods in token acquisition. So if you start the app with two scopes and you need an additional scope later on, the library will handle that. So there's a mechanism there to pass in the scopes that you need, just kind of how you would do it with MSAL.
A
You say which scopes that you need and then really most of the work is delegated down to MSAL, and MSAL goes and generates a redirect to send a user over to do their new consents and then comes back with that access token that reflects that.
B
Yeah, I don't know if that answers Donald's question with regards to the middleware handlers. I don't know if you specifically need to do something when those calls are intercepted, but we definitely know, and we have tested, the incremental consent, which is built into MSAL and v2 endpoints. So there's that. The next question is for the ones that support OIDC, and I suspect that this refers to identity providers.
B
It should be easy. Oh, that's from John, who says that right now we're focusing on integrating with Azure AD, but we might be able to support OpenID Connect providers, other OpenID providers in the future. Next question: are there any use cases, and shout out to my Greek buddy over there, are there any use cases where it is recommended to use MSAL instead of this library?
A
If, there may be specific configurations or specific levels of control where you would want to use this over MSAL, but the token acquisition part is sort of largely abstracted away from you. So if you need low-level MSAL access, if you have very specific sort of cache before-access and after-accesses that you want to manipulate on your own, or if you've implemented an entire, you know, ITokenCache on your own.
A
You may want to consider waiting a little bit. There's still some API changes going on. It's not 100% locked yet, and the accessibility of the MSAL object itself is still a little bit of a question mark. So I would say, if you're just doing authentication and authorization to acquire tokens, it would be a good place to start. If you are really heavily manipulating the MSAL object, I would certainly take pause and examine exactly what you're doing before jumping into this.
A
Okay, great, and so lastly, twice a week Christos and I do this, where we build stuff with Identity.Web or we build stuff with MSAL Browser for React or for Angular apps, and so we'd love to have you come and join us. It's at 7:00 a.m. Pacific, 10 a.m. Eastern every Tuesday and Thursday, at the link that's up there on your screen. We'd love to have you, so, and here's.
A
Here's a whole sort of collection of links related to the rest of the M365 developer community, and I believe Stephen has a survey for you to take as well, as to how relevant or helpful this was, and, of course, feel free to reach out to us with any questions or concerns as they come up. Stephen. Yes, thank you, John Patrick and Christos.
A
So if you can take a few minutes to fill it out and just let us know what you thought of the call, or if you have any suggestions for topics that we can cover in future calls, that will be great.
A
Otherwise, if you have any additional questions, feel free to ask them. We.
B
Yeah, there was one about working with Graph, so it's like: how do you use the token you cache with the Graph? You don't have to worry about that. In fact, the 0.4 release, the latest one, added support for adding Graph as a dependency or registering Graph as a service into your service containers, and there's a NuGet package called Microsoft.Identity.Web.MicrosoftGraph, and with that you can call Graph directly from your controllers without really having to worry about token acquisition or passing tokens.
B
Or what have you. Once you acquire your scopes, then you're good to go, so it's pretty cool, and that was based on feedback that we got from internal teams, and people have started using it. So it's great to see that.
A
There's a token acquisition interface that you can inject as well into your controllers or into, you know, any sort of downstream classes, so once they're added to the container by virtue of all they can pick up front. It was in 0.3 called ITokenAcquisition. I'm not sure if the name has changed for 0.4, but it's an interface that you can inject, so take a dependency on the interface in your controllers, and you can get tokens that way for whatever scopes you need.
B
Yeah, how soon will it appear or be made available for production apps? On the 29th of this month, we're hosting Jean-Marc, the principal PM that has worked on this library. Make sure to tune in to our show and ask all these questions.
A
I think anyone who's had to build with it as it is today, I think, will absolutely appreciate the changes that are in Identity.Web, and for new users who have never used any of it before, it's an extremely short and quick on-ramp to get the, you know, 80% of cases out of the box. And the question that just popped up in the chat, the token cache: so out of the box, it will support an IDistributedCache.
A
So, if you configure an IDistributedCache for ASP.NET Core overall, you can use that distributed cache with MSAL. In fact, we built one with Cosmos just a few weeks ago, to use Cosmos to be as one. Yeah, the only out-of-the-box default ones that we have today, I believe, are the in-memory one, and so just, you know, for dev and test. There was a SQL one, but I don't believe that one's still there. I think.
B
It's still there, so, all right, so there is an AddInMemoryTokenCaches. There is an AddSessionTokenCaches for session management and then there's distributed token caches that support NCache, Redis, distributed memory, Azure Cosmos DB and SQL Server, so anything that actually implements the distributed memory cache API can be used. If you have your own custom distributed memory cache that you rolled out in your solution, it can be added straight into our API, which is plug-and-play.
A
It just uses the distributed cache infrastructure in ASP.NET Core, instead of having a completely separate implementation that has to be managed separately. So.
B
Yep, exactly, and it's a one-liner, so again we made it as easy as possible for your lot to work with it. Very cool, more code, going, exactly, hey.
A
Well, thanks for having us, Stephen, we really appreciate it, and hopefully we'll talk to your audience soon, and if there are any questions, feel free to forward them on. Yeah.