You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -28,6 +28,54 @@ The file structure is as follows:
28
28
29
29
30
30
31
+
## Register server on Azure Entra ID
32
+
33
+
Before deploying our server we need to create an app registration that we have deployed our API to Azure Web Apps, we need to register it on Microsoft Entra ID.
34
+
35
+
### Create a new app registration
36
+
37
+
Navigate to the **App registrations** blade and click on **New registration** button in the top left tab
Choose a fitting name. Here I have set the name to "Hvalfangst Server" as the registration will be utilized by the API we just deployed to Azure Web Apps. The client which is to interact with our server resource will **NOT** be deployed. It will merely run locally. The fact that
42
+
both the newly deployed server and the not-to-be-deployed local client are both APIs may seem confusing, but this is just for demonstration purposes. We do not need to set up a redirect URI for our server as it merely validates token received in the authentication header and calls the underlying
43
+
service if the associated token had the necessary scopes. We will set the redirect URL for our client in later sections, as it will have to execute a callback from browser to a specified endpoint.
Once the app registration has been created, store the application and tenant id for later use. We will make use of these when setting up the CI/CD pipeline - which deploys the server API to Azure Web Apps.
We will now proceed to create scopes. Scopes are in essence fully customizable access right labels, meaning that you may are free to pick any name. It is, however common to conform to the following pattern: **{RESOURCE}.{ACCESS_LEVEL}**.
56
+
Say that you for sake of argument have implemented a CRUD API in the domain of wines. Since the domain is wine, the prefix would naturally be **Wines**. Access levels could be **READ**, **WRITE**, **UPDATE** and **DELETE**.
57
+
For instance, the scope **Wines.Read** grants you access to **read** wines - which in the API translates to the right to perform any **HTTP GET** requests, which commonly would be actions such as listing all heroes or to get a specific hero.
58
+
59
+
Click on the **Add a scope** button under the **Expose an API** section, which is accessible from the **Expose an API** blade under **Manage**.
It goes without saying that the chosen scopes are just simple examples that does not necessarily conform to best practices when it comes to naming and even usages of scopes.
73
+
Feel free to adapt the scopes in the app registration and code as you see fit. It is also important to mention, now that we venture into the more technical aspects, that
74
+
the newly created scopes are absolutely junk in and of itself. You **must** reference the scopes exactly as defined in your server code for it to have any effect whatsoever.
75
+
That is, you must implement logic in your endpoints which verifies the signature associated with the token included in the auth header, ensures that the
76
+
audience is the client id associated with the server app registration and that the scopes included in the claims (after the token's signature has been verified)
77
+
matches that of what is required by said endpoint.
78
+
31
79
## Set up CI/CD via Deployment Center
32
80
33
81
Now that we have our new Web App resource up and running on Azure, we may proceed to set up our means of deploying our code to the
@@ -56,7 +104,17 @@ For the CI/CD workflow script to actually work, we have to make some adjustments
56
104
which are located in their own directories. The autogenerated script assumes that the files are located in the root folder, which is not the case here.
57
105
Thus, we need to change the script to reference files located under the server directory, as we are to deploy our server.
58
106
59
-
The final pipeline definition should look like [this](.github/workflows/main_hvalfangstlinuxwebapp.yml).
107
+
We are storing configuration values for our API in a class named [AzureConfig](server/config/config.py). Notice how the values for fields **TENANT_ID**
108
+
and **SERVER_CLIENT_ID** are retrieved from the runtime environment - which means that these environment variables must be set somehow. When running the
109
+
API locally for sake of testing one should **NOT** hardcode the associated values due to the risk of accidentally committing to SCM. Instead, you should
110
+
either set the environment values on your system or retrieve them from an .env file, which, naturally, **HAS** to be added your .gitignore.
111
+
112
+
Proceed to add two new GitHub Action secrets. These should be your tenant ID and the client ID associated with your newly created **Hvalfangst Server API** app registration.
We now need to modify our GitHub Actions Workflow script to set the environment variables in our Azure Web App itself. We do so by the use of the az CLI
117
+
command **az webapp config appsettings set** where the associated values are retrieved from our repository secrets we set above.
60
118
61
119
## Deploy API
62
120
@@ -72,42 +130,72 @@ Navigate to the **Deployment Center** section of your Azure Web App. A new deplo
Click on the **Environment variables** section of your Web App to ensure that the App setting environment variables **HVALFANGST_TENANT_ID** and **HVALFANGST_SERVER_CLIENT_ID**
134
+
have been set. The environment variable **SCM_DO_BUILD_DURING_DEPLOYMENT** was set by our [Terraform script](infra/terraform.tf) when creating the Azure Web App. It instructs our container to
135
+
build the virtual environment based on our [requirements](server/requirements.txt) file on deploy as opposed to utilizing some pre-built virtual environment that has been transmitted.
Now that we know that it deployed successfully it is finally time to access the API. Click on URI associated with **Default Domain**
76
140
77
141
78
142
79
-
You will be prompted with the following default page, which indicates that the API is up and running.
143
+
You will be prompted with the following index page, which indicates that the API is up and running.
80
144
81
145
82
146
147
+
The index page is available for all users and as such is not protected by any token validation logic. What is protected by token validation logic is our [heroes route](server/routers/heroes.py).
148
+
This route exposes 4 endpoints: "POST /heroes/", "GET /heroes/", "GET /heroes{hero_id}" and "DELETE /heroes/{hero_id}".
149
+
Notice how one in each endpoint always start by awaiting a function called [authorize](server/security/auth.py), passing in a token and a scope.
150
+
The scope names referenced in aforementioned function call are exactly what was defined earlier. Hence, my little
151
+
rant about scopes in and of itself being useless unless there is logic in place in the server code to actually enforce
152
+
this. The token is a bearer token, which should be passed in the authorization header. The authorize function will first and foremost attempt to verify the signature associated with the token by
153
+
utilizing public keys by use of the keys discovery endpoint exposed by Azure. A handful of keys unique to our tenant will be retrieved when calling the discovery endpoint. The Key ID used to sign the token
154
+
is actually included in the header of the token (remember that clients calling the server API first has to get a token from Azure Entra ID authorization server)
83
155
84
-
## Register API on Azure AD
85
156
86
-
Now that we have deployed our API to Azure Web Apps, we need to register it on Microsoft Entra ID.
157
+
## Register server on Azure Entra ID
87
158
88
159
### Create a new app registration
89
160
90
-
Navigate to the **App registrations** blade and click on **New registration** button in the top left tab
0 commit comments