From the course: Microservices: Security

Register client applications

- [Instructor] The final OAuth building block that we'll check out in Microsoft Entra is the client. You'll recall the client is some application or service that wants to access the resource owner's protected resources, which are held by the resource server, and that's our microservice. Now, clients are also registered as app registrations in Microsoft Entra, similar to how our microservice was. However, there are a few configurations that differ. Let me show you what I mean.

We're going to begin registering our client by creating a new app registration. The first thing we'll do is give our client a name, so I'm going to call it microservice-client. We'll leave the single tenant option selected for the account type, and then we need to provide this configuration for the redirect URI. This is a URI that's going to be used during OAuth flows to exchange information between the authorization server, Entra, and the client. The first thing we need to do for the redirect URI is select the type of platform. In this case, it's going to be web, and then here we provide the URI. Now, we're going to be conducting our OAuth flows on our local workstation, so I'm just going to specify localhost here. All right. Once that's in place, we can go ahead and click this button to register our new client application, and you'll notice that it also gets an application or client ID. This will be important during our OAuth flows.

Now we're going to add some permissions to this client application to allow it to access the scope that we created on our microservice. To do that, we come over here to API permissions, and then we click on this button to add a permission for our app registration. This will open a panel that displays all of the applications used within our organization's tenant. Now, to find our microservice that we registered previously, select this APIs my organization uses option, and then here, just type chat, and that will filter to our chat microservice. Now, once we select that, we can see the scope that we created on that microservice's app registration. So click on this and hit add permissions, and now you'll see that scope appear within the API permissions of our client. Now, for this permission, I'm going to consent as an administrator for all of the users within the tenant by clicking this grant admin consent button. Once I do that, it's going to allow this client application to access the chat messages of all the users within this organization.

The final configuration we'll need to put in place is a client secret. It's a credential this client is going to use to authenticate with the authorization server. To put that in place, we'll click on the certificates & secrets blade, and then we'll click this button to create the new client secret. It's going to open this dialogue over on the right-hand side, and we can add a description for the secret. I'll just say it's the client secret, and then we can go ahead and click on the add button and the secret will be generated for us. Now, you'll notice the value for this secret is displayed right here. At this point, you want to copy this secret because you will not have access to it again. This is a credential and it should be handled securely. Let me go ahead and store that away.

All right, so that covers the final building block of OAuth and how it works within Microsoft Entra. Let's move on to our next lesson where we'll see the role that these building blocks play when we orchestrate OAuth flows.
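The following is an added example, not part of the course material: a small Python audit of the settings chosen in this lesson (single tenant, redirect URI, delegated scope, client secret) run over an exported app registration. The field names follow the Microsoft Graph application object; the sample record, its placeholder GUIDs and the second redirect URI are constructed for illustration, and the timestamp parsing assumes whole-second values as in the sample.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample in the shape of a Microsoft Graph application object.
# GUIDs are placeholders, not values from the course.
SAMPLE = json.loads("""
{
  "displayName": "microservice-client",
  "signInAudience": "AzureADMyOrg",
  "web": {"redirectUris": ["http://localhost", "http://app.example.com/callback"]},
  "requiredResourceAccess": [
    {"resourceAppId": "00000000-0000-0000-0000-000000000001",
     "resourceAccess": [{"id": "00000000-0000-0000-0000-0000000000aa", "type": "Scope"}]}
  ],
  "passwordCredentials": [
    {"displayName": "client secret", "endDateTime": "2024-01-01T00:00:00Z"}
  ]
}
""")

LOOPBACK = {"localhost", "127.0.0.1"}

def audit(app, now):
    """Return a list of findings for one app registration."""
    findings = []
    # The lesson keeps the single tenant account type.
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("not single tenant")
    # Plain HTTP is acceptable only for a local workstation redirect.
    for uri in app.get("web", {}).get("redirectUris", []):
        parsed = urlparse(uri)
        if parsed.scheme != "https" and parsed.hostname not in LOOPBACK:
            findings.append(f"non-HTTPS redirect URI: {uri}")
    # The lesson adds a delegated scope ("Scope"); flag anything else ("Role").
    for resource in app.get("requiredResourceAccess", []):
        for perm in resource.get("resourceAccess", []):
            if perm.get("type") != "Scope":
                findings.append(f"application permission requested: {perm.get('id')}")
    # Client secrets are credentials with a lifetime; report expired ones.
    for cred in app.get("passwordCredentials", []):
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        if end <= now:
            findings.append(f"expired secret: {cred.get('displayName')}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, datetime.now(timezone.utc)):
        print(finding)
```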
