You expose a Web API and you want to protect it so that only authenticated users can access it. You want to enable apps authenticating users with both work and school accounts or Microsoft personal accounts (formerly live account) to use your Web API.

Later you enrich your Web API by enabling it to call another Web API such as the Microsoft Graph

This repository contains a progressive tutorial made of two parts:

Sub folder	Description
1. Desktop app calls Web API	This first part, presents an ASP.NET Core 3.1 Web API protected by Azure Active Directory OAuth Bearer Authentication. This Web API is exercised by a .NET Desktop WPF application. This subfolder contains a Visual Studio solution made of two applications: the desktop application (TodoListClient), and the Web API (TodoListService)
2. Web API now calls Microsoft Graph	This second part presents an increment where the Web API now calls Microsoft Graph on-behalf of the user signed-in in the desktop application. In this part, the Web API uses the Microsoft Authentication Library for .NET (MSAL.NET) to acquire a token for Microsoft Graph using the on-behalf-of flow
3.-Web-api-call-Microsoft-same-client-id	This third part presents an increment where the Web API now calls Microsoft Graph on-behalf of the user signed-in in the desktop application, but with an alternative architecture. In this part, the Web API also uses the Microsoft Authentication Library for .NET (MSAL.NET) to acquire a token for Microsoft Graph using the on-behalf-of flow, but the client ID of the desktop app and the Web API are the same
4. Console app calls Web API - with PoP	This part, presents the ASP.NET Core Web API protected by a Proof of Possession Authentication (Pop) token. This Web API is exercised by a .NET Desktop console application. This subfolder contains a Visual Studio solution made of two applications: the desktop application (TodoListClient), and the Web API (TodoListService)

Note: Even if you'll probably get the most of this tutorial by going through the part in the proposed order, it's also possible to jump directly to the second part or third part.

The Web API (TodoListService) maintains an in-memory collection of to-do items per authenticated user. Several applications signed-in under the same identities share the same to-do list.

The WPF application (TodoListClient) enables a user to:

• Sign in. The first time a user signs in, a consent screen is presented letting the user consent for the application accessing the TodoList Service.
• When the user has signed-in, the user sees the list of to-do items exposed by Web API for the signed-in identity
• The user can add more to-do items by clicking on Add item button.

Next time a user runs the application, the user is signed-in with the same identity as the application maintains a cache on disk. Users can clear the cache (which will also have the effect of signing them out)

The second phase of the tutorials modifies the Web API so that the todo-items also mention the identity of the user adding them.

The experience in the third phase is the same as in the second phase, but users can sign-in with their personal Microsoft account

The desktop application is a console application

• Install .NET Core for Windows by following the instructions at dot.net/core, which will include Visual Studio 2017.
• An Internet connection
• An Azure Active Directory (Azure AD) tenant. For more information on how to get an Azure AD tenant, see How to get an Azure AD tenant
• A user account in your Azure AD tenant, or a Microsoft personal account

From your shell or command line:

git clone https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2.git aspnetcore-webapi
cd aspnetcore-webapi

Given that the name of the sample is pretty long, that it has sub-folders and so are the name of the referenced NuGet packages, you might want to clone it in a folder close to the root of your hard drive, to avoid file size limitations on Windows.

• Start by the first part 1. Desktop app calls Web API where you will learn how to protect a Web API with the Azure AD v2.0 endpoint.
• or if you are interested in the Web API calling another downstream Web API using the on-behalf-of flow, go directly to 2. Web API now calls Microsoft Graph

Use Stack Overflow to get support from the community. Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before. Make sure that your questions or comments are tagged with [msal dotnet].

If you find a bug in the sample, please open an issue on GitHub Issues.

To provide a recommendation, visit the following User Voice page.

If you'd like to contribute to this sample, see CONTRIBUTING.MD.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

• Other samples for Microsoft identity platform are available from https://aka.ms/aaddevsamplesv2
• The conceptual documentation for MSAL.NET is available from https://aka.ms/msalnet
• the documentation for identity platform is available from https://aka.ms/aadv2