Episode #147 – PnP Core SDK Authentication Models

Here you can find the transcript of Episode #147 of PiaSys TechBites.

Welcome back to PiaSys Tech Bites. Today we keep on talking about the PnP Core SDK library. And specifically, I want to introduce you to the authentication model of the library, which is based on an interface called IAuthenticationProvider. Well, you can implement your own authentication model simply by implementing that interface, or you can just leverage the out-of-the-box PnP.Core.Auth NuGet package that we provide, in which you can find a bunch of ready-to-go authentication providers. For example, you can find an authentication provider to use the Credential Manager based authentication, you can use another one to leverage the device code based authentication or the interactive authentication or the username and password one. But you can also work in app-only mode using the X.509 certificate based authentication or the On-behalf-of authentication, as well as an external provider, which can be, for example, leveraged when you use ASP.NET Core to have an automatic and integrated authentication for users through Azure Active Directory.

Internally the PnP.Core.Auth library uses the Microsoft Authentication Library, so MSAL, and as such it is based on a really solid and open model for authenticating users in a token based authentication model. So let me move to the demo environment and let me show you how to play with PnP Core SDK and with user authentication. So here we are in a .NET Core console application. First of all, as you can see in this application, I have a dependency on the PnP.Core.Auth package, which I simply added to my solution, and for the sake of using the dependency injection inside my console application, I also have a dependency on Microsoft.Extensions.Hosting. Here, like we did in episode 145, I simply configured my host in the console application to add the PnP Core services and the PnP Core Authentication services. And then I can simply start the host and start using the PnP context factory object to get different context objects targeting different authentication models.

The authentication models that I am going to show you are defined in the configuration file of my application. Of course, you can also use a fully code-based approach if you like. But personally, I think that a configuration-based approach is more flexible. So here, in the credentials section of the PnPCore configuration section (as you can see, inside PnPCore we have the credentials section), I have the default configuration that I want to use, so that for whatever context I create without specifying a specific authentication provider, I fall back to the credential manager one, which is the one defined right here in the collection of configurations. As you can see in the collection of configurations, I have an array of items where every single item defines a specific authentication configuration. I could define the username and password one, but I need to specify the client ID and the tenant ID of an application registered in Azure Active Directory, and I have to specify the username and password that I want to use.

Be careful when you do that, because your username and password will be stored in the settings. A good idea would be to use Azure Key Vault to store that sensitive information. You can eventually skip providing the client ID and the tenant ID, and you will fall back to a default, multi-tenant application that we registered for you in our Microsoft 365 PnP tenant, to make it easier for you to develop a solution of your own. So you can even do that if you like. And then another option is to use the credential manager. In this scenario, you still can provide the client ID and the tenant ID of your own application if you like, or you can rely on the default one, and in the credential manager section you specify the name of the credential manager item that you want to use to retrieve the username and password to use while authenticating. I will not dig into the On-behalf-of right now, I will do that in one of the future videos, but we do support the On-behalf-of flow as well.

We have the interactive flow, where you simply need to define the application that you want to use. We have the X.509 certificate support, through which we simply specify, again, the application and the tenant ID, and then we specify the information about the certificate that you want to use for app-only, certificate based authentication. The device code one will simply provide the redirect URI for the device code authentication flow, and the external provider will simply provide, for example, a credential manager as a reference or whatever else; it will be your target configuration in the external provider. But now I want to focus my attention on some of the settings. So for example, on the credential manager, as you see, on the interactive login, the X.509 certificate and the device code. As you can see here in this sites section, which is just following the credentials section, we have a set of sites configured.

And for every single site, we have a name, we have a site URL and an authentication provider name. Meaning that, for example, in order to access this site URL, we want to use this authentication provider called credential manager, which is the one configured here in the configuration file of my application, and the same applies for all of the other sites defined here. So that in my application, when I say contextFactory.CreateAsync, a new context, a new PnPContext object, and I provide this name, this will be the name of the site configuration that I want to use here. So for example, TestSiteInteractive means that I want to go here and use this configuration, which will target this site URL using the interactive authentication provider configuration in the credentials. Okay, so this one. Simple as that.

So we can use within the same application different configurations, so we can use the CreateAsync for different options configured in the settings or, again, in the code based configuration, and for example, when you use a device code, as we will see soon, you have to provide a callback function that you will use to understand when you have the device code ready to go, and that’s what I’m doing here. So in the CreateAsync method, I’m using an overload which will provide me the authentication provider and will allow me to configure or provide additional settings for the authentication provider. In my scenario, the additional settings are actually the function that I want to execute in order to process the callback result. And here is just a function that, using PowerShell, will simply get the device code and will copy the device code into the clipboard. So let me run this application to show you how it works in action. It is a console application. So here is my console window. It will start and we will be able to go through all of the configured steps that we have right here.

So for example, we will start with the interactive login. Let me show you, as soon as the app is ready, and here it is. So now you see we have the interactive login model. So when I press Enter, I will start the interactive login. And by doing that, I will see my browser prompting me for credentials, which are already saved in my browsing session, so I can simply select this item and that will be authenticated with the credential of the user in my current tenant. If I go back, I can see that I queried the title, the number of lists and the master page of the target site. Now I can start another step, with the credential manager authentication, which is this one. We use this configuration and we still get the same information out of the target site. So let me press Enter again.

I will be brought to the target site and, given the fact that I’m using the credential manager, I don’t need any interaction and am simply reading the credentials from the credential manager. Now with the device code, I need to have an interaction with the Azure Active Directory infrastructure to provide the device code. So let me press Enter. As you can see now, I see the browsing window and I can provide the device code, and the callback function that I defined and showed you before simply copied into the clipboard the device code that I requested. So now I have my device code, I can click Next and I can say that, using the device code and using the current user, I want to access my target site using PnP Core. And again, you see here, we have just got the title, the number of lists and the master page again, or we can do that with an application-only approach.

So I will press Enter again, no interaction with the user, but we are retrieving an application-only access token, and we are using the access token to consume the target site. So multiple options to do the same thing and to consume Microsoft Teams or SharePoint Online using the PnP Core SDK. The key points of attention are the configuration of the credentials in the configuration file, as well as the mapping between the site that we target and the authentication provider that we want to use to access that specific site. Once you’ve done that, in the CreateAsync method you simply provide the name of the configuration you decided you want to use, and you will get an implicit authentication provider, or you will get the default one if you do not specify a specific one. Simple as that. Like always, thank you for watching this video. I hope you found it interesting and I am really looking forward to seeing you next week, and remember to subscribe to this channel. Thank you.
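To make the configuration file and the different CreateAsync calls described in the episode concrete, here is an added C# example; it is not code from the episode or from the PnP Core project. It embeds the equivalent of the appsettings.json file as a constructed JSON string, so it can be read as one unit: client and tenant IDs, the certificate thumbprint, the credential manager item name and the site URLs are placeholders. It assumes the Microsoft.Extensions.Hosting, PnP.Core and PnP.Core.Auth packages, that AddPnPCore and AddPnPCoreAuthentication take their options from the PnPCore section bound with services.Configure, and that the CreateAsync overload receiving an Action<IAuthenticationProvider>, the DeviceCodeVerification callback and its notification's Message property exist as used here. The username and password provider is deliberately left out, since it would put a plaintext secret into the settings; the credential manager and certificate providers cover the same scenarios without that.

```csharp
using System;
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using PnP.Core.Auth;                                   // DeviceCodeAuthenticationProvider
using PnP.Core.Auth.Services.Builder.Configuration;    // PnPCoreAuthenticationOptions
using PnP.Core.Services;                               // IPnPContextFactory, PnPContext
using PnP.Core.Services.Builder.Configuration;         // PnPCoreOptions

class Program
{
    // Constructed configuration, equivalent to an appsettings.json file.
    // All IDs, the thumbprint, the credential item name and the URLs are placeholders.
    private const string PnPCoreConfigJson = @"{
      ""PnPCore"": {
        ""Credentials"": {
          ""DefaultConfiguration"": ""credentialManager"",
          ""Configurations"": {
            ""credentialManager"": {
              ""ClientId"": ""<client-id-placeholder>"", ""TenantId"": ""<tenant-id-placeholder>"",
              ""CredentialManager"": { ""CredentialManagerName"": ""<credential-item-placeholder>"" }
            },
            ""interactive"": {
              ""ClientId"": ""<client-id-placeholder>"", ""TenantId"": ""<tenant-id-placeholder>"",
              ""Interactive"": { ""RedirectUri"": ""http://localhost"" }
            },
            ""deviceCode"": {
              ""ClientId"": ""<client-id-placeholder>"", ""TenantId"": ""<tenant-id-placeholder>"",
              ""DeviceCode"": { ""RedirectUri"": ""http://localhost"" }
            },
            ""x509certificate"": {
              ""ClientId"": ""<client-id-placeholder>"", ""TenantId"": ""<tenant-id-placeholder>"",
              ""X509Certificate"": { ""StoreName"": ""My"", ""StoreLocation"": ""CurrentUser"",
                                     ""Thumbprint"": ""<thumbprint-placeholder>"" }
            }
          }
        },
        ""Sites"": {
          ""TestSiteDefault"":           { ""SiteUrl"": ""https://contoso.sharepoint.com/sites/demo"" },
          ""TestSiteInteractive"":       { ""SiteUrl"": ""https://contoso.sharepoint.com/sites/demo"",
                                           ""AuthenticationProviderName"": ""interactive"" },
          ""TestSiteDeviceCode"":        { ""SiteUrl"": ""https://contoso.sharepoint.com/sites/demo"",
                                           ""AuthenticationProviderName"": ""deviceCode"" },
          ""TestSiteAppOnly"":           { ""SiteUrl"": ""https://contoso.sharepoint.com/sites/demo"",
                                           ""AuthenticationProviderName"": ""x509certificate"" }
        }
      }
    }";

    static async Task Main()
    {
        var host = Host.CreateDefaultBuilder()
            // Feed the constructed JSON in exactly as appsettings.json would be read.
            .ConfigureAppConfiguration(cfg =>
                cfg.AddJsonStream(new MemoryStream(Encoding.UTF8.GetBytes(PnPCoreConfigJson))))
            .ConfigureServices((ctx, services) =>
            {
                // PnP Core services plus the PnP.Core.Auth providers, both bound to the PnPCore section
                // (assumed binding pattern, see lead-in).
                services.AddPnPCore();
                services.Configure<PnPCoreOptions>(ctx.Configuration.GetSection("PnPCore"));
                services.AddPnPCoreAuthentication();
                services.Configure<PnPCoreAuthenticationOptions>(ctx.Configuration.GetSection("PnPCore"));
            })
            .UseConsoleLifetime()
            .Build();

        await host.StartAsync();
        using var scope = host.Services.CreateScope();
        var factory = scope.ServiceProvider.GetRequiredService<IPnPContextFactory>();

        // No AuthenticationProviderName on the site: falls back to DefaultConfiguration (credential manager).
        await DumpSiteAsync(await factory.CreateAsync("TestSiteDefault"));

        // Site-to-provider mapping picks the interactive (browser) flow.
        await DumpSiteAsync(await factory.CreateAsync("TestSiteInteractive"));

        // Device code: the overload hands over the provider so the callback can be set
        // (assumed overload and property names). Here the user code is just printed.
        await DumpSiteAsync(await factory.CreateAsync("TestSiteDeviceCode", authProvider =>
        {
            if (authProvider is DeviceCodeAuthenticationProvider deviceCode)
            {
                deviceCode.DeviceCodeVerification = notification => Console.WriteLine(notification.Message);
            }
        }));

        // App-only via certificate: an application token, no user interaction at all.
        await DumpSiteAsync(await factory.CreateAsync("TestSiteAppOnly"));
    }

    // Same query the episode runs against every context: title, number of lists, master page.
    static async Task DumpSiteAsync(PnPContext context)
    {
        using (context)
        {
            var web = await context.Web.GetAsync(w => w.Title, w => w.Lists, w => w.MasterUrl);
            Console.WriteLine($"{web.Title}: {web.Lists.Length} lists, master page {web.MasterUrl}");
        }
    }
}
```

The point to take from the layout is that the secret material never sits next to the site list: the credential manager entry only names a Windows credential item, the certificate entry only names a thumbprint in the user store, and the device code and interactive entries hold no secret at all. Swapping the provider for a site is a one-line change to AuthenticationProviderName, and leaving it out makes the DefaultConfiguration apply.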