We are done with all those tedious configuration screens and key replacements. Excited? But before you hit F5, set ToDoListService and ToDoListWebApp as startup projects. Once this is done, we can safely run our application and be greeted with its landing page. If you click on the Sign-in button, you will be redirected to login.microsoftonline.com; this is the Azure AD login. Once you have logged in, you will see the landing page as follows:
You can observe the network traffic and URL redirections when you log in to the application to study in detail how the ID token is exchanged and how an access token is obtained. If you explore the application through the ToDoList menu, you will be able to access the ToDoList screen as well as add items to ToDoList. This is where our TodoListService microservice gets called and gets its authorization permissions from the TodoWebApp web application. If you explore the profile menu, you will see the returned ID token along with your first name, last name, and email ID, which shows OpenID Connect in action.
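When studying the captured traffic, it helps to decode each token and check who it was issued for. The following is an added example, not code from the sample projects: it decodes a token's claims without verifying the signature, so it is for inspection only and never a substitute for the validation the service performs. It assumes that the ID token's `aud` is the web app's client ID and the access token's `aud` is the service's App ID URI. The client ID, the URI, the claim values, and the tokens themselves are constructed for the example.

```python
import base64
import json
import time

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))

def inspect_token(token, web_app_client_id, service_app_id_uri, now=None):
    """Classify a captured token by audience and list problems a validator would reject."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    if aud == web_app_client_id:
        kind = "id_token"        # issued to the web app about the signed-in user
    elif aud == service_app_id_uri:
        kind = "access_token"    # issued for the web API, sent as a Bearer token
    else:
        kind = "unexpected_audience"
    problems = []
    if kind == "unexpected_audience":
        problems.append(f"aud {aud!r} matches neither application")
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    return {"kind": kind, "problems": problems, "claims": claims}

def _make_sample(claims: dict) -> str:
    # Constructed, unsigned sample token; the signature segment is a dummy.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

CLIENT_ID = "11111111-2222-3333-4444-555555555555"        # constructed value
SERVICE_URI = "https://contoso.example/TodoListService"   # constructed value
ID_TOKEN = _make_sample({"aud": CLIENT_ID, "exp": 2000,
                         "given_name": "Ada", "family_name": "Lovelace"})
ACCESS_TOKEN = _make_sample({"aud": SERVICE_URI, "exp": 2000, "scp": "user_impersonation"})

if __name__ == "__main__":
    for tok in (ID_TOKEN, ACCESS_TOKEN):
        result = inspect_token(tok, CLIENT_ID, SERVICE_URI, now=1000)
        print(result["kind"], result["problems"], sorted(result["claims"]))
```

A token whose audience matches neither application, or one that is already expired, is exactly what the receiving side must reject after it has also verified the signature.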
If you want to explore the code in detail, TodoListController.cs in the TodoListService project, Startup.Auth.cs, and TodoListController.cs contain interesting bits of code along with explanatory comments.
In this example, we used OAuth and OpenID Connect to secure a browser-based user interface, a web application, and a microservice. Things might be different if we have an API gateway between the user interface web app and the microservice. In this case, we need to establish trust between the web app and the API gateway. Also, we have to pass the ID token and access token from the web app to the API gateway. The gateway, in turn, passes the tokens to the microservice. However, it is not feasible to cover the discussion and implementation in this chapter's scope.