Wiki.JS authentication with Azure AD B2C (Generic OpenID Connect) - azure-ad-b2c

I am trying to configure Wiki.js to work with my Azure AD B2C authentication. My Wiki.js version is 2.5.296.
To achieve, this I am using the "Generic OpenID Connect / OAuth2" authentication option on the Wiki.js side.
This does not work. After signing in with this option, I receive a message stating "Invalid email/ username or password" from Wiki.js.
As far as I can see, I have configured everything correctly from the Wiki.js side, with all of the "standard" OpendID Connect endpoints in the right place.
Note: To achieve this in Azure AD B2C I had to use a custom policy to setup a new "UserInfo" endpoint. I have tested this endpoint using Azure AD B2C and Postman (to obtain the UserInfo) and it all works. I have also verified that I am returning the "email" claim (which Wiki.js is expecting):
I can't seem to find any logs in Wiki.js which could suggest what is wrong.
My question is: How to proceed?
Is there a way I can get any extra logs out of Wiki.js? Should I consider checking out the Wiki.js source code and debugging? Has anyone any experience of integrating with a generic OpenID Connect provider with Wiki.js?

Related

python3-saml and Azure AD - missing a point

Good afternoon experts,
I have a Django web application (it is not internet-facing) and so far I used the django.contrib.auth.backends.ModelBackend to authenticate the users.
However I want to integrate this webapp to an existing SSO solution (like Azure AD) so I thought python3-saml would be a good library to be used (more specifically I use python3-saml-django but it is just a wrapper around python3-saml).
Probably I am missing some fundamental point as I don't really understand how this should work.
When I used ModelBackend then I had a login form where the user could type their username+password which was checked against Django database and the authentication was completed. Should the same work with SSO too? i.e. the login form appears, the user will type their credentials but they will be checked in Azure AD instead of Django auth tables? Or the custom login form of that specific auth solution (in this case Azure AD -> Microsoft login form) should be displayed...?
The LOGIN_URL setting is configured in my Django app so if no user is logged in then automatically my login form appears.
Also I set the AUTHENTICATION_BACKENDS setting and it points only to django_saml.backends.SamlUserBAckend.
I configured AZure AD (registered the app and added a user, I tested it in Azure AD console) hopefully correctly. I also populated python3-saml's settings.json with login/logout URL, etc.
Whenever I try to log in with the Azure AD user I got an auth error (the user and password did).
I am just wondering if somebody could shed some light please how this should work? Can I debug the SAML requests / responses?
auth is token based in azure ad and it will redirect the user to the microsoft login. You will receive an auth token which then you can use to for authorization and providing secure pages.
First register your app in azure portal in azure active directory and also create a user flow.
Then download MSAL for python (using pip) which is used for auth using azure ad for python.
The basic architecture is that when the user tries to login the Microsoft login page will be shown, after signing in your app will receive a token which then you should use to show the logged in pages.
References:
quickstart for auth in python
userflow
MSAL Library

Angular 2 - Windows Authentication - without .NET - Node JS API

My application is an Angular 2+ SPA, which uses Azure Active Directory and the back end API is implemented in Node JS. Currently, when an user tries to login, an Azure pop-up appears, User enter login/password which will get authenticated in AD, AD returns a bearer token which I use to authenticate Node JS API.
My requirement is, to use Integrated Windows Authentication (IWA). The Front End should use Windows authentication to get the bearer token from AD instead of asking user to enter login/password. How Can I do that? Whatever articles I see about this, all talk about IIS and .Net based application. Should I always use .NET based API to use Windows Authentication? Any hints would be greatly appreciated.
Just a note, the API is an enterprise application hosted in the cloud. All the users are internal company employees and are registered with AD.
Given you already have Azure AD sync setup, the following may be useful. AAD Connect allows you to seamlessly login with SSO:
https://learn.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso
Azure services doesn't support Windows Authentication, unless you setup a VM with IIS. I assume by your requirements "...Get the bearer token instead of asking user to enter login/password" mean single signon. That is, when a user is logged into the domain on their PC, they don't have to login again to your application.
There are a few ways to approach this depending on your AD configuration, but usually you have to configure ADFS for your organisation AD to allow your cloud app to authenticate you. If you are already logged in, it will simply redirect you and your app will receive the bearer token.
https://azure.microsoft.com/en-au/resources/videos/configuring-ad-fs-for-user-sign-in-with-azure-ad-connect/
Another option is to connect your organisation AD with Azure AD, using Azure AD sync. The following link helps with this. You would then configure your app to authenticate against Azure AD (as it currently does).
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad
AD configuration is not a simple configuration,

Verify ADFS federation with Azure AD

In relation to this question:
Azure AD graph API using on-premise domain
I have set up an federation between the on premise ADFS and Azure AD using the Azure AD connect tool. In the last step of the verification I ran into this:
I believe that it is because the ADFS needs to somehow be exposed to the internet. Probably using an proxy server. In the Azure portal the Domain is now marked as federated. I have tried to do a post to https://login.microsoftonline.com/{domain}/oauth2/token, it works when I use xx.onmicrosoft.com users created directly an the Azure AD domain. When I use a user#{domain} user syncronized from the on premise AD I still get
""error": "invalid_grant",
"error_description": "AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password....." like I did before I set up the federation. I would actually expect to be somehow redirected to the on premise login screen
So two questions:
Is it nessesary to have the ADFS exposed to the internet via a proxy for the federation not to fail?
How can I properly test logging in to Azure AD using the on premise user?
Thanks in advance :)
-Dan
As an answer to my own questions.
What I was trying to do was have my customers users in my azure ad domain. What that means is that the customer cant have their own Azure AD or office 365 as the domain can only exist once on Azure. So this is not at solution.
Use https://{domain}/adfs/ls/idpinitiatedsignon

Azure B2C integration with AWS Cognito Federated Identities

I am the process of integrating Azure B2C with AWS, namely setting up AWS Cognito with Azure B2C as a Federated Identity provider and using it for login purposes for a Mobile App.
For the most part, I believe I have configured everything correctly. This is what I have done so far
I have created a B2C Tenant and set up an "Application" in the tenant as well as a SignUpAndSignInPolicy. The Application has both the native and web clients enabled and also allowed implicit flow.
I have configured my Azure B2C Tenant as an Identity Provider in AWS and have created the necessary Roles for the IdP.
I have created an AWS Cognito Identity Pool and configured it to use the above IdP
I am using the MSAL library to authenticate with Azure B2C, specifically the MSALPublicClientApplication.init(clientId, kAuthority) method followed by acquireToken.
This presents an interactive login in the browser and returns a token to the app via a custom url. The token is valid and I've verified it with the JWT tool.
I then setup an AWSCognitoCredentialsProvider with the Cognito Identity Pool created in step 3 and a custom identityProviderManager which is a class where I have implemented the getToken and logins methods as per AWS documentation .
I then pass the token from step 5 to Cognito via the "return AWSTask(["providerName: "id_token"] statement inside the logins method.
After a ton of going back and forth, I have managed to get through most of the hurdles along the way, however I am now getting a token validation error from AWS, specifically:
error: Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8
"(null)" UserInfo={__type=NotAuthorizedException, message=Invalid
login token. Couldn't verify signed token.}
Googling that error really doesn't produce a ton of results, but from what I can make out, the sequence of events in the app is correct, however AWS is complaining about the validation of the token when it communicates with Azure.
There isn't a lot in AWS that can be configured the Identity Provider, such as secrets, scopes, or any of that, so I'm not really sure where to look.
I am hoping that to a seasoned OpenID pro, this error message means more than it means to me.
Some of the things I'm unsure about that may be relevant.
1. Azure B2C has a concept of "Keys" under an application which I am not currently using, because there is nowhere that I can specify a key of sorts in my implementation.
2. The MSALPublicClientApplication.init method returns an application instance that I then use to call application.acquireToken(forScopes: kScopes). I have no idea what to put for the scopes value because from what I've read, I only need "openid" and "offline_access", but when I try to specify those, I get an error that they're already included by default and that I can specify them in my API call. However, I am not allowed to leave this field blank so at the moment I have the Azure B2C Application ID (in the form of a GUID) which I'm not sure is correct.
Thanks a ton for your help!
Your set up looks correct. Not sure about MSAL library but when testing directly from Azure B2C console, you get different tokens depending on whether you mentioned your signin policy (using 'p' parameter) in the authorize URl. The one without this parameter works but the one with it does not. Something to do with how OIDC Discovery works and how it is configured in AWS IAM console.

Azure AD authentication fails with error message: "Error validating credentials. AADSTS50012: Authentication failed"

I've been working on a multi-tenant web application that uses Azure AD authentication, and authentication will intermittently fail with the error message: "AADSTS70002: Error validating credentials. AADSTS50012: Authentication failed." To be more clear, the steps I go through are:
Go to my web app, and click on link to go to Azure AD authentication
Enter valid user credentials for Azure
If this is the first time using my web app, Azure asks the user to grant permissions to their Azure AD information
After accepting the permissions, Azure redirects to the reply URL that I've set up in Azure AD for my application, but it replies with the aforementioned error in the URL string
The application itself is a Node.js web app that uses the Passport module for Azure AD authentication, although I don't think Passport is the source of the problem because the error I get is passed by Azure to the web application's reply URL.
I haven't had luck identifying the source, but I have seen posts from people with similar issues. I have a number of AD accounts that I use both personally and for work, and it seems that there is some remnant left in the browser's cache or local storage that causes this issue because I can switch to another browser or into incognito mode and the problem resolves itself.
I'd like to identify if this is a problem with Azure itself, the way my application handles authentication, or with my work/third party applications implement AD authentication.
I am trying to reproduce this issue using the code sample here in Chrome, however failed.
Based on the same issue link you mentioned, I noticed that the endpoint for he/she using was incorrect. To develop the multi-tenant app, we need to change the specific endpoint with common like below:
https://login.microsoftonline.com/common/
Were you using the specific endpoint? If not, would you mind sharing a code sample to help us to reproduce this issue?

Resources