Closed. This question is not about programming or software development. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 6 days ago.
Improve this question
I created a new ASP.NET Core MVC 6.0 web application >> and i define it to use Azure AD for authentication, as follow:-
then i were asked to create owned application, so i created one named "ad" as follow:-
and inside my application's appsetting i got these settings:-
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "*****",
"TenantId": "***",
"ClientId": "***",
"CallbackPath": "/signin-oidc"
},
so seems visual studio did all the work for us. but when i accessed the "ad" application inside Azure >> i got that this application does not have any client credentials, so is this fine, as follow:-
Second question, if i want to define credentials, seems i have 2 options; create a client secret or certificate. so what are the differences between them? and if we add a client credentials then do we need to update our asp.net application accordingly ?
Thanks
Note that: Client Secret and certificate is kind of password to the Azure AD Application and can be used to authenticate the Application.
I tried to reproduce the same in my environment and got the results like below:
You can create the client_secret while creating the Application as below:
The appsettings.json file looks like below:
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "*****",
"TenantId": "***",
"ClientId": "***",
"ClientSecret" : "***"
"CallbackPath": "/signin-oidc"
},
Otherwise, you can generate the client secret manually in the Azure Portal like below:
For certificate authentication, refer this MsDoc.
To prove the application identity client secret or certificate is required while generating the token.
Certificate is more secure than client secret.
Certificate is more expensive than client secret.
While accessing the API, client secret is required.
Client secret or certificate provides security to the Application blocking anonyms access.
Related
I created a new ASP.NET Core 6.0 MVC web application using Visual Studio 2022, and I define it to use Azure AD for authentication, as follows:
Then I was asked to create an owned application, so I created one named "ad" as follows:
Inside my application's appsetting.json I have these settings:
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "*****",
"TenantId": "***",
"ClientId": "***",
"CallbackPath": "/signin-oidc"
},
....
}
It seems Visual Studio did all the work for us.
But when I checked the "Certificate & Secrets" in the Azure portal for the generated Azure AD APP, I found that there is not anything assigned:
So now we are going to upload a certificate (.crt file), but i have those questions:-
Now the above ASP.NET Core MVC web application already have SSL certificate bought from Go-daddy, so can we use this certificate also inside our Azure Active directory App ?
Also, after uploading a certificate inside our Azure Active Directory App >> do we need to pass the certificate Thumbprint from our web application ? if the answer is yes, then what i need to do exactly , do we need to modify the Identity platfrom code?
If you used VS to integrate AAD and create resource for you, then the appsettings.json file should look like this. And it's also OK to add configurations manually.
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "xxx.onmicrosoft.com",
"TenantId": "tenant_id",
"ClientId": "client_id",
"CallbackPath": "/signin-oidc",
"ClientSecret": "Client secret from app-registration. Check user secrets/azure portal.",
//"ClientCertificates": []//I comment this line
},
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft.AspNetCore": "Warning"
}
},
"AllowedHosts": "*",
"MicrosoftGraph": {
"BaseUrl": "https://graph.microsoft.com/v1.0",
"Scopes": "user.read"
}
}
=============================================================
Firstly, the client secret is used for calling API, for example Ms graph API. Then in this answer, I demonstrate how to integrate Graph API in the APP, then you can get the client secret which is already generated for you.
After finishing all these steps, your project has already set up, going to Program.cs you can see code below, and it already read the configurations including the secret.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
.EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
.AddMicrosoftGraph(builder.Configuration.GetSection("MicrosoftGraph"))
.AddInMemoryTokenCaches();
but you still need to go to appsettings.json to paste the client secret into "ClientSecret": "Client secret from app-registration. Check user secrets/azure portal.",. You'd better to comment "ClientCertificates": [] because you are using secret but not certificate.
By the way, the client secret can exist several valid secret at the same time, this is designed for avoid app crash because of secret expired. So you can have 2 client secrets, if one of the secret is about to expire, you can create a new one in Azure AD then paste the secret value into your project. This means, for example, you used the Visual Studio to generate the secret, but you didn't store the secret, you also create another secret manually in Azure portal and use it in your app.
I have created a Blazor application that calls a Web API(.Net) and uses Azure AD B2C for authentication. This works fine on my local machine. I can authenticate via the login screen and call the relevant endpoint. Once I deploy the application to Azure I get this error on the browser:
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user
Failed to load resource: the server responded with a status of 401 (Unauthorized)
On the Blazor(UI) side I have this set up:
"AzureAd": {
"Authority": "https://CarehomeRoomBookingTest.b2clogin.com/CarehomeRoomBookingTest.onmicrosoft.com/B2C_1_SignUpIn",
"ClientId": "77##############################",
"ClientSecret": "99#########################",
"ValidateAuthority": false
}
On the Web API side I have this set up:
"AzureAdB2C": {
"Instance": "https://CarehomeRoomBookingTest.b2clogin.com",
"ClientId": "16#############################",
"Domain": "CarehomeRoomBookingTest.onmicrosoft.com",
"SignedOutCallbackPath": "/signout/B2C_1_susi_reset_v2",
"SignUpSignInPolicyId": "B2C_1_SignUpIn",
"TenantId": "38#############################"
}
Why would this be happening when the application is deployed and hosted on Azure?
Please check if any of below is your case:
1.See if scope for your API that Your front-end app needs to use is correct. This way it will get an access token which is meant for your API. Register a
scope for your API app registration through the Expose an API
section and use the scope in your front-end app.
and grant admin consent :
Your scopes will be present this way
Please make sure to include the scopes exposed in the portal for your backend api in the auth in your code
Also please check if you have given proper permissons or if use of
delegated permissions is the issue .See
getting-401-unauthorized-error-StackOverflow
I have two applications -
public client application (.NET Core console app), in which user gets Microsoft identity access token
web API, which tries to call Microsoft Graph on-behalf-of user, using that access token
When I call Microsoft Graph from web API, I get a MicrosoftIdentityWebChallengeUserException, which inner exception states:
"The user or administrator has not consented to use the application with ID <...> named <...>. Send an interactive authorization request for this user and resource."
I've tried:
to pre-authorize client application in service application using Expose an API tab in Azure Portal
to add client application ID in knownClientApplications array in Manifest tab
to include the scopes, needed for Microsoft Graph (e.g. "User.Read"), in the access token, obtained by the user
but it seems that this does not work and I still get the same exception.
The question is - can I somehow avoid this exceptional situation by getting all needed permissions in a user access token, before calling the GRPC service, or if not, that how do I need to handle this exception to propagate it back to the user.
Full details here. Keep following the Next Steps.
Basically, you'll need to:
Include the Microsoft.Identity.Web and Microsoft.Identity.Web.MicrosoftGraph NuGet packages in your API project.
Set up a Client Secret or a Certificate in the Azure App Registration. Include that in your appsettings.json file:
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "{YOUR-DOMAIN-NAME-FROM-APP-REGISTRATION}",
"TenantId": "{YOUR-TENANT-ID-FROM-APP-REGISTRATION}",
"ClientId": "{YOUR-CLIENT-ID-FROM-APP-REGISTRATION}",
"Scopes": "{YOUR-API-ACCESS-SCOPE-FROM-APP-REGISTRATION}",
"CallbackPath": "/signin-oidc",
"ClientSecret": "{YOUR-CLIENT-SECRET-FROM-APP-REGISTRATION}"
}
Include the following section in your appsettings.json file:
"Graph": {
"BaseUrl": "https://graph.microsoft.com/v1.0",
"Scopes": "User.Read"
}
Include the following code in your Project.cs file or Startup.cs file (depending on what version of .Net you're using):
Startup.cs:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(Configuration, Configuration.GetSection("AzureAd"))
.EnableTokenAcquisitionToCallDownstreamApi()
.AddMicrosoftGraph(Configuration.GetSection("Graph"))
.AddInMemoryTokenCaches();
Project.cs:
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"))
.EnableTokenAcquisitionToCallDownstreamApi()
.AddMicrosoftGraph(builder.Configuration.GetSection("Graph"))
.AddInMemoryTokenCaches();
From there, you just need to inject the GraphServiceClient into your controller or page constructor. The link above provides code for implementation in an ASP.NET API. I'm using this method in a Blazor Webassembly hosted app, so my implementation needs varied slightly from the instructions, but it's running/working as it should.
We are facing 502 bad gateway error on web portal which uses our client Azure App registration settings.
Client provided us the following details with single username / password form their domanin to test SSO
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "XXXXX.co.uk",
"TenantId": "xxxxxxxxx-xxxx-xxxx-xxx-xxxxxxxxxxxx",
"ClientId": "xxxxxxxxx-xxxx-xxxx-xxx-xxxxxxxxxxxx",
"CallbackPath": "/SignInVerify",
"SignOutPath": "/aad-signout"
}
We deployed website, tested everything using the user provided and all seems to be working for user client provided.
When more user tried to use this website, they get 502 bad gateway erorr but we can still use username/password provided to us without any issue.
Client is large corporate client could have multiple Azure tenant for Azure Active Directory and we don't know their user group structure etc.
What could be the cause of the issue for all user other than the one we can currnetly test/use?
Thank you for your help in advance on this.
Change the configuration to below format :
{
"AzureAd": {
"Instance": "[https://login.microsoftonline.com/"](https://login.microsoftonline.com/%22 "https://login.microsoftonline.com/%22"),
"Domain": "microsoft.onmicrosoft.com",
"TenantId": "xxxxxxxxxxxxxxxxxxxx",
"ClientId": "xxxxxxxxxxxxxxxxxxxx",
"CallbackPath": "/signin-oidc",
"SignedOutCallbackPath": "/signout-callback-oidc"
},
And also check that you have selected multitenant
So I created an ASP.NET Core website with IdentityServer authentication and published it to my Azure Web App but it complains about the certificate. I'm just using the default basic 1 tier web app with no custom domain. The web app is signed by a certificate out of the box so can't I just use that somehow?
Do I really need to buy a custom domain and my own certificate for this to work? I would prefer if I can just keep using the web app without a custom domain.
In the diagnostics dump I can see the error
Couldn't find a valid certificate with subject 'CN=MyApplication' on the 'CurrentUser\My'
at Microsoft.AspNetCore.ApiAuthorization.IdentityServer.SigningKeysLoader.LoadFromStoreCert(String subject, String storeName, StoreLocation storeLocation, DateTimeOffset currentTime)
at Microsoft.AspNetCore.ApiAuthorization.IdentityServer.ConfigureSigningCredentials.LoadKey()
at Microsoft.AspNetCore.ApiAuthorization.IdentityServer.ConfigureSigningCredentials.Configure(ApiAuthorizationOptions options)
Startup.cs
var identityserver = services.AddIdentityServer();
identityserver.AddApiAuthorization<ApplicationUser, AutheticationDbContext>();
identityserver.AddSigningCredentials();
services.AddAuthentication()
.AddIdentityServerJwt();
appSettings.json
"IdentityServer": {
"Clients": {
"MyWebProjectName.Client": {
"Profile": "IdentityServerSPA"
}
},
"Key": {
"Type": "Store",
"StoreName": "My",
"StoreLocation": "CurrentUser",
"Name": "CN=MyApplication"
}
}
When you deploy your webapp, you will get a url like: https://appname.azurewebsites.net.
Do I really need to buy a custom domain and my own certificate for this to work?
Then you can use powershell to generate self signed certificate. So you don't need to create a new domain or buy certificate.
After deployed app, you also need to upload your self signed certificate on portal, like Syarif Mathis's answer on below post.
How to configure key settings for IdentityServer in appsettings.json for aspnet core app running on IIS