So I'm trying to implement a SPA on an Azure App Service and was asked to use MSAL.js 2.0 for PKCE. I'm reading the documentation but I'm confused about the built-in auth from the Azure side and applying custom authentication. Can Built-in Auth be used for login and not rely on MSAL.js 2.0 anymore? Or is it something you apply both, like a Built-in Auth with MSAL.js 2.0 on code?
I'm expected to apply MSAL.js 2.0 but they're also saying I should use Built-in Auth. We've applied the App Registration for Built-in Auth but it's an Implicit Grant so I'm thinking it will not satisfy the requirement of using PKCE. So I'm confused if it's 2 separate things that shouldn't be done together or if they are dependent on each other.
Related
Current State: I have a mobile application that signs users into Azure AD via OAuth using the PKCE flow. Once authenticated, the app uses a token to get various forms of data from some APIs.
As the application has evolved, the need to integrate SSO with another web application has come up (and there will be further service providers added as we move forward). It will act as a service provider and it supports IDP initiated authentication via SAML.
Question: once this service provider is configured under the AD tenant, is there a way to exchange or translate our OAuth token for something that can be passed on to the the SAML SP without having to re-authenticate? Am I even thinking about this in the right way? I'm mainly curious if we will need to re-implement authentication in the mobile app to support SAML (i.e. stand up some sort of web-based SAML service that can act as a proxy for the mobile application)? If that route is a necessity to accomplish our requirements, I'm assuming there's a way to still get a valid OAuth or equivalent token we can use to send to our APIs.
Apologies if this is a repeat question, but I couldn't find anything with similar specifics. Thanks in advance!
You can surely use the OAuth 2.0 OBO flow that allows an OAuth2-based application to access web service API endpoints that consume SAML tokens. You can read more here and it has some really good guidance on how to achieve the same:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#saml-assertions-obtained-with-an-oauth20-obo-flow
Make sure that you SAML request is well formulated per the details mentioned here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol
So I recently started exploring Azure Identity Platform for this user authorization use case I'm trying to implement. After a bit of research I came across using Graph API and creating ROPC flows to handle SingUp and Login via REST API from my application. My requirement is also to allow users to use login credentials from another app (I'm not sure yet if it implements a SAML based Identity Provider method) to use services in my application. This is a typical SSO requirement, but I'm not sure if it is possible to implement alongside username-password based authentication using Azure AD B2C.
I would appreciate any leads. Thank you.
Edit: To be more precise, I am working with Java-Spring. The demo application mentioned in Azure AD documentation (Woodgrove groceries) is exactly what I'm trying to achieve. A quick google search for the same provides me with github repos with sample code that uses .Net I believe. Are there any Java sample codes that demonstrate the same?
ROPC does not support SSO if that's what you want to achieve.
I have an Azure Functions app and in Azure Portal I have configured Easy Auth -> Azure Active Directory.
The requirement is, that the API must support both AAD and some custom JWT Authentication, so that the consumer can Authenticate either using AAD or JWT.
How can I support multiple authentication mechanisms in Azure Functions?
As Easy Auth is actually an IIS module, I believe you'll need to receive the token in your Azure Function and programatically validate against the support providers.
Do it the same way you would do it in an ASP.NET Core application by using this package: DarkLoop.Azure.Functions.Authorize for Functions V3+, or DarkLoop.Azure.WebJobs.Authorize for Functions V2.
You can read this blog post for more information.
It will allow you to configure as many authentication protocols for authentication with the power of policies for every individual HTTP triggered function.
I have a Web App (VueJS + ASP .NET Core backend) hosted on Azure App Service and I use Azure AD B2C for authentication. I also have a Functions App that I want to call from the client code but I’m not sure what’s the best way to flow the auth to the Functions.
I can register the Functions App in B2C and set Easy Auth but how do I flow the already authenticated user from the client to the Function?
I can create a custom JWT token and be done with it but is it possible to flow a B2C token to the Function? If so, how do I validate the token?
If Easy Auth didn't work for you, there is a workaround and yes it is a manual task.
Send B2C token in header while calling Azure Function
Read the token at the function level and validate the JWT token.
You can easily validate JWT token by decoding/ writing simple code
Check Validate JWT SO post
This manual validation also secure and safe to use.
You can handle Azure B2C validation the same way I did here Github
There are several problems to handle:
1. Load token from valid b2c policy
2. Validate it depending on rules set.
3. Setup Validation on Startup/Attribute in order not to create boilerplate code.
4. Currently AF 2.0 does not support invocation short circuits, so you need to properly handle your 401 codes.
I wrote a little server in node.js and deployed it to Azure WebApp. I want to add service-to-service authentication using Azure AD OAuth (like this flow). I alredy did this in another WebApi sevice using Katana.
So, I found the official library for this, and it work great. The only problem is that the library use the ursa module, which is a native module. And, like explained here it is not easy to deploy a WebApp with native modules.
So, my question is - what is the best approach? How I could accomplish authentication using Azure AD OAuth?
Thanks,
Omer
Take a look at the Authentication / Authorization feature of Azure Web Apps. It allows you to do OAuth 2.0 service-to-service auth flows using Azure AD, no code changes necessary (also, it works with any stack, not just node.js).
More high-level info here: http://azure.microsoft.com/blog/2014/11/13/azure-websites-authentication-authorization/
The post is a bit dated and doesn't mention the recently added support for APIs, but if your client can acquire an OAuth token from Azure AD, you can send it to your node.js server as a bearer token in the Authorization header of your HTTP request and have the authorization just work.
Two things to be aware of if you go down this route:
Authentication / Authorization currently blocks ALL unauthenticated access to your node.js API. You won't be able to say that some APIs are protected and some are not.
The JWT token that you send to your node.js API must use the client_id GUID value as the value for the "aud" claim. Using the app URI (as shown in some Azure AD samples) will not work.
Give it a try and see if it works for you.