I want to set up an OAuth2-compliant Identity Provider with Azure but am unable to find any useful links, earlier i was able to set up the same for Okta using the below steps
To configure Okta as Identity Provider:
Sign up for a free developer account at developer.okta.com
In Okta Developer Console, create an application: Applications ->Add Application ->Service ->Done.
Add default scope: API -> Authorization Servers ->Select “default” ->Scopes -> Add Scope. Enter name, and description, and check “Default scope”.
is there any way in azure so i can achieve the same.
in other words, how to setup OpenID connect with Azure
The same can be achieved in Azure with Azure Active Directory. You would have to register an application and configure the same from the Portal UI for your application like exposing app specific scopes.
The linked how-to docs from the official docs cover various other aspects like signing in users, app roles, tokens, claims, etc.
Related
I am looking into using Azure AD B2C to support external identity providers. It looks pretty simple to set up HRD and have the domain route to the correct provider (https://github.com/azure-ad-b2c/samples/tree/master/policies/home-realm-discovery-modern).
I'm getting confused if there is something within B2C or even within Azure that will support customers registering their own IDPs to our B2C tenant? Or it it's something I need to build myself. I may have 100s if not 1000s of customers using their own providers so I want to avoid manually upserting them.
I saw some companies had apps in the Azure App Gallery (ex: Dropbox, Salesforce, etc) that handled setting up SSO and registering an identity provider.
The Apps gallery is for Azure AD, not B2C.
You would have to do something yourself.
Given that it's just an XML file, you could have a config. file that contains the parameters and then write code that adds the technical profiles, adds the domain to the list as per the sample etc.
It would take into account that some are OIDC and some are SAML.
You would also have to add the client secrets etc.
This script from #JasSuri shows an example of how to do that.
I've done some reading in regards to Azure AD, but I still can't wrap my head around it. The confusion might be there also because of how my company tries to standarize how a azure project should look like.
Imagine I have two things: SPA app (served by App Service) and API (on this App Service, ASP.NET). The approach that the company is suggesting is that both of those should have their App Registrations.
Now, I'd like the API to have access to Ms Graph. In order to do that, looking at other projects, I updated my AppRegistration to request for Ms Graph roles, Admin gave consent, and in API I used ConfidentialClient to reuse my Client Id/Secret to get token and then access MsGraph.
Why the hustle? Why not just use Managed Identity of my API and grant needed permissions using New-AzureAdServiceAppRoleAssignment?
Why do I need App Registration here? Do I need both? Should I access Ms Graph using my App Registration and confidential client in my API? How does my App Service relate to my App Registration in code?
Let's take a step back and define a few things that will make things easy to understand:
Your app service: this is just a compute environment, just as Azure Functions, Logic apps or VMs. This is where your code executes.
Azure AD App registration: this is an identity that you can use in your code to identify your service and get access to resources you need. The Azure AD app registration has several capabilities:
build an app in one tenant and used in multiple tenants (multi-tenant app)
consent framework, allowing you to request permissions and the owner to grant it
define roles and permissions, so that you can configure who is allowed to call your API
3-legged OAuth flows which allows you to act on behalf of the user
confidential client flows which allow the app to act on its own (like a service account)
Azure Managed Identities: this is also an identity that you can use to identify your service and get access to resources you need. It only has a subset of the capabilities of Azure AD app.
confidential client flow which allows the identity to act on its own (like a service account)
credentials managed for you by the platform
Depending on what you are trying to do, you can use one or the other identity: rarely if ever you will need both.
In your case, you need an identity to act on its own. So either app registration or managed identity will work. Your API may benefit from using an app registration if you want to define roles and permissions. The primary advantage of using an app registration in your scenario is that the consent model is simpler to use and understand. The disadvantage is that you need to manage credentials for the app. This pro/con is reversed when using a managed identity.
You don’t need both at a time. These are two ways to get the access of MS graph for your API. They are used for different purpose.
Managed Identity (Using System Identity)
· Use the Managed Identity if you don’t require your API to be authenticate from any provider.
· A managed identity from Azure Active Directory allows App Service to access resources through role-based access control (RBAC), without requiring app credentials
· It known as safe way to give your web app access to data is to use a system-assigned managed identity
· Currently, there's no option to assign any permissions(MS graph) through the Azure portal for Managed Identity
· When we do Manged Identity of any application its show only for Enterprise application.
Reference : Tutorial - Web app accesses Microsoft Graph as the app - Azure App Service | Microsoft Docs
App Registration.
· To set the authentication and authorization of your app from different provider its need your app registration id.
· It’s required to configure a service and get a token from the Microsoft identity platform endpoint that service can use to call Microsoft Graph under its own identity.
·In this using portal you can add permission (MS Graph) for your application.
Reference : https://learn.microsoft.com/en-us/graph/auth-v2-service
I am quite new to the wonderful world of Azure development. I currently work on a Xamarin.Form project with an Azure backend. After researching a lot, I found this post: https://azure.microsoft.com/en-in/resources/samples/active-directory-b2c-xamarin-native/
that explain how to do signIn in Azure from XF2.4.
But I am a little bit lost in all the portal offered by Microsoft. I create my backend on the portal.azure.com and at first I create the application in the portail.azure too. But I rapidly understand that I need to use the new apps.dev.microsoft.com to create the application. Now I am able to Singin from my XF project correctly.
My question: it is the correct way to do that? Now I try to add some Admin and "Normal user" application roles, then assigned roles to users. But the application created in the apps.dev.microsoft.com is not listed in the AzurePortal and the configuration available in apps.dev.micorosft.com is very simple.
How I can do that? Thanks
To register an app that works with the v2.0 endpoint, you must use a new app registration portal: apps.dev.microsoft.com . And refer to document :
The v2.0 endpoint does not support issuing role or group claims in ID tokens.
The workaround would be add users to different groups , use microsoft graph api in you application to get user's group membership , then model Role based access control on top of Security Groups.
In addition .If you want to use Azure AD B2C , you should register the app in b2c application blade . And refer to this thread for how to manually retrieve these claims the group claims(need register a separate application) and inject them into the token.
I have enabled two identity providers i.e: facebook and google in my azure ad b2c tenant, but when I test them from within the portal with Run Now on the signup sign-in policy, only email option shows up, I've also tried and linked it up with my web app .NET CORE 2.0 app and there as well only email option shows up.
I followed official docs to create and save identity providers in my tenant, please let me know if there is an extra step which I don't know about. Following is a link to google + identity config
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-goog-app
Ensure that you have config the social identity data provider in the policy that you used to login. Refer the link below:
Azure Active Directory B2C: Built-in policies
I have created a API app in Azure portal. Then after I have configured Azure Active Directory and Facebook for Authentication/Authorization in Azure Portal (Portal -> My API APP -> Authentication / Authorization). Now my requirement is some API should be Allow Anonymous and other APIs should ask for Authentication either from Azure Active Directory or Facebook.
Same issues like my case: Question-1 Question-2
Please help !!
I think, your solution may benefit from using other authentication broker service called Azure Active Directory B2C. Basically, you configure the providers you want on the backend side, then integrate it into your application. Then, you are able to use mechanisms like policies, etc, in your app. For WebApp integration with AD B2C - tutorial.
I would do that in your situation because i believe that it would be better to offload authentication boilerplating to the backend instead of doing a lot of custom things in the application.
Other way of doing that would be to use custom attribute that will add the capabilities to authenticate, cache user information, authentication context (regarding your question about how to detect if someone is logged in) etc.