Azure APIM - OAuth 2.0 - Internal Service API Authentication Issue - azure

I need to expose an internal service API which runs on a server of our domain. The service is written in Java and is a SOAP service supporting basic auth. I need to implement Client Credentials flow via OAuth 2.0 and expose it via APIM (Azure API Management). The service will be used by external client applications (daemons).
What I've done so far is to create 2 Azure App Registrations: 1 Client App and 1 Proxy App.
App Roles have been defined in the proxy app and the client app has permissions on the proxy app.
In the client app I have setup Client Secret.
In the APIM initially I created a static http 200 response (via inbound policy) in order to test the service. Works fine.
<return-response>
<set-status code="200" />
<set-header name="content-type" exists-action="override">
<value>application/json</value>
</set-header>
<set-body>{
"status": "200",
"message": "OK"
}</set-body></return-response>
Then added an inbound JWT validation policy. I request a token from MS via Postman, pass the Bearer token to the API endpoint call and the token is being validated. Works fine.
Then I need to "route" the request to our internal service. We have already setup Azure Application Proxy, so I edit the Internal Url of the proxy enterprise app and set it to the internal service Url. I also remove the inbound static 200 response policy in order to allow the request to reach my internal service.
In such case if the proxy enterprise application "pre authentication" is set to passthrough it works fine but if it is set to "Azure Active Directory" it doesn't - I get a 200 response but requests to sign-in (html).
In case I leave the 200 reply from APIM (not reaching my endpoint) it works no matter if the enterprise application is set to "Passthrough" or "Azure Active Directory".
Any ideas?
Thank you in advance,
Dimitris

Related

Azure Function App (Backend) 401 Error when accessing from Azure App Service Frontend

we have a problem and i dont see anything which i can do for now. I've already followed for example this article but i does not work for now: Azure Function App as Backend
Azure AD Authentication is configured in our Azure Function App and with postman i can connect with a bearer token to the function app.
Function App Authentication is configured with error 401 for apis
I can see in the browser that there is always this error when we open the frontend app. There is no access to the Azure AD secured backend function app from the frontend: Failed to load resource: the server responded with a status of 401 (Unauthorized)
i exposed the api from the app registration of the backend function app and gave them invoke delegated rights to the frontend app registration like in the blog article. CORS is configured too.
App Reg Invoke Config
is there anything i can do? We login to our Frontend App Service with Azure AD credentials and this token should give access to the backend service function app too so there is nothing unprotected in the public internet. But frontend get always this 401 error.
I tried to reproduce the scenario from my end :
When you decode the bearer token ,
Check issuer url and audience received
Also if issuer url has v2 endpoint ,Make sure the accessTokenAcceptedVersion is set to 2 other wise null or 1
Manifest:
{
"id": "4axxxxxxx039",
"acceptMappedClaims": null,
"accessTokenAcceptedVersion": 2,
...
}
Try including function app url https://kafnapprepo.azurewebsites.net
in allowed audiences. Along with the clientId of the app and AppId uri
and make sure the permissions are granted admin consent.

How to implement On behalf of flow in Azure Ad?

Net core application. I have three applications registered in azure ad.
React SPA application
Web API Gateway application
Protected API application
Whenever user logs into SPA application, Redirecting to Azure AD with implicit flow to get access token.
I have received access token as below and used to access apis from gateway layer
{
"aud": "7851c317b-87e7-4cb3-95f0-37cb52b6f873",
"family_name": "alex",
"given_name": "fernandes",
"hasgroups": "true",
"roles": [
"Admin"
]
}
In the above token aud is client id of the spa application and other few details I added but not all the details.
Now I want to call Protected API application from Web API Gateway application
I am trying with sample http request in postman as below.
Request - https://login.microsoftonline.com/45fgh-f30d-4596-gt67-7045b338485a/oauth2/v2.0/token
Body
{
"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer"
"client_id": "" //unknown client id of SPA or API GateWay or Protected API
"client_secret": "" //unknown client id of SPA or API GateWay or Protected API
"assertion": "Above token"
"scope":"" //unknown
"requested_token_use" : "on_behalf_of"
}
Along with above confusions, just wondering Is there any configurations required in azure ad in order to generate token for Protected API. One more thing is the token generated to access Protected API does that token have user details and role details same as above token generated by SPA?
Can someone help me in configuring On behalf of flow? I am struggling here to get this done. Any help would be appreciated. Thank you
As the following diagram shows, Client App means React SPA application, Web API 1 means Web API Gateway application, and Web API 2 means Protected API application. For more details, see this blog.
Steps of On-Behalf-Of flow:
Add API permission of Web API Gateway application to SPA application.
GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
?scope={permission for Web API Gateway application like api://1108f6-xxxxxxx-9f622/test} openid
&redirect_uri={redirect_uri of SPA application}
&nonce=123
&client_id={client-id of SPA application}
&response_type=id_token token
Add API permission of Protected API application to Web API Gateway application.
It calls Microsoft Graph API in the official document, so the scope is 'user.read' in this step.
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&client_id={client_id of Web API Gateway application}
&client_secret={client_secret}
&assertion={access token from previous step}
&scope={permission for Protected API application}
&requested_token_use=on_behalf_of
Call Protected API application with the access token

LEGACY EDGE ONLY: HTTP request is unauthorized with client authentication scheme 'Negotiate'. .'

I have an application that calls a wcf service, the application uses windows authentication and anonymous access is disabled. I am still getting the error in accessing the service:
'The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'.' '
The odd part is that it is working fine in IE11 and chrome (v83), this issue is appearing on Windows 10 1809 version only.
Attaching screenshots from my IIS below.
Can anyone suggest what could be the possible issue?
try to set the below setting in iis:
open iis, Select Website
Select ‘Configuration Editor’
Select
‘system.webServer/security/authentication/windowsAuthentication’
useAppPoolCredential to True
Make sure both WCF and the .net application URL using the same protocol.
set the application pool user to the domain account.
at client configuration set below code:
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
you could refer below link for more detail:L
401 Client 'Negotiate', Server 'Negotiate,NTLM' When Calling WCF Server to Server

Microsoft Bot - Authenticate exposed API endpoint (IDX10205: Issuer validation failed)

Trying to add authentication/authorization to an exposed endpoint by a Microsoft Teams Bot.
The bot is deployed on Azure; bot-things working fine so far.
It's exposing 2 endpoints:
/api/messages: this is used as BOT URL.
/api/notify: this is the endpoint I want to add authentication & authorization.
Context: the Bot is exposing /api/notify so an external service will call here making the bot to send activities to public channels.
Azure Configuration overall
The Bot Channel Registration is linked to a registered app on the Active Directory. This registered app has a will-never-expire secret. The src code itself uses this applicationId and secretId.
What I've tried
App service > Authentication: App Service Authentication ON/Login with Azure Active Directory
ClientId: the applicationId
Issuer URL: https://login.microsoftonline.com/{tenantId}
Authentication tab: I've added a Web platform:
https://{my-service}.azurewebsites.net/.auth/login/aad/callback
Supported account types: Accounts in any organizational directory (Any Azure AD directory - Multitenant)
Enable Implicit Grant flow > Open ID tokens
not sure if I need to "Expose an API" and set as Application URI the base URL of the bot service (https://{my-service}.azurewebsites.net);
not sure if I need to register a second app in the Active Directory and have a tuple: "bot app"/"authentication provider" and re-think the whole thing
In the end, I want the external service to authenticate using a pair "clientId/clientSecret" and making HTTP requests to {my-service}.azurewebsites.net/api/notify;
no token -> 401
valid token -> ok
The problem
With this configuration the bot stops authenticating itself, if I - for instance - open the emulator and use the original applicationId + secret credentials, the initial POST to /api/messages receives:
{
"value": {
"code": 401,
"message": "IDX10205: Issuer validation failed. Issuer: '[PII is hidden]'. Did not match: validationParameters.ValidIssuer: ..."
}
}

Azure API Managment Not Able to Authorize with azure b2c: Signature Failed

I have configured a backend application (api) and azure apim devportal (client app) in b2c. I have provided access to backend api from client app. I have
used this to configure oauth authentication in azure api management.
I am using authorization code flow. For token validation, I have used inbound policy:
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true" clock-skew="0">
<openid-config url="https://<domain>/tenantid/v2.0/.well-known/openid-configuration?p=signinsignup_policy" />
<required-claims>
<claim name="aud">
<value><appid for backend app></value>
</claim>
</required-claims>
</validate-jwt>
While trying from apim developer portal
I am getting below error while using the token received:.
JWT Validation Failed: IDX10501: Signature validation failed. Unable to match keys
I have configured backend api application id as resource and user_impersonation as defaultscope. Decoding token I can see same backend appid as aud. I also tried using appid uri as resource but see same error.
Any help is appreciated.
There are a couple of scenarios that can lead to this error.
Did you check below threads
Azure AD B2C error - IDX10501: Signature validation failed
https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/issues/18
If above are not helped: I assume that you are using Custom Policies. While creating Signingkey and encryption you must follow the steps which are described at https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom.
If you skip or modify Key Type/ Key Usage while creating TokenSigning
& TokenEncryption keys there is a chance to get that issue.
Below steps I tried while integrating B2C with API Management. And it is working as expected
Created Web API and Integrated B2C (Followed https://azure.microsoft.com/en-in/resources/samples/active-directory-b2c-dotnet-webapp-and-webapi/)
Integrated Swagger
Created Azure API Management Service
Added API by using "OpenAPI"
Given OpenApi specification URL as https://xxx.azurewebsites.net/Swagger/docs/v1 and created API
While creating API Chosen valid products that are mapped to existing users to test
Navigated to APIM developer portal and tested
While testing added access_token as Authorize header bearer token and tested.
HTH

Resources