Is there an API endpoint to check what a certain token granted scopes are?
In order to perform an action for example user delete, the manage all token scope is needed. For better implementation, if we can check the token scopes and only send request when the needed scope is given.
You can check out the below link documentation from OneLogin.
In case of only Users, you can select Manage Users and for managing all other objects, select Manage All. For other scopes refer to the document.
https://developers.onelogin.com/api-docs/1/getting-started/working-with-api-credentials
Related
I have an AzureAD application registration for my front end SPA. I am using Angular with Microsoft’s #azure/msal-angular v2 authentication library. My app registration has all the necessary redirect URIs and configured for proper OAuth2 OpenID Connect using authorization code flow with PKCE. My app is using the Microsoft Graph API with only the User.Read scope. I can authenticate just fine. If my app, however, is only available for one group of people, defined by an AD group and assigned to the Users and Groups section in Azure, what is the best way to validate the logged in user is authorized? I’ve tried enabling optional group claims for the access token, but those don’t come through for some reason. I then tried adding roles-I have an “admin” role, which is the only one I need. This role is assigned to the AD group I mentioned earlier. The roles claim does come back, and I can use that, but this seems silly when I should be able to just validate if the logged in user is in my AD group. The roles approach does have the nice feature of just assigning users different roles to validate authorization for development purposes, but not sure if there’s a better way.
At some point there will be an API I need to plug in. Would it be best to get the claims from that and use that for validation?
Is there a scope or setting I’m missing? Am I achieving this all wrong? Thank you to all who reply.
At this point, you have a SPA that calls a MS 1st party API, which is MS Graph.
Since you are acquiring an accessToken to MS Graph, this accessToken can not be changed - it is meant to be decoded and validated by MS Graph itself, so you will not be able to add any extra claim on that token since you do not control the resource.
Also, your client should treat the accessToken as an opaque string, you should never rely on any claim from the accessToken on the frontend.
You can read more about it here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens
If you want to do some sort of authorization on the frontend, like deciding which routes your user will have access to, you need to rely on the idToken. For the idToken, you can enable the Groups claim and get a list of groups that the user is a member of.
If, as mentioned, later down the line you need to create a custom API and call it from your SPA, then, on that scenario, you can indeed add the Groups claim to the accessToken, because it will be a resource that you control, and then authorize the requests that hit your API based on that claim
MS has a sample that shows exactly how to use security groups for access control, using an Angular frontend with a .NET Core Web API. Give it a check here:
https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/blob/main/5-AccessControl/2-call-api-groups/README.md
I've an Azure AD app setup, the Rest api's under scope: user_impersonation works but I also need user profile info from some GET API request (with same scope as I cannot have two scopes under one access token). I could not find a suitable API for it.So, any help in this regards will be highly appreciated.
Thanks in advance!
As you are making requests to different APIs, you will need to request separate access tokens for this information.
In the case of user profile information, you will need to request a token for the Graph API resource with the User.Read scope.
Depending on the type of application, you can either request this information on behalf of a user or as a service. When requesting as a service, you need to grant the User.Read.All permission instead (docs.
You can use Profile API in Microsoft Graph to retrieve yourself and another user profile.
Using Profile API use for retrieve the sing-in user profile information together Azure AD or account information. This information we can use in application as requirements and we can store as requirements.
when you use these API you will need to valid permissions to access profile information.
Example : https://graph.microsoft.com/beta/me/profile/
More information about Use the Profile API read these official document by Microsoft Documents.
I need to give permission for one application to access some data from another account. I do OAuth2 authentication, but in the v2.0 we need to pass not resources, but scopes. For example I want to start/stop VirtualMachines, or just List them, what would be the proper scope for this?
I have found just this reference but I guess it is not valid for new flow https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftaad
If you are signing in as yourself (i.e. with a signed-in user), then the scope value you want to request is https://management.azure.com/user_impersonation. After signing in (and granting consent, if needed), access to Azure resources will be dependent on the permissions the signed-in user.
If instead this is a secure server doing unattended access, then you simply use the "place-holder" scope parameter value https://management.azure.com/.default (as a way of indicating that you want an access token to https://management.azure.com).
I have a problem regarding the permission granted to my app by the user showing up as a scope in my JWT.
I want to allow the user to see a list of his tenants (Office 365) on my page. For this I need a token with the https://management.azure.com/user_impersonation scope. I added the permission to the Azure API Permissions. When the user first logs in he sees this:
From this screen I assume my setup works, since the user gets asked to grant my app permission for what I need (Access Azure Service Management as you). But when I paste the JWT on the JWT Debugger I don't see the scope user_impersonation among the scopes.
I get this:
I already tried to remove the app from the test-user's applications (in their Azure Portal) to get it to ask again for consent but it's still the same. Other test users have also the same result.
What I'd need is simply to see user_impersonation among the scopes. That would allow me to call the API endpoint that returns a list of my user's tenants.
You need to acquire the access token for the https://management.azure.com resource.
Or if using v2, request it for the https://management.azure.com/user_impersonation scope.
That looks like an MS Graph API token.
An access token is always only valid for one API, so you need to ask for a token for the Azure Management API.
It works now!
So, I tried to get scopes for both https://management.azure.com/ and https://graph.microsoft.com/ in one single token. As Juunas explained, you have to get a separate token for each API. But can ask consent for both at the same time though.
My flow is this now:
I log the user in while asking him to consent to some permissions (for both API's and on first login only)
I request a token in the background for the Graph API scopes
I request a second token for the Azure Management API scopes
I'm trying to use the MSAL.js library to sign in Azure AD and Microsoft account users. Right now, I use acquireTokenPopup() which requires me to pass scopes for an API. I'd like to just sign in the user without getting access tokens.
Anyone know how I can do this?
MSAL.js provides login methods to sign in users. The loginRedirect() and loginPopup() methods take scopes as an optional parameter in case you want to request scopes ahead for user consent. But it does not require you to pass scopes or get tokens for an API.
You can read more about MSAL.js usage here.