So I am writing a .NET 6 Core Web Api using Azure AD as authentication for the API.
Now when using Graph API as example, you need to setup Graph API scopes in the App Registration. Lets use a delegated "user.read" permission for this example.
I use Postman to receive the access token for the application by authenticating as an user against Azure AD for the API. I would expect to receive a consent-screen so I can consent to the usage of "user.read". This does not happen though.. I get logged in and receive a valid access token. In the Backend though, it will throw an error because the user / admin did not consent to the application.
How do I get around this? Why don't I get asked to consent the permissions set up in the app registration? Neither in Postman, nor in a Swagger oAuth Flow..
My current workaround for this is to use a React application and sign in over the frontend application. Using the frontend application, I get asked to consent to the permissions. After consenting, I can use postman without getting the "user didn't consent" - error.
Any ideas? What did I miss?
Let's focus on the user-consent page first. When we created an azure ad app then add api permission for it, then use this azure ad app to make your .net 6 app/react app integrate azure ad to use azure authentication, and we go to the microsoft sign in page and successfully sign in, we will see a dialog which indicating that this app require you to consent a list of permissions. The permissions are correspond to the api permissions you set for the aad app. After consent once, then it won't ask you to consent again when sign in next time.
This consent only happened when users are signed in. Let's go back to the flows used to generate access token in Azure AD. Since you used delegate permission, then you may used the recommend Auth code flow(Another flow called ROPC flow can also generate delegate access token but not recommended). When we used auth code flow, we need to sign in first, the login url should look like this:
https://login.microsoftonline.com/tenant.onmicrosoft.com/oauth2/v2.0/authorize?client_id=azure_ad_app_id
&response_type=code
&redirect_uri=http://localhost/myapp/
&response_mode=query
&scope=user.read
&state=12345
We need to use it to get the auth code, then we can use the code to generate access token, per my test, I created a new azure ad app and when I directly hit this url in the browser and sign in, it still required me to give the consent. So I'm afraid the reason why you didn't see the dialog when test in post man is that you've consent it when test in react app, or you don't use auth code flow.
Related
Good afternoon experts,
I have a Django web application (it is not internet-facing) and so far I used the django.contrib.auth.backends.ModelBackend to authenticate the users.
However I want to integrate this webapp to an existing SSO solution (like Azure AD) so I thought python3-saml would be a good library to be used (more specifically I use python3-saml-django but it is just a wrapper around python3-saml).
Probably I am missing some fundamental point as I don't really understand how this should work.
When I used ModelBackend then I had a login form where the user could type their username+password which was checked against Django database and the authentication was completed. Should the same work with SSO too? i.e. the login form appears, the user will type their credentials but they will be checked in Azure AD instead of Django auth tables? Or the custom login form of that specific auth solution (in this case Azure AD -> Microsoft login form) should be displayed...?
The LOGIN_URL setting is configured in my Django app so if no user is logged in then automatically my login form appears.
Also I set the AUTHENTICATION_BACKENDS setting and it points only to django_saml.backends.SamlUserBAckend.
I configured AZure AD (registered the app and added a user, I tested it in Azure AD console) hopefully correctly. I also populated python3-saml's settings.json with login/logout URL, etc.
Whenever I try to log in with the Azure AD user I got an auth error (the user and password did).
I am just wondering if somebody could shed some light please how this should work? Can I debug the SAML requests / responses?
auth is token based in azure ad and it will redirect the user to the microsoft login. You will receive an auth token which then you can use to for authorization and providing secure pages.
First register your app in azure portal in azure active directory and also create a user flow.
Then download MSAL for python (using pip) which is used for auth using azure ad for python.
The basic architecture is that when the user tries to login the Microsoft login page will be shown, after signing in your app will receive a token which then you should use to show the logged in pages.
References:
quickstart for auth in python
userflow
MSAL Library
I've been searching for a couple days, and I can't seem to find a straightforward guide on how to set up Authorization (AuthZ) between an AAD App and my AAD Web API set up in App Service. I've tried things like this official guide, but I can't seem to get calls with a Bearer token from the client app to work.
Has anyone done this successfully? Is there a step by step guide out there that could help?
Please let me know if there are any questions!
To implement your requirements, you need to expose an api in your AAD Web API first.
Then go to your AAD App which used to request the token, add the permission to it.
Click "Grant admin consent for *" button.
After that, we can request the access token successfully (below I provide a sample use password flow for your reference)
In your Web API app, you need to parse the access token and get the scope permission from the access token. And then determine whether the request has permission.
I have a web api as backend and a mobile app that users can sign up and sign in and call web api(protected) methods to post and get some data from user. I am using Azure AD B2C to authorize and authenticate users with policies. After a user has sign up or sign in, mobile side has an access token and use this token in request to web api.
But in my scenario, mobile side will send username to web api and I will use microsoft graph api to create user with username and default password.(First request is without user token because there is no a user at this time or can be special token that both sides know.) After I created user in server-side I want to get access token using objectId that came response from create request or I want to know how to get access token.
When I have token, I will send this token to mobile and then mobile send requests to web api using access token that come from server.
I wonder this scenario is possible and can be implemented.
Architecturally, If i understand correctly You want to protect your Mobile app and web api using Azure AD B2C which is clearly possible.
You need to do the following:
Create a AD B2C tenant.
Configure a sign-up or sign-in policy
Use the steps in the Azure AD B2C documentation to create a sign-up or sign-in policy. Name the policy SiUpIn. Use the example values provided in the documentation for Identity providers, Sign-up attributes, and Application claims. Using the Run now button to test the policy as described in the documentation is optional.
Register the API in Azure AD B2C
In the newly created Azure AD B2C tenant, register your API using the steps in the documentation under the Register a web API section.
After the API is registered, the list of apps and APIs in the tenant is displayed. Select the API that was previously registered. Select the Copy icon to the right of the Application ID field to copy it to the clipboard. Select Published scopes and verify the default user_impersonation scope is present.
After adding authentication to your web api , you can test it using Postman.For that you have to register postamn under your B2C tenant.
Since Postman simulates a web app that obtains tokens from the Azure AD B2C tenant, it must be registered in the tenant as a web app. Register Postman using the steps in the documentation under the Register a web app section. Stop at the Create a web app client secret section.
The newly registered web app needs permission to access the web API on the user's behalf.
Select Postman in the list of apps and then select API access from the menu on the left.
Select + Add.
In the Select API dropdown, select the name of the web API.
In the Select Scopes dropdown, ensure all scopes are selected.
Select Ok.
For calling a web api you need to get the bearer token before calling actual web api request.
To make an authenticated request to the web API, a bearer token is required. Postman makes it easy to sign in to the Azure AD B2C tenant and obtain a token. Taking postman as an sample tool.
- On the Authorization tab, in the TYPE dropdown, select OAuth 2.0. In the Add authorization data to dropdown, select Request Headers. Select Get New Access Token.
- Complete the GET NEW ACCESS TOKEN dialog as follows:
- Select the Request Token button.
- Postman opens a new window containing the Azure AD B2C tenant's sign-in dialog. Sign in with an existing account (if one was created testing the policies) or select Sign up now to create a new account. The Forgot your password? link is used to reset a forgotten password.
- After successfully signing in, the window closes and the MANAGE ACCESS TOKENS dialog appears. Scroll down to the bottom and select the Use Token button.
- Now you can test your Web Api with the token, also if you want to save suer information before that you can do that. Also it's the Signup Policies job is to create a user for your when you hit a request.
Hope it helps , Please let me know if you need any help.
I have a single-page application written in TypeScript. It needs to call a middle-tier service, and the middle-tier service will, in turn, call the Microsoft Graph API.
In my SPA, I'm using the MSAL library and I log the user in by calling UserAgentApplication.loginRedirect()
I then call acquireTokenPopup and pass only one scope in the access token request parameter: the scope that is defined by my middle-tier service. Upon doing this, I see the popup but then it disappears (I never see any consent prompt). This successfully gets a token which the SPA then sends as a Bearer token on the Authorization header in an HTTPS request to the middle-tier.
The middle-tier then tries to get an OBO token by calling AAD with properties like this:
const grantType = "urn:ietf:params:oauth:grant-type:jwt-bearer";
const assertion = userAccessToken;
const scope = "https://graph.microsoft.com/Calendars.Read " +
"https://graph.microsoft.com/Calendars.Read.Shared " +
"https://graph.microsoft.com/Calendars.ReadWrite " +
"https://graph.microsoft.com/Calendars.ReadWrite.Shared " +
"openid profile email offline_access";
const requestedTokenUse = "on_behalf_of";
It also has a client secret it sends along that is defined in the AAD registration for the midddle-tier. When this request is made to the AAD endpoint to retrieve an OBO token, it always fails with this error:
{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '<ID of middle-tier application>' named '<name of middle-tier application>'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 39d9bace-03f0-402b-9310-c713aa990200\r\nCorrelation ID: edfbb88f-5c63-4cef-84c1-0de8457852b7\r\nTimestamp: 2019-05-22 22:25:24Z","error_codes":[65001],"timestamp":"2019-05-22 22:25:24Z","trace_id":"39d9bace-03f0-402b-9310-c713aa990200","correlation_id":"edfbb88f-5c63-4cef-84c1-0de8457852b7","suberror":"consent_required"}
I see the bit about consent being required and how I'm supposed to send an interactive authorization request -- but I'm not sure how to do that. In fact, I thought I was doing that when I called acquireTokenPopup initially (rather than acquireTokenSilent).
If calling acquireTokenPopup in the SPA client with the middle-tier defined scope is not the correct way to send an interactive authorization request, what is?
Possibly helpful information:
The ID of my SPA client application is listed both in the "Authorized client applications" section of AAD registration portal for the middle-tier AND in the "knownClientApplications" section of the manifest.
Thanks!
Firstly your usage of On-Behalf-Of flow for the scenario you describe looks good.
For the admin consent part (to get past AADSTS65001 error) you could try to do consent explicitly, in one of the two ways:
Use the Azure portal (works well for single tenant apps)
Go to Azure Portal > Azure AD > App Registrations > Registration for your app > API Permissions and then click on "Grant admin consent for [your AD]" button.
Use the Admin consent endpoint (works for single tenant or multi-tenant apps)
More info on Microsoft Docs here - Request Permissions from Directory Admin
GET https://login.microsoftonline.com/{tenant}/adminconsent?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions
Only mandatory parameter here is client_id. You can skip providing other parameters and consent should still work.
On a side note, the part that you mentioned about knownClientApplications can help with a more advanced scenario, where you're trying to club the consent for more than one applications in a single interaction. Like multiple layers of the same logical app. If that is what you're trying to achieve, then you won't really need to consent separately for middle-tier API. You could still use approach 2 for Admin Consent endpoint in this case.
I'm trying to set up Azure AD B2C for my web app.
I've already created a tenant. I then created an app. According to articles I'm following, I should then be able to click "API Access" and add scopes. In my case, there's nothing under API drop down:
I already see "Access the user's profile" with the following selected:
Under "Published Scopes", again, I see nothing:
What am I missing here?
UPDATE:
After adding the App ID URI, I was able to move forward a bit but still not sure about published scopes. This is what I currently have:
And under API Access, this is what I have:
Basically, the behavior I'm getting on my frontend app which is built on ReactJs is that I hit the Azure AD B2C login. After entering my credentials, I get redirected to my app. I see id_token in the URL but the MSAL library I'm using doesn't capture the token -- I have a break point in my React code to see if I'm capturing the token. I get sent back to the login screen on Azure, then back to my app. On the third one, I actually see the token being captured but I end up with the following errors:
I'm using this library which is a wrapper for the MSAL.js library: https://github.com/jamesrandall/react-azure-adb2c
I'm pretty certain there are config errors. Just not sure what they are.
API access is used to assign access from a web app to an API app.
Published scopes is used to register the access scopes for the API app.
Before the access scopes can be registered for the API app, an App ID URI must be set as the resource identifier for the API app, as described by the Azure Active Directory B2C: Register your application article.