We would like to use Azure client credentials flow to do authentication for our service accounts. The thing is our service accounts are just regular users in Azure AD. They are not registered apps. The way our company sets up Azure makes it very heavy to register apps, so we would like to avoid it. So the question is, can we use client credentials flow for regular users in Azure? We need this as in our CI/CD we cannot popup a browser and let users do device-based authentication. We need the user to be able to authenticate in an automated way.
You can't use client credentials flow where an Azure AD user is involved in the authentication flow.
Micrsofot Documentation - client credentials flow
This type of grant is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user.
But you can use one of the following supported authentication flow where a user is involved;
Micrsofot Documentation - authorization code flow
Micrsofot Documentation - implicit grant flow
Micrsofot Documentation - device authorization grant flow
Device authorization grant flow might work in your case?
Related
I have created a Microsoft Teams bot built using a Golang port of the Bot Framework. It is a multi tenant bot which lives in my infrastructure.
It is easy to add the bot as a "Teams Application" by selecting it from the marketplace (for free), however, to function correctly it needs additional Microsoft Graph permissions. Specifically read the title of a MS Teams Channel / Group Chat.
This seems to be a challenge for users as almost no one - even those 'in IT' seem able to correctly add the permissions required, even with documentation.
I've been helping them personally but it's not a commercial product so not viable in the long term.
I would like to find an OAuth2 flow which would allow a privileged user to authenticate with their Azure tentant and grant the necessary privileges for my application to do it's thing. Or, alternatively create the client registration in advance of installing the bot.
Every OAuth2 flow requires me to have (or know) my client_id before making the request. Given it's in the users Tenant, I don't have access to it; the users can authenticate against their Azure AD tenant though, so they must receive a bearer token which would allow them access to create or update permissions on an Azure Application.
There is chance to use the OAuth 2.0 client credentials. This grant is specified in RFC 6749. This grant is to access the web hosted resources. This resource will directly identify the application based on the identity of the application. In server-to-server communication we can use OAuth 2.0. This can be referred as "Service accounts" or "Daemons".
Microsoft identity platform and the OAuth 2.0 client credentials flow
I have the following requirement:
create a user on AD B2C.
using the credentials of that user, I need to get access token and refresh token to access an existing api(REST SERVICE).
Active directory here is Azure AD.
I am new in oAuth and Azure. Please suggest me the steps and configuration to achieve this. (I do not want any user interaction to get access token and refresh token).
creating a user is clear to me. but if it requires any specific type of user or any required permissions, please suggest those.
To me, it sounds like your use case can be better realized with a service principal. If you don't need a user context but, consider using an SP instead. See:
Microsoft identity platform and the OAuth 2.0 client credentials flow
If for whatever reason you want to stick to non-interactive user login, you can use the Resource Owner Password Credentials flow. But be aware that:
Microsoft recommends you do not use the ROPC flow. In most scenarios,
more secure alternatives are available and recommended. This flow
requires a very high degree of trust in the application, and carries
risks which are not present in other flows. You should only use this
flow when other more secure flows can't be used.
I ideally want to be able to have an admin grant application permissions for my app and login to said app in the same flow. Is this possible?
I currently use the code grant flow for authentication.
I then use the client credentials flow for authorisation.
Is it possible to combine the two into a single flow?
I have the first redirected immediately to the second if the client token has not be granted before, but it isn't the most appealing flow from a UX perspective.
If I could add an ID token to the the client grant response that'd be perfect (I just need the UPN of the admin that is consenting), but this doesn't seem to be possible.
A key requirement is the application permissions as my app makes changes to the entire org - obtaining the grantee's ID in the same flow is just a UX optimisation.
Perhaps this is possible with the OpenID Connect flow?
Is it possible to combine the two into a single flow?
No, these are two different authentication flow.
For the authorization code flow, It's used to perform authentication and authorization in the majority of app types, including single page apps, web apps, and natively installed apps. The flow enables apps to securely acquire access_tokens that can be used to access resources secured by the Microsoft identity platform endpoint, as well as refresh tokens to get additional access_tokens, and ID tokens for the signed in user. This flow is usually used in scenarios with user interaction.
For client credential flow, it is that the administrator directly grants permissions to the application itself. When an application provides a token to a resource, the resource will force the application itself to have the permission to perform operations. This type of grant is usually used for server-to-server interactions that must run in the background and do not require immediate interaction with the user. This is generally used in daemons, which can only obtain access_token for accessing resources.
Perhaps this is possible with the OpenID Connect flow?
This is where a user is logged in. Generally, delegated permissions are used, so it is impossible.
So, in summary, you cannot obtain ID tokens when using the client credential flow because there is no user interaction in the flow.
i need to get Azure token in my app (C#) to perform Graph API operations on users, but without sign in all the time when app invoked (app must be full automate, working in timer job) so i have a question how to made process of token acquiring fully automate (without user)?
All that I found about this topic:
Get access without a user
But I failed to recreate it.
The OAuth2 flow you are describing is called the "Client Credentials Grant" and is in detail described here.
In short it is relevant in this case and works like this:
First, user interaction is not possible with a daemon application,
which requires the application to have its own identity. An example of
a daemon application is a batch job, or an operating system service
running in the background. This type of application requests an access
token by using its application identity and presenting its Application
ID, credential (password or certificate), and application ID URI to
Azure AD. After successful authentication, the daemon receives an
access token from Azure AD, which is then used to call the web API.
Have a look at this implementation to see how it is done in code.
Using OAuth On-Behalf-Of works exactly what you describe. Which On-Behalf-Of method, there is no user interaction to obtain the user's consent to access to the downstream API (e.g. Graph API). In other words, the user identity & permission is silently delegated in a full request chain. In a real-world corporate environment, your app would be normally authenticated by another identity provider (e.g. Active Directory) not Azure AD, which after then requests authorization to Azure AD OAuth endpoint.
When requesting access token, you must set its type is requested_token_use=on_behalf_of
Here is reference to POST to the endpoint https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-on-behalf-of
Here is the reference of SSO authentication with OAuth On-Behalf-Of https://learn.microsoft.com/en-us/outlook/add-ins/authenticate-a-user-with-an-sso-token
I'm working on integrating Azure AD authentication with various apps on different platforms.
Is there a way to get an authentication token id from a user logging in through a web api like 'azureadlogin.com/login?user=ted&password=passwordhash'
There seems to be ways of doing it through node or javascript or C# apps but I'd really like to just have a simple web request way of doing it as there are many different apps on different platforms that need to make use of this feature.
No.
There is a way to authenticate with username + password by doing a POST request and using Resource Owner Password Credentials flow, but I don't recommend it.
ROPC will not work if:
User's password has expired
User is MS account/federated from on-prem AD
User has multi-factor authentication enabled
You have a wide selection of authentication flows which work in all these scenarios too, and don't involve the user giving their password to you.
For example:
Authorization code flow
Implicit grant flow
Device authentication flow
You can use username/password authentication. But if your app has user interface, so it could popup the regular Azure AD login page, I would recommend not to use it. A major reason for using Azure AD (or other identity providers) is that the user doesn't want your app to know his password.
There's a sample which does what you want. The code in question is here.
The sample uses .NET and the ADAL.net library, but you can do similar stuff on other platforms.