We have an API which we use for our .NET application, but we also want to make calls directly from Postman. The current setup uses the Authorization Type OAuth 2.0 built-in functionality of Postman, which opens a popup of our Azure AD B2C sign-in screen.
We are using custom policies to sign-in here as well.
My question is: is there a way to simply use Postman (preferably in 1 request) to get the access token without having to use the browser and sign in manually?
I tried to reproduce the same in my environment and got the below results:
As mentioned by Jas Suri, you can make use of the ROPC flow to generate an access token without browser interaction.
I created an Azure AD B2C application and enabled Allow public client flows option:
Please note that, if you do not want to enable Allow public client flows, you can create a client_secret and pass it as a parameter in Postman while generating the token.
Now I created ROPC User flow like below:
I generated the access token using the ROPC flow via Postman with parameters like below:
POST https://tenant.b2clogin.com/tenant.onmicrosoft.com/policy/oauth2/v2.0/token
grant_type: password
client_id: appid
scope: https://tenant.onmicrosoft.com/web_api/api.read
username: yourusername
password: *****
Response:
When I decoded the token, I can find the scp claim successfully like below:
I want to authenticate a valid Azure Directory user from my application. So the output that I want is whether the user is valid or not.
I use this API https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token with the following urlencoded body (client_id, scope, client_secret, username, password, grant_type) for the authentication, but this API works only when the user has disabled MFA; I want to authenticate even when the user has enabled MFA.
You have hit one of the limitations of the ROPC flow.
It is not possible to authenticate a user with MFA enabled with that flow.
The solution will be to change your application to use an interactive flow like Authorization Code flow.
This will require that your app forwards the user to Azure AD to sign in, and then your application gets access tokens in exchange.
Pros:
You don't need to handle passwords
All the security features of Azure AD can be used, including MFA
Cons:
Complexity will increase (libraries help here)
Docs: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
If you have a Javascript front-end app, you can use MSAL.js to handle the authentication.
Other OpenID Connect compatible libraries can also be used.
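The interactive flow the answer recommends, as an added example that is not part of the original answer: the authorization code flow with PKCE against the Azure AD v2.0 endpoint, written in Python with only the standard library. The three steps (build the authorize URL, read the code back from the redirect while checking `state`, build the token exchange) are the pieces a library such as MSAL does for you; the tenant, client ID and redirect URI in the usage comment are placeholders, not values from the thread.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"  # Azure AD v2.0 endpoint


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding PKCE and JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 code_verifier: 32 random bytes give a 43-character string."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(tenant, client_id, redirect_uri, scope, state, code_challenge):
    """Step 1: the URL the browser is sent to. MFA, Conditional Access and the
    rest of the tenant's sign-in policy are enforced here, not by the app."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Step 2: read the code from the redirect back to redirect_uri.
    Raises if Azure AD reported an error or if `state` does not match; a
    mismatched state is a response that does not belong to this login attempt."""
    qs = parse_qs(urlparse(redirect_url).query)
    if "error" in qs:
        raise RuntimeError(f"{qs['error'][0]}: {qs.get('error_description', [''])[0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: ignore this response")
    return qs["code"][0]


def build_token_request(tenant, client_id, redirect_uri, code, code_verifier, scope):
    """Step 3: exchange the code for tokens. The verifier proves this is the same
    client that started the flow, so a public client needs no client_secret."""
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
        "scope": scope,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", urlencode(body)


if __name__ == "__main__":
    # Placeholder tenant/client/redirect values; replace with your own registration.
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("contoso.onmicrosoft.com", "<client-id>", "http://localhost:5000/cb",
                              "openid profile User.Read", state, make_code_challenge(verifier)))
    # After the user signs in (with MFA if the tenant requires it), feed the
    # redirect URL to parse_redirect(..., state) and POST build_token_request(...).
```

Keep `verifier` and `state` server-side (or in the SPA's session storage) between step 1 and step 3; the password never passes through your code, which is the point the answer makes under "Pros".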
I have integration tests running with newman in Azure DevOps pipelines. I was using the client_credentials flow to authorize API requests, until recent changes when we moved to AD B2C and Authorization Code with PKCE.
In postman I was able to retrieve access token using implicit flow and authorization code with PKCE, but it does not work for newman pipeline.
Is there a way to get an access token without user interaction? Is there an alternate way to get an access token from newman? All references and documentation refer to Postman, but I can't find anything related to newman.
https://learning.postman.com/docs/sending-requests/authorization/#implicit
Thanks in advance
• You can try setting the authentication in the second script in newman to ‘No Auth’ and create a header. The header key was Authorization, and the value is Bearer {{OAuth_Token}} (note that there were 2 space chars after 'Bearer'...). Also, you can set the token as an environment variable and then add it as authorization header which should also work.
• In this way, client credentials and password are passed with the required token grant types, which do not require user interaction. You can also test the generated access token in newman: select 'Bearer Token' type in the app, copy and paste the value of the generated access token there and export the JSON to run in newman. And instead of an end-user authentication method, use an app authentication method, e.g. API key or client credentials flow in Azure AD B2C.
• Hope the above methods should help you retrieve the access token from newman without user interaction. Also, please find the below github thread discussion links for more information: -
https://github.com/postmanlabs/newman/issues/2615
https://github.com/postmanlabs/newman/issues/1224
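The pipeline-side half of the answer above, as an added example that is not part of the original answer: a small Python script that requests an app-only token with the client_credentials grant, then writes the token into a Postman environment file so that newman can substitute `{{OAuth_Token}}` in an `Authorization: Bearer {{OAuth_Token}}` header. The environment-file shape follows a Postman environment export and is an assumption to check against an export from your own workspace; tenant, client ID, secret and scope are placeholders.

```python
import json
from pathlib import Path
from urllib.parse import urlencode


def client_credentials_request(tenant: str, client_id: str, client_secret: str, scope: str):
    """Token request for the client_credentials grant: app identity only, no browser, no user."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,  # for app-only access to an API: api://<api-client-id>/.default
    }
    return url, urlencode(body)


def token_from_response(body: str) -> str:
    """Pull access_token out of the token endpoint's JSON, surfacing the
    error/error_description pair instead of a KeyError when the request failed."""
    data = json.loads(body)
    if "access_token" not in data:
        raise RuntimeError(f"{data.get('error')}: {data.get('error_description')}")
    return data["access_token"]


def postman_environment(name: str, token: str) -> dict:
    """Postman environment document (shape assumed from a Postman export)
    carrying the token in the OAuth_Token variable the collection references."""
    return {
        "name": name,
        "values": [{"key": "OAuth_Token", "value": token, "enabled": True}],
        "_postman_variable_scope": "environment",
    }


def bearer_header(token: str) -> dict:
    """What a 'No Auth' request ends up sending once newman has substituted
    {{OAuth_Token}}: a single space between the scheme and the token."""
    return {"Authorization": f"Bearer {token}"}


def write_environment(path: str, name: str, token: str) -> str:
    """Write the environment file newman consumes with -e."""
    Path(path).write_text(json.dumps(postman_environment(name, token), indent=2))
    return path


if __name__ == "__main__":
    import os
    import urllib.request

    # Placeholders; in Azure DevOps read the secret from a secret pipeline variable.
    url, body = client_credentials_request("contoso.onmicrosoft.com", "<client-id>",
                                           os.environ["API_CLIENT_SECRET"], "api://<api-client-id>/.default")
    req = urllib.request.Request(url, data=body.encode("ascii"), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        token = token_from_response(resp.read().decode())
    write_environment("pipeline.env.json", "pipeline", token)
    # then: newman run collection.json -e pipeline.env.json
```

Because the token goes into a file on the agent, treat `pipeline.env.json` as a secret artifact: do not publish it and let the job's workspace cleanup remove it.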
I would like to use the Resource Owner Password Credential Flow of Azure AD for my function app. The function app is up and running. Once I configure Azure AD authentication for the app, my requests get rejected with a 401 Unauthorized but with no further details on the error.
I should also emphasize that I can obtain new tokens from the authentication endpoint for my tenant. It's just that these tokens get rejected when I try to call the function from curl. When I login with the browser and the same credentials, I can access the function.
Clarification: Obtaining tokens via the API works, but these tokens are then rejected by the function app's AAD authentication. Going through the browser, I obtain tokens that can log me into the function app.
What I did:
Create a function app
Basic GET request, works with either no authorization or with authorization through the browser.
Create an app registration in Azure AD
Implicit grant: Access + ID Token
Supported account types: Single Tenant
Allow public client flow: Yes
In the manifest: "oauth2AllowImplicitFlow": true,
Scopes: Custom user_impersonation scope for my API
API: Here I added my function app with the user_impersonation scope
Configure the function app to authenticate user through AAD
Management mode: Advanced
Client ID: The client ID of the app registration above
Allowed Token Audiences: The URL of my function
Steps to reproduce:
Obtain a new access_token:
Issue a POST request to https://login.microsoftonline.com//oauth2/v2.0/token and the following parameters:
clientId: The client ID of the app registration in Azure AD
scope: user.read openid profile offline_access https://<my-function>.azurewebsites.net/user_impersonation
username: The e-mail address of the user
password: The password of the user
grant_type: password
This returns the access_token. I'm not going to post it here, but I can share details on request.
Call the protected API
Issue a GET request to https://<my-function>.azurewebsites.net/api/test with the following header parameter:
Authorization: Bearer <access_token>
Any help is greatly appreciated of course. It is important to note that users should not be able to login interactively anyway. I'm well aware of the pitfalls and shortcomings of the ROPC flow but this is the only way to solve this particular use case with Azure AD.
Here are some resources I consulted before. I might have overlooked a critical point of course:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc?tabs=app-reg-ga (Not using AAD B2C but is probably similar enough. However the steps mentioned here work.)
I seem to have fixed it. The solution was a lot of trial and error; maybe there is an easier way.
Azure AD App Registration
Only select the access token, we don't need an ID token anyway.
Set "accessTokenAcceptedVersion": 2 in the manifest
Use the suggested api://... Application ID
Function App
Set both the Client ID and the Allowed Token Audience to the Application ID from the AAD App Registration, but without the leading api:// scheme.
Obtaining the token
Specify the scope as api://.../user_impersonation
After going through all of the steps above, I can successfully authenticate before being able to access my function app. The next challenge will be to read the authenticated user name from the request. But that might be the topic of another thread on SO.
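A check that makes the 401 in this thread explainable before the function app is called, as an added example that is not part of the original answer: decode the access token's claims (without verifying the signature, so for diagnosis only) and compare `aud`, `ver` and `scp` with what App Service authentication was configured with. A v1 access token carries the App ID URI used in the scope in `aud`, while a v2 token (`accessTokenAcceptedVersion: 2`) carries the application ID, which is why the answer above sets the allowed audience to the application ID without `api://`. The application ID in the usage comment is a constructed placeholder, and `make_unsigned_jwt` builds constructed, unsigned tokens so the check runs offline.

```python
import base64
import json


def b64url_decode(s: str) -> bytes:
    """Base64url with the padding JWT segments omit."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Read the claims of a JWT WITHOUT verifying its signature.
    Fine for diagnosing a 401; never use it to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS (header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def easy_auth_rejection_reasons(token: str, client_id: str, allowed_audiences, required_scope=None):
    """Return the things App Service authentication would object to in this token,
    given the configured Client ID and Allowed Token Audiences. An empty list means
    aud (and, if asked for, scp) line up with the configuration."""
    claims = decode_jwt_payload(token)
    reasons = []
    accepted = set(allowed_audiences) | {client_id}  # the configured client ID is treated as an audience
    aud = claims.get("aud")
    if aud not in accepted:
        reasons.append(f"aud {aud!r} not in {sorted(accepted)}")
        if claims.get("ver") == "1.0":
            reasons.append("ver is 1.0, so aud is the App ID URI from the scope; set "
                           "accessTokenAcceptedVersion to 2 and the token carries the application ID")
    if required_scope and required_scope not in claims.get("scp", "").split():
        reasons.append(f"scp {claims.get('scp')!r} lacks {required_scope!r}")
    return reasons


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned token (alg none) for offline use of the check above."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    APP_ID = "00000000-0000-0000-0000-000000000001"  # constructed placeholder
    # What the question's first configuration produced: a v1 token whose aud is the function URL.
    before = make_unsigned_jwt({"aud": "https://my-function.azurewebsites.net", "ver": "1.0",
                                "scp": "user_impersonation"})
    print(easy_auth_rejection_reasons(before, APP_ID, [APP_ID], "user_impersonation"))
    # After the fix: v2 token, aud equals the application ID configured on the function app.
    after = make_unsigned_jwt({"aud": APP_ID, "ver": "2.0", "scp": "user_impersonation"})
    print(easy_auth_rejection_reasons(after, APP_ID, [APP_ID], "user_impersonation"))  # []
```

Paste a real token from the ROPC call into `decode_jwt_payload` to see which of the two shapes you are getting; with a real token the signature is still checked by the function app, not by this script.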
Is there a way, either in PowerShell or Postman, to get an access token for myself by logging in to a particular tenant? I see a lot of samples around getting an access token with a client ID or secret. But I want to run commands or make a REST call to get an access token once I have authenticated myself. I tried looking into Graph Explorer but no luck.
The client id is required for AAD authorization.
If you want to get an access token including your own information, you should implement OAuth 2.0 authorization code flow. It will perform interactive login as #Gaurav Mantri-AIS mentioned.
We can simply get the access token in Postman like this:
After clicking on "Request Token", it will pop up a login window. Enter your username and password. Then you will get the access token.
When we log into Graph explorer, we will see the access token here:
In fact, Microsoft has registered an Azure AD application and provided the client id in the login request URL.
In short, we have to use the client id.
OK, done. I could finally set up my AD B2C with my web API and with Postman. To do so I followed the instructions here.
Now, in Postman, when I click "Get New Access Token" in the Authorization tab, the system redirects me to the HTML sign in/up page from Microsoft and I need to enter my credentials. I don't want that. I want to use a predefined login and password because I want to simulate the sign in/up using the API only: something where I use the body or header to send my credentials and get the token.
I think I should play with the Grant Type property. Is that correct?
---- EDIT 1 ----
I found this tutorial and I did this:
But it is not working and I don't know what to put in Client Secret. Here is my Postman log:
Also I wanted to show this in case this can be relevant:
Firstly, you must create a resource owner password credentials (ROPC) flow, which enables credentials to be POSTed from Postman to Azure AD B2C's token endpoint.
Also, you must register Postman as a native client application, so that it can use this ROPC flow.
Then, in Postman, you can enter the following settings:
Grant Type: Password Credentials
Access Token URL: https://{your-tenant-name}.b2clogin.com/{your-tenant-name}.onmicrosoft.com/{your-ropc-policy-name}/oauth2/v2.0/token
Client ID: Set to the client identifier for the Postman application
Client Secret: Set to an empty string
Scope: openid {your-postman-client-id} {any-api-published-scopes}
Client Authentication: Send client credentials in body
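The same request outside Postman, as an added example that is not part of this answer or of the earlier answer in this thread that showed the ROPC parameters for a B2C ROPC policy: a Python script with only the standard library that builds the POST to `https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token`, sends `grant_type=password` with the client ID, scope, username and password, optionally adds `client_secret` when the app is not a public client, and returns either the access token or the `error: error_description` pair B2C sends on a 400. The HTTP call is injectable so the parsing can be exercised without a tenant; tenant, policy, client ID and credentials in the usage comment are placeholders.

```python
import json
import urllib.request
from collections import namedtuple
from urllib.error import HTTPError
from urllib.parse import urlencode

TokenResult = namedtuple("TokenResult", "token error")


def ropc_request(tenant, policy, client_id, username, password, scope, client_secret=None):
    """Token-endpoint URL and form body for the ROPC grant against a B2C
    ROPC user flow or custom policy (the parameters both answers list)."""
    url = f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token"
    body = {
        "grant_type": "password",
        "client_id": client_id,
        "scope": scope,      # e.g. "openid <client-id>" or an API scope such as .../api.read
        "username": username,
        "password": password,
    }
    if client_secret:        # only when 'Allow public client flows' is off for the app
        body["client_secret"] = client_secret
    return url, urlencode(body)


def http_post_form(url: str, body: str):
    """Real transport. Returns (status, response_text) for 2xx and 4xx alike,
    because the error JSON on a 400 is the interesting part when ROPC fails."""
    req = urllib.request.Request(url, data=body.encode("ascii"), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as e:
        return e.code, e.read().decode()


def get_ropc_token(tenant, policy, client_id, username, password, scope,
                   client_secret=None, post=http_post_form) -> TokenResult:
    """One round trip, no browser. `post` is injectable so parsing can run offline."""
    url, body = ropc_request(tenant, policy, client_id, username, password, scope, client_secret)
    status, text = post(url, body)
    try:
        data = json.loads(text)
    except ValueError:
        return TokenResult(None, f"HTTP {status}: non-JSON response")
    if status == 200 and "access_token" in data:
        return TokenResult(data["access_token"], None)
    return TokenResult(None, f"{data.get('error')}: {data.get('error_description')}")


if __name__ == "__main__":
    import getpass
    # Placeholders: your tenant name, the ROPC policy name, the Postman/native app's client ID.
    result = get_ropc_token("<tenant>", "<ropc-policy>", "<client-id>",
                            input("username: "), getpass.getpass("password: "),
                            "openid <client-id>")
    print(result.token or result.error)
```

ROPC only works for local B2C accounts without MFA, so a failure here is usually an `invalid_grant` with a B2C error description rather than a transport problem; the script prints that description instead of a stack trace.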