Context
I have a white label application with multiples partners and each partner can create multiples "web apps". Each web app has your own "auth database". Ex: A partner created a web app A and a web app B. If his user creates an account in web app A, he can't login into web app B, just in web app A.
How I will do that
I am using firebase authentication. And I will do that using multi-tenancy (https://cloud.google.com/identity-platform/docs/multi-tenancy-quickstart). Each partner will have a firebase project associated with his account and each web app will be associated with a a sub-project (tenant). Each tenant will need to setup many social login providers, like facebook and google.
The Problem
I can setup the social provider via console. But I can't find how can I do that programatically using API. I just found how can I setup social providers via api without using tenant (https://firebase.google.com/docs/projects/provisioning/configure-oauth)
It is possible to setup social providers with multi-tenancy programatically using API?
I believe one way would be using the Identity Platform API:
https://cloud.google.com/identity-platform/docs/reference/rest/v2/projects.tenants.defaultSupportedIdpConfigs/create
You just find the parameters for the Supported IDP you're adding.
The list of supported IDPs you can find here:
https://cloud.google.com/identity-platform/docs/reference/rest/v2/defaultSupportedIdps/list
Related
I'm new to the Microsoft Graph API and Azure. I'd like to seek advises to which Microsoft Graph API version I should go with and whether I should be using the "Web API on-behalf-of flow" for my scenario.
I'm building a web services which can store access tokens of multiple Office 365 users from different organisations. This web services can then create web hooks via the Microsoft Graph API to get notifications about calendar appointment changes in these users' accounts, in order to sync these changes to the corresponding appointments stored on our own server.
So it's a mass Office 365 calendar syncing web service in a nut shell.
I have gone through a lot of their GitHub sample projects and managed to create web hooks with the v1 graph subscription API and was able to interact with the calendar of my dev account, all in a sample APS.NET MVC project.
But I'm very confused about the following parts:
Because this web service does not directly provide a UI, so the login UI would be presented by a separate desktop (WPF) client, and I believe when this is done on the client side, I can forward the authenticated access token to my web service to create the web hooks? This sounds like the "Web API on-behalf-of flow" scenario Microsoft described here: https://learn.microsoft.com/en-au/azure/active-directory/develop/active-directory-v2-limitations.
Because this web service needs to create web hooks to multiple Office 365 accounts from different organisations. I'm not sure if this counts as the a multi-tenant scenario. If this is the case, it looks like I can only use the v1 API because the v2 API only allows the web service to receive tokens from an application that has the same application ID (also described in the page linked above).
Microsoft Graph and Azure AD developers could you please shed some light on this part for me? Microsoft isn't doing the best job when it comes to documenting these parts.
Because this web service does not directly provide a UI, so the login UI would be presented by a separate desktop (WPF) client, and I believe when this is done on the client side, I can forward the authenticated access token to my web service to create the web hooks? This sounds like the "Web API on-behalf-of flow" scenario Microsoft described here: https://learn.microsoft.com/en-au/azure/active-directory/develop/active-directory-v2-limitations.
Yes, the scenario is on-behalf-of flow and this flow is not supported for the v2.0 endpoint at present.
Because this web service needs to create web hooks to multiple Office 365 accounts from different organisations. I'm not sure if this counts as the a multi-tenant scenario. If this is the case, it looks like I can only use the v1 API because the v2 API only allows the web service to receive tokens from an application that has the same application ID (also described in the page linked above).
You can only use Azure AD V1 endpoint, because the V2.0 endpoint doesn't support on-behalf-of flow. And here are some steps for using V1 endpoint for your reference:
register 2 apps, one for the WPF(native app) and one for your web service(web app)
enable the multi-tenant for the app for web service
grant the relative Microsoft Graph permission to the web app
set the knownClientApplications for the web app using the clientId of the native app
grant the relative Microsoft Graph permission and web app to the native app
After that, when the users login-in in WPF first time in different tenant, the users can conesent the two apps at same time. And then the service principals of two apps will be register to users' tenant. After that the web service can use the on-behalf-of flow to get the access_token for Microsoft Graph based on the token from native app.
More detail about multi-tenant developing, please refer below:
How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern
And the code sample below also be helpful:
Calling a downstream web API from a web API using Azure AD
We have a Web API intended to serve multiple business partners, each of which will be customizing a white label version of our native app client.
We also have a Web API offering common functions to different apps.
We would like to use AD B2C as the identity and auth system, but cannot see how or if it is possible to use AD B2C to secure a common API for multiple apps. Is this achievable?
It depends on how you want to your partners usig the account login-in. If you expected that the partners login-in using the consumer account or local account in the Azure AD B2C you own, the answer is yes.
The Azure AD B2C supports the Access Tokens from March 23, 2017(refer here). And it supports many types of clients, including web apps, desktop and mobile apps, single page apps, server-side daemons, and other web APIs.
It is same to develop an web API server for one native app or multiples apps, you only need to register the multiple apps in your B2C tenant. More detail about acquring the access token for the Azure AD B2C, you can refer the link below:
Azure Active Directory B2C: OAuth 2.0 authorization code flow
I need to implement authentication for azure web api using azure active directory.
client app(which consumes webapi) may or may not be in azure. how i need to authenticate user, where i should generate token if my app is not in azure(if it is IOS app). authentication should work in all cases even if client app is in azure or not.
Please let me now the best procedure to implement authentication.
You need to define the client app in Azure AD as a native app in the case of a mobile app. Then you define the API there, and add your client permissions to access it. You can optionally customize the available permissions through the API app's manifest in Azure AD. Then when your mobile app opens, you would have to authenticate with Azure AD, and then request an access token for the API. That you can then use to authenticate requests.
I can't answer this question in too great detail because it is quite a large topic and how it is done also depends on your platform. There is a sample app that you can check which does exactly what you want. The whole list of examples for native apps can be found here.
App Service to use different authentication providers Azure Active Directory,Facebook,Google,Microsoft,Twitter.
We can set any type of Authentication/Authorization in the Azure Portal.More info about how to use authentication for API Apps in Azure App Service, please refer to document.
By default, App Service provides authentication but does not restrict authorized access to your site content and APIs. You must authorize users in your app code.
I'd like to connect multiple UWP apps and have a single Mobile App in Azure that uses Authentication / Authorization using a Microsoft Account. It looks like you can only associate the Mobile App to a single app registered in the Microsoft Account Developer Center / Application Registration Portal.
Is there any way around this to "funnel" multiple UWP apps to authenticate through a single registered app in the Microsoft Account Developer Center and single Mobile App in Azure?
Use a custom authentication scenario. Basically, you submit the token you receive from the MSA identity provider to a custom API. The custom API will validate that the token is valid and comes from a recognized app, then it mints a new token for accessing the mobile app and returns it to the client.
I have a need to move an older style Azure Mobile Service to a new Azure Subscription. In the new subscription, you are no longer allowed to create an older style Mobile Service and are required to create one of the newer Azure Mobile Apps. I have already moved the database (fixed changes with the column names, etc.), and have the easy tables and easy API migrated and working based on a NodeJS back-end. The only thing that is left is to add authentication to the mobile app to secure the back-end. The way the app was originally developed is that the mobile client SDK passed a secret key along with the endpoint URL in the MobileServiceClient constructor and a custom username/password form passed the user entered credentials to a mobile API method that would validate the user contained in the database. The updated client SDK now only accepts the endpoint URL.
Everything that I see online for the new Mobile Apps wants to authenticate with AAD, Facebook, Twitter, Microsoft Account, or Google. We do not want to change our authentication. How can I easily add the same type of authentication to the new Mobile App without having to use Facebook, Google, Twitter, etc?
The easiest method is to implement some sort of custom authentication, just like you did in your Azure Mobile Service. The same principals apply - you submit the username / password to the backend. The backend generates a JWT and then the client submits that information for the rest of the session.
I covered Custom Auth in node early on in my blog series: https://shellmonger.com/2016/04/08/30-days-of-zumo-v2-azure-mobile-apps-day-5-custom-authentication/ - that one uses Auth0 to handle the actual user database, but the same principals apply.