What's the preferred way to authenticate to an Angular app which is using Azure AD authorization code flow with PKCE?
I intend to run the E2E tests in AzureDo.
I've found ROPC but the page urges against using it and mentions that "more secure alternatives are available and recommended" but doesn't link to any documentation about these alternatives.
I've found a page describing a bunch of Azure AD authorization flows, but it's confusing to someone not well familiar with the subject matter.
Related
All the Microsoft guides, tutorials and samples that I find on B2C and Authorization Code Flow use Implicit Grant Flow or refer to another guide that uses Implicit Flow.
Here is an example of their outdated Implicit Flow guide for B2C:
Register a web application in Azure Active Directory B2C
This guide is linked to (or an almost identical guide is used) in all the Auth Code Flow guides I have found.
Do any of you know if Microsoft has a guide, that honors the subject of the guide "auth code flow b2c" and actually shows how to setup Auth Code Flow in Azure B2C?
Maybe I am overlooking something obvious?
It does, the page you've linked to there is the basic tutorial, what you actually need is the Authorization code flow page which also includes some info about PKCE for SPAs and links off to sample apps showing the use of MSAL.
There's also a page about creating an app registration for SPAs that highlights the difference between using code flow with PKCE and implicit, recommends code, and walks you through the same kinds of steps as in your linked page but targeted at SPAs.
As mentioned in that second link, if you want to enable the implicit flow for your app registration then under Implicit grant, select both the Access tokens and ID tokens check boxes. Because you don't want to enable implicit flow then don't check those two boxes and your app registration will only support code flow. If you do check those boxes then it will support both implicit and code flow.
Current State: I have a mobile application that signs users into Azure AD via OAuth using the PKCE flow. Once authenticated, the app uses a token to get various forms of data from some APIs.
As the application has evolved, the need to integrate SSO with another web application has come up (and there will be further service providers added as we move forward). It will act as a service provider and it supports IDP initiated authentication via SAML.
Question: once this service provider is configured under the AD tenant, is there a way to exchange or translate our OAuth token for something that can be passed on to the the SAML SP without having to re-authenticate? Am I even thinking about this in the right way? I'm mainly curious if we will need to re-implement authentication in the mobile app to support SAML (i.e. stand up some sort of web-based SAML service that can act as a proxy for the mobile application)? If that route is a necessity to accomplish our requirements, I'm assuming there's a way to still get a valid OAuth or equivalent token we can use to send to our APIs.
Apologies if this is a repeat question, but I couldn't find anything with similar specifics. Thanks in advance!
You can surely use the OAuth 2.0 OBO flow that allows an OAuth2-based application to access web service API endpoints that consume SAML tokens. You can read more here and it has some really good guidance on how to achieve the same:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#saml-assertions-obtained-with-an-oauth20-obo-flow
Make sure that you SAML request is well formulated per the details mentioned here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol
So I recently started exploring Azure Identity Platform for this user authorization use case I'm trying to implement. After a bit of research I came across using Graph API and creating ROPC flows to handle SingUp and Login via REST API from my application. My requirement is also to allow users to use login credentials from another app (I'm not sure yet if it implements a SAML based Identity Provider method) to use services in my application. This is a typical SSO requirement, but I'm not sure if it is possible to implement alongside username-password based authentication using Azure AD B2C.
I would appreciate any leads. Thank you.
Edit: To be more precise, I am working with Java-Spring. The demo application mentioned in Azure AD documentation (Woodgrove groceries) is exactly what I'm trying to achieve. A quick google search for the same provides me with github repos with sample code that uses .Net I believe. Are there any Java sample codes that demonstrate the same?
ROPC does not support SSO if that's what you want to achieve.
After scouring the internet, I've found a variety of answers to this question, but nothing is clear. With an Azure AD app, it looks like Yammer Delegate permissions are included so I would imagine that I could use then ADAL token from the app, to interact with Yammer APIs but have been running into issues. Has anyone else got this working? Is there any way to silently authenticate with yammer in SharePoint online?
The Yammer Delegate permissions are a preview feature. Long-term we plan to integrate fully with the O365 developer experience, but aren't quite there yet. Today, Yammer supports a number of scenarios that don't align with O365. Once the product better aligns it's going to be possible to provide much deeper integration (not just limited to developer APIs.) One limitation of the delegate permission is that it won't work with networks that are using Yammer Identity. Another is that some endpoints might not accept the tokens.
The supported authentication flows for Yammer are documented on the developer site and these support users with all authentication types for Yammer. With these APIs you'll end up juggling an additional Yammer-only token. It is possible to use impersonation to silently authenticate users without them being prompted to authorize the Yammer app. There is a blog post providing an overview of how this can be used in combination with the Yammer JS SDK, but the tokens could be used from other clients.
I wrote a little server in node.js and deployed it to Azure WebApp. I want to add service-to-service authentication using Azure AD OAuth (like this flow). I alredy did this in another WebApi sevice using Katana.
So, I found the official library for this, and it work great. The only problem is that the library use the ursa module, which is a native module. And, like explained here it is not easy to deploy a WebApp with native modules.
So, my question is - what is the best approach? How I could accomplish authentication using Azure AD OAuth?
Thanks,
Omer
Take a look at the Authentication / Authorization feature of Azure Web Apps. It allows you to do OAuth 2.0 service-to-service auth flows using Azure AD, no code changes necessary (also, it works with any stack, not just node.js).
More high-level info here: http://azure.microsoft.com/blog/2014/11/13/azure-websites-authentication-authorization/
The post is a bit dated and doesn't mention the recently added support for APIs, but if your client can acquire an OAuth token from Azure AD, you can send it to your node.js server as a bearer token in the Authorization header of your HTTP request and have the authorization just work.
Two things to be aware of if you go down this route:
Authentication / Authorization currently blocks ALL unauthenticated access to your node.js API. You won't be able to say that some APIs are protected and some are not.
The JWT token that you send to your node.js API must use the client_id GUID value as the value for the "aud" claim. Using the app URI (as shown in some Azure AD samples) will not work.
Give it a try and see if it works for you.