So the use case for this is I'd like all users to be able to read files from a storage blob. I wasn't able to find a way to use existing MSAL tokens that the user has without forcing them to hit a login page as they're already authenticated by this point in the application.
Here's a sample I found from Microsoft
Turns out InteractiveBrowserCredential is silent if the user is already logged in, it uses the currently active token or appears to as of the current version of msal-react.
Related
I have a question regarding an application that uses Azure Authentication using MSAL.
When using MSAL in an application (via typescript/ javascript) a popup/ prompt appears for the user the enter their username and password (similar to the screenshot below).
After providing the details, a number of properties are set in local storage. The significance of this is that when the user next logs into the application, they do no need to provide their username and password again, thus the prompt does not appear. This is a "acquiring the token silently".
One of the things I'm looking for is whether to acquire the token silently (i.e. to login via Azure) without the popup appearing, on the first launch of the application. Is there any way of achieving this via using MSAL?
thanks.
To disable pop-up login, you can use ROPC flow. That is, by sending an Http request, access_token and id_token are obtained.
Http Request:
Http Response:
Microsoft officially does not recommend this method, but some specific scenarios will need to disable pop-up login, so it is currently officially supported.
Related Posts:
1. Is there a way to improve the performance of MSAL-browser js login?
2. Could I sign into embedded PowerApp via Microsoft LiveID Account “quietly”?
Basic scenario: Azure AD is used as just an authentication provider a web app, the identity retrieved from azure is matched by email to a local identity and a forms auth cookie is issued for api authorization against the app's webapi.
Problem: If a user has multiple azure accounts, they may be pre-authenticated when they come to my app. In this case, when the redirect back to my app occurs there may be no matching user and login cannot complete.
Desired Solution: If the cached azure account is invalid for my app, I would like to direct the user back to the microsoft login page with a chance to manually type in their credentials
How do I achieve this, and is there something wrong with this flow? It seems currently the only way for the user to get into my app is to go to azure and log out of the bad account. What other methods could achieve a better user experience? Should I use the auth token from azure and log the user out programatically and then back to azure for another go around? Can I hint for azure to prompt the user even if they are logged in already?
I discovered that I really wanted the prompt=select_account flag on the redirect to azure, but the library I was using made it difficult to determine how to set this. I am using the ms-adal-angular6 library, which is a wrapper for azure-activedirectory-library-for-js.
After digging through the code I found a config property that was not documented called extraQueryParameter which when I set to "prompt=select_account" got the behavior close enough to what is needed.
Ultimately the user must select their account every time, instead of just when the account is wrong. I could most likely get tricky with the error response and redirect back a second time with prompt=select_account to get the behavior I was looking for, although the library doesn't make it easy to change this on the fly either so I may stick with it always on.
I would like to use Active Directory with a REST API Express backend: users would fill out a username and login form on the client side, and get authenticated with their Active Directory credentials, through the backend. Then, based on their user groups, they would see certain information. I have tried the node package passport-windowsauth, but I am not able to authenticate, possibly because I don't know what the bindDN or bindCredentials are. I have also tried node-sspi, and had better luck with this, but the issue with this is that it's only server-side, and as far as I can tell, I can't create a form that would then allow the user to authenticate from the client side. I am hosting this site on IIS, and using iisnode for the backend. How can I can achieve this Active Directory authentication with Node/Express server-side and a client-side login form, or in other words, not a .NET application?
Active Directory (AD) authentication is accomplished by binding to the Active Directory with credentials (not the credentials from the User form) supplied by your AD engineers. After binding, AD is searched for matching credentials (from the User form).
Basically you need to talk to your AD engineers about what you should use.
Then you need a /login/ route the user form sends to, the route accomplishes the login (AD bind, authentication) and returns to the client.
A simpler workaround can be to bind to AD with the credentials entered into the login form - a successful bind means the user is logged in. I would, again, talk to your AD engineers about how they prefer this to be done. I've run into problems in the past where it's taken a long time to authenticate users after binding so we used this as a workaround.
You might ask if your AD already has single-sign-on options - maybe they use Shiboleth or something similar.
You should try that package : https://www.npmjs.com/package/ad I'm not sure it will meet your requirements, but it's a very easy t work with Active Directory in a node/express back end.
I have written a script for refreshing access token in nodejs. But I am facing an issue, If I change my google password then also I can generate new access token using refresh token. Is there any way I can get some kind of flag saying this user has changed the password. In NODEJS.
I just need flow, no need of code. I can code myself.
Thanks,
Ajinkya
No.
The whole point of Open authentication is that you the user are granting an application access to your data. This is independent of your login and password.
The only way for an application to loose access is if the user revokes said access. Changing the password will not effect access.
No, there is no way of asking Google when the user last changed their password.
How to revoke a refresh token:
https://accounts.google.com/o/oauth2/revoke?token={token}
Apps Connected to your account
I'm in the process of building a Google Chrome extension, and have some questions about how to implement security into the application.
I need to access a couple of Google API's so am going to be using OAuth 2.0 for that. So basically from the extension I know which user is logged into the browser.
My extension then needs to get and post data to my (nodejs) API service. I want to ensure that the user requesting data is the same user that is logged into the browser. Is there any way of using the previous Google authentication process to also authenticate communications between the extension and my API? I dont really want the user to have to log in again, to access my API.
I'm sure I'm missing something simple, and I've not been able to find anything that fits this scenario
Follow the OpenID Connect auth flow and you will get an access_token and an id_token. The acess_token you will use to use to make authenticated requests to Google APIs as usual. The id_token will be used as authentication with requests to your server.
When the requests hit your server you will need to validate the token and you can then use the contents of the id_token to identify the user.
User wouldn't have to login on auth process provided if user is already logged in and you are using a web application flow (not chrome.identity APIs) but user would see the consent screen atleast the first time. However you can skip the account selector screen if you already know the email address by providing &login_hint= parameter.