Custom openid connect provider adb2c - azure

I have created a custom identity provider in AD B2C for my OpenID Connect server, but I am getting an error while running it through a user flow -
Steps I did:
1. Created a new OpenID Connect provider.
2. Created a new user flow for the OpenID Connect provider:
I am not sure how to debug this through AD B2C, as that's quite a generic error, or whether I am missing any steps.

This issue may occur if your client ID is incorrect in the Web.config file for the app.
Try opening the Web.config file for the app.
In the Web.config file, try to find the app key ida:ClientId.
The client ID provided in the portal for your app should be used as the value of the app key.
The file's modified section looks like:
<appSettings>
  <add key="ida:ClientId" value="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" />
</appSettings>
Credits to MsDoc

Related

Azure B2C login issue

When I run signupsignin user flow in Azure B2C portal to test Open ID Connect (external Azure Tenant login), received below error.
Sorry, but we're having trouble signing you in.
We track these errors automatically, but if the problem persists feel free to contact us. In the meantime, please try again.
Correlation ID: 6744ccb7-eb8d-47f6-bb0a-bcd2f84f5771
Timestamp: 2021-08-04 04:10:53Z
ConnectionTimeOut: An exception has occurred.
This article describes a similar error that occurs when you try to sign in to an app that's set up for Azure AD B2C
Cause: The client ID may be missing or incorrect in the Web.config file for the app.
Resolution
To fix this issue, follow these steps:
Open the Web.config file for the app.
In the Web.config file, find the app key ida:ClientId.
Replace the value of the app key with the client ID that is provided for your app in the Azure AD B2C admin portal.
The changed part of the file resembles the following:
<appSettings>
  <add key="ida:ClientId" value="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" />
</appSettings>
References:
troubleshooting-with-application-insights
azure-ad-b2c-importing-in-users
Could be the case:
Make sure you are using the API Key and API Key Secret.
Not the ClientId and Client Secret
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-twitter?pivots=b2c-user-flow

Having issues with Azure B2C

I am using Azure Active Directory B2C in an application (Xamarin.Forms). When I try to call the Azure login page (which is a sign-in policy), I am prompted with the following error:
"We track these errors automatically, but if the problem persists feel free to contact us. In the meantime, please try again.
Correlation ID: xxxxxxx-xxxxxx-xxxxxx-xxxxxxx
Timestamp: 2021-01-28 17:08:40Z
AADB2C90011: The client id 'xxxxxxx-xxxxxx-xxxxxx-xxxxxxx' provided in the request does not match client id 'xxxxxxx-xxxxxx-xxxxxx-xxxxxxx' registered in policy"
I don't know what is going on; the application ID seems correct.
How do I fix it?
The client ID may be missing or incorrect in the Web.config file for the app.
You could try following these steps:
Open the Web.config file for the app.
In the Web.config file, find the app key ida:ClientId.
Replace the value of the app key with the client ID that is provided for your app in the Azure AD B2C admin portal.
The changed part of the file resembles the following:
<appSettings>
  <add key="ida:ClientId" value="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" />
</appSettings>

Can not connect to Azure SQL Server using Active directory integrated authentication in AppService

We have a web application deployed on Azure App Service. Our database is also on Azure and is configured to use AAD authentication (we have assigned an AAD admin).
We are using the connection string below in the web app to connect to this server and database.
Data Source=xxxxxxx.database.windows.net;Initial Catalog=xxxxxxx;Persist Security Info=False;Authentication=Active Directory Integrated
Please note: this connection string works fine when used from a local system, but we get the error below when we use it in Azure App Service:
Failed to authenticate the user NT Authority\Anonymous Logon in Active Directory (Authentication=ActiveDirectoryIntegrated). Error code 0x4BC; state 10 The format of the specified domain name is invalid
According to your description, I found you used the Active Directory integrated authentication.
To use integrated Windows authentication, your domain’s Active Directory must be federated with Azure Active Directory. Your client application (or a service) connecting to the database must be running on a domain-joined machine under a user’s domain credentials.
If you published the web app to Azure, Azure's web app server will not be in your domain’s Active Directory. So the SQL server will not pass the auth.
I suggest you try Active Directory password authentication instead of Active Directory integrated authentication.
Replace the connection string with the one below, using an Azure AD user name and password. It will work well.
Server=tcp:brandotest.database.windows.net,1433;Initial Catalog=bradnotestsql;Persist Security Info=False;User ID={your_username};Password={your_password};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Authentication="Active Directory Password";
Since the accepted answers are a bit dated, if you are out here in 2020 or later, the correct way for setting up integrated authentication is as follows:
(excerpted from here, the asp.net standard implementation)
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi
Add the Microsoft.Azure.Services.AppAuthentication NuGet package.
Modify your web.config by adding (in configSections):
<section name="SqlAuthenticationProviders" type="System.Data.SqlClient.SqlAuthenticationProviderConfigurationSection, System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
(and then)
<SqlAuthenticationProviders>
  <providers>
    <add name="Active Directory Interactive" type="Microsoft.Azure.Services.AppAuthentication.SqlAppAuthenticationProvider, Microsoft.Azure.Services.AppAuthentication" />
  </providers>
</SqlAuthenticationProviders>
It's important to pay attention to the name you use there. Then... your connection string will look like:
<add name="MyEntities" connectionString="metadata=res://*/Data.MyDB.csdl|res://*/Data.MyDB.ssdl|res://*/Data.MyDB.msl;provider=System.Data.SqlClient;provider connection string=&quot;server=tcp:MyDB.database.windows.net;database=MyDB;UID=AnyString;Authentication=Active Directory Interactive;&quot;" providerName="System.Data.EntityClient" />
The important notes are that the name you specify in the SqlAuthenticationProviders section must be the exact same name you use in the connection string for Authentication.
The other important note is that, coming from your old connection strings, you have to change Data Source to be Server, and Initial Catalog to be Database. UID=AnyString is necessary, or an exception is thrown.
Failure to follow these steps exactly will net you a lovely error:
System.Data.Entity.Core.EntityException: The underlying provider failed on Open. ---> System.AggregateException: One or more errors occurred. ---> System.AggregateException: One or more errors occurred. ---> AdalException: The format of the specified domain name is invalid.\r\n at ADALNativeWrapper.ADALGetAccessToken(String username, IntPtr password, String stsURL, String servicePrincipalName, ValueType correlationId, String clientId, Boolean* fWindowsIntegrated, Int64& fileTime)\r\n at System.Data.SqlClient.ActiveDirectoryNativeAuthenticationProvider.<>c__DisplayClass2_0.b__0()\r\n at System.Threading.Tasks.Task`1.InnerInvoke()\r\n at System.Threading.Tasks.Task.Execute()\r\n --- End of inner exception stack trace
At first the error doesn't make sense, but once you see that the parameters were renamed from Data Source to Server, it does make sense.
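The three conditions this answer lists (the provider name matching the Authentication value exactly, Server/Database instead of Data Source/Initial Catalog, and a UID being present) can be checked before deployment. The lint below is an added example, not code from the answer or from Microsoft; the sample config is constructed, the function names are hypothetical, and accepting `User ID` as an alias for `UID` is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the web.config fragments in the answer above.
SAMPLE = """<configuration>
  <SqlAuthenticationProviders><providers>
    <add name="Active Directory Interactive" type="Microsoft.Azure.Services.AppAuthentication.SqlAppAuthenticationProvider, Microsoft.Azure.Services.AppAuthentication" />
  </providers></SqlAuthenticationProviders>
  <connectionStrings>
    <add name="MyEntities" connectionString="metadata=res://*/Data.MyDB.csdl;provider=System.Data.SqlClient;provider connection string=&quot;server=tcp:MyDB.database.windows.net;database=MyDB;UID=AnyString;Authentication=Active Directory Interactive;&quot;" providerName="System.Data.EntityClient" />
  </connectionStrings>
</configuration>"""

def parse_keywords(conn):
    """Return the lower-cased keyword -> value map of the SQL connection string."""
    inner = re.search(r'provider connection string="([^"]*)"', conn, re.I)
    if inner:  # Entity Framework wrapper: lint the inner SqlClient string
        conn = inner.group(1)
    pairs = (p.split("=", 1) for p in conn.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint_web_config(xml_text):
    """Return a list of findings; an empty list means all three checks pass."""
    root = ET.fromstring(xml_text)
    providers = {a.get("name") for a in root.findall("./SqlAuthenticationProviders/providers/add")}
    findings = []
    for entry in root.findall("./connectionStrings/add"):
        kw = parse_keywords(entry.get("connectionString", ""))
        name, auth = entry.get("name"), kw.get("authentication")
        if auth is None:
            continue  # no Authentication keyword, nothing to check here
        if auth not in providers:  # exact match, as the answer requires
            findings.append(f"{name}: Authentication='{auth}' has no matching provider name")
        for old, new in (("data source", "server"), ("initial catalog", "database")):
            if old in kw:
                findings.append(f"{name}: uses '{old}', expected '{new}'")
        if not kw.keys() & {"uid", "user id"}:
            findings.append(f"{name}: UID is missing")
    return findings

if __name__ == "__main__":
    print(lint_web_config(SAMPLE) or "no findings")
```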
Maybe all you need to use is token (certificate) authentication as explained on below resource:
https://github.com/Microsoft/sql-server-samples/tree/master/samples/features/security/azure-active-directory-auth/token
Try to register your application with Azure Active Directory as explained on that resource.
Hope this helps.

Sharepoint API Headless Obtaining Access Tokens

I am coding an integration that has to call Sharepoint-online API's. My integration is not a webapp and has to work without a user present.
As I understand it I need two setup steps:
1. User has to log in to Azure and set up an application and obtain a client ID.
2. I have to call a service with client ID and username and password I will then obtain an Access Token, Refresh Token and ID Token
Once the two setup steps are complete I then can call the service using the access token, but sometimes this will expire and I need to use the refresh token to get a new one.
Step 2 seems odd to me. Why isn't there a user interface where a user can log in and obtain the Access Refresh and ID tokens? Has someone built a utility website that just does this, or have I mis-understood something?
Thanks
Robert
The recommended OAuth flow for service and daemon apps is the Client Credential Flow (in that flow, there are no refresh tokens involved; a client ID and a client secret are used to obtain an access token which eventually expires and then you need to get a new access token using the same client ID and secret). In the case of SharePoint Online, you have 2 options for this scenario:
SharePoint Online + Azure Access Control Service (ACS) integration. Details here. In short, you create a service principal (add in only policy) for instance at the site collection level - follow the "Creating the AppPrincipal" section in the blog I linked for this. Then you need to assign the specific permissions your app will need, in the application manifest. See a sample for that in the "Giving the App Principal Permissions" sections - again, you should first define what permissions your app needs. Then, you can use the service principal from a console application:
Program.cs
using System;
using System.Net;

class Program
{
    static void Main(string[] args)
    {
        Uri siteUri = new Uri("https://tenant.sharepoint.com/teams/test");
        // Get the realm for the URL.
        string realm = TokenHelper.GetRealmFromTargetUrl(siteUri);
        // Get the app-only access token for the URL.
        // Requires this app to be registered with the tenant.
        string accessToken = TokenHelper.GetAppOnlyAccessToken(
            TokenHelper.SharePointPrincipal,
            siteUri.Authority, realm).AccessToken;
        // Call the SharePoint REST API, passing the token as a bearer credential.
        HttpWebRequest endpointRequest =
            (HttpWebRequest)HttpWebRequest.Create(
                "https://tenant.sharepoint.com/teams/test/_api/web/lists/GetByTitle('Documents')/items");
        endpointRequest.Method = "GET";
        endpointRequest.Accept = "application/json;odata=verbose";
        endpointRequest.Headers.Add("Authorization", "Bearer " + accessToken);
        HttpWebResponse endpointResponse =
            (HttpWebResponse)endpointRequest.GetResponse();
    }
}
app.config
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />
  </startup>
  <appSettings>
    <add key="ClientId" value="65e674ca-3827-4134-852b-1196ff935e08"/>
    <add key="ClientSecret" value="xxxxxxx"/>
  </appSettings>
</configuration>
SharePoint Online + Azure Active Directory (AAD) integration. Details here. In that link you will find sample code. The difference from the first approach is that in this one you are not using ACS but AAD. The permission that the app needs is defined in AAD - as of today, as far as I know, the application permissions that you can define in AAD are not as granular as the ones you can define via ACS - i.e. with ACS you can define an app at the site collection level, with AAD you can't; the app will have tenant wide permissions (i.e. all site collections).
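The expiry behaviour this answer describes for the Client Credential Flow (no refresh token; the same client ID and secret are presented again once the access token runs out) looks like this as a small token cache. This is an added example, not code from the answer, and it generalises to the plain OAuth 2.0 client credentials grant (RFC 6749 section 4.4) rather than either SharePoint option; the class name, endpoint URL, IDs, scope and the in-memory `fake_post` transport are placeholders constructed for illustration.

```python
import time
from urllib.parse import urlencode

class ClientCredentialTokenSource:
    """Caches an app-only access token and re-requests it shortly before expiry."""

    def __init__(self, token_url, client_id, client_secret, scope, post,
                 clock=time.time, skew=60):
        self._url, self._post, self._clock, self._skew = token_url, post, clock, skew
        # No user and no refresh token: the client's own credentials are the grant.
        self._form = urlencode({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": scope,
        })
        self._token, self._expires_at = None, 0.0

    def get_token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            reply = self._post(self._url, self._form)  # dict parsed from the JSON reply
            if "access_token" not in reply:
                # Report the error code only; the form holds the secret, so never log it.
                raise RuntimeError("token request failed: " + str(reply.get("error", "unknown")))
            self._token = reply["access_token"]
            self._expires_at = now + int(reply.get("expires_in", 0))
        return self._token

def demo():
    """Runs the source against a constructed in-memory endpoint and a fake clock."""
    calls, now = [], [1000.0]
    def fake_post(url, form):  # stands in for an HTTPS POST to the token endpoint
        calls.append(form)
        return {"access_token": "token-%d" % len(calls), "token_type": "Bearer",
                "expires_in": 3600}
    src = ClientCredentialTokenSource(
        "https://login.example.invalid/token",  # placeholder endpoint
        "00000000-0000-0000-0000-000000000000", "placeholder-secret",
        "https://resource.example.invalid/.default", fake_post, clock=lambda: now[0])
    first = src.get_token()
    now[0] += 1800
    cached = src.get_token()   # still valid: served from the cache
    now[0] += 1800
    renewed = src.get_token()  # past expiry minus skew: requested again
    return first, cached, renewed, len(calls)

if __name__ == "__main__":
    print(demo())
```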

Getting users from Azure AD B2C: not supported for this API version

I have taken over part of a project from a colleague that uses Azure AD B2C.
At the moment we use the list of users in the old Azure portal to get the authentication tokens of users, which we can then tie in with the user entries in our own database. I.e. we copy-and-paste from the columns here:
It would be far more sensible to do this programmatically.
The article Azure AD B2C Preview: Use the Graph API includes sample code to download. To get it running I needed these things:
<appSettings>
<add key="b2c:Tenant" value="[Enter tenant name, e.g. contoso.onmicrosoft.com]" />
<add key="b2c:ClientId" value="[Enter the client ID (a.k.a AppPrincipalId) as obtained from the Azure AD Powershell, e.g. 82692da5-a86f-44c9-9d53-2f88d52b478b]" />
<add key="b2c:ClientSecret" value="[Enter the client secret that you generated, e.g. ONHJGaI232VenJIboyg8hmTlyNXh0Ef0brRRRNWBRfc=]" />
</appSettings>
I can get the Tenant and the Application ID from the new Azure Portal:
and my colleague has passed me the client secret from when he made the directory.
Following the article I now compile the app and run
B2C Get-User
But instead of the expected list of users from our Azure AD B2C directory I get the error message
AADSTS70001: Application my-app-id is not supported for this API version.
Trace ID: a-guid
Correlation ID: another-guid
Timestamp: 2016-07-15 10:27:15Z
How do I programmatically get the users in my Azure AD B2C directory?
Run the PowerShell commands from here to register a new service principal:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/
This new service principal has its own appId, and its own client secret.
You mixed some of these (the AppId you chose is from a B2C application, not a B2C/AD service principal).
