OneLogin access token missing "sub" claim on client_credentials - onelogin

Testing the OneLogin access token through the OAuth2 "client_credentials" workflow. The steps I followed are:
Added the authorization server
Linked the authorization server to the OIDC app
Even tried to add the claim mapping below to the authorization server:
{
  "name": "sub",
  "user_attribute_mappings": "azp"
}
Still, the "sub" claim is not showing up; the only claims I see are below. I want "azp" and "sub" to have the same value.
{
  "jti": "c7a3hjsYatSDxuGV7W68H",
  "iss": "https://xxxxx-dev.onelogin.com/oidc/2",
  "iat": 1652231902,
  "exp": 1652232802,
  "aud": [
    "https://example.com/todo",
    "https://example.com/other_service"
  ],
  "azp": "6xxxxx-axxx-0xxx-6xx-0xxxxxxxx12"
}
Any idea why? In Okta and Keycloak I always get the "sub" claim in the access token from the "client_credentials" workflow.

Related

Azure AD B2C Github identity provider does not provide any claims

I want to use the AAD B2C GitHub identity provider to authorize users in my app. To create a user I need at least to get an email from it, but I get nothing. I set up everything according to the docs and I can see in the AAD B2C Users list that Name is set up correctly for a new user, but User Principal Name, where the email should be, is null.
Here is the JWT answer:
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk"
}.{
  "exp": 1611879546,
  "nbf": 1611875946,
  "ver": "1.0",
  "iss": "https://apichat.b2clogin.com/4d39cd56-4c18-4bc7-aaa8-36bf91191c8c/v2.0/",
  "sub": "dfe38752-113e-4431-b1bd-23dd53119369",
  "aud": "341eea81-859c-485c-baea-2cc9f75f6512",
  "nonce": "defaultNonce",
  "iat": 1611875946,
  "auth_time": 1611875946,
  "idp_access_token": "c5c79a8f49c44575cf127fc3c64aaa5710a0a465",
  "idp": "github.com",
  "tfp": "B2C_1_susi_debug"
}.[Signature]
What am I missing?
Added
After some studying, I have a suspicion that the GitHub provider here either does not have the required scopes or mappings. I don't see any way to add it so far. Potentially that might be solved by a generic OpenID Connect provider, but GitHub does not support well-known/openid-connect-discovery and I have no option to manually set endpoints in AAD B2C.
So far I don't see any way to connect GitHub to my AAD B2C and get that darn email - why the biggest cloud platform does not fully support the biggest dev repository when they have the same owner is beyond my understanding.
OK, the solution I found looks like this:
Set Display Name and Identity Provider Access Token in Application Claims of your User Flow
On GitHub auth you will get name (aka username) and idp_access_token (aka token)
That allows us to call the GitHub user API: curl -u username:token https://api.github.com/user
By default the user API returns the public user profile, which might not have an email set
curl -u username:token https://api.github.com/user/emails will return all emails associated with the user
We need the primary one:
{
  "email": "***@gmail.com",
  "primary": true,
  "verified": true,
  "visibility": "public"
}

Azure AD B2C Graph API 401 Unauthorized

I am trying to do an Azure AD Graph API REST API call to get the currently logged in user information. However, the HTTP GET call to https://graph.windows.net/me?api-version=1.6 always fails with the response 401 Unauthorized. I have registered an App in Azure AD and have the below API Permissions configured:
The call to authorize endpoint is shown below:
HTTP GET https://{my tenant}.b2clogin.com/{my tenant}.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_signinsignup&client_id={my app id}&nonce=defaultNonce&redirect_uri=https://localhost:44351/Login/LoginResponse&scope=https://graph.windows.net/Directory.AccessAsUser.All https://graph.windows.net/User.Read&response_type=code&prompt=login
The call to token endpoint is as shown below:
HTTP POST to URL: https://{my tenant}.b2clogin.com/{my tenant}.onmicrosoft.com/B2C_1_signinsignup/oauth2/v2.0/token
Content type: application/x-www-form-urlencoded
Body:
grant_type=authorization_code&client_id={my app id}&scope=https://graph.windows.net/Directory.AccessAsUser.All https://graph.windows.net/User.Read&code={the code received from authorize endpoint}&redirect_uri=https://localhost:44351/Login/LoginResponse&client_secret={secret from the portal}
The HTTP POST to the token endpoint is successful. I get the JWT token, and I am able to successfully retrieve the access token from the JWT. However, when I try to use this access token to retrieve the user details, the below code fails every time with a 401 response. The error message is:
{"odata.error":{"code":"Authentication_ExpiredToken","message":{"lang":"en","value":"Your access token has expired. Please renew it before submitting the request."}}}
// Azure AD Graph call made with the access token returned by the B2C token endpoint
string strURL = @"https://graph.windows.net/me?api-version=1.6";
HttpWebRequest httpWebRequest = (HttpWebRequest)HttpWebRequest.Create(strURL);
// access_token comes from the decoded token endpoint response
httpWebRequest.Headers.Add("Authorization", $"Bearer {jWTToken.access_token}");
using (HttpWebResponse httpWebResponse = (HttpWebResponse)httpWebRequest.GetResponse())
{
    using (StreamReader streamReader = new StreamReader(httpWebResponse.GetResponseStream()))
    {
        string str = streamReader.ReadToEnd();
    }
}
The JWT token used in the above code is the one I receive from the Token endpoint. Why is it failing? The access token I received is decoded by jwt.ms as follows:
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk"
}.{
  "iss": "https://{my tenant}.b2clogin.com/fc292353-4def-47bd-af44-b92e40798a60/v2.0/",
  "exp": 1576642155,
  "nbf": 1576638555,
  "aud": "00000002-0000-0000-c000-000000000000",
  "oid": "05c93456-2f02-4601-afb0-d4599b7e6826",
  "sub": "05c93456-2f02-4601-afb0-d4599b7e6826",
  "tfp": "B2C_1_signinsignup",
  "nonce": "defaultNonce",
  "scp": "Directory.AccessAsUser.All User.Read",
  "azp": "{my app ID}",
  "ver": "1.0",
  "iat": 1576638555
}.[Signature]
B2C does not support delegated access to Graph API.
You have to add Application permissions to the app registration,
and use client credential authentication to get tokens.
See docs: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet?tabs=applications#assign-api-access-permissions
Under APPLICATION PERMISSIONS, select Read and write directory data.
Acquire the tokens from the underlying Azure AD's token endpoint, not your B2C policy endpoint.
You won't be able to use /me of course since the token won't contain user info.
But you can use /users/id instead.
The reason for the 401 is probably the issuer in your token.
Graph API expects the normal AAD issuer, and that is not it.

Microsoft Graph and Azure AD user authentication

I have an application registered in Azure AD.
When I do ADAL with the following details I get an authorization token to use with the Microsoft Graph API.
username = 'admin@domain.com'
password = 'password123'
client_id = application id from azure ad
client_secret = keys from application on azure ad
tenant = directory id from azure ad
Using this token I can fetch the list of all sites in my SharePoint account.
Below is the endpoint I call to fetch the sites with the bearer token:
https://graph.microsoft.com/v1.0/sites?search=*
But when I just do the client authentication using a token generated using the endpoint below, I am not able to access the sites list.
login.microsoftonline.com/tenant_id/oauth2/v2.0/token
grant_type : client_credentials
client_id : client_id
client_secret : client_secret
scope : https://graph.microsoft.com
It does not return all of the sites.
Is there a way of getting the full sites list with just client authentication?
Or can I get a token for user authentication without the user's password?
Here is the decoded token that I am using:
{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/586145ec-0428-4da6-8061-fb114257ab70/",
  "iat": 1528949458,
  "nbf": 1528949458,
  "exp": 1528953358,
  "aio": "Y2dgYLh*************xAAA=",
  "app_displayname": "App Name",
  "appid": "504ddb16-2899-48be-be57-**********",
  "appidacr": "1",
  "idp": "https://sts.windows.net/586145ec-0428-4da6-8061-fb114257ab70/",
  "oid": "afcf166f-24c2-49f1-b285-b672d0413c50",
  "roles": [
    "Sites.Read.All",
    "Sites.ReadWrite.All",
    "Sites.Manage.All",
    "Sites.FullControl.All"
  ],
  "sub": "afcf166f-24c2-49f1-b285-b672d0413c50",
  "tid": "586145ec-0428-4da6-8061-fb114257ab70",
  "uti": "hwYd8FZCH0KruWGRFiIHAA",
  "ver": "1.0"
}
I get other permissions too, but these are the site-related ones in the Microsoft Graph API.
Cause:
The successful one is using the ROPC flow, and it can get delegated permissions on behalf of the user. But the failed one is using the client_credentials flow, which gets application permissions and cannot act on behalf of the user.
Updated Answer
Solution: (Before you do this test, ensure you have an SPO license in your tenant)
Try to add the Sites.Read.All application permission in your registered AAD application and do admin consent for it before getting the token.
If you're using the AAD v1 endpoint, you can do admin consent by clicking the Grant permissions button. If you're using the v2 endpoint, please enter this kind of URL in your browser to do the admin grant:
https://login.microsoftonline.com/{yourtenant}/adminconsent?client_id={the applicationid of your client}&state=123&redirect_uri={the redirect uri of your app}
and sign in with a Global admin account and accept this permission.
In my test lab, I used the v2 endpoint. Here is the token I got via Postman:
Here is the decoded token in https://jwt.ms; we can decode the token to ensure it has the permissions we want.
Then I use this token in the header to call the Microsoft Graph API and succeed:
For more details about site permissions for Microsoft Graph, please refer to this documentation.
Please let me know if this helps!

What is "aio" in Azure JWT token? [duplicate]

I have an Azure AD application and have generated two client secrets. I can get a JWT access token using each secret (via client_credentials grant) but can I also see from the JWT token via which client secret it was requested?
If I inspect the JWT tokens I get back, some payload fields are always the same (aud, iss, etc) and some are always different (iat, nbf, aio, etc) but there is no info as far as I can tell that identifies the client secret that was used.
Here's an example payload:
{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/e402c5fb-58e9-48c3-b567-741c4cef0b96/",
  "iat": 1516886787,
  "nbf": 1516886787,
  "exp": 1516890687,
  "aio": "Y2NgYEjJqF0stqv73u41a6ZmxPEvBgA=",
  "app_displayname": "TravelAgencies",
  "appid": "ee8cf944-bf6f-42cf-ae30-6060412416a1",
  "appidacr": "2",
  "e_exp": 262800,
  "idp": "https://sts.windows.net/e402c5fb-58e9-48c3-b567-741c4cef0b96/",
  "oid": "bc430bc6-d9fb-4fa0-87e5-8b8803fcb222",
  "sub": "bc430bc6-d9fb-4fa0-87e5-8b8803fcb222",
  "tid": "e402c5fb-58e9-48c3-b567-741c4cef0b96",
  "uti": "1TgusyfGtECjErT0Kv4PAA",
  "ver": "1.0"
}
On a related note: what are the aio, e_exp and uti fields for? I can't find any information on them.
You can't see through which client secret the token has been issued. What is the reason for asking through which secret it was?
Regarding the provided claims - you can check here and here what the different claims mean. For example, iat and nbf are just dates - when the token was issued and when its validity begins.
For some of the claims, like aio there is no documentation. But there is no claim to show you which secret was used.
From https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens
aio An internal claim used by Azure AD to record data for token reuse. Should be ignored.

How do you validate Outlook REST API tokens?

This is a duplicate of how to validate token using outlook rest api, but that received no answers so I'm asking again.
I have managed to authorise a user and receive an access token. I will use the sandbox as an example.
I have decoded the access token and got the following:
Header
{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "MnC_VZcATfM5pOYiJHMba9goEKY",
  "kid": "MnC_VZcATfM5pOYiJHMba9goEKY"
}
Payload
{
  "aud": "https://outlook.office.com",
  "iss": "https://sts.windows.net/c512ffd1-581d-4dc0-a672-faee32f6387c/",
  "iat": 1458918504,
  "nbf": 1458918504,
  "exp": 1458922404,
  "acr": "1",
  "amr": [
    "pwd"
  ],
  "appid": "32613fc5-e7ac-4894-ac94-fbc39c9f3e4a",
  "appidacr": "1",
  "family_name": "Dehenne",
  "given_name": "Denis",
  "ipaddr": "137.117.9.62",
  "name": "Denis Dehenne",
  "oid": "28328486-e820-4c98-a1cf-e8b35456313a",
  "puid": "10033FFF89319A48",
  "scp": "Calendars.Read Contacts.Read Mail.Read",
  "sub": "XfYUvqiIreYX9wF-909Yf7Hodiwg6ClTwWOc75WmX7o",
  "tid": "c512ffd1-581d-4dc0-a672-faee32f6387c",
  "unique_name": "DenisD@oauthplay.onmicrosoft.com",
  "upn": "DenisD@oauthplay.onmicrosoft.com",
  "ver": "1.0"
}
Signature
gtpjf40FxEN8cTX22Mk-Da1n_sKtIUGAmzyYkuhkCskR5y1j4uuenf4ejJxeRwtqIIRWN5w1zOfvFZ2XqXreeSpSCZU-CJCoHIicchChUbyq4iIEcWZr29LbnpDkCyqB8LzoA3rEHUxhZYwHnWIHmkrD4XbMN4CW31bdNQwP0YgXvIucLe_tv80Eu4jDiZsqfCh91DFIb7bv6mbPXiTYMtV6OEdXeHLh--vFvZRRm--atSkKrZHFPT1no2B0YAC8w0kEYWPHyM-TbGni6WjIc7ZGSuDNmkHJfIKndcoFzlVJubV2ntKJhWrXfee490oj3GJi-lkNkFLfa9_VDIYu0w
The "Inside the Exchange identity token" article mentions something about metadata and self-signed X.509 certificates, but those tokens include fields that don't exist in the ones I am getting.
The header states that the token is signed with RSA. I want to validate the token and for that I need the public key of the signing certificate. Where would I get the certificate? Do I even need to validate the token?
The token is issued by Microsoft Azure, not by Outlook or the Outlook REST API. I added the azure tag for you. According to the subtopic Validating Tokens:
At this point in time, the only token validation your apps should need to perform is validating id_tokens. In order to validate an id_token, your app should validate both the id_token's signature and the claims in the id_token.
We provide libraries & code samples that show how to easily handle token validation - the below information is simply provided for those who wish to understand the underlying process. There are also several 3rd party open source libraries available for JWT validation - there is at least one option for almost every platform & language out there.
It goes on to give more specifics, like how to get the signing key data:
You can acquire the signing key data necessary to validate the signature by using the OpenID Connect metadata document located at:
https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
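The same resource-server checks recur across these posts: the issuer (a B2C issuer where Graph expects AAD's), the audience, the validity window, who the caller is when a client_credentials token carries no "sub" (OneLogin's "azp", Azure AD's "appid"), and delegated "scp" versus application "roles". The Python below is an added example, not code from any of the posts or vendors; it assumes the signature has already been verified by a JWT library using the keys from the issuer's OpenID Connect metadata document, and its sample token, issuer and client id are constructed.

```python
import base64
import json

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def split_jwt(token):
    # Header and payload only; this does NOT verify the signature.
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def validate_claims(header, claims, expected_iss, expected_aud, now, skew=60):
    # Run only after the signature has been verified with the issuer's keys.
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if claims.get("iss") != expected_iss:  # e.g. a B2C issuer where AAD's is expected
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not (claims.get("nbf", 0) - skew <= now <= claims["exp"] + skew):
        raise ValueError("token outside its validity window")
    # client_credentials tokens may lack "sub"; identify the caller by the
    # authorized party instead ("azp" at OneLogin, "appid" at Azure AD).
    subject = claims.get("sub") or claims.get("azp") or claims.get("appid")
    if not subject:
        raise ValueError("no sub/azp/appid claim identifies the caller")
    if "scp" in claims:      # delegated: acting for a signed-in user
        grant, perms = "delegated", claims["scp"].split()
    elif "roles" in claims:  # application: admin-consented app permissions
        grant, perms = "application", list(claims["roles"])
    else:
        grant, perms = "none", []
    return {"subject": subject, "grant": grant, "permissions": perms}

# Constructed sample shaped like the OneLogin token above; placeholder signature, not a real one.
SAMPLE_ISS = "https://example-dev.onelogin.com/oidc/2"
SAMPLE_TOKEN = ".".join([
    b64url_encode({"typ": "JWT", "alg": "RS256"}),
    b64url_encode({"iss": SAMPLE_ISS, "iat": 1652231902, "exp": 1652232802,
                   "aud": ["https://example.com/todo"], "azp": "constructed-client-id"}),
    "placeholder-signature"])

def check_sample(now=1652232000):
    header, claims = split_jwt(SAMPLE_TOKEN)
    return validate_claims(header, claims, SAMPLE_ISS, "https://example.com/todo", now)
```

Calling check_sample() yields the caller identity from "azp" with no permissions claim, while a token presented after its window or with another tenant's issuer is rejected with ValueError.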