I have created a Microsoft Teams bot built using a Golang port of the Bot Framework. It is a multi tenant bot which lives in my infrastructure.
It is easy to add the bot as a "Teams Application" by selecting it from the marketplace (for free), however, to function correctly it needs additional Microsoft Graph permissions. Specifically read the title of a MS Teams Channel / Group Chat.
This seems to be a challenge for users as almost no one - even those 'in IT' seem able to correctly add the permissions required, even with documentation.
I've been helping them personally but it's not a commercial product so not viable in the long term.
I would like to find an OAuth2 flow which would allow a privileged user to authenticate with their Azure tentant and grant the necessary privileges for my application to do it's thing. Or, alternatively create the client registration in advance of installing the bot.
Every OAuth2 flow requires me to have (or know) my client_id before making the request. Given it's in the users Tenant, I don't have access to it; the users can authenticate against their Azure AD tenant though, so they must receive a bearer token which would allow them access to create or update permissions on an Azure Application.
There is chance to use the OAuth 2.0 client credentials. This grant is specified in RFC 6749. This grant is to access the web hosted resources. This resource will directly identify the application based on the identity of the application. In server-to-server communication we can use OAuth 2.0. This can be referred as "Service accounts" or "Daemons".
Microsoft identity platform and the OAuth 2.0 client credentials flow
Related
We would like to use Azure client credentials flow to do authentication for our service accounts. The thing is our service accounts are just regular users in Azure AD. They are not registered apps. The way our company sets up Azure makes it very heavy to register apps, so we would like to avoid it. So the question is, can we use client credentials flow for regular users in Azure? We need this as in our CI/CD we cannot popup a browser and let users do device-based authentication. We need the user to be able to authenticate in an automated way.
You can't use client credentials flow where an Azure AD user is involved in the authentication flow.
Micrsofot Documentation - client credentials flow
This type of grant is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user.
But you can use one of the following supported authentication flow where a user is involved;
Micrsofot Documentation - authorization code flow
Micrsofot Documentation - implicit grant flow
Micrsofot Documentation - device authorization grant flow
Device authorization grant flow might work in your case?
I want to set up an OAuth2.0 flow for users that have access to GCP.
The user will login to a web app.
Then, the OAuth2.0 flow will need to ask for the consent that will allow the app to perform things on their behalf, based on their permissions.
Therefore, the scopes that need to be requested should be those that cover their actual permissions on GCP.
Is something like that possible when it comes to OAuth2.0 and GCP?
Had you seen? https://developers.google.com/identity/protocols/oauth2
Looks like that might address your question.
Separately from that link --> Yes that is something that could be done. You login via OAuth, and once authenticated that service can use GCP Service Accounts https://cloud.google.com/iam/docs/service-accounts to work with GCP Services.
A user can be granted permission to impersonate a service account.
A service account can be granted permission to impersonate a user account via Domain Wide Delegation (Google Workspace).
A user cannot impersonate another user. There is no mechanism to grant the required permissions.
In a GCP project you can access Google APIs using these types of credentials:
API keys
OAuth 2.0 client IDs
service accounts
So, to answer you question, using OAuth 2.0 in GCP is certainly possible.
However, without knowing what data your application needs to access, it's hard to tell if it's more appropriate to use a service account or an OAuth 2.0 client. In a GCP project, if you go to APIs and services > Credentials > CREATE CREDENTIALS > Help me choose, a wizard will guide you through the process of creating the most appropriate credential for each authentication scenario:
Lastly, when you say this:
for users that have access to GCP
Do you mean that these users have a Google account that can access the Google APIs used in your project? If that's the case, and your project doesn't need to access user's data, then a service account might be a better choice than an OAuth 2.0 consent screen. I think you could let a service account impersonate a user via Domain Wide Delegation, but please keep in mind that Google itself discourages this feature.
See also Create access credentials.
We have a scenario where in mobile app(Xamarin Forms IOS APP) logs into the Azure ADB2C and generate a JWT token if the user is a valid user(user is configured in Azure AD B2C). We have a requirement where in, we need to generate a token based on the role i.e. based on the role with which user logs in, we want to generate a token and that token we are trying to use it in subsequent Web API calls.
Articles which we found out on this particular scenario was having web application as a client where in some mechanism of secrets were explained. In the mobile app client scenario, its not possible to have a secrets.
Followed the below mentioned article, but couldn't get any concrete information also
https://codemilltech.com/adding-authentication-and-authorization-with-azure-ad-b2c/
Any pointers on this particular scenario would be very much helpful to us.
Thanks!
There is no out-of-the-box support for RBAC / Roles in Azure AD B2C. However there are a lot of samples in the official GitHub repository. For example the "Implementing Relying Party Role Based Access Control" by this method you can add the groups to JTW token and also prevent users from sign-in if they aren't members of one of predefined security groups.
I want to develop a SaaS application on Azure and deploy to the Azure marketplace. This app will be able to obtain information about the user's network. (for instance VNET information). Ideally I would like to have a single-page application that would authenticate with the user who subscribed to the app, and then make calls on a backend API tier, which would make calls to Azure management API endpoints.
The Azure docs layout a number of scenarios of how apps could interface with AD. how-to guides
I believe what im trying to do most closely matches the "Build a web app that calls web APIs" flow, which is an example of OBO. My question is, is that really describing what im doing? Is "calls web APIs" really an example of invoking APIs on the microsoft azure platform?
So my understanding is that I would develop my own API app, that would accept requests from my client browser code, which would contain an oauth token, and then the API layer would derive another token to pass onto the Azure API layer?
Im trying to keep the architecture as simple as possible, but im afraid I may be misinterpreting the Azure docs.
OBO (On-Behalf-Of) allows you to exchange an access token that your API received for an access token to another API.
The important bit is that the access token must have been acquired in the context of the user and must contain user information.
The new access token will then also contain this user's info.
So it allows your back-end API to call Azure Management APIs on behalf of the current user.
This means your API can't do anything the current user can't do.
It is limited to the user's own access rights.
The other option for authentication is to use client credentials authentication,
where your back-end API uses only a client id + certificate/secret to authenticate.
In this case the token will not contain user information.
To enable this approach, the target organization's users would have to assign RBAC access rights to your app's service principal, so it can act by itself.
You could also build a flow in your app where you setup these RBAC accesses on behalf of the current user.
Personally, I would prefer to use delegated access (OBO) whenever possible, as it will block the user from doing things they cannot do.
Though on the other hand, service principal-based access allows the organization to control your app's access better.
I'm working with a client to define a security strategy and have got stuck trying to get something working. I'm new to Azure AD so this may actually not be possible.
Consider the following application landscape.
I have 4 "API" applications:
API-A, requires interactive user and role based permissions
API-B, access via service demon, client_credential grant
API-C, must not be authenticated against directly
API-D, access via service demon, client_credential grant
A user / demon authenticated against API-A or API-B should be able to access API-C as well. However the demon authenticated against API-D must not be able to access API-C.
I was expecting to be able to use the "Expose an API" and "API Permissions" of the App Registrations to be able to control to "roles" returned in the JWT, I cannot seem to get it to work or find any decent guide on how this can be achieved.
EDIT: For clarity the API applications are not hosted within Azure, I am just looking to use Azure AD to provide authentication
It may be helpful for you to distinguish between client apps and API apps (or resource servers in OAuth2 lingo). Each of them has to be registered separately. Your list above seems to merge them together, which is a likely source of confusion for you.
The former (client apps) acquire tokens, the latter receive them from the clients with the service request. Authentication is only only involved when client apps acquire tokens. APIs do not authenticate - they use tokens to authorize access to their services. Clients acquire tokens either on behalf of a user - and the user authenticates and consents as part of the process, or on their own behalf (client creds). In AAD an API app may expose/define scopes/permissions which may be included in one or both of these token types. An API may decide not to require any tokens (sounds like your API-C). You Expose (available) Permissions on API apps, you specify (required) API Permissions on client apps. At runtime (if using the AAD V2 endpoint) a client may request fewer scopes than it is is configured with as Required. That applies only if the client is using delegated tokens (user based). (Note that an API app may also be a client app to another API app (common in multi-tier systems).
BTW, where the clients or APIs are deployed is totally immaterial to the above. At most deployment affects the value of the reply url you need to specify for some client apps (not APIs).