Azure AD B2C Rest API Call - azure-ad-b2c

We need help with Azure AD B2C. We are trying to use both Basic AuthN and ClientCertificate AuthN to make a POST API call but there is no mention of it in the Microsoft docs. Is it possible to use both AuthenticationType together in one technical profile for making an API call?

You cannot use more than one authentication type.

Related

Azure AD B2C Api Connector for Sign In for external authentication

We have an on-prem SQL Server database which is connected to a legacy application. The on-prem database contains the usernames and passwords for the users. We are in the process of migrating the existing solution to the cloud, using Azure AD B2C for authentication.
As the existing system is very big, there is a phased transition we need to do, which means keeping both systems running, allowing the users to log in to the existing app as well as through Azure AD B2C in the cloud app.
I stumbled across API connectors for Azure AD B2C. I want to know if it's possible to implement an API connector for the sign-in flow, in a way that it does the authentication against the external database store (legacy database) instead of Azure AD B2C.
From whatever I researched on Google, it seems that the API connector is called after authentication only. Also, all the samples were related to the sign-up flow. Can someone please guide me to a sample to achieve login through an external database using an API connector?
B2C supports integrating external identity providers. You can find a full list of them here:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-local?pivots=b2c-custom-policy
However, you are seeking to use a custom (generic) identity provider (IDP). This scenario is supported if the custom IDP supports either the OpenID Connect (OIDC) or SAML protocol. Please check the list at the URL above to review these options.
Regarding using the API connector, you can invoke the API connector before the authentication occurs in B2C using a validation technical profile in a custom policy. However, that does not achieve the actual authentication based on OIDC. Instead, it would be considered a validation step.
An overview of when you can use API Connectors is here.
You might be able to achieve a type of workaround using a custom policy to invoke your API connector to authenticate before authenticating in B2C and returning a success flag.
However, I think a better idea is to implement password synchronization. This seems like a perfect fit for you based on what you described. Users would be able to log into both your local system and Azure B2C simultaneously until you decommission your legacy authentication mechanism.
Your main requirement is that you have to use a Microsoft Graph API SDK to update the B2C account password via your application backend. The bottom line is that you just need to keep the passwords the same in both systems. This is very easy to achieve with the Graph API, especially if you are developing in C# / .NET.
You also have to figure out how the B2C accounts get provisioned in the first place. This can happen in several different ways depending on your business requirements: Graph API, user sign up flow, import operation, etc.
API connectors only work for sign-up.
There's an example here but you will have to use custom policies.
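The custom-policy pieces the two answers above refer to (a REST technical profile with a single AuthenticationType, and that profile wired in as a validation step of a sign-in page) as an added example, not taken from the original posts or from a Microsoft sample. The Ids, the ServiceUrl, the key container name and the claim mapping are placeholders to adapt to your own policy:

```xml
<!-- Fragment placed inside a ClaimsProvider's TechnicalProfiles element of a B2C custom policy. -->
<TechnicalProfiles>
  <!-- REST call to the legacy user store. AuthenticationType accepts exactly one value:
       None, Basic, Bearer, ClientCertificate or ApiKeyHeader. Here: ClientCertificate. -->
  <TechnicalProfile Id="REST-ValidateLegacyCredentials">
    <DisplayName>Validate credentials against legacy user store</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
      <Item Key="ServiceUrl">https://legacy-auth.example.com/api/validate</Item>  <!-- placeholder -->
      <Item Key="SendClaimsIn">Body</Item>
      <Item Key="AuthenticationType">ClientCertificate</Item>
      <Item Key="AllowInsecureAuthInProduction">false</Item>
    </Metadata>
    <CryptographicKeys>
      <!-- For Basic you would instead reference the keys BasicAuthenticationUsername and
           BasicAuthenticationPassword; the two authentication types cannot be combined. -->
      <Key Id="ClientCertificate" StorageReferenceId="B2C_1A_LegacyApiClientCert" />  <!-- placeholder -->
    </CryptographicKeys>
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" />
      <InputClaim ClaimTypeReferenceId="password" />
    </InputClaims>
    <OutputClaims>
      <!-- Whatever the legacy API returns on success; a failure must be an HTTP 4xx/409 error response -->
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="userId" />
    </OutputClaims>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
  </TechnicalProfile>

  <!-- Sign-in page: the REST profile runs as a validation technical profile, i.e. before the
       user is treated as authenticated, which is the "workaround" the answer above describes. -->
  <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Legacy">
    <DisplayName>Local Account Signin</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
      <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
    </Metadata>
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="signInName" />
    </InputClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
      <OutputClaim ClaimTypeReferenceId="password" Required="true" />
      <OutputClaim ClaimTypeReferenceId="objectId" />
    </OutputClaims>
    <ValidationTechnicalProfiles>
      <ValidationTechnicalProfile ReferenceId="REST-ValidateLegacyCredentials" />
    </ValidationTechnicalProfiles>
  </TechnicalProfile>
</TechnicalProfiles>
```

The legacy API receives the submitted password in the request body, so the endpoint must be reachable only over TLS and the client certificate (or Basic credentials) must be stored as a B2C policy key, never inline in the policy file.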

Azure DevOps API Authentication

I would like to use the Azure DevOps API to create a PAT for my user. But I'm unable to authenticate yet. In this document from Microsoft, they state that authentication is possible with a PAT, but it is not true. I'm getting an HTTP 203 with a Sign In page in response.
PS: I'm using Postman to test the API requests.
I think the security section of this REST API is misleading.
In fact, this REST API cannot be authenticated with PAT, as mentioned in another document:
To use the API, you must authenticate with an Azure AD token.
Unlike other Azure DevOps Services APIs, users must provide an Azure AD access token to use this API instead of a PAT token. Azure AD tokens are a safer authentication mechanism than using PATs. Given this API’s ability to create and revoke PATs, we want to ensure that such powerful functionality is given to allowed users only.
This document also explains how to use this REST API in detail, which you can refer to.
Yes it does work, you're just not setting it up right.
Look at the Basic Authentication section of this document. You need to Base64-encode the username and password like this: username:PAT. Separate the two with the colon.

Authorisation via Azure APIM

We have implemented authentication via OAuth 2 in Developer Portal of API Management and AAD within an internal network.
How should I go about implementing authorisation? I cannot find any doc from MS doc site :(.
https://tointegrationandbeyond.com/blogs/index.php/2020/06/13/authorization-with-azure-api-management/
https://www.cloudfronts.com/securing-an-api-using-oauth-2-0-in-azure-api-management-part-3-oauth-2-0-server-setup/
API Management is a proxy to the backend APIs; it's good practice to implement a security mechanism that provides an extra layer of security to avoid unauthorized access to the APIs.
To use OAuth 2.0 authorization with Azure AD:
We need to have
• An API Management instance
• An API being published that uses the API Management instance
• An Azure AD tenant
And then we need to
• Register an application (backend-app) in Azure AD to represent the API.
• Register another application (client-app) in Azure AD to represent a client application that needs to call the API.
• In Azure AD, grant permissions to allow the client-app to call the backend-app.
• Configure the Developer Console to call the API using OAuth 2.0 user authorization.
• Add the validate-jwt policy to validate the OAuth token for every incoming request.
Please check this reference doc for more clarification: Protect APIs using OAuth 2.0 in APIM
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad

Azure AD SSO: Mobile app with OAuth and SAML

Current State: I have a mobile application that signs users into Azure AD via OAuth using the PKCE flow. Once authenticated, the app uses a token to get various forms of data from some APIs.
As the application has evolved, the need to integrate SSO with another web application has come up (and there will be further service providers added as we move forward). It will act as a service provider and it supports IDP initiated authentication via SAML.
Question: once this service provider is configured under the AD tenant, is there a way to exchange or translate our OAuth token for something that can be passed on to the SAML SP without having to re-authenticate? Am I even thinking about this in the right way? I'm mainly curious if we will need to re-implement authentication in the mobile app to support SAML (i.e. stand up some sort of web-based SAML service that can act as a proxy for the mobile application)? If that route is a necessity to accomplish our requirements, I'm assuming there's a way to still get a valid OAuth or equivalent token we can use to send to our APIs.
Apologies if this is a repeat question, but I couldn't find anything with similar specifics. Thanks in advance!
You can surely use the OAuth 2.0 OBO flow, which allows an OAuth2-based application to access web service API endpoints that consume SAML tokens. You can read more here, and it has some really good guidance on how to achieve the same:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#saml-assertions-obtained-with-an-oauth20-obo-flow
Make sure that your SAML request is well formulated per the details mentioned here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol

Is it possible to have different authentication provider for my Azure App service?

The Authentication/Authorization settings for my API app only provide AAD, FB, Google and Twitter. I want to use a different authorization provider (a different chat app such as Kakaotalk/LINE) and even though their API also gives me a token, I don't know how I can make my backend authorize those tokens.
I wonder if it's possible to have custom authorization based on a different OAuth token provided by a different service? If not, can you suggest what steps I should take to do authorization for my API app service?
Thanks
Yes, it is possible to use custom identity providers if you're using .NET for your API app. Some useful references:
https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-dotnet-backend-how-to-use-server-sdk#custom-auth
https://adrianhall.github.io/develop-mobile-apps-with-csharp-and-azure/chapter2/custom/