I'm writing an app which will allow me to get specific data from outlook/exchange using the EWS on behalf of a slack/outlook/exchange user. to authenticate via Microsoft’s oauth flow I created a azure a client_id and would like to initiate the oauth flow for m265 from the apps Home Screen. In order to create the client I’d I also need to provide a redirect url within azure ad.
Where can I find documentation on how to best use external oauth flows? (This is not about installing/authorizing the app within slack).
I’d like to add a "connect to outlook" button on my apps home page after installing from which to start the flow.
Shall I call the Microsoft login (oauth) url directly or should I first link to my apps web server?
When calling the microsoft login I need to provide a redirect url (which needs to match the one in azure ad) to which the authorization codes gets returned.
For some apps (e.g. outlook calendar for slack) this seems be a slack url.
servicenow seems to use something like…
https://slack.com/interop-apps/servicenow/snow_oauth_redirect
Is there a way to define such an url for my app within slack?
How will the authorization code be handed over to my app (I assume to the Request url I defined for my app…?
Thank you for time and consideration..
• I am considering here that you are providing authentication for your application through Azure AD, thus, to configure redirect URIs after authorization code or token is received post successful authentication, please refer the below documentation on redirect URIs. It specifies in detail the configuration restrictions that should be followed while configuring a redirect URL in Azure AD: -
https://learn.microsoft.com/en-us/azure/active-directory/develop/reply-url
Similarly, to configure a redirect URL for an application in Slack, please check the callback URL settings configured because it is required while redirect URL is an optional thing. Also, Slack will redirect the users to the callback URL itself configured in app settings if redirect URL is absent. And if provided, the redirect URL's host and port must exactly match the callback URL. The redirect URL's path must reference a subdirectory of the callback URL. Please follow the below link for more information: -
https://api.slack.com/legacy/oauth
In the above URL, go to ‘Using access tokens’ and ‘Redirect URLs’ section for exact information.
• And as far as calling the Microsoft login (OAuth)URL directly or linking it to your app’s web server, I would suggest you provision your Azure AD users in Slack by following the below documentation link or configure SSO with Slack by adding it in Enterprise Applications in Azure AD from application gallery and then configure the API permissions required for accessing the data from Exchange through EWS. In this way, proper configuration and redirection can be achieved for the users which are allowed to access the specific data from Exchange.
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/slack-tutorial
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/slack-provisioning-tutorial
Related
I have a mobile app, in which am i need to read a list from SharePoint online. But I cannot able to login to the Sharepoint api using Azure AD.
I have tried many approaches like passing client ids, all the responses are like redirecting to the domain, but I don't have any domain since mines are mobile app.
So kindly help me to login to the Azure AD without redirectUrl
GET https://login.microsoftonline.com/{tenant}/adminconsent
?client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=https://localhost/myapp/permissions
In the above method after successfull login am redirecting to the mentioned redirect url but i dont have any domain, since i'm developing mobile apps.
I'm using ionic with angular app.
Kindly help is there any way to get a access token.
You don't need your own domain.
Redirect URI is unique to your application and it will return to this URI when authentication is complete.
For native app(mobile app), when authentication is successful, the code or token will be included in the redirect url.
You don't need to worry about it because if you are using MSAL or ADAL, you may select from the suggested Redirect URIs in Azure AD app Authentication page.
I registered one existing .NET application in Azure AD enterprise application for SSO. When i access this application using external URL, it prompts me for Microsoft Sign-in. Is there a way to avoid Microsoft Sign-in page? In few online article, i found to pass "domain_hint" in sign-in URL. Let me know if there is as way to setup domain hint in sign-in URL while registering enterprise app.
You can enable true single sign-on through the process highlighted in this Microsoft document (published one week ago). You can use a domain-joined device so that the users can sign on silently and do not need to enter a username and password. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso
Please see the quick start guide as well. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start
The way you make use of Domain_Hint will depend on a few details about your application -
What protocol you use to talk to your Azure AD?
Depending on the protocol, you'll need to pass the domain hint in the sign in URL for your application as shown below:
WS-Federation: whr=contoso.com in the query string.
SAML: Either a SAML authentication request that contains a domain
hint or a query string whr=contoso.com.
Open ID Connect: A query string domain_hint=contoso.com.
Whether your application is single-tenant or multi-tenant?
If it's single tenant, then it's simple - pass the domain hint for domain of one tenant that uses this application.
If it's multi tenant, then it needs to be conditional and you need to know the tenant before hand so you can pass the hint correctly to sign-in URL. For example, if the URL hit by each tenant is different, then that could help you.. Look at this part in the Microsoft documentation..
For example, the application "largeapp.com" might enable their
customers to access the application at a custom URL
"contoso.largeapp.com." The app might also include a domain hint to
contoso.com in the authentication request.
Here are the 2 best Microsoft documentation Links on this topic that I came across:
Domain Hints
Using Azure AD to land users on their custom login page from within your app
I am using Azure 'B2C', and users are creating successfully in B2C. And I am using dynamic web apps. ie, there is number of web apps are present.
sssss01.example.com
sss2.example.com
wwwss2.example.com........
When a user want to login using B2C, it's successfully login, but it reply url is not correct. I checked in azure, B2C app not supporting wildcard(*). So Is there any option to add wildcard, or any other method to manage pragmatically ?
Sign in reply url is different for different web apps.
Wildcard redirect URLs are not supported in OAuth2. See: why are redirect URLs fully qualified.
Unfortunately, we can't manage B2C programmatically.
You can upvote this item on User Voice and subscribe to stay updated: https://feedback.azure.com/forums/169401-azure-active-directory
Others have suggested this same feature but the User Voice forum appears to be down right now.
I am registering a Native application in the Microsoft application registration portal with the goal of giving it delegate permission to my separately registered Azure Web API. As I understand, this is the normal setup for desktop or mobile application, because an authorization UI cannot be directly shown to the user.
Since my application is an Amazon Alexa skill, I must use the mandated Alexa redirect links. Within the Microsoft application registration portal these links need to be placed in the custom redirect URIs section of my native application platform (See image below). It would like me to use a URI like "msalaaaaa-bbbb-ccc-dddd-111111111111://auth", which I guess works for Azure mobile and desktop native applications.
Why does the portal not permit a http URI? When will this feature be implemented or do I have a miss-understanding?
Thanks,
Microsoft do not support transmitting tokens over unsecured channel. Currently, apps that are registered in the Application Registration Portal are restricted to a limited set of redirect URI values. The redirect URI for web apps and services must begin with the scheme https, and all redirect URI values must share a single DNS domain. For example, you cannot register a web app that has one of these redirect URIs:
https://login-east.contoso.com
https://login-west.contoso.com
In our project we are using B2C where the front-end is hosted on a webapp and gets the token and the backend is hosted on an API app and validates the token.
When developing we deploy the front-end and backend as needed, often with multiple copies for multiple developers.
The problem is that the B2C app registration requires to add the reply URL manually. Our development domains are generally under https://XXX###.azurewebsites.net. where XXX is a common prefix and ### is some number.
Is there a way to either define the reply URL programmatically (i.e. add it and remove it as we deploy/remove the instance) or to support wildcard reply URLs?
If the above is not possible is there a way to programmatically register a new application with a copy of all configurations of an existing one except the reply URL?
Wildcard redirect URLs are not supported in OAuth2. See this post: why are redirect URLs fully qualified.
And, unfortunately, we can't manage B2C programmatically.
UserVoice item: Programmatically manage B2C policies