To pass givenname and surname from IdP to SP, where does it have to be specified in the metadata? - onelogin

We need to pass first name and last name from the IdP to the Service Provider. Does this have to be specified in the IdP metadata or in the SP metadata, and how? I cannot find OneLogin Java properties for this.

They are included as attributes in the SAML Assertion, which is part of the SAML Response. They don't have to be included in the metadata (but some scenarios may need that).
When you create your custom app in OneLogin (either via the UI or the API), you can specify which fields are included in the SAML assertion.
The identity provider sends the Response to the ACS URL. Behind this URL is the service provider's backend service, which validates the response (IdP, SP, ACS URL, StatusCode, session NotOnOrAfter, etc., depending on the needs), processes/forwards the needed values and redirects the user to the RelayState location.
Note: There are also other ways to implement the SAML authentication flow, and it is possible that the SAML response includes only an authentication assertion with a NameID, with attributes queried afterwards. This may also require adding attribute-related fields to the metadata.

We got the names in the SAML attributes in the assertion sent by the IdP. So no need for the Attribute Consume Service URL etc.

Related

Azure Active Directory add custom data to Oauth2 token

I'm using the auth endpoint https://login.microsoftonline.com/tenant-id/oauth2/v2.0/token programmatically (Node.js) for getting back a token that will be used against my API. I have everything properly configured to send the request using a "Client secret" I set up in the Azure Portal - App registration service.
This issues a valid token that I can later check with the help of the Passport Azure AD npm library. However, I've been looking for a way of somehow adding more metadata to that token (i.e. a custom user name) so that when it gets validated and parsed by my server upon future requests I can extract this information.
When issuing tokens using a frontend application library (like MSAL) I have access to some of the user's information in the token (like its oid and email address). I'd like to be able to "extend" the token generated by the client secret to also contain a couple of custom fields, which I can use after validating and parsing it.
Hopefully that's clear enough. I'm lost on how to achieve this. Thanks
It is a common requirement for APIs to authorize based on claims stored in the business data, e.g. roles or other custom data.
OPTION 1
Ideally the authorization server can reach out at the time of token issuance to an API or database to include the custom claims. This is not always supported though.
OPTION 2
Another option is for the API to process the incoming access token into a ClaimsPrincipal and to include custom values at that point. For an example see this code of mine.
PRIVACY
When adding more claims, you should also be careful about revealing sensitive data in JWTs returned to internet clients. E.g. if you include names and emails, they are easily readable, and this can sometimes be a security concern.

Passing multiple id_token_hint to the custom policy

With reference to the following page:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/id-token-hint
Is there a way to send multiple JWT tokens to a custom policy so that they all can be validated in the policy?
The reason I ask is that, as per the above page, the JWT token must be sent as the 'id_token_hint' query param, which is reserved. Can this be extended to read a second JWT, say 'id_token_hint2', from the query string and validate it in the GetClaims profile?
Use case:
I want to send the current signed-in users' ID token in id_token_hint param.
I want to also send a custom JWT in another param say id_token_hint2 param and validate it similar to #1 (but against my metadata endpoint).
Regards,
Dipesh
Not possible. This follows the OIDC specification for id token hint.
I don’t see why 1&2 can’t be a single JWT. 1 will also be against your metadata endpoint, as is 2.

Azure AD B2C Access token claims do not update after refreshing token

We are using Azure AD B2C with our application.
We authorize the user using the API
https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize?client_id=<client-id-uuid>
&nonce=defaultNonce&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Findex.html
&scope=openid%20offline_access%20https%3A%2F%2F{tenant}.onmicrosoft.com%2F<client-id-uuid>%2FUser.all
&response_type=code&prompt=login
Using the above we fetch the authorization_code.
This auth code is then used to authenticate the user with the application and fetch the access_token, refresh_token and id_token using
POST /{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token HTTP/1.1
Host: {tenant}.b2clogin.com
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
grant_type=authorization_code&code={auth code received in previous step}
&scope=openid%20offline_access%20https%3A%2F%2F{tenant}.onmicrosoft.com%2F<client-id-uuid>%2FUser.all
&client_id={client id}&redirect_uri=localhost%253A4200%252Flogin.html%3A
After authentication the code is used for accessing various endpoints and Azure functions.
In the process we need user attributes like email, display_name, country, etc., information that the user had input while signing up.
Along with the default attributes we have some custom attributes like team_name, which is specific to our web application use case. These attributes change over time.
For example, a person may switch team; thus we modify that in the user attribute using Graph APIs.
So in that case the attribute team_name = 'Team ABC' now changes to team_name = 'Team XYZ'.
But after the attributes are changed, the new values are not reflected in the access_token / refresh_token or id_token. Is there a way we can get the refreshed values in the tokens without re-authorizing the user?
Currently we fetch the user attributes from the Graph APIs, but it is faster and more convenient if we get refreshed values in the token.
Custom policy doesn't have a publicly documented mechanism to get new access token claims in the refresh token flow. So what you have observed is expected.
As a somewhat workaround, we have found out that when refreshing the authentication via SSO cookie ("Web app session" in Azure B2C configuration portal), the claims are refreshed.
I think this basically amounts to "re-logging-in" but without a user-visible prompt.
We are using the msal-browser library to do SSO login automatically for us (it uses a hidden iframe for that), but I think you could also do the same by hand.
You need to call the /authorize endpoint with all the usual query parameters, and also:
prompt=none must be set
one of sid (with account-id) or login_hint (with the username) must be set
I haven't done it myself manually, so I might still be missing something, but I think these should be the major things.

Why is Redirect URL Fully Qualified in Azure AD B2C?

Why does the redirect URL have to match completely? Wouldn't matching at the domain level be sufficient for proper security?
What if I had hundreds of paths?
example urls:
https://myawesomesite.com
https://myawesomesite.com/account/profile
https://myawesomesite.com/games/fungame/points
https://www.myawesomesite.com/games/fungame/points
...
I would have to enter the 4 redirect URLs above into my B2C app configuration.
It is common (and easiest) for all authentication requests to contain two redirect URLs:
One (often known as the reply URL) that is passed in the "redirect_uri" parameter, which must be registered with Azure AD B2C, to which all authentication responses are returned from Azure AD B2C to the relying party application. An example of this is https://www.myawesomesite.com/oidc-signin.
Another (often known as the return URL) that is round-tripped in the "state" parameter, which doesn't have to be registered with Azure AD B2C, to which the end user is returned after the relying party application has handled the authentication response. An example of this is https://www.myawesomesite.com/games/fungame/points.
An authentication handler, such as the ASP.NET Core authentication middleware, manages these redirect URLs for you.
For instance, when the authentication handler creates the authentication request, it encodes the currently protected URL (e.g. https://www.myawesomesite.com/games/fungame/points) in the "state" request parameter.
To ensure this URL isn't tampered with, the "state" parameter should be protected, using encryption or signing.
When the authentication handler processes the authentication response, assuming it is a successful response, it creates an identity cookie and redirects the end user from https://www.myawesomesite.com/oidc-signin to the originally protected URL in the "state" response parameter.
This is actually discussed in RFC 6819 "OAuth 2.0 Threat Model and Security Considerations" sections 4.1.5, 4.2.4 and 5.2.3.5.
4.1.5. Threat: Open Redirectors on Client
An open redirector is an endpoint using a parameter to automatically redirect a user agent to the location specified by the parameter value without any validation. If the authorization server allows the client to register only part of the redirect URI, an attacker can use an open redirector operated by the client to construct a redirect URI that will pass the authorization server validation but will send the authorization "code" or access token to an endpoint under the control of the attacker.
Impact: An attacker could gain access to authorization "codes" or access tokens.
Countermeasures:
o Require clients to register full redirect URI (Section 5.2.3.5).
Section 5.2.3.5 talks about the cases where this may be too restrictive and proposes alternative solutions.
Oftentimes, the state parameter can also be used to redirect deterministically, as suggested by Chris. However, you have to ensure that such a solution also does not end up being an open redirector, so the state parameter will either need to be protected (e.g. encrypted/signed) or used in conjunction with cookies.
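An added example (my own code, not from either answer or from Azure AD B2C) of the pattern both answers describe: one exactly registered reply URL, with the per-request return URL carried in a signed "state" value and constrained to the app's own origin so the handler cannot become an open redirector. The registered URI, origin and signing key are assumed values.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Assumed values for this example; the real app registers exactly this
# redirect_uri with Azure AD B2C (full match, as the answers explain).
REGISTERED_REDIRECT_URI = "https://www.myawesomesite.com/oidc-signin"
APP_ORIGIN = "https://www.myawesomesite.com"
STATE_KEY = b"constructed-example-key-replace-with-a-real-secret"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_state(return_url: str, key: bytes = STATE_KEY) -> str:
    """Pack the post-login return URL plus a nonce into an HMAC-signed state value."""
    payload = json.dumps({"r": return_url, "n": secrets.token_hex(8)}).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def resolve_return_url(state: str, key: bytes = STATE_KEY) -> str:
    """Verify the state and return a safe return URL, or raise ValueError.
    Two checks keep the handler from becoming an open redirector: the HMAC
    (the state was not forged) and the same-origin rule (even a genuinely
    signed state may only send the user back to our own site)."""
    try:
        payload_b64, tag_b64 = state.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, TypeError):
        raise ValueError("malformed state")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("state signature mismatch")
    return_url = json.loads(payload)["r"]
    parsed = urlparse(return_url)
    if parsed.scheme != "https" or f"{parsed.scheme}://{parsed.netloc}" != APP_ORIGIN:
        raise ValueError("return URL is not on our origin")
    return return_url

def redirect_uri_is_registered(redirect_uri: str) -> bool:
    """The comparison the question asks about: the whole URI, not just the host."""
    return redirect_uri == REGISTERED_REDIRECT_URI
```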

Modify SAML attribute from IDP inside keycloak

I'm getting a SAML attribute (personal ID number) following a successful IdP login. In our Keycloak implementation I fetch this using an identity provider mapper with type 'Username Template Importer' and template {ATTRIBUTE.uid}.
This attribute is then used within Keycloak (via user federation defined endpoints) to call other services to verify the user. The problem I have is that this attribute is in the wrong format. Is it possible somehow in Keycloak, when fetching the attribute, to modify it? Or does this need to be done within the verification service's code?
To solve this type of issue I would think you need to implement your own authenticator, and use that as a "Post Login Flow" on the identity provider.
So first, you have a simple attribute mapper that maps the attribute, and then map this value programmatically to the correct format in the authenticator.
