Can't Authenticate Single Tenant Angular Application - azure

I'm creating an Angular application that should authenticate with an MS Azure AD single-tenant app, which should be used only in one organization. Below are the configs I have tried:
auth: {
clientId: 'MY_CLIENT_ID',
// authority: 'https://login.microsoftonline.com/MY_TENANT_ID',
//authority: 'https://login.microsoftonline.com/MY_ORGANIZATION_DOMAIN',
authority: 'https://login.microsoftonline.com/organizations',
redirectUri: 'http://localhost:6735'
},
All the above authority values I have tried. It goes to the Microsoft login page, but after giving correct credentials it redirects with some code in the URL and login doesn't happen.
http://localhost:6735/#code=0.ASgAmOTRM_cEXkaKjvmSz2YuZyqUYHleyNlFoNYtQ5kOUEUAAAA.AQABAAIAAAD--DLA3VO7QrddgJg7WevrHDMc_BSj9GrzkrZl2zT2QVp1Hml8h7qs1PSWM_umvMyKRk5U0C7IbDSpdEpL9SGjWzBFHBXBXh10eLEioVh1N8-hXeNyfLJFSqXShYPooCX8UnlUnIQqgFhULy_o1f7ybLLbMELBomOnJZQKZuJoxj6UJgtERnAE1TZ5-nx4YkPHSrlOD5aYSF6Pziu2Xfh8UOMArIUMAoXe_RUoqULKSIHFsxXypPpCNDo1ddWsxId96BbDdPhHix2IWCuz3SNtKC6i_22qiQSxHJnT3NlcoxyMS0-9f9tSMSEOmrzCU0y5mbuw7-OGYPO8Na3juGParCuPQhE7ZJyXcwFkKodEdGs-C1U-f5Bc_imtik4B8x6sRB2pa-DOAueRQHsLdUUBQn6w5xRmZ97KKXxuL0A59EHbNhNu59EFoVJB6zTTT3hBHLFg7qL9g2nkfZLAlfpp9IfqnsoZVl9xT0CIbl7NvsRFnjpsyp6Sw4oFvyEHiXuRvKLkl3Jz8O56PJody2hHEeqXuQvnWbZ9nk00MPOvArQ7bKyoCusCPQQp64uoPSLW9G389a3ihHLiiNlzJik2dHWjez2wBpSPwZCOingPRi3Mtkh5pIbxfijejQmWZlXB_wf_GaNPYPGNRXYygeo-2OZ9koWDKhQ5S6GP5ktjGPfDtlh6EJNCHAIuuHbK2IN2vjbxdO4_YVLX1NKq0Hh51B4-zNdsiFlZuVsy5RyA3ZQZGsnR1NIKV_wm5jMmdDsgAA&client_info=eyJ1aWQiOiJlYzczZDQ5OS1iYzFiLTRhZWUtYjMyZi0xYjlmOTMyODRiNjAiLCJ1dGlkIjoiMzNkMWU0OTgtMDRmNy00NjVlLThhOGUtZjk5MmNmNjYyZTY3In0&state=eyJpZCI6IjY3YWVjYjVkLWE5YjUtNDBhMy1iZDE5LWRmYmNmNjcxNTkwZiIsIm1ldGEiOnsiaW50ZXJhY3Rpb25UeXBlIjoicmVkaXJlY3QifX0=&session_state=9e6ae9e7-45ae-4fee-b4b2-921f628093ec

Please check if any of the below is your workaround:
If your application audience is a single tenant, you must provide an authority with your tenant ID, as you tried first:
const msalConfig = {
  auth: {
    clientId: 'your_client_id',
    authority: 'https://login.microsoftonline.com/{your_tenant_id}'
  }
};
By default, MSAL is configured to set the redirect URI to the current page that it is running on. If you would like to receive the authorization code on a different page than the one running MSAL, you can set this in the configuration. Any redirect URI used must be configured in the portal registration.
If it is a SPA, please check that you have selected the platform as SPA in the app registration in the portal, and check that the URI type in the manifest file is Spa. Make sure you do not have multiple platforms configured in Azure (e.g. both SPA and Web App for the same localhost URI).
Try giving the redirect URI with a '/' at the end, e.g. http://localhost:4200/ or http://localhost:6735/ or redirectUri: '/', make sure you configured the same URI in the application code, and try again.
Make sure your client ID and tenant ID are given correctly. Localhost is probably used while in development. If it still doesn't work, configure the https scheme in the redirect URI in both the app and the portal.
Reference:
AzureAD/microsoft-authentication-library-for-js (github.com)
Quickstart: | Microsoft Docs
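The two points of the answer above, as an added example (not code from the question, the answer or MSAL.js): choose an authority that matches the audience the app is registered with, and process the "#code=...&state=..." fragment that the authorization server appends to the redirect URI, accepting it only when the state matches the one this client generated for the request. MSAL.js performs the same state check internally before it will exchange the code. The function names and the sample redirect URL are this example's own; the tenant id and state values are constructed.

```javascript
// Added example, not from the question or answer. authorityFor(),
// parseRedirectFragment() and verifyRedirectResponse() are invented names.

const LOGIN_HOST = 'https://login.microsoftonline.com';
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// audience is how the app is registered in the portal:
//   'single-tenant' -> one directory only; the authority must name that tenant
//   'multi-tenant'  -> any work or school account        -> /organizations
//   'consumers'     -> personal Microsoft accounts only   -> /consumers
//   'any'           -> work/school plus personal accounts -> /common
function authorityFor(audience, tenant) {
  switch (audience) {
    case 'single-tenant':
      // tenant id GUID or a verified domain such as contoso.onmicrosoft.com
      if (!tenant || !(GUID_RE.test(tenant) || tenant.includes('.'))) {
        throw new Error('a single-tenant app needs its tenant id or domain in the authority');
      }
      return `${LOGIN_HOST}/${tenant}`;
    case 'multi-tenant': return `${LOGIN_HOST}/organizations`;
    case 'consumers':    return `${LOGIN_HOST}/consumers`;
    case 'any':          return `${LOGIN_HOST}/common`;
    default: throw new Error(`unknown audience: ${audience}`);
  }
}

// Split the URL fragment ("#code=...&state=...") into its parameters.
function parseRedirectFragment(url) {
  const hash = new URL(url).hash.replace(/^#/, '');
  return Object.fromEntries(new URLSearchParams(hash));
}

// Accept the response only if it carries the state this client generated for
// its own request; otherwise a code that arrived in the URL by some other route
// would be exchanged. Returns the authorization code, throws on anything else.
function verifyRedirectResponse(url, expectedState) {
  const params = parseRedirectFragment(url);
  if (params.error) {
    throw new Error(`authorization failed: ${params.error} ${params.error_description || ''}`.trim());
  }
  if (!expectedState || params.state !== expectedState) {
    throw new Error('state mismatch: response does not belong to a request this client made');
  }
  if (!params.code) throw new Error('response carries no authorization code');
  return params.code;
}

// Constructed sample with the same shape as the URL in the question; the code,
// state and session_state values are made up.
const SAMPLE_STATE = 'eyJpZCI6IjAwMDAiLCJtZXRhIjp7ImludGVyYWN0aW9uVHlwZSI6InJlZGlyZWN0In19';
const SAMPLE_REDIRECT =
  'http://localhost:6735/#code=0.EXAMPLE_CODE_NOT_REAL&client_info=e30' +
  `&state=${encodeURIComponent(SAMPLE_STATE)}` +
  '&session_state=00000000-0000-0000-0000-000000000000';
```

The authority for a single-tenant registration must name the tenant; /organizations, /consumers and /common each describe a different audience and only work when the registration allows that audience.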


Msal.js not authenticating with google - Redirect uri issue

So I recently used the quickstart method from Azure to make a JS app which authenticates using the MSAL.js library. I am able to authenticate using the normal users in AD, however when adding in google as an external identity provider, I get the Authorization error:
"Error 400: redirect_uri_mismatch
The redirect URI in the request, https://login.microsoftonline.com/te/{tenant-id}/oauth2/authresp, does not match the ones authorized for the OAuth client...."
I have checked the URI in my JS app and on Azure, and added it in the Google developer console, to no avail. I have followed the documentation as per: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-google
I have tried fiddling with everything and don't know what to do to fix it. Keep in mind that when I created the Azure account, it automatically made my tenant name "Default directory" and my primary domain "{FirstName}{EmailDomain}#onmicrosoft.com". I have since changed my tenant name to "NewTenant" (I will be changing all names for the purpose of this question, as I would like to not reveal any actual details where possible).
To conceal my details I'll be making "{FirstName}": "Bob", and "{EmailDomain}": "mydomain"
JS code:
const msalConfig = {
auth: {
clientId: '{ClientId}',
authority: 'https://login.microsoftonline.com/{TenantId}',
domain: 'bobmydomain.onmicrosoft.com',
instance: 'https://bobmydomain.b2clogin.com/tfp',
redirectUri: "http://localhost:3000/"
},
cache: {
cacheLocation: 'sessionStorage',
storeAuthStateInCookie: false
}
};
Azure: (screenshot of the Azure redirect URIs)
Google developer console: (screenshot of the Google redirect URIs)
Bear in mind I fiddled with the HTML so that I could get a nice screenshot. I have also configured the ClientID and ClientSecret for Google auth in the Azure external identity provider portal.
EDIT: http://localhost:3000/ was also added as a redirect URI to the Google dev console but also to no avail
Any help would be appreciated.

AAD B2C:Unable to Authenticate web api after changing Authority URL from login.microsoftonline.com to xyz.b2clogin.com

Unable to authenticate Web API (.NET Core) after changing the Authority URL from login.microsoftonline.com to xyz.b2clogin.com.
Authority Old URL: https://login.microsoftonline.com/tfp/xyz.onmicrosoft.com/SignInPolicy/v2.0
Authority New URL: https://xyz.b2clogin.com/tfp/xyz.onmicrosoft.com/SignInPolicy/v2.0
Startup code:
.AddJwtBearer(AzureJwtSchemes.AZURE_ADB2C_AUTHENTICATION_SCHEME, options =>
{
    // Authority is the b2clogin.com URL above; Audience is the API's client id
    options.Authority = azureB2COptions.Authority;
    options.Audience = azureB2COptions.ClientId;
});
Any help will be really appreciated! Thanks!!!
The code in your Azure AD B2C-enabled applications and APIs may refer to login.microsoftonline.com in several places. For example, your code might have references to user flows and token endpoints. Make sure all of them have been updated to your-tenant-name.b2clogin.com.
Reference:
Set redirect URLs to b2clogin.com for Azure Active Directory B2C
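The answer above says every place that still refers to login.microsoftonline.com has to be updated. As an added example (not code from the question, the answer or the linked docs), this rewrites a B2C authority or endpoint from the old host to the tenant's b2clogin.com form and walks a configuration object to list the references that were missed. Function names and the sample configuration are this example's own; "xyz" stands in for the tenant name exactly as in the question, and the client id is a placeholder.

```javascript
// Added example, not from the question or answer. toB2cLoginAuthority() and
// findStaleB2cReferences() are invented names.
const OLD_HOST = 'login.microsoftonline.com';

// https://login.microsoftonline.com/tfp/xyz.onmicrosoft.com/SignInPolicy/v2.0
//   -> https://xyz.b2clogin.com/tfp/xyz.onmicrosoft.com/SignInPolicy/v2.0
// Paths without the /tfp/ segment (token and metadata endpoints) are handled
// the same way; the tenant name is taken from the <tenant>.onmicrosoft.com segment.
function toB2cLoginAuthority(url) {
  const u = new URL(url);
  if (u.hostname.toLowerCase() !== OLD_HOST) return url; // already migrated, or not an AAD URL
  const m = /^\/(?:tfp\/)?([^/.]+)\.onmicrosoft\.com\//i.exec(u.pathname);
  if (!m) throw new Error(`cannot tell the tenant name from ${url}`);
  u.hostname = `${m[1].toLowerCase()}.b2clogin.com`;
  return u.toString();
}

// Recursively collect every string setting that still names the old host,
// together with the suggested replacement (null when the value is not a URL
// this example knows how to rewrite).
function findStaleB2cReferences(config, prefix = '') {
  const stale = [];
  for (const [key, value] of Object.entries(config)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (typeof value === 'string') {
      if (value.toLowerCase().includes(OLD_HOST)) {
        let suggested = null;
        try { suggested = toB2cLoginAuthority(value); } catch { suggested = null; }
        stale.push({ path, value, suggested });
      }
    } else if (value && typeof value === 'object') {
      stale.push(...findStaleB2cReferences(value, path));
    }
  }
  return stale;
}

// Constructed sample: the Authority was migrated, two other settings were not.
const SAMPLE_CONFIG = {
  AzureAdB2C: {
    Authority: 'https://xyz.b2clogin.com/tfp/xyz.onmicrosoft.com/SignInPolicy/v2.0',
    ClientId: '00000000-0000-0000-0000-000000000000', // placeholder
    MetadataAddress: 'https://login.microsoftonline.com/xyz.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=SignInPolicy',
  },
  Frontend: {
    ResetPasswordUrl: 'https://login.microsoftonline.com/tfp/xyz.onmicrosoft.com/ResetPolicy/oauth2/v2.0/authorize',
  },
};
```

Run findStaleB2cReferences() over the deserialized appsettings (and any front-end configuration) as a build-time check; each entry it returns is a setting the old host will still answer for only as long as the old endpoints remain available.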
Might be caused by another error.
To check what's really happening you can do the following:
Create your custom method and set up OnAuthenticationFailed under options.Event.
Set Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII to true.
Add a breakpoint in the AuthenticationFailedContext.
This should give you an idea of what's wrong.

Azure AD B2C: The redirect URI provided in the request is not registered for the client id... but it actually is

We have the following Azure AD B2C application (which we will call aadb2c) with the following settings:
Include web app/ web API: YES
Allow Implicit Flow: YES
Reply Url:
- https://localhost:44339/
- https://productionURL.com
- https://productionURL.com/
App ID URI (which is optional): none
Native Client: NO
This application is what our website https://productionURL.com uses to log in its users with Azure AD B2C.
However, on production we keep on getting the error:
The redirect URI 'productionURL.com' provided in the request is not registered for the client id 'aadb2c'
According to this we should add the link to our reply URL.
But as you can see above, we already included https://productionURL.com in the "Reply URL" section of the Azure AD B2C blade.
What could be causing this error to happen? How do we resolve the redirect URI request not registered error?
It needs to be configured in the code as well and you need to make sure that the protocols match. This can also happen if there's a mismatch with the tenant ID or the app ID.
Check the B2C callback request in Chrome DevTools > Network with "Preserve log" to see what URL is being returned. This should give you insight into the problem.
As an extra measure to ensure that the protocols are matching, you can add:
if (context.ProtocolMessage.RedirectUri.Contains("http:"))
{
context.ProtocolMessage.RedirectUri = context.ProtocolMessage.RedirectUri.Replace("http:", "https:");
}
After hours looking at our code and finding no traces of the url without any protocol or any trace of "http:", we now had to look at our deployment orchestrator.
Apparently in Octopus we are deploying the app with an incorrect URI: it's missing the protocol "https://"
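The value the deployment produced ('productionURL.com', no scheme) is exactly what the error message quotes, and the answer's other two points (scheme must match, compare what the callback request actually sends) come down to one strict comparison. As an added example (not code from the question or the answer), the check below reproduces that comparison so it can run at deploy time; it also covers the trailing-slash case the first answer on this page raises. Function names are this example's own; the registered URIs are the placeholders from the question.

```javascript
// Added example, not from the question or answer. parseRedirectUri(),
// redirectUriMatches(), forceHttps() and checkRedirectConfig() are invented names.

// scheme://host[:port][/path] with no query or fragment, compared part by part;
// IPv6 literals are not handled. The path is kept exactly as written, so
// "https://productionURL.com" and "https://productionURL.com/" are different.
const ABSOLUTE_URI = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]+)(\/[^?#]*)?([?#].*)?$/i;

function parseRedirectUri(uri) {
  const m = ABSOLUTE_URI.exec(String(uri));
  if (!m) throw new Error(`not an absolute URI with scheme and host: ${JSON.stringify(uri)}`);
  const [, scheme, authority, path = '', extra] = m;
  if (extra) throw new Error(`redirect URI must not carry a query or fragment: ${uri}`);
  const [host, port = ''] = authority.toLowerCase().split(':');
  return { scheme: scheme.toLowerCase(), host, port, path };
}

// Scheme and host are case-insensitive; port and path must be identical.
function redirectUriMatches(requested, registered) {
  const a = parseRedirectUri(requested);
  const b = parseRedirectUri(registered);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port && a.path === b.path;
}

// Same intent as the C# snippet in the answer, applied to the scheme only.
function forceHttps(uri) {
  return uri.replace(/^http:/i, 'https:');
}

// Returns a list of problems; an empty list means the configured value is an
// acceptable redirect URI and is registered exactly.
function checkRedirectConfig(configured, registeredUris) {
  let parsed;
  try {
    parsed = parseRedirectUri(configured);
  } catch (e) {
    return [e.message];
  }
  const problems = [];
  if (parsed.scheme !== 'https' && !(parsed.scheme === 'http' && parsed.host === 'localhost')) {
    problems.push(`scheme "${parsed.scheme}" is not https (http is tolerated only for localhost)`);
  }
  const registered = registeredUris.some((r) => {
    try { return redirectUriMatches(configured, r); } catch { return false; }
  });
  if (!registered) {
    problems.push(`"${configured}" matches none of: ${registeredUris.join(', ')}`);
  }
  return problems;
}

// Reply URLs as registered in the question (productionURL.com is its placeholder).
const REGISTERED = [
  'https://localhost:44339/',
  'https://productionURL.com',
  'https://productionURL.com/',
];
```

checkRedirectConfig('productionURL.com', REGISTERED) reports the value as not being an absolute URI at all, which is the deployment defect found above; 'http://productionURL.com/' is rejected twice, once for the scheme and once because no registered entry has that scheme.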

MS Identity Azure app registered but sends unauthorized_client in implicit flow

I have registered an app in Azure for Microsoft Identity platform. I configured it to allow MS Accounts (e.g. outlook.com) and have basically done everything in a few of the quickstarts online here and here (except for "add credentials to your web app"). I have also checked the boxes that enable implicit flow.
I redirect my React application to the URL to sign in (using implicit flow). I get to enter my username, but then I see:
unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908
Like I mentioned above, I've gone through several quick starts and read about implicit flow here and followed their examples for my code.
I also tried just deleting the app registration and starting over. No luck.
JS code attempting to implement implicit flow
JS code that redirects the browser to a URL that looks like Microsoft's first example on their implicit flow page:
goSignIn() {
  const tenant = 'common'; // (for us with MS accounts)
  const clientId = '*****';
  const redir = encodeURIComponent('http://localhost:3000/signin');
  const nonce = Math.round(Math.random() * 10000); // Math.round takes a single argument
  const uriTemplate = 'https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id={clientId}&response_type=id_token+token&redirect_uri={redirect}&scope=openid&response_mode=fragment&state={state}&nonce={nonce}';
  const filledTemplate = uriTemplate
    .replace('{tenant}', tenant)
    .replace('{clientId}', clientId) // the original had '{clientId' without the closing brace, so the placeholder was never replaced
    .replace('{redirect}', redir)
    .replace('{nonce}', nonce)
    .replace('{state}', nonce);
  console.log(filledTemplate);
  window.location = filledTemplate;
}
App Configuration in Azure:
Azure -> Identity -> App Registrations -> MyApp -> Authentication
Redirect Uri: http://localhost:3000/signin (React app runs on 3000 and I have a route configured for /signin)
Not using any suggested Redirects.
Checked Implicit checkboxes for ID Token and Access Token
Live SDK support enabled
Supported account types is set to "Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)"
Azure -> Identity -> App Registrations -> MyApp -> API Permissions
MS Graph
User.Read
Email
Profile
openid
From the docs I read, I thought I had done enough to get the id token. I'm not sure what tweak must be made in order to get it to work.
I experienced an issue like this one. The mistake I made has to do with the App ID: when you create the client secret the Azure UI will present the secret and the secret ID. This secret ID is not the one to use in your app's configuration. Rather, you need the Application ID found on the Overview page.
I imagine that there are many configuration problems which can produce this error message. In general: pay close attention to the App ID, if the error is that the app is not found.
It seems that you have done enough to get the token. I have tested this on my side; it works well. Here I provide my screenshot for you to check again.
Also, here is my working request url, you can login with your msa to have a test.
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=5fd66168-7ba3-4bbc-a155-bff662eed9f7
&response_type=id_token+token
&redirect_uri=http://localhost:3000/signin
&scope=openid
&response_mode=fragment
&state=12345
&nonce=678910

Register Application in Azure AD - node.js passport-azure-ad example

I am trying to set up authentication for POST requests on my Node.js server hosted on Azure.
I am using this example:
passport.use(new OIDCStrategy({
  callbackURL: config.creds.returnURL,
  realm: config.creds.realm,
  clientID: config.creds.clientID,
  clientSecret: config.creds.clientSecret,
  oidcIssuer: config.creds.issuer,
  identityMetadata: 'https://login.microsoftonline.com/TenantGuidOrTheWordCOMMON/v2.0/.well-known/openid-configuration',
  skipUserProfile: config.creds.skipUserProfile,
  responseType: config.creds.responseType,
  responseMode: config.creds.responseMode,
  // optional settings the question asks about:
  // tenant: 'Guid from the AzureAD Endpoints button',
  // validateIssuer: false / true
}, (...)
Although my code redirects me to a "https://login.microsoftonline.com" page (which is nice), after entering my email address it immediately redirects me somewhere else.
There I get an error in the browser URL: "the client does not exist"...
and it says I should create an application at "https://apps.dev.microsoft.com".
WHY? I have an AppService "MyService", an Azure AD within the same subscription, and within the Azure AD an "App registration" for "MyApp".
What is this cruel apps.dev.microsoft site now? Why is my registered "MyApp" not shown there, and vice versa?
What do I have to enter for "oidcIssuer"? The MyApp.ApplicationId? The (apps.dev.microsoft.com) Application.ApplicationId? The AzureAD ClientId? The AzureAD IssuerUrl?
The same question for the clientSecret.
What's the difference between using identityMetadata with an ID instead of "common" + validateIssuer: true, versus using identityMetadata with "common", validateIssuer: false + tenant: "myTenant(Guid?)"?
When I use "Express Settings" within Authentication/Authorization --> Azure AD, why can I not find the application I defined in Azure AD?
Do I have to activate the Graph API? (I don't know anything about it yet.)
Are there good alternatives for protecting my express.post endpoint with authentication in Azure AD? (ADAL seems to be for resources.)
I don't get all these settings, properties and portals of Microsoft; I am just overwhelmed by all this... (not to mention there is also an "OLD" portal).
In the next days I will try this Azure Step-By-Step Guide; maybe it will help me somehow...
For the example you are using, you don't need to modify the params in the OIDCStrategy object. Instead, you need to configure your AAD settings in the client_config_*.js files, just like the document describes at https://github.com/AzureAD/passport-azure-ad/tree/master/examples/login-oidc.
And BTW, we manage our AAD applications on the Classic Portal.
Like my answer to "Has anyone successfully used Azure AD to authenticate users for a Node.js web application?"
I set up my authentication like this instead (without code) in the new Azure Portal:
host my Node.js Server
add an AD to the subscription
Register new application within the AD
Add "https://YourNodeJS.azurewebsites.net/.auth/login/aad/callback" as Reply URL
In AppServices, pick your Node.js Server
In Settings go to Authentication/Authorization
Activate AAD
Use Advanced Mode of AAD
Enter the ClientID (GUID) of the application registered above in AD
As issuerURL enter this link: https://sts.windows.net/YourADGuid/ (you can see the GUID within "Endpoints" if you look back at your application registered in AD above)
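The question asks what identityMetadata with a tenant GUID plus validateIssuer: true buys over "common" plus validateIssuer: false. As an added example (not code from the question, either answer or passport-azure-ad), the helpers below build the metadata URL for a tenant and show the check the application has to perform itself when it turns issuer validation off: a valid signature only proves that Azure AD issued the token, not that it came from the tenant the app trusts. Function names are this example's own; the issuer formats are the v1 one from the second answer (https://sts.windows.net/{tenant-guid}/) and the v2.0 one (https://login.microsoftonline.com/{tenant-guid}/v2.0); the tenant ids and claims are constructed.

```javascript
// Added example, not from the question or answers. identityMetadataUrl(),
// tenantFromIssuer() and assertIssuerAllowed() are invented names.

// The metadata document the question's identityMetadata setting points at.
// With a tenant GUID here, the library can compare iss against that tenant
// (validateIssuer: true); with 'common' it cannot know which tenant to expect.
function identityMetadataUrl(tenant = 'common') {
  return `https://login.microsoftonline.com/${tenant}/v2.0/.well-known/openid-configuration`;
}

const GUID = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}';
const ISSUER_FORMS = [
  new RegExp(`^https://sts\\.windows\\.net/(${GUID})/$`, 'i'),                 // v1 tokens
  new RegExp(`^https://login\\.microsoftonline\\.com/(${GUID})/v2\\.0$`, 'i'), // v2.0 tokens
];

// Tenant id named by a known issuer string, or null for anything else.
function tenantFromIssuer(iss) {
  for (const re of ISSUER_FORMS) {
    const m = re.exec(String(iss));
    if (m) return m[1].toLowerCase();
  }
  return null;
}

// The decision an app must make for tokens obtained through the common
// endpoint with validateIssuer: false. allowedTenantIds is the list of tenant
// GUIDs the app trusts. Returns the matching tenant id, throws otherwise.
function assertIssuerAllowed(claims, allowedTenantIds) {
  const tid = tenantFromIssuer(claims.iss);
  if (!tid) throw new Error(`unrecognised issuer: ${claims.iss}`);
  if (claims.tid && claims.tid.toLowerCase() !== tid) {
    throw new Error('tid claim does not match the issuer');
  }
  const allowed = allowedTenantIds.map((t) => t.toLowerCase());
  if (!allowed.includes(tid)) throw new Error(`tenant ${tid} is not allowed`);
  return tid;
}

// Constructed sample values.
const MY_TENANT = '00000000-0000-0000-0000-000000000001';
const SAMPLE_CLAIMS = {
  iss: `https://login.microsoftonline.com/${MY_TENANT}/v2.0`,
  tid: MY_TENANT,
  aud: '00000000-0000-0000-0000-0000000000aa', // placeholder client id
  sub: 'user-1',
};
```

In the question's terms: identityMetadata with the tenant GUID and validateIssuer: true lets the library do this check from the metadata; identityMetadata with "common" and validateIssuer: false moves the check into your own code, and the tenant option tells the library which tenant the app expects.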
