JHipster Okta gateway application is not authenticating - jhipster

I generated a gateway application with JHipster to test OAuth2 through Okta for my organization. I didn't make any changes to the code beyond what was recommended in the README: the client ID and secret are in the yml, as well as the issuer URI.
It redirects me to Okta. I log in. It redirects back as expected. Then I get an unauthorized error at /login?error. So I tried adding a permitAll for /login/**. This resulted in a 404 error.
Something in the recommended configuration is not working as expected.
application.yml:
oauth2:
  client:
    provider:
      oidc:
        issuer-uri: https://dev-[numbers].okta.com/oauth2/default
    registration:
      oidc:
        client-id: {my real client id}
        client-secret: {my client secret}
        scopes:
          - profile
          - email
          - openid
          - customScope
What am I doing wrong?
Could it be that the environment variables are not being read?
These come from .okta.env, but I also added them to the environment variables in the IntelliJ run configuration:
export SECURITY_OAUTH2_CLIENT_USER_AUTHORIZATION_URI="https://dev-[number].okta.com/oauth2/default/v1/authorize"
export SECURITY_OAUTH2_RESOURCE_USER_INFO_URI="https://dev-[number].okta.com/oauth2/default/v1/userinfo"
export SECURITY_OAUTH2_RESOURCE_TOKEN_INFO_URI="https://dev-[number].okta.com/oauth2/default/v1/introspect"
export SECURITY_OAUTH2_CLIENT_CLIENT_ID={clientid}
export SECURITY_OAUTH2_CLIENT_CLIENT_SECRET={clientsecret}

Related

Access Token Scope Issue in Azure AD and Power

I'm working with the Power BI REST APIs, for which I need an Azure AD token.
I have set up an app in Azure AD, and have configured it as follows:
a. I intend to use that access token in my React app, so I have configured it as an SPA.
b. I have allowed the public-client flow.
** I have not checked the 'access token' and 'id token' checkboxes as I'm using MSAL 2.0.
c. I have also specified the redirect URI as http://localhost:4200
d. I have also given it all the permissions I need to access my Power BI content (I need 'Dataset.ReadWrite.All').
These are my Azure app endpoints.
I have set up my React app as follows:
I'm using the @azure/msal-browser and @azure/msal-react libraries.
This is my msalConfig object:
  import { Configuration } from "@azure/msal-browser";

  const configuration: Configuration = {
    auth: {
      clientId: "myclientidhere",
      authority: "https://login.microsoftonline.com/mytenantidhere",
      redirectUri: "http://localhost:4200/",
    },
    cache: {
      cacheLocation: "localStorage",
      storeAuthStateInCookie: false,
    },
  };
and this is my scope:
  export const loginRequest = {
    scopes: ["Dataset.ReadWrite.All"]
  };
After I run my app I see the auth popup. I put my credentials in it, and then it throws this error:
invalid_client: AADSTS650053: The application 'dashboard.xyz.work' asked for scope 'Dataset.ReadWrite.All' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor. Trace ID: 77e47883-fdd3-444a-bdd3-9f3a53bc1500 Correlation ID: aa77d724-0d9f-41aa-8e47-251c6b6f9293 Timestamp: 2023-02-09 13:51:46Z
I have granted the same permission in my Azure AD app. However, my app has not been granted 'admin consent', but as a user my account has the permission to use this scope in Power BI.
NOTE: if I change my scope to 'user.read' or any other MS Graph API resource, then I'm able to get an access token for that scope to access the Graph API resource, but I'm not able to get an access token to access my Power BI resources.
Everything looks great in Azure AD.
I read somewhere that the resource '00000003-0000-0000-c000-000000000000' refers to the graph.microsoft.com resource, and I'm hitting https://login.microsoftonline.com/{myTenantId}. These are my app endpoints.
I'm not sure if Power BI resources come under the graph.microsoft.com ('00000003-0000-0000-c000-000000000000') resource?
Also, on my app's API permissions page I read that they come under https://analysis.windows.net/powerbi/api, that is 00000009-0000-0000-c000-000000000000?
Am I hitting the wrong endpoint, or is the issue something else?
I tried to reproduce the same in my environment and got the same error as below:
To resolve the error, try the below:
I created an Azure AD SPA application and added API permissions:
Note: make sure to give the scope as
https://analysis.windows.net/powerbi/api/Dataset.ReadWrite.All to access Power BI content.
I generated the auth code by using the below endpoint:
  https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
  client_id=ClientID
  &response_type=code
  &redirect_uri=https://jwt.ms
  &response_mode=query
  &scope=https://analysis.windows.net/powerbi/api/Dataset.ReadWrite.All
  &state=12345
  &code_challenge=codeChallenge
  &code_challenge_method=S256
As admin consent is not granted to the API permissions, you will get the consent screen as below:
The auth code was generated successfully without any error, as below:
Now, I generated the access token by using the below parameters:
  https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
  grant_type:authorization_code
  client_id:ClientID
  scope:https://analysis.windows.net/powerbi/api/Dataset.ReadWrite.All
  code:code
  redirect_uri:https://jwt.ms
  code_verifier:codeVerifier
The access token was generated successfully with the scope Dataset.ReadWrite.All, like below:
To resolve the error, modify the code as below:
  export const loginRequest = {
    scopes: ["https://analysis.windows.net/powerbi/api/Dataset.ReadWrite.All"]
  };
If the issue still persists, try the scope https://analysis.windows.net/powerbi/api/.default.

"authentication failed due to: jwt audience is invalid" with Azure AD

First I'm describing how I setup my applications then I will describe how I'm using the APIs.
Setup
In my Azure Active Directory, I have two applications registered: UI and Backend
UI has the client ID clientId1 and backend has client ID clientId2 (it's a GUID, but for simplicity)
Both are under the same tenant tentant1 (single tenant)
Backend (Web API)
Backend has an exposed API with scope "api://clientId2/access_as_user" and authorized client "clientId1" with the scope just mentioned selected
I'm using passport and passport-azure-ad (I pretty much copied https://github.com/Azure-Samples/active-directory-javascript-nodejs-webapi-v2).
My config:
  const config = {
    identityMetadata: "https://login.microsoftonline.com/tenant1/v2.0/.well-known/openid-configuration",
    clientID: "clientId2",
    validateIssuer: false,
    loggingLevel: 'info',
    passReqToCallback: false,
    loggingNoPII: false
  };
I get this message when starting the server:
{"name":"AzureAD: Bearer Strategy","hostname":"DESKTOP-NCVLN56","pid":16052,"level":40,"msg":"Production environments should always validate the issuer.","time":"2020-04-11T13:25:44.283Z","v":0}
{"name":"AzureAD: Bearer Strategy","hostname":"DESKTOP-NCVLN56","pid":16052,"level":30,"msg":"In BearerStrategy constructor: created strategy with options {\"identityMetadata\":\"https://login.microsoftonline.com/tenant1/v2.0/.well-known/openid-configuration\",\"clientID\":\"clientId2\",\"validateIssuer\":false,\"loggingLevel\":\"info\",\"passReqToCallback\":false,\"loggingNoPII\":false,\"clockSkew\":300,\"allowMultiAudiencesInToken\":false,\"audience\":[\"clientId2\",\"spn:clientId2\"]\"isB2C\":false,\"_isCommonEndpoint\":false}","time":"2020-04-11T13:25:44.285Z","v":0}
Listening on port 5000
UI (Angular SPA)
The UI was automatically granted permission to access Microsoft Graph (profile, user.read, user.read.all; the last one I think I granted). The permissions are under "API permissions".
I went ahead and also granted access to the Backend's access_as_user.
For the UI code I'm using the MSAL library and again I pretty much copied the repo (https://github.com/Azure-Samples/active-directory-javascript-singlepageapp-angular)
In the protectedResourceMap field I added the following:
  ['https://graph.microsoft.com/v1.0/me', ['user.read']],
  ['http://localhost:5000', ['api://clientId2/access_as_user']],
I am able to log in and read my user profile, but when trying to access http://localhost:5000/hello (protected), I'm getting the error in the title of this question:
{"name":"AzureAD: Bearer Strategy","hostname":"DESKTOP-NCVLN56","pid":20720,"level":30,"msg":"authentication failed due to: jwt audience is invalid","time":"2020-04-11T13:38:08.700Z","v":0}
--
I can see the bearer token coming (in the UI and backend), and the server decodes the token (I can see all my profile info in the server logs), but it's saying the JWT is invalid?!
I'm not defining an audience, yet I can see in the token when it gets decoded that the audience is aud: 'api://clientId2'.
I can also see when the backend starts that it shows the audience as [clientId2, spn:clientId2] by default (step 4 on the backend). When I define audience: 'api://clientId2' in the config, I get a 403 with the message:
{"name":"AzureAD: Bearer Strategy","hostname":"DESKTOP-NCVLN56","pid":12644,"level":30,"msg":"In Strategy.prototype.jwtVerify: We did not pass Req back to Callback","time":"2020-04-11T16:19:30.398Z","v":0}
Any help would be appreciated. Thank you.
Turns out their code in the repository is not using the proper configuration to verify the scope access...
https://github.com/Azure-Samples/active-directory-javascript-nodejs-webapi-v2/blob/master/index.js#L41
  if (req.authInfo['scp'].split(" ").indexOf("demo.read") >= 0) {
I needed to change the scope from "demo.read" to "access_as_user".
In my case it was just that the clock of my VM where the application was running on was 15mins behind. So the time of the token was created was in the future...

How do I configure oauth2 in JHipster (release 6.0.1)?

I am trying to update JHipster v5.8.2 to v6.0.1,
but I get a compilation error:
The Issuer "https://dev-672339.oktapreview.com/oauth2/default" provided in the OpenID Configuration did not match the requested issuer "https://login.pomzen.com/oauth2/default"
My previous configuration in application.yml is:
security:
  oauth2:
    client:
      access-token-uri: https://dev-672339.oktapreview.com/oauth2/default/v1/token
      user-authorization-uri: https://login.pomzen.com/oauth2/default/v1/authorize
      client-id: {myId}
      client-secret: {mySecret}
      scope: openid profile email
      # Token is valid 3 hours
      tokenValidityInSeconds: 10800
    resource:
      user-info-uri: https://dev-672339.oktapreview.com/oauth2/default/v1/userinfo
My new configuration in application.yml is:
security:
  oauth2:
    client:
      provider:
        oidc:
          issuer-uri: https://login.pomzen.com/oauth2/default
      registration:
        oidc:
          client-id: {myId}
          client-secret: {mySecret}
Can you try the following for your issuer?
https://dev-672339.oktapreview.com/oauth2/default
If you tack /.well-known/openid-configuration on the end, you'll see all the endpoints you used to have to specify:
https://dev-672339.oktapreview.com/oauth2/default/.well-known/openid-configuration
Make sure your Okta authorization server is configured for your custom domain.
Go to: https://dev-672339-admin.oktapreview.com/admin/oauth2/as
Select your "default" authorization server from the list, then click the Edit button.
You should have a dropdown for the Issuer from which you can select your custom domain (make sure this value matches what is in your application.yml).
Do you have anything custom for your HttpSecurity configuration?

Getting 401 unauthorized : Authentication Failed: Could not obtain access token in okta web app

I created a JHipster monolithic application (JHipster version v4.14.2). I also created an Okta web application with the following settings:
Login redirect URIs -> http://localhost:8080/login
Initiate login URI -> http://localhost:8080
Created groups for admin and user, set up the claim in the default authorization server, and assigned them to the application and my user.
I updated the application.yaml of my JHipster application as follows:
security:
  basic:
    enabled: false
  oauth2:
    client:
      access-token-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/token
      user-authorization-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/authorize
      client-id: ????????
      client-secret: ????????
      client-authentication-scheme: form
      scope: openid profile email
    resource:
      filter-order: 3
      user-info-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/userinfo
      token-info-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/introspect
      prefer-token-info: false
When I start the application and then try to sign in, I do get the Okta login page; however, after entering my credentials I always get the following error:
Your request cannot be processed
Sorry, an error has occurred.
Status: Unauthorized (Unauthorized)
Message: Authentication Failed: Could not obtain access token
I followed the instructions in the JHipster security documentation and can't make it work. Any idea why I still get the unauthorized error?
This might have nothing to do with JHipster. Make sure your URL for obtaining the access token is right.
What Grant type are you using?
https://developer.okta.com/authentication-guide/implementing-authentication/
I think the error is here:
  access-token-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/token
  user-authorization-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/authorize
Is "user-authorization-uri" the JHipster way of asking for the "issuer URL"?

Setting jwt audience in Azure Mobile Apps backend

I am playing with an Azure Mobile Apps backend (Node.js), as discussed here. I have been using the default web setup configuration to develop my mobile app, but now I want to customise the cloud backend functionality, so I have created a local backend with the Azure Mobile Apps SDK.
I logged in with my mobile app (using the authorization aspect of the Azure client SDK) and then captured the AuthToken, using a live managed backend setup.
When I then try to authorise a request, I get the following issue:
{ "name": "JsonWebTokenError", "message": "jwt audience invalid. expected: urn:microsoft:windows-azure:zumo" }
Following on from: Locally Testing Azure Mobile Auth - invalid jwt signature
How can I set the jwt audience?
To set the audience and issuer, use the auth:{} object in your azureMobile.js. You can decode the JWT at jwt.io to see what the audience and issuer are, then do:
  // azureMobile.js exports the configuration object
  module.exports = {
    auth: {
      audience: '<your audience>',
      issuer: '<your issuer>'
    }
  };
Some good references:
My blog post on Custom Auth
The main configuration reference (which azureMobile.js exports)
