I have a .NET Core API and a SPA application connecting to the API. Everything works fine. Now I want to authenticate to the API from a CLI using a client secret. I get the token using AcquireTokenForClient, but when I send the request to the API I get an error:
=> 08:46:30.130 +03:00 [Information] Failed to validate the token. Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key:kid: 'nOo3ZDrODXEK1jKWhXslHR_KXEq'.
Configuration for the API is
  "Instance": "https://xxx.b2clogin.com",
  "ClientId": "CLIENTID",
  "Domain": "xxx.onmicrosoft.com",
  "TenantId": "ID",
  "SignedOutCallbackPath": "/signout/B2C_1_susi",
  "SignUpSignInPolicyId": "B2C_1_SignUpSignIn",
  "ResetPasswordPolicyId": "b2c_1_Reset",
  "EditProfilePolicyId": "b2c_1_EditProfile", // Optional profile editing policy
},
and the configuration for the CLI application
{
  "Instance": "https://login.microsoftonline.com/{0}",
  "Tenant": "xxx.onmicrosoft.com",
  "TenantId": "ID",
  "ClientId": "CLICLIENTID",
  "Domain": "xxx.onmicrosoft.com",
  "ClientSecret": "secret",
  "TodoListBaseAddress": "http://localhost:5000",
  "TodoListScope": "api://APICLIENTID/.default"
}
Any idea?
I have a .NET Core 3.1 Web API with the following configuration in the appsettings.json file
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "demo@gmail.onmicrosoft.com", // Domain name configured in Azure: null,
    "TenantId": "xxxxx", // Tenant Id configured in Azure
    "ClientId": "xxxx", // Client Id configured in Azure
    "CallbackPath": "/signin-oidc"
  },
  "ApplicationInsights": {
    "InstrumentationKey": "xxxxx"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "AllowedHosts": "*"
}
I have created an Azure Web App, added the above settings and deployed the application using a zip package; it works as expected.
However, I am asked to store the credentials in Azure Key Vault and use that instead of storing them directly at the Web App level.
What should I do so that the Web App configuration pulls the configuration values from Azure Key Vault and has them ready for the application to use?
I recently deployed a Node.js/Express application to a Google Cloud Compute VM. How do I send it GET requests? I followed the instructions in this article to get my URL. When I curl it from the command line, though, I get a 401 authentication credential error.
Request:
https://compute.googleapis.com/compute/v1/projects/*PROJECT_ID*/zones/*ZONE*/machineTypes/e2-standard-2
I am already logged into the gcloud SDK; is there some other kind of auth I need in order to reach my VM?
Full Error Message:
{
  "error": {
    "code": 401,
    "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "errors": [
      {
        "message": "Login Required.",
        "domain": "global",
        "reason": "required",
        "location": "Authorization",
        "locationType": "header"
      }
    ],
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "CREDENTIALS_MISSING",
        "domain": "googleapis.com",
        "metadata": {
          "method": "compute.v1.MachineTypesService.Get",
          "service": "compute.googleapis.com"
        }
      }
    ]
  }
}
I'm using Azure AD and have registered an application in it. I've used the msal-browser JS library to sign in the user and obtain an authorization token:
{
  //...
  "accessToken": "eyJ0eXAiOiJKV1QiLCJub25jZSI6IkY...",
  "account": {
    "homeAccountId": "00000000-0000-0000-bac6-4831a1177397.9188040d-6c67-4c5b-b112-36a304b66dad",
    "environment": "login.windows.net",
    "tenantId": "62765715-2081-4050-bdc7-8c2e178d7424",
    "username": "tfgh55555@outlook.com",
    "localAccountId": "6fad727e-1df2-4b14-b234-30b407b7ab42",
    "name": "Tali Gehrin",
    "idTokenClaims": {
      "aud": "0d42647a-183c-404b-bbe1-796ad6420989",
      "iss": "https://login.microsoftonline.com/62765715-2081-4050-bdc7-8c2e178d7424/v2.0",
      "iat": 1633271767,
      "nbf": 1633271767,
      "exp": 1633275667,
      "idp": "https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad/",
      "name": "Tali Gehrin",
      "nonce": "b04400da-eb58-4617-bbaa-5c66e04d762a",
      "oid": "6fad727e-1df2-4b14-b234-30b407b7ab42",
      "preferred_username": "tfgh55555@outlook.com",
      "rh": "0.AREAFVd2YoEgUEC9x4wuF410JHpkQg08GEtAu-F5atZCCYkRABI.",
      "roles": [
        "content_manager" // <= the role I'm interested in
      ],
      "sub": "WbvYLdLb3DNVgczM_iyu4n4i-s8mPtfhQqVyAK_abaU",
      "tid": "62765715-2081-4050-bdc7-8c2e178d7424",
      "uti": "HDhn_MWkl0iGcm-jlBEMAA",
      "ver": "2.0"
    }
  },
  //...
}
I'm passing accessToken in an HTTP call as a header:
Authorization: Bearer yJ0eXAiOiJKV1QiLCJub25jZSI6IkY...
How do I validate and decipher this token inside an Azure function running Node?
You can validate and decipher this token inside an Azure Function running Node by using an Azure Function that implements the HTTP trigger. This requires configuration data to perform a token validation, and these are inside the AzureAdTokenAttribute instance. However, the token will be inside the HttpRequest. To have access to what was implemented in the token validation service, you will insert IHttpContextAccessor.
I'm trying to set up a system where an Azure DataFactory can call an Azure function through its managed identity. Good example here: Authorising Azure Function App Http endpoint from Data Factory
However, this was using the old(er) Authentication/Authorization tool for Azure Functions, which has now been renamed Authentication (Classic). Setting the system up through this is fine; I can make the call and get a response, but upgrading to Authorization causes this to break. It seems like the key thing missing is the option "Action to take when the request is not authenticated", which I cannot seem to set with the new Authorization tool but should be set to "Login with Azure AD".
In summary, how do I set this setting with the new Authorization tool so that an MSI can make a call to the function and authenticate with AAD?
Image with classic
Image with new Authorization (no visible way to redirect to AAD)
To make it work with the new Authentication, follow the steps below.
1. Edit the Authentication settings in the portal, or set it when creating the app as below.
2. Edit the Identity provider; make sure the Issuer URL is https://sts.windows.net/<tenant-id> (without /v2.0) and Allowed token audiences include the App ID URI.
For the App ID URI, you could check it in your AD App of the function app -> Expose an API. If you used the old Authentication before, maybe it is your function app URL; it does matter, just make sure Allowed token audiences include it.
3. Then in the Data Factory web activity, also make sure the resource is the App ID URI.
Then it will work fine.
Update:
You could refer to my configuration.
Function app:
AD App:
AD App manifest:
{
  "id": "xxxxxx",
  "acceptMappedClaims": null,
  "accessTokenAcceptedVersion": null,
  "addIns": [],
  "allowPublicClient": null,
  "appId": "xxxxx",
  "appRoles": [],
  "oauth2AllowUrlPathMatching": false,
  "createdDateTime": "2021-06-08T01:51:06Z",
  "disabledByMicrosoftStatus": null,
  "groupMembershipClaims": null,
  "identifierUris": [
    "api://xxxxx"
  ],
  "informationalUrls": {
    "termsOfService": null,
    "support": null,
    "privacy": null,
    "marketing": null
  },
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoUrl": null,
  "logoutUrl": null,
  "name": "joyfuna2",
  "oauth2AllowIdTokenImplicitFlow": true,
  "oauth2AllowImplicitFlow": false,
  "oauth2Permissions": [
    {
      "adminConsentDescription": "Allow the application to access joyfuna2 on behalf of the signed-in user.",
      "adminConsentDisplayName": "Access joyfuna2",
      "id": "1704f162-421d-4733-855f-5d93c0c55689",
      "isEnabled": true,
      "lang": null,
      "origin": "Application",
      "type": "User",
      "userConsentDescription": "Allow the application to access joyfuna2 on your behalf.",
      "userConsentDisplayName": "Access joyfuna2",
      "value": "user_impersonation"
    }
  ],
  "oauth2RequirePostResponse": false,
  "optionalClaims": null,
  "orgRestrictions": [],
  "parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
  },
  "passwordCredentials": [
    {
      "customKeyIdentifier": null,
      "endDate": "2031-06-08T01:51:05.573Z",
      "keyId": "c6d4434f-7aaf-4c4c-9428-a38cbf8200bb",
      "startDate": "2021-06-08T01:51:05.573Z",
      "value": null,
      "createdOn": "2021-06-08T01:51:07.3876164Z",
      "hint": "UT_",
      "displayName": "Generated by App Service"
    }
  ],
  "preAuthorizedApplications": [],
  "publisherDomain": "xxxxxx.onmicrosoft.com",
  "replyUrlsWithType": [
    {
      "url": "https://joyfuna2.azurewebsites.net/.auth/login/aad/callback",
      "type": "Web"
    }
  ],
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
          "type": "Scope"
        }
      ]
    }
  ],
  "samlMetadataUrl": null,
  "signInUrl": "https://joyfuna2.azurewebsites.net",
  "signInAudience": "AzureADMyOrg",
  "tags": [],
  "tokenEncryptionKeyId": null
}
Data Factory web activity:
I have a REST API on the internet that is secured with Azure AD and a required header (custom apikey).
You can call this API, for example, with Postman using the client credentials flow. This all works fine.
I'm now developing a custom Azure DevOps extension that shows the information returned from that API in the work item form of ADO. I can call the API (if I remove the security from the API) from the extension through a generic service connection. Now I want to get the security working.
So I want to create a custom service connection that will get an access token from Azure AD using ClientID and ClientSecret (client credentials flow).
When I have that working, I can call my API in a secure way.
Also, how do I add the mandatory header to the call to the API? I need to add the header as a field to the service connection as well, right?
So I think I end up with a custom service connection instance that asks for TenantId, ClientId, Client Secret, Audience/Scope, and a list of headers (name/value).
For reference, the blog post I used is this one: https://thingswithcode.blogspot.com/2019/07/using-azure-devops-service-connections.html
{
  "id": "api-service-connection",
  "description": "Service connection for api",
  "type": "ms.vss-endpoint.service-endpoint-type",
  "targets": [
    "ms.vss-endpoint.endpoint-types"
  ],
  "properties": {
    "name": "Call API",
    "displayName": "Call API",
    "icon": "img/world.png",
    "url": {
      "displayName": "API Url",
      "value": "https://path-to-api",
      "helpText": "Url of the API to connect to."
    },
    "inputDescriptors": [
      {
        "id": "api-key",
        "name": "API Key",
        "description": "The value for the header 'ApiKey'",
        "inputMode": "textbox",
        "isConfidential": false,
        "validation": {
          "isRequired": true,
          "dataType": "string"
        }
      }
    ],
    "authenticationSchemes": [
      {
        "type": "ms.vss-endpoint.endpoint-auth-scheme-oauth2" // this is wrong...
      }
    ],
    "headers": [
      {
        "name": "ApiKey",
        "value": "{{endpoint.api-key}}"
      }
    ],
    "helpMarkDown": "<b>Learn more</b>"
  }
}
Thanks