I want to assign a custom role (ca_boarding_administrator_role) in the "Service Account Role" section using the Keycloak Admin REST API.
My client (cq-boarding-client) has the access type "confidential".
My goal is to have it available in the access_token under the realm_access.roles claim.
This documentation describes how to accomplish this using the web UI. In my case I am trying to automate it using the Admin REST API: https://www.keycloak.org/docs/latest/server_admin/index.html#_service_accounts
By taking a closer look at the Keycloak Resource Models I realized that for each confidential Client a User is also created. Adding the desired role to the realmRoles attribute of that User does the trick.
In case anybody is interested, I included my nodejs script to automate it: service-account-role-mappings.js
For additional reference:
https://github.com/keycloak/keycloak-nodejs-admin-client
https://www.keycloak.org/docs-api/11.0/rest-api/index.html#_userrepresentation
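The same automation written against the Admin REST API with plain Node 18+ fetch, as an added example (this is not the poster's service-account-role-mappings.js and does not use the admin-client library). It uses the documented role-mapping endpoint rather than editing the user's realmRoles attribute; the admin bearer token and fetch implementation are passed in, so the realm, client and role names below are the ones from the question but everything else is assumed.

```javascript
// Added example: map a realm role onto the service-account user that Keycloak creates
// for a confidential client, so the role shows up under realm_access.roles in that
// client's access token. Assumes Node 18+ (global fetch) and an admin token obtained
// separately (e.g. from the master realm's admin-cli client).

async function kcRequest(fetchImpl, token, url, options = {}) {
  const res = await fetchImpl(url, {
    ...options,
    headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
  });
  if (!res.ok) {
    throw new Error(`${options.method || 'GET'} ${url} failed: HTTP ${res.status}`);
  }
  // A successful role-mapping POST answers 204 No Content.
  return res.status === 204 ? null : res.json();
}

async function assignServiceAccountRealmRole({ baseUrl, realm, clientId, roleName, token, fetchImpl = fetch }) {
  const admin = `${baseUrl}/admin/realms/${encodeURIComponent(realm)}`;

  // 1. Resolve the client's internal id from its clientId (the query returns an array).
  const clients = await kcRequest(fetchImpl, token, `${admin}/clients?clientId=${encodeURIComponent(clientId)}`);
  if (clients.length !== 1) throw new Error(`expected one client with clientId ${clientId}, got ${clients.length}`);

  // 2. Each confidential client with service accounts enabled owns a dedicated user.
  const saUser = await kcRequest(fetchImpl, token, `${admin}/clients/${clients[0].id}/service-account-user`);

  // 3. Look the realm role up by name to obtain its id.
  const role = await kcRequest(fetchImpl, token, `${admin}/roles/${encodeURIComponent(roleName)}`);

  // 4. Add the realm-level role mapping to that user.
  await kcRequest(fetchImpl, token, `${admin}/users/${saUser.id}/role-mappings/realm`, {
    method: 'POST',
    body: JSON.stringify([{ id: role.id, name: role.name }]),
  });
  return { userId: saUser.id, roleId: role.id };
}
```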
I would like to know whether my understanding is correct and also to clarify my doubts further.
1) Confirm my Understanding:
In the below image, I have explained my understanding of protecting the application and api using Azure AD. I have exposed the API with the SCOPE and the Application has consumed the same through the permission module.
Can someone please confirm my understanding is correct?
2) Should we pass Role in ACCESS_TOKEN?
This is where I require someone to help me. This is a code flow where the User logs into the Application, and while he tries to get the Todo list, the application sends a request to the API.
In this communication, the application gets the ACCESS_TOKEN for the logged-in user and passes it with the request going to the API.
At the API side, we have the policy where it checks the Scope coming through IHttpContextAccessor.HttpContext.User.Identity and makes sure the Claim has scp/scope and it has the right value.
Now, all are going well. The questions here are:
Should we not have Role (User's role) in the ACCESS_TOKEN? (When I said Role - I mean User's role not Application's role)
Following the link at Microsoft documentation, I am getting the role in the claims when the user logs into the Application, but to call the API I have to use the ACCESS_TOKEN which I am getting through TokenAcquisition.GetAccessTokenForUserAsync, and it doesn't include Role. It includes SUB, userPreferedName, email and Scope kind of detail (have checked in jwt.io).
If the answer of Question #1 is "NO, we should not" what is the way for API to check the user's role and give the result? Is that something we need to stuff in SCOPE only?
REF: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
To give better context, I have added my Azure Configuration as well here.
Confirm my Understanding:
Based on your screenshot, your understanding is basically accurate.
Microsoft identity platform issues you an access token after you sign in, and then you use this access token to call your web API. The API will validate the access token and the permissions / roles, which determines whether you can access its data.
This Protocol diagram is clearer for your understanding.
Should we pass Role in ACCESS_TOKEN?
Firstly, the link you shared is related to Application Roles. But you are not talking about that. What you are talking about is the AAD role (e.g. Global admin, Group admin). Correct me if there is any misunderstanding.
Honestly, AAD role should not be included in the access token because it's meaningless. To access your web API, you should define your own roles to control the permissions of users. AAD roles only work when you try to perform AAD or Microsoft Graph operations.
If the answer of Question #1 is "NO, we should not" what is the way for API to check the user's role and give the result?
You have found the correct guide: Add app roles to your application and receive them in the token.
You should use Application Roles. Define the User app role in the Azure AD app which represents your API and assign your users to the role. Then your API can check the user's role by verifying scopes and app roles.
There is another method to control the user's role: using Group Claims which is also mentioned in the link you shared. The detailed steps are listed here.
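What the API-side check the answer describes looks like in code, as an added example (not from the question or the answer, and written in Node rather than the ASP.NET policy the question uses). It assumes the JWT middleware has already validated signature, issuer, audience and expiry; the scope name Todo.Read and the app-role names are constructed for the example.

```javascript
// Added example: authorize a request from the claims of a Microsoft identity platform
// access token. Delegated (signed-in user) tokens carry a space-separated "scp" claim;
// app roles assigned to the user (or to the calling app) arrive in the "roles" array.
// Signature/issuer/audience/expiry validation is assumed to have happened upstream.

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  // base64url -> base64; the signature (parts[2]) is deliberately not checked here.
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Returns { allowed, reason } for a requirement of one scope and one of several app roles.
function authorize(claims, { requiredScope, allowedRoles }) {
  const scopes = typeof claims.scp === 'string' ? claims.scp.split(' ') : [];
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  if (scopes.length === 0) {
    // No scp at all: an app-only (client credentials) token, so there is no user to authorize.
    return { allowed: false, reason: 'no delegated scope; user context missing' };
  }
  if (!scopes.includes(requiredScope)) {
    return { allowed: false, reason: `scope ${requiredScope} not granted` };
  }
  if (!roles.some((r) => allowedRoles.includes(r))) {
    return { allowed: false, reason: `user lacks one of app roles ${allowedRoles.join(', ')}` };
  }
  return { allowed: true, reason: 'scope and app role present' };
}

function authorizeToken(token, requirement) {
  return authorize(decodeJwtPayload(token), requirement);
}
```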
I need help determining how to integrate the Azure B2C authentication with the authorization within my app. I got the susi (sign up sign in) user flow working, but I need to do two things. First, I need to validate the alias to ensure no other such alias already exists, and I need to add the user to my SQL Server database to ensure they are available for authorization processes (e.g. users can allow other users to view/edit their resources).
I saw this video, which seems to cover what I want to do, but I think I could use some explanation. This article also seems to come close, but it is returning keys from a database as opposed to inserting into a database. That seems like a minor change.
It seems like I need to replace the susi user flow with a B2C Identity Experience Framework policy, but I still want the other steps to be completed. I think I should download the susi policy and edit it and upload it to the IEF, but I am not sure.
I previously was trying to capture the events in a web app in the Startup.cs file when configuring the service during the OnTicketReceived event, like this, but this didn't cover mobile apps, so I think the IEF solves for this by including the steps in the flow.
I just want to confirm this is the right way to accomplish what I am looking to accomplish and seeing if anybody has any step by step examples.
It seems like it would be a good tutorial to show starting with a working susi user flow and editing it to add integration with an Azure Function.
Using IEF by calling the REST API will be the right way to accomplish your requirement. During the signup process, execute a RESTful technical profile which will call a REST API service; there you can validate the user's existence in your local DB, create the user in the database and proceed with the registration process in the B2C tenant.
Another approach would be: after signing up, the user can be created by the service, and for the first call the service can insert a claim for itself with the new database user Id.
There is a sample showing how to implement RBAC in B2C using security groups. If the role model is very simple, you could also consider attaching the roles directly to the user object as a custom claim.
IBM Cognos is not returning group claims after modifying the manifest of the application to "All" on the Azure side.
Spoke with an IBM Cognos Engineer and he clearly stated that this is from the Azure side. When we ran some Fiddler and got the access_token of the application, we decoded it, but still no group claims were returned.
Now we need to see something like this on the JWT body as shown in the image below:
link to documentation that addresses this.
Adding to juunas' answer:
Does it have a claim by the name of "_claim_names" instead?
Are there multiple applications involved? Did you change the manifest of the correct app?
Have you been working on this app for a while? You might be examining a cached token. Sign out and sign in again.
Take a look at the following link for instructions on modification to the AAD application manifest. You will want to change the “groupMembershipClaims” property to “SecurityGroup” or all.
https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest
Also, note that the name of the security group won't be shown, only the GUID of the security group.
To see the name of the claim as a friendly string, you would want to use an “App Role”. Edit the application manifest file in AAD to contain the names of the app roles you would like, and then you can edit users in your AAD Application and assign them to a role. Note, if you only have AAD Basic then you can only assign users to one app role via the Azure Portal. You’ll need to use the Graph API to assign the user to more than one app role, or you’ll need to upgrade to premium AAD. Premium AAD subscriptions let you tie app roles to security groups, making it easier to apply multiple app roles to a user.
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
I am working on documenting integration with Azure for later use by colleagues. This is for obtaining an AAD bearer token (done) and using it to get a Logic Apps callback URL. There is the problem, which is to correctly permit the client application. I am not finding documentation on the correct scope to set in the Portal. Also, I don't have the admin permissions myself to try, so trial-and-error is not an option.
Right now, I have registered in Azure an app with only default permissions. So, when I try the desired action, I get back the error response:
{
"error": {
"code": "AuthorizationFailed",
"message": "The client '{Client Id}' with object id '{object id}' does not have authorization to perform action 'Microsoft.Logic/workflows/triggers/listCallbackUrl/action' over scope '/subscriptions/{subscription id}/resourceGroups/{resourceGroup Name}/providers/Microsoft.Logic/workflows/{workflow name}/triggers/manual'."
}
}
In trying to get the app the right permissions, I am encountering the error in Azure portal:
You are adding permission(s) that require an admin to consent, users will not be able to use the application until an admin grants permissions to the application.
Which I expect, so I am seeking to tell my admins the exact permission(s) that need to be granted or delegated.
Possibly this can be done in PowerShell more easily than in the Portal, or even the CLI. I am not wedded to a particular method, just looking for direction or documentation on how to correctly configure the client app. I figure I need to give our app at least Contributor access to the resource group via the Access Control (IAM) tab. However, in this subscription, I do not have the "Add" option there, suggesting I do not have permission to do it.
Right now, I am using the documentation at register your client application with azure ad but am not finding the steps toward correctly permitting the registered client when I am unable to try it out before explaining it to someone else. Maybe there is more detailed documentation, or a blog post someone knows of that I have not found?
Thank you
Getting the callback url at runtime requires permission to invoke the API action Microsoft.Logic/integrationAccounts/assemblies/listContentCallbackUrl/action. You can do this a couple of ways:
Create a custom role with the required API access. This is nice from a least-privilege perspective, but you're limited to 200 custom roles and you'd need to document what the role is for and track that going forward.
You could leverage the built-in role of Logic App Contributor, which has carte blanche on Logic App APIs.
Whichever you choose, the next step is to assign the service principal associated to your application (or the user or group account defined in AD) to the role. Here is a great walkthrough for the role assignment process using the portal or using the CLI, if you prefer.
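What the least-privilege custom role from the first option could look like, as an added example (not part of the answer): a role definition that grants only the action named in the question's AuthorizationFailed error, assignable within the resource group that holds the workflow. The role name and description are made up; the subscription and resource group placeholders are the ones from the error message and must be replaced before the definition is created and assigned to the service principal.

```json
{
  "Name": "Logic App Callback URL Reader",
  "IsCustom": true,
  "Description": "Can list the callback URL of a Logic App request trigger and nothing else.",
  "Actions": [
    "Microsoft.Logic/workflows/triggers/listCallbackUrl/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription id}/resourceGroups/{resourceGroup Name}"
  ]
}
```

Creating a custom role and assigning it requires Owner or User Access Administrator on the assignable scope, which is why the question's author must hand this to the admins rather than do it themselves.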
I want to get the health and other resource details of a particular Azure Account or Subscription using these API's
https://learn.microsoft.com/en-us/rest/api/resourcehealth/availabilitystatuses/listbysubscriptionid
When I do TryIt on the web page it works, but if I want to do it using, say, Postman or programmatically, how do I generate the Authorization key? I have seen docs to create an Authorization Key using "App Registrations", but I don't have any WebApp here. All I want to do is get the details of a particular account or subscription using Azure-provided API calls and using any AD user with proper roles for authentication.
This link provides some details, but then I don't have a client id here, since I don't have any webapp:
https://msdn.microsoft.com/en-gb/library/azure/dn645543.aspx
Please let me know if anyone has tried doing this.
Thanks
You have to register an app in Azure AD.
This does not need to be an actual "Web app".
You are registering a service principal (you can think of it as a service account).
After registering the app (with type Web App/API), generate a Key for it.
Write down the Application Id (Client Id) and the key (Client Secret).
Then give the service principal access through the Access Control (IAM) section on the subscription/resource group/resource where you want to give the app access to.
You can then follow the instructions here to generate the access token: https://msdn.microsoft.com/en-gb/library/azure/dn645543.aspx.
Remember to use https://management.azure.com/ as the resource since you are calling the ARM API.
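The two steps the answer describes, as an added example (not part of the answer): a client-credentials token request on the v1 endpoint from the linked article with https://management.azure.com/ as the resource, followed by the Resource Health call from the question. Node 18+ fetch is assumed; the tenant id, client id, client secret and api-version are placeholders the caller must supply.

```javascript
// Added example: get an ARM access token for a service principal and call the
// Resource Health availabilityStatuses API with it. Assumes Node 18+ (global fetch).
// The service principal must already hold an RBAC role (e.g. Reader) on the subscription.

const ARM_RESOURCE = 'https://management.azure.com/';

// Form body for POST https://login.microsoftonline.com/{tenant}/oauth2/token (v1 endpoint).
function clientCredentialsBody({ clientId, clientSecret }) {
  return new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret,
    resource: ARM_RESOURCE, // audience must be ARM, not Graph, for management.azure.com calls
  });
}

async function getArmToken({ tenantId, clientId, clientSecret, fetchImpl = fetch }) {
  const res = await fetchImpl(`https://login.microsoftonline.com/${tenantId}/oauth2/token`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: clientCredentialsBody({ clientId, clientSecret }).toString(),
  });
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  const { access_token } = await res.json();
  return access_token;
}

// apiVersion is a placeholder: use the version shown on the Resource Health REST reference page.
async function listAvailabilityStatuses({ subscriptionId, token, apiVersion, fetchImpl = fetch }) {
  const url = `${ARM_RESOURCE}subscriptions/${subscriptionId}` +
    `/providers/Microsoft.ResourceHealth/availabilityStatuses?api-version=${apiVersion}`;
  const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
  if (res.status === 403) {
    // Token is valid but the service principal has no role assignment covering this scope.
    throw new Error('forbidden: grant the service principal a role on the subscription via IAM');
  }
  if (!res.ok) throw new Error(`ARM call failed: HTTP ${res.status}`);
  return res.json();
}
```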