Azure KeyVault 403 Forbidden when using Principal Account to access - azure

I created an Azure KeyVault that I want my App Service to be able to access. From what I can tell, the principal of my App Service should have access to the KeyVault, but I always get the following error when trying to retrieve from it. This happens whether I am running locally in Visual Studio or in Azure.
Service request failed.
Status: 403 (Forbidden)
Content: {"error":{"code":"Forbidden","message":"The policy requires the caller 'appid=MY_APP_ID;oid=MY_PRINCIPAL_ID_STARTING_WITH_1A5 ;iss=https://sts.windows.net/REDACTED_GUID/' to use on-behalf-of (OBO) flow. For more information on OBO, please see https://go.microsoft.com/fwlink/?linkid=2152310","innererror":{"code":"ForbiddenByPolicy"}}}
Headers:
Pragma: no-cache
x-ms-keyvault-region: westus
x-ms-client-request-id: REDACTED
x-ms-request-id: REDACTED
x-ms-keyvault-service-version: 1.2.236.0
x-ms-keyvault-network-info: conn_type=Ipv4;addr=52.155.40.204;act_addr_fam=InterNetwork;
Strict-Transport-Security: REDACTED
X-Content-Type-Options: REDACTED
Content-Length: 387
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Date: Wed, 21 Apr 2021 20:10:33 GMT
Expires: -1
X-Powered-By: REDACTED
I have looked at the linked KB article and it talks about OAuth. I am not trying to use OAuth, so I don't understand why that is relevant.
Here is the access policy in my KeyVault:
Here is the screenshot from the App Service where I configured a principal.
It clearly says at the bottom that it can be configured to access other resources, so I don't understand why it cannot access KeyVault.
Code used to attempt to access:
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var kvUri = "https://" + Properties.Settings.Default.KeyVaultName + ".vault.azure.net";
var credential = new DefaultAzureCredential(); // managed identity in Azure, developer credentials locally
var client = new SecretClient(new Uri(kvUri), credential);
var result = client.GetSecret(secret); // secret: name of the secret to retrieve

When you set the access policy, you need to select the service principal with only the object id (without the app id).
See this similar post answer.
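As an added illustration (not code from the question or the answer), the following Python models why the answer works: a Key Vault access policy entry that carries an application id in addition to the object id is a compound identity policy, which Key Vault honours only for tokens obtained through the on-behalf-of flow, and that is what the 'ForbiddenByPolicy' body above is reporting. The error body, ids and policy entries are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The 403 body names the caller as 'appid=<app id>;oid=<object id>;iss=<issuer>'
CALLER_RE = re.compile(r"caller '(?P<caller>[^']+)'")

@dataclass
class AccessPolicy:
    object_id: str
    application_id: Optional[str] = None   # set => compound identity, OBO required
    secret_permissions: tuple = ("get", "list")

def parse_caller(error_body: dict) -> dict:
    """Pull appid/oid/iss out of the ForbiddenByPolicy error message."""
    m = CALLER_RE.search(error_body["error"]["message"])
    if not m:
        raise ValueError("no caller identity in error message")
    pairs = (p.split("=", 1) for p in m.group("caller").split(";") if p.strip())
    return {k.strip(): v.strip() for k, v in pairs}

def evaluate_policies(policies: List[AccessPolicy], caller: dict, permission: str = "get") -> str:
    """Explain whether a direct (non-OBO) call by `caller` passes the policy list."""
    for p in policies:
        if p.object_id.lower() != caller["oid"].lower():
            continue
        if p.application_id:
            # An entry bound to appid+oid is only honoured for tokens obtained via OBO,
            # which is exactly the ForbiddenByPolicy response in the question
            return "requires_obo"
        return "allowed" if permission in p.secret_permissions else "permission_missing"
    return "no_policy"

# Constructed sample data with placeholder ids (not real identifiers)
APP_ID, OID = "22222222-2222-2222-2222-222222222222", "11111111-1111-1111-1111-111111111111"
SAMPLE_ERROR = {"error": {"code": "Forbidden", "innererror": {"code": "ForbiddenByPolicy"},
    "message": f"The policy requires the caller 'appid={APP_ID};oid={OID} ;"
               "iss=https://sts.windows.net/TENANT_PLACEHOLDER/' to use on-behalf-of (OBO) flow."}}
# Policy as the question had it (object id plus app id) versus the fix from the answer
BROKEN_POLICIES = [AccessPolicy(object_id=OID, application_id=APP_ID)]
FIXED_POLICIES = [AccessPolicy(object_id=OID)]

if __name__ == "__main__":
    caller = parse_caller(SAMPLE_ERROR)
    print("caller:", caller)
    print("policy with app id  :", evaluate_policies(BROKEN_POLICIES, caller))  # requires_obo
    print("policy with oid only:", evaluate_policies(FIXED_POLICIES, caller))   # allowed
```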

Related

Azure Blob: 403 (Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.)

I have the SAS token with write permission, but when I try to write the blob I get the below error.
Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:6c52482f-c01e-001c-5891-b2f06f000000
Time:2020-11-04T10:03:01.6761446Z
Status: 403 (Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.)
ErrorCode: AuthenticationFailed
Headers:
x-ms-request-id: 6c52482f-c01e-001c-5891-b2f06f000000
x-ms-error-code: AuthenticationFailed
Date: Wed, 04 Nov 2020 10:03:00 GMT
Server: Microsoft-HTTPAPI/2.0
Content-Length: 529
Content-Type: application/xml
Code:
using Azure.Storage.Blobs;
using Newtonsoft.Json;

// The URI already carries the SAS token, so no separate credential is passed
var blobClient = new BlobClient(new Uri(command.AzureBlobContainerTargetUri.AbsoluteUri));
using (var ms = new MemoryStream())
{
    // LoadStreamWithJson is the poster's own helper that writes the JSON into the stream
    LoadStreamWithJson(ms, JsonConvert.SerializeObject(userData));
    await blobClient.UploadAsync(ms);
}
command.AzureBlobContainerTargetUri.AbsoluteUri --> SAS token URI
userData --> some object
The error is always related to your access key, as SumanthMarigowda said in the comment. Please regenerate the key in the portal and try with the new one. Also check your PC's time and, in addition to the time, check your VPN as well.
I also faced the error when using DefaultAzureCredential(). This is the issue (see the UPDATE) with Python.

Access to Azure Key Vault reference value from App Configuration in development on local

I have come across the Azure App Configuration service, which has the ability to link a secret from Azure Key Vault by creating a new record with the Key Vault reference option.
I have used the Microsoft extension for App Configuration as described in the Microsoft Doc.
The steps that have been done:
Creating a service principal via CMD - az ad sp create-for-rbac -n "http://mySP" --sdk-auth
Giving permission to the created service principal, also via CMD - az keyvault set-policy -n <your-unique-keyvault-name> --spn <clientId-of-your-service-principal> --secret-permissions delete get list set --key-permissions create decrypt delete encrypt get list unwrapKey wrapKey
Setting the client id & secret in environment variables
The method implementation:
using Azure.Identity;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureWebHostDefaults(webBuilder =>
            webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
            {
                var settings = config.Build();
                config.AddAzureAppConfiguration(options =>
                {
                    options.Connect(settings["ConnectionStrings:AppConfig"])
                        // Key Vault references are resolved with this credential, so it
                        // must be able to reach the vault (managed identity in Azure,
                        // or the AZURE_* environment variables on a dev machine)
                        .ConfigureKeyVault(kv =>
                        {
                            kv.SetCredential(new DefaultAzureCredential());
                        });
                });
            })
            .UseStartup<Startup>());
The issue starts when I try to fetch data from App Configuration that has at least one KV reference.
I'm getting the following error (only in the case where a KV reference is linked to the App Configuration):
Service request failed.
Status: 401 (Unauthorized)
Content:
{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: \r\nCorrelation ID: \r\nTimestamp: 2020-05-27 22:59:52Z","error_codes":[7000215],"timestamp":"2020-05-27 22:59:52Z","trace_id":"","correlation_id":"","error_uri":"https://login.microsoftonline.com/error?code=7000215"}
Headers:
Cache-Control: no-store, no-cache
Pragma: no-cache
Strict-Transport-Security: REDACTED
X-Content-Type-Options: REDACTED
x-ms-request-id: REDACTED
x-ms-ests-server: REDACTED
P3P: REDACTED
Set-Cookie: REDACTED
Date: Wed, 27 May 2020 22:59:51 GMT
Content-Type: application/json; charset=utf-8
Expires: -1
Content-Length: 471
Any help will be much appreciated :)
Thanks!
When using the DefaultAzureCredential, it will first try Managed Identity (recommended for services on Azure), and eventually a service principal that requires the following environment variables to be set for the process (both on your application service, as well as for local development - can be different, so long as the service principal ID has appropriate permissions):
AZURE_TENANT_ID : the tenant ID
AZURE_CLIENT_ID : the service principal ID
AZURE_CLIENT_SECRET : the service principal secret (password) you were shown only after creating the service principal
You could also use the new preview of Azure.Identity which supports other authentication schemes more common and easier to use on development machines, such as the Azure CLI (az login), Visual Studio, and Visual Studio Code.
The issue was that Visual Studio wasn't able to get the environment variable for some reason, so it was not sent with the request; once I ran Visual Studio as Admin it worked.

Azure Active Directory: 'Forbidden' error while fetching groupclaims using Graph API

I'm using an Azure Active Directory tenant along with the Graph API to fetch groupclaims objectIDs.
However, it's failing with a Forbidden error at runtime.
I used the same code with another Azure Active Directory tenant (which was created almost 4 months back), and it's working perfectly.
I have followed the exact same steps to create the new Azure Active Directory tenant and double checked the configuration details in the Azure management portal.
I have even created a new Azure Active Directory tenant many times with the same steps, but I'm still getting a Forbidden error.
{
StatusCode: 403,
ReasonPhrase: 'Forbidden',
Version: 1.1,
Content: System.Net.Http.StreamContent,
Headers: {
ocp-aad-diagnostics-server-name: a***********Bc=
request-id: 9*******1
client-request-id: 4b**************b9
x-ms-dirapi-data-contract-version: 1.5
x-ms-gateway-rewrite: false
ocp-aad-session-key: GXB**********************5bi0
X-Content-Type-Options: nosniff
DataServiceVersion: 3.0;
Strict-Transport-Security: max-age=31536000; includeSubDomains
Access-Control-Allow-Origin: *
Duration: 1168232
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
Date: Fri, 08 Jan 2016 23:29:43 GMT
Content-Length: 139
Content-Type: application/json; odata=minimalmetadata; streaming=true; charset=utf-8
}
}
In general, a Forbidden error is due to a lack of permissions on the server, but another Active Directory tenant is working perfectly (which was also created by me 4 months back). There isn't any configuration change between the working AAD tenant and the newly created one.
Are there any recent changes in AAD creation?
I'm using Microsoft Active Directory; do we need any configuration update from the MSIT team on the server side?
Followed the steps: https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims
Could someone help me to fix this issue?
Thanks,
Pradeep
Make sure the groupclaims that you try to access are in an Azure subscription you have access to; also try creating a new groupclaim and fetching it using the Graph API.
The MSIT team owns the server-side configuration settings.
Contacting them fixed the issue.

Cannot access OpenId UserInfo endpoint on Azure (AADSTS90010: JWT tokens cannot be used with the UserInfo endpoint)

I'm trying to access the OpenId UserInfo endpoint for a user on an Office365 Azure tenant, with the following GET:
GET https://login.windows.net/common/openid/userinfo HTTP/1.1
Authorization: Bearer eyJ0eXAiOiJ(...remainder deleted for brevity...)
Host: login.windows.net
The response fails with "400 Bad Request", and a more specific error "AADSTS50063: Credential parsing failed. AADSTS90010: JWT tokens cannot be used with the UserInfo endpoint"
HTTP/1.1 400 Bad Request
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Server: Microsoft-IIS/8.5
x-ms-request-id: ef5c8a50-69b5-40f1-ac5f-9c0fc5180aa2
x-ms-gateway-service-instanceid: ESTSFE_IN_6
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
WWW-Authenticate: Bearer correlation_id="e5c613a0-0a21-40e1-9ef6- eacf77580608", error="invalid_request", error_codes="[50063, 90010]", error_description="AADSTS50063: Credential parsing failed. AADSTS90010: JWT tokens cannot be used with the UserInfo endpoint.%0d%0aTrace ID: ef5c8a50-69b5-40f1-ac5f-9c0fc5180aa2%0d%0aCorrelation ID: e5c613a0-0a21-40e1-9ef6-eacf77580608%0d%0aTimestamp: 2015-02-20 14:13:42Z", timestamp="2015-02-20 14:13:42Z", trace_id="ef5c8a50-69b5-40f1-ac5f-9c0fc5180aa2"
Set-Cookie: x-ms-gateway-slice=productionb; path=/; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly
X-Powered-By: ASP.NET
Date: Fri, 20 Feb 2015 14:13:40 GMT
Content-Length: 0
The bearer token used is a non-expired access token that works fine for other operations, such as retrieving Exchange emails.
Furthermore, when I use an identical GET against the OpenID userinfo endpoint at "https://www.googleapis.com/plus/v1/people/me/openIdConnect" (as part of a Gmail access scenario), it works fine.
Am I doing anything wrong here? Thanks for any help!
Some extra info:
- Already tried using the id_token instead of the access_token, but this makes no difference.
- The OAuth scopes used are "profile email".
- The resource requested is "https://outlook.office365.com/".
- The client application is a native app and has all delegated permissions enabled for both "Windows Azure AD" and "Office 365 Exchange Online".
The Azure AD user info endpoint does not support the use of the regular JWT access tokens at this time. Instead, you can acquire a user info specific access token by not specifying any resource in a request to the token endpoint. You can think of the user info endpoint as a resource in its own right, which requires a special token format.
For example, in the authorization code case:
GET request to https://login.windows.net/common/oauth2/authorize?... without a resource parameter, and acquire an authorization_code
POST request to https://login.windows.net/common/oauth2/token using the authorization_code, also without a resource parameter. Receive an access token for the user info endpoint.
GET request to https://login.windows.net/common/openid/userinfo passing the access token in the header as Authorization: Bearer AAAB(...rest of token...)

AADSTS50001: Getting exception while trying to access token from Azure AD by using ADAL from Console client

I am getting an exception while trying to acquire a token from Azure AD using ADAL from a console client.
Steps:
I have configured Azure AD with my Web API application localhost:44307.
Added the required configuration for Client Id and Client Key.
Followed the workaround of changing the manifest suggested in this link:
https://www.google.com/search?q=AADSTS50001+%2B+azure+AD+athentication&oq=AADSTS50001+%2B+azure+AD+athentication&aqs=chrome..69i57.10202j0j7&sourceid=chrome&espv=210&es_sm=93&ie=UTF-8#q=AADSTS50001&safe=active
ADAL Version Using: Microsoft.IdentityModel.Clients.ActiveDirectory 2.6.0-alpha
Console App Code:
using Microsoft.IdentityModel.Clients.ActiveDirectory;

void GetToken()
{
    // Client id and key of the console app registration (values are fake, see note below)
    string clientId = "be6b055a-4efc-222a-2187-49657e6f4f1b";
    string ClientKey = "c/uIMlsqn9SzJLKKyBle42Ym+tgcaC2tbMlWxJQawE";
    ClientCredential clientCred = new ClientCredential(clientId, ClientKey);
    // Tenant authority, then a client-credentials token for the Web API resource
    AuthenticationContext authenticationContext = new AuthenticationContext("https://login.windows.net/MyDevAD.onmicrosoft.com");
    AuthenticationResult authenticationResult = authenticationContext.AcquireToken("https://mylocalwebapiapp.com/", clientCred);
    ....
}
Fiddler Input:
POST https://login.windows.net/MyDevAD.onmicrosoft.com/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
client-request-id: 53262b17-1234-4ed9-bdb3-748d332eb44b
return-client-request-id: true
x-client-SKU: .NET
x-client-Ver: 2.6.0.0
x-client-CPU: x64
x-client-OS: Microsoft Windows NT 6.3.9600.0
Host: login.windows.net
Content-Length: 185
Expect: 100-continue
Connection: Keep-Alive
grant_type=client_credentials&resource=https%3A%2F%2Flocalhost%3A44307%2F&client_id=be6b055a-4efc-408a-8187-42137e6f4f1b&client_secret=c%2FuIMlsqn9SzJLKKyBle123Ym%2BtgcaC3tbMlWxJQawE%3D
Fiddler Output:
HTTP/1.1 400 Bad Request
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Set-Cookie: x-ms-gateway-slice=ProductionB; path=/
x-ms-request-id: e89741b2-570d-44f6-9e71-6533b083abcd
client-request-id: 35262b17-4771-4ed9-bdb3-748d332eb33b
X-Content-Type-Options: nosniff
X-Powered-By: ARR/3.0
X-Powered-By: ASP.NET
Date: Tue, 01 Apr 2014 19:05:51 GMT
Content-Length: 438
{"error":"invalid_resource","error_description":"AADSTS50001: Resource 'https://mylocalwebapiapp.com/' is not registered for the account.\r\nTrace ID: e89741b2-570d-44f6-9e71-6533b083cdad\r\nCorrelation ID: 35262b17-4771-4ed9-cddb3-748d332eb44b\r\nTimestamp: 2014-04-01 19:05:53Z","error_codes":[50001],"timestamp":"2014-04-01 19:05:53Z","trace_id":"e89741b2-570d-44f6-9e71-6533b083cdad","correlation_id":"35262b17-4771-4ed9-bdb3-748d332eb44b"}
Note: Posted URLs and IDs are fake ones.
We should not have introduced any changes. I would recommend double checking that you assigned your client app the correct permissions for accessing your web API. Please note that your app is getting a token with its own credentials, hence you need to assign application permissions directly (as opposed to delegated permissions).
HTH
V.