Current State: I have a mobile application that signs users into Azure AD via OAuth using the PKCE flow. Once authenticated, the app uses a token to get various forms of data from some APIs.
As the application has evolved, the need to integrate SSO with another web application has come up (and there will be further service providers added as we move forward). It will act as a service provider and it supports IDP initiated authentication via SAML.
Question: once this service provider is configured under the AD tenant, is there a way to exchange or translate our OAuth token for something that can be passed on to the the SAML SP without having to re-authenticate? Am I even thinking about this in the right way? I'm mainly curious if we will need to re-implement authentication in the mobile app to support SAML (i.e. stand up some sort of web-based SAML service that can act as a proxy for the mobile application)? If that route is a necessity to accomplish our requirements, I'm assuming there's a way to still get a valid OAuth or equivalent token we can use to send to our APIs.
Apologies if this is a repeat question, but I couldn't find anything with similar specifics. Thanks in advance!
You can surely use the OAuth 2.0 OBO flow that allows an OAuth2-based application to access web service API endpoints that consume SAML tokens. You can read more here and it has some really good guidance on how to achieve the same:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#saml-assertions-obtained-with-an-oauth20-obo-flow
Make sure that you SAML request is well formulated per the details mentioned here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol
Related
I'm not an expert in security, so I would like to validate the options here because I'm a bit lost in all the possibilities.
I have an ASP.NET Core MVC web application, and added Facebook authorization to it (there will be others as well, like Microsoft Mail, and integration with an Azure AD). So users currently can click the 'Log In' button, then click the 'Facebook' button; they redirect to Facebook, enter their credentials, and finally come back to my site where they are authenticated. This works fine, and in the claims I receive nameidentifier and email address.
Now I want to add a ASP.NET Core Web API, which is called by the MVC site (and later by other consumers).
As I have to implement my own authorization mechanism in the web API, I was thinking on passing the authentication token from MVC site to the web API, so that in the web API i know the authenticated user, and based on the nameidentifier I find in the token, I handle authorization for this user.
Is the solution that I propose here feasible for my scenario? Or do you handle this kind of situation typically in another way? Demo applications that I can have a look at maybe?
Is the solution that I propose here feasible for my scenario? Or do you handle this kind of situation typically in another way? Demo applications that I can have a look at maybe?
Yes, you could use Oauth 2.0 on-behalf-of flow to achieve your idea. The OAuth 2.0 On-Behalf-Of flow serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain.
Here is work flow:
1.The client application makes a request to API A with the token A (with an aud claim of API A).
2.API A authenticates to the Azure AD token issuance endpoint and requests a token to access API B.
3.The Azure AD token issuance endpoint validates API A's credentials with token A and issues the access token for API B (token B).
4.The token B is set in the authorization header of the request to API B.
5.Data from the secured resource is returned by API B.
You can refer to the code sample: Calling a web API in an ASP.NET Core web application using Azure AD.
Kinda new to this area of customizable sign-in/sign-up.
I'm currently planning to use social sing-in/sign-up in my Web API project, that handles backend process for my Web App and Desktop Client. I found it is easy to add a OpenID Connect provider to my Identity Provider, but am not sure how can I add OAuth2 provider. Is there a good example or tutorial on this topic?
Also, according to this and that post, it is recommended to use OAuth2 for native apps and OpenID Connect for Web API/Web Apps. Unfortunately the organization whose authentication I'd like to let customers use doesn't provide OpenID Connect. Is this still fine for my scenario?
This sample should be able to help you achieve what you are looking for. It uses the OAuth2.0 authorization code grant with confidential client and ADAL to obtain access tokens for the web app to call the Graph API with the user's identity.
This reference on authentication scenarios should also be useful to you.
Here's my current situation:
Xamarin iOS mobile app (using MobileServiceClient to login)
Azure Mobile/App Service (ASP.NET Web API) with Azure AD authentication
I would like to modify the Authentication part of this process to be handled by Okta instead of the Azure AD. How can I setup Okta or any other 3rd party Identity Provider Service similar to Okta as the ipd for both my mobile app and the api web service? Azure claims that you can use any Auth capable 3rd party provider but I don't see any way to integrate such a provider in Azure portal.
I found this url to a tutorial for custom Authentication: https://adrianhall.github.io/develop-mobile-apps-with-csharp-and-azure/chapter2/custom/
From this post:
IdentityServer 4 as Identity Provider for Azure App Service
Is this really the only way to do it? I would really rather keep using the server flow through MobileServiceClient and configure Azure to use the 3rd party OAuth identity provider, does any one have an example or additional information on how to do this?
Thank you for your help, maybe someone from the Azure team can enlighten us on this topic, I have not seen any documentation or examples of how to do it in their documentation so far.
Client:
Found a working library for OAuth2 and OpenID that worked for integrating with Okta:
https://github.com/openid/AppAuth-iOS
https://github.com/openid/AppAuth-iOS/tree/master/Examples
with a Xamarin wrapper:
https://github.com/xamarin/XamarinComponents/tree/master/XPlat/OpenId
Tested it with Okta for client Auth with 2 factor authentication and it works well. On to figure out the App Service part.
After more research and trial and error, I've found the right combination that works for what I'm trying to do. Here's an outline of what it is:
Okta (identity provider)
set up a native application with an Implicit (Hybrid) grant on it
Mobile Client
use an OpenID Connect component for Xamarin.iOS, in my case https://github.com/openid/AppAuth-iOS
Server / Web Api
converted my asp.net web api webservice to an asp.net core web api webservice so I can use the latest owin middleware to validate jwt bearer tokens submitted in the header of calls to the secured endpoints, here's an example of how to set that up with Okta: https://developer.okta.com/quickstart/#/ios/dotnet/aspnetcore
One thing to note that tripped me up along the way:
in the client, after successfully authenticating with Okta through an OpenID Connect component, you will receive user information which will include an id_token and an access_token, although it might seem natural to use the access token to send with your api calls to the server, that's actually not the case, the access token is supposed to only be used to get userinfo and is not a validated token because it gets regenerated regularly, id token on the other hand contains the signature that the server needs to validate that the header and the payload of the token haven't been tampered with, this difference between these two tokens can be observed by the number of . delimited parts contained within the token, access token has only 2 . delimited parts, header and payload, id token has 3 such parts, header, payload and signature
read more information about jwt tokens here: https://auth0.com/learn/json-web-tokens/
I am trying to have two applications(app1 and app2) in Azure
AD B2C, which is configured for Web api and another application that is configured for mobile app.
I need my mobile app to talk to app1, get the access token, using the app1's application-id and scope. Then use the access token got from app1 to communicate with app2. I enabled SSO in tenant level in the policies but it still says "Authorization denied" for the access token provided.
How can I reuse the access token got from one application to be used in another application.
We have been trying to get through this limitation (or function as designed for security) of B2C AD from weeks.
However, Microsoft does not support it.
We did not want to display MS login page to mobile user on mobile login screen (UX gets compromised). But MS says there is no way possible to avoid it. See response from MS on support ticket.
For more information: Azure AD B2C: Requesting access tokens
You will also benefit reading authentication scenarios supported. We are after something similar to this what they call "Daemon or Server Application to Web API".
In this diagram, Server Application = to mobile application in our case. However you will notice that in this scenario it is assumed that the user is already authenticated (via interactive flow).
We tried to act smart, thinking we can write a Auth web API which mobile will hit to obtain token and then pass this token to our business logic API (secured by B2C AD). We obtained access and refresh token somehow, however the test web app (mobile app) when pass this access token to our business logic API, it fails to validate the token. B2C AD comes fighting for it. Our analysis is not yet complete.
However, I am certain what we are trying to accomplish is not supported in B2C AD.
Hope this helps (I would actually advise you to look for other solution). I will be happy if someone can suggest a way to solve this obvious business problem.
The Authentication/Authorization settings for my API app only provide AAD, FB, Google and Twitter. I want to use different authorization provider (different chat app such as Kakaotalk/LINE) and eventhough their API also give me token I don't know how I can make my backend authorize those tokens.
I wonder if it's possible to have custom authorization based on different OAuth token provided by different service? If not can you suggest what steps should I take to do authorization for my api app service?
Thanks
Yes, it is possible to use custom identity providers if you're using .NET for your API app. Some useful references:
https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-dotnet-backend-how-to-use-server-sdk#custom-auth
https://adrianhall.github.io/develop-mobile-apps-with-csharp-and-azure/chapter2/custom/