I want to use the AAD B2C Github identity provider to authorize users in my app. To create a user I need at least get an email from it - but I get nothing. I did set up everything according to docs and I can see in the AAD B2C Users list that Name is set up correctly for a new user, but User Principal Name where email should be is null
Here is JWT answer
{
"typ": "JWT",
"alg": "RS256",
"kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk"
}.{
"exp": 1611879546,
"nbf": 1611875946,
"ver": "1.0",
"iss": "https://apichat.b2clogin.com/4d39cd56-4c18-4bc7-aaa8-36bf91191c8c/v2.0/",
"sub": "dfe38752-113e-4431-b1bd-23dd53119369",
"aud": "341eea81-859c-485c-baea-2cc9f75f6512",
"nonce": "defaultNonce",
"iat": 1611875946,
"auth_time": 1611875946,
"idp_access_token": "c5c79a8f49c44575cf127fc3c64aaa5710a0a465",
"idp": "github.com",
"tfp": "B2C_1_susi_debug"
}.[Signature]
What do I missing?
Added
After some studying, I have a suspicion that the Github provider here either does not have the required scopes or mappings. I don't see any ways to add it so far. Potentially that might be solved by a generic OpenID Connect provider but Github does not support well-known/openid-connect-discovery and I have no option to manually set endpoints in AAD B2C.
So far I don't see any way to connect GitHub to my AAD B2C and get that darn email - why the biggest cloud platform does not fully support the biggest dev repository when they have the same owner is beyond my understanding.
Ok, the solution I found looks like that
Set Display Name and Identity Provider Access Token in Application Claims of your User Flow
On GitHub auth you will get name aka username and idp_access_token aka token
That's allow us to call github user api curl -u username:token https://api.github.com/user
By default user api returns public user profile, which might not have a set email
curl -u username:token https://api.github.com/user/emails will return all user associated emails
We need the primary one
{
"email": "***#gmail.com",
"primary": true,
"verified": true,
"visibility": "public"
}
Related
I have written one custom policy in azure AD b2c and its working ok , Now i want to return the access token as well if some one login from social media account i am able to return access token but with local account login i am not sure what steps needs to follow , Can any one help me on this
login via social media: Claims like below works fine
{
"exp": 7676868,
"nbf": 6868712,
"ver": "1.0",
"iss": "xyxjhgjgjg/v2.0/",
"sub": "26cd4=jfh1-9e4f-4d74-a4bd-afjhhdfkj6",
"aud": "584nczac-f6ba-4d42-a051-859700f247cj,
"acr": "b2c_1a_signuporsigninwithphoneoremail",
"iat": 1622700jhj,
"auth_time": 1622700447,
"givenName": "mnmn",
"surname": "nbnbnb",
"name": "nbvnvnv",
"idp_access_token": "v117OqsDGUyPjPlqmjfRCZB7zrsWZBxfzhgj,mnn,lwIEuDVyvE3VsH4cuZAf",
"tid": "d302bdbnbvv-09e5-42bf-9006-6bjhgjg"
}
When you login via a social idp, the user enters their credentials on the social idp page, and in return gets an access token which B2C can use to grab their information after consent.
There is not the case for local accounts, because when the user logs in using a local account, they enter their credentials on the B2C idp itself. The access token is what constitutes these entire claims you have shared.
So in essence, when using social idp, there are two access tokens, one related to B2C, which constitute the entire claims, and another related to the social idp, which you highlighted in your question.
I am working on an app that was registered on the 20-Jan-2021 in Azure AD (via the "App registration" page) which uses the SharePoint REST API (_api/Web/SiteUsers, amongst others) to retrieve user information (from SharePoint online). The app was, and is still, working fine using the tenant id, application id and client secret I got then. A few days ago (9-Apr-2021), I registered a 2nd app in Azure to show a colleague how to set things up. Using that new app's application id and client secret (same tenant id), the application fails with error 403 when I submit a call to _api/Web/SiteUsers (calls to MS Graph APIs work fine using both app ids - it's only the SharePoint api calls that fail). Both registered apps have the same permissions set up - I can't see any difference when I compare them side-by-side. They both have Application permissions for MS Graph API:(Directory.Read.All, Files.Read.All, Sites.Read.All, Group.Read.All) and SharePoint:(Sites.Read.All, User.Read.All), and Delegated permissions for MS GraphAPI:User.Read. All application permissions have been granted admin consent. Both use secret keys. I've visually compared both registered apps in Azure and can't see any differences in any other properties (other than app id, client id, branded name, secret key). Does anyone know if something has changed recently that would cause the earlier app id to work, and not the more recent one? Is there some sort of sync delay between Azure and SharePoint (the issue still persists after 3 days)? Any help/hints would be appreciated. Thank you in advance.
Mm
Decoded token for App ID that works:
{
"typ": "JWT",
"alg": "RS256",
"x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
"kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
}.{
"aud": "00000003-0000-0ff1ce00-000000000000/iplatinum1.sharepoint.com#55379f90-a2a4-4f64-b18d-f3453e934a85",
"iss": "00000001-0000-0000-c000-000000000000#55379f90-a2a4-4f64-b18d-f3453e934a85",
"iat": 1618276524,
"nbf": 1618276524,
"exp": 1618363224,
"identityprovider": "00000001-0000-0000-c000-000000000000#55379f90-a2a4-4f64-b18d-f3453e934a85",
"nameid": "7c331853-01ae-422b-bfe4-7df2d3fdbacf#55379f90-a2a4-4f64-b18d-f3453e934a85",
"oid": "fa4507cb-dfb1-4ed4-9d06-5fa9ffcb814e",
"sub": "fa4507cb-dfb1-4ed4-9d06-5fa9ffcb814e",
"trustedfordelegation": "false"
}.[Signature]
For the one that doesn't:
{
"typ": "JWT",
"alg": "RS256",
"x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
"kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
}.{
"aud": "00000003-0000-0ff1-ce00-000000000000/iplatinum1.sharepoint.com#55379f90-a2a4-4f64-b18d-f3453e934a85",
"iss": "00000001-0000-0000-c000-000000000000#55379f90-a2a4-4f64-b18d-f3453e934a85",
"iat": 1618276454,
"nbf": 1618276454,
"exp": 1618363154,
"identityprovider": "00000001-0000-0000-c000-000000000000#55379f90-a2a4-4f64-b18d-f3453e934a85",
"nameid": "7307b725-738e-4b8c-b898-89486cff95de#55379f90-a2a4-4f64-b18d-f3453e934a85",
"oid": "08650d87-1a47-436f-a8e1-ee44caa361ee",
"sub": "08650d87-1a47-436f-a8e1-ee44caa361ee",
"trustedfordelegation": "false"
}.[Signature]
As far as I know, Azure AD App Client Secret is blocked by sharepoint online. You need to choose certificate for authentication: https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
Another workaround is register app in SharePoint site "https://yoursite/_layouts/15/appregnew.aspx". In this way you can sue client secret. https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
As pointed out by Michael Han, I had to register the App ID in SharePoint. Once that was done, the access was granted.
I have an Angular Application which is authenticated using AAD B2C. This talks to a .Net Core API using an access token.
My problem is that I am not receiving a User Principal Name (upn) in my access token.
I have been adding additional "Application claims" like "Given name" and "Surname" and these appear in my access token just fine! Therefore, I believe that my scopes (openid, profile, email) are set correctly and that this in theory is working.
I believe since I am using version 1.0 of the token, that I do not need to configure an any additional claims in my application manifest. My user is a standard AD user not a guest.
The following document states that the upn claim should be included in the v1.0 tokens:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
What am I doing wrong?!
Decoded Access Token:
{
"iss": "https://(my-tenant-name).b2clogin.com/(guid)/v2.0/",
"exp": (number),
"nbf": (number),
"aud": "(guid)",
"oid": "(guid)",
"sub": "(guid)",
"name": "My Name",
"given_name": "Given name",
"family_name": "Surname",
"country": "Norge",
"tfp": "B2C_1_signupsignin2",
"nonce": "(guid)",
"scp": "basic",
"azp": "(guid)",
"ver": "1.0",
"iat": (number)
}
UPN is not returned in AAD B2C tokens because it is an irrelevant random string that is set.
Rather AAD B2Cs unique name is stored in signInNames attribute, and returned in your token as email or username.
The doc you linked is for AAD, and irrelevant to AAD B2C. These are two seperate token issuer services. Select in your User Flow Application Claims to return “email addresses”.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview#email-address-storage
At this time, apps that support both personal accounts and Azure AD (registered through the app registration portal) cannot use optional claims. However, apps registered for just Azure AD using the v2.0 endpoint can get the optional claims they requested in the manifest.
To achieve UPN Claim in the token, use B2C Custom Policy.
Refer this link for the starter pack: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack
Add below claim to the TechnicalProfile AAD-UserReadUsingObjectId and in the Relying Party Policy (Eg: SignUpOrSignin.xml):
<OutputClaim ClaimTypeReferenceId="userPrincipalName" />
As per the code you have provided we observed you are using v2 endpoint( "iss": "https://(my-tenant-name).b2clogin.com/(guid)/v2.0/")
As per the document if you see iss:If the token was issued by the v2.0 endpoint, the URI will end in /v2.0.
In the V2 endpoint you need to make a request explicitly for UPN claim.
In v1.0 endpoint they are returned by default but v2.0 made smaller tokens so they made it optional.
Please go through the following links for more understanding. https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims How to add optional claims in application manifest https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest
I created an Angular application with Implicit Grant Flow for authentication and a Web Api in .Net Core 3.1 following this tutorial: https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-aspnetcore-webapi
The problem is: I need to return the roles and/or groups of the logged User within the Bearer Token to authorize my API, but I'm not being able to do so.
I added the roles to the App Registrations Manifest here, added the claim 'groups' in the Token Configuration menu and set the "User assignment required?" as yes in my Enterprise App Configuration.
Even with all these configurations, I'm not able to return the roles/groups claims in the bearer token.
Example of the token the authentication returns:
{
"ver": "2.0",
"iss": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0",
"sub": "AAAAAAAAAAAAAAAAAAAAABTOBMzzWB5LS36oSmQMgyc",
"aud": "ecb5e87f-6f34-4f05-8e8d-8d6149178926",
"exp": 1597173984,
"iat": 1597170084,
"nbf": 1597170084,
"name": "name",
"preferred_username": "email#outlook.com",
"oid": "00000000-0000-0000-fa54-d112egdce65a",
"tid": "9188040d-6c67-4c5b-b112-36a304b643ad",
"azp": "edeb4b7d-9cac-4f3b-a21d-ead77993689e",
"scp": "access_as_user",
"azpacr": "0",
"aio": "DYNhHjG*PSY1ceuC11yaLYcLta8zh49iA!l2UCbCsH9QlaUkEHVQ4paQFRmb!qv7J6yTbAQItGWDgCW9UgUipz4Xnma*DOkFFDNIZ5lkffThD*ie91XMzZIoPhUPwNHOt5dLrw3VASE2WCvJfvDFOQk$"
}
Am I doing something wrong? Is there any other way to authorize the logged user in a SPA Application, return the token with the roles and groups and send it to the Web Api?
You should add the App Role into the manifest of the service app (TodoListAPI) rather than the client app (TodoListSPA).
Don't forget the assign the App Role to the users.
This should be able to fix your issue.
Hi You need go to azure ad -> app registrations -> your app -> taken configuration -> Add Groups Claim -> then select Security groups checkbox. Save. Then log out log in again and should be in taken under groups.
I have an application registered in Azure ad.
When i do ADAL with the following details i get a authoriazation token to use with microsoft graph api.
`username = 'admin#domain.com'
password = 'password123'
client_id = application id from azure ad
client_secret = keys from application on azure ad
tenant = directory id from azure ad`
Using this token i can fetch the list of all sites in my sharepoint account.
Below is the endpoint i call to fetch the sites with the bearer token:
https://graph.microsoft.com/v1.0/sites?search=*
But when I just do the client authentication using token generated using below endpoint Iam not able to access the sites list.
login.microsoftonline.com/tenant_id/oauth2/v2.0/token
`grant_type : client_credentials
clientid : client_id
clientsecrte : client_secret
scope : https://graph.microsoft.com`
It does not return all of the sites.
Is there a way of getting all sites list with just client authentication.
Or can i get a token for user authentication without user password.
Here is the token decoded that i am using:
{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/586145ec-0428-4da6-8061-fb114257ab70/",
"iat": 1528949458,
"nbf": 1528949458,
"exp": 1528953358,
"aio": "Y2dgYLh*************xAAA=",
"app_displayname": "App Name",
"appid": "504ddb16-2899-48be-be57-**********",
"appidacr": "1",
"idp": "https://sts.windows.net/586145ec-0428-4da6-8061-fb114257ab70/",
"oid": "afcf166f-24c2-49f1-b285-b672d0413c50",
"roles": [
"Sites.Read.All",
"Sites.ReadWrite.All",
"Sites.Manage.All",
"Sites.FullControl.All",
],
"sub": "afcf166f-24c2-49f1-b285-b672d0413c50",
"tid": "586145ec-0428-4da6-8061-fb114257ab70",
"uti": "hwYd8FZCH0KruWGRFiIHAA",
"ver": "1.0"
}
I get other permissions also but these are site related in Microsoft Graph api
Cause:
The successful one is using ROPC flow and it can get delegated permissions onbehlaf of the user. But the failed one is using client_credentials flow which get application permissions and cannot onbehlf of the user.
Updated Answer
Solution:(Before you do this test, ensure you have SPO license in your tenant)
Try to add Sites.Read.All Application permission in your registrated AAD Application and do admin consent for it before you getting token.
If you're using AAD v1 endpoint, you can do admin consent by clicking Grant permissions button.If you're using v2 endpoint, please input this kind of URL in your internet browser to do admin grant:
https://login.microsoftonline.com/{yourtenant}/adminconsent?client_id={the applicationid of your client}&state=123&redirect_uri={the redirect uri of your app}
and sign in with Global admin account and accept this permission.
In my test lab, I used v2 endpoint.Here is the token I got via Postman:
Here is decoded token in https://jwt.ms , we can decoded the token to ensure it has the permissions we want.
Then I use this token in the head to call Microsoft Graph API and succeeded:
For more detials about Site permission for Microsoft Graph, please refer to this documentation.
Please let me know if this helps!