How can I create an Azure Web Application to authenticate a user and acquire its access token? - azure

I want to create an Azure Web Application that can authenticate an external/internal (from any Organization) user upon opening the Web Application link through Azure AD Credentials and acquire its Access token in return.
I want to use that Access Token to programmatically create an application registration in User's tenant.

First, you need to register an application and set it as a multi-tenant application, then use the auth code flow to authenticate the user and obtain an access token.
Next, you need to use the access token to call the MS Graph API to create an application; because you are using the auth code flow to obtain the token, you need to grant delegated permissions to the application.
see: sample.

Related

Is there a way to Authorize Net Core 3.0 APIs with JWT and also Azure AD Tokens

I'm creating a web service that contains authentication (no identity), and I protected the APIs with JWT (the token is returned when the user logs in or registers by email, password, name, etc.), but I also have a Microsoft login/register using MSAL, and I also created an Azure App. How do I validate the login with Microsoft to return the JWT, or how could I implement the API authorization using both JWT and Azure AD?
You have currently registered an Azure application; you can set it as a client application, and then you need to create a back-end application representing the API. Then let the user log in to your client application to complete authorization and obtain an access token, and finally use the access token to call the API application.
The operation process is as follows:
First expose the api of the back-end application and add the client application.
Next, under 'API permissions', give your front-end application access to your backend API:
Under 'API permissions' click on 'Add permission', then click on the 'My APIs' tab.
Find your backend application and select the appropriate scope.
Click 'Add permissions'.
Grant admin consent for your APIs.
Next, you need to use the auth code flow to obtain an access token, which requires you to log in the user and obtain the authorization code, and then use the authorization code to redeem the access token.
Parse the token:
Finally, you can use the token to call the api.
The complete sample is for your reference.
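The two answers above (the multi-tenant app that calls Microsoft Graph, and the client app that calls its own exposed API) both run the same Azure AD v2.0 authorization code flow. The following is an added example, not code from either answer or from the linked samples: it builds the authorize redirect, checks the callback, and builds the token redemption body, with PKCE and a `state` value so the callback cannot be forged or replayed into another session. `CLIENT_ID`, `REDIRECT_URI`, the `api://backend/...` scope and the application display name are placeholders; nothing here performs network I/O.

```python
"""Added example: request building for the Azure AD v2.0 authorization code flow,
for a multi-tenant app calling Microsoft Graph or a client app calling its own API.
Standard library only; the requests are built, not sent."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values (assumptions): substitute your own app registration's values.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://localhost:5001/signin-oidc"


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: BASE64URL(SHA256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Fresh random verifier plus its challenge; keep the verifier server-side."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def authorize_url(scopes, state, challenge, tenant="organizations"):
    """Step 1: the URL the user is redirected to. 'organizations' admits users from
    any work/school tenant (the multi-tenant case); a tenant id restricts to one."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,  # binds the callback to this browser session (CSRF protection)
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: extract the authorization code from the redirect back to the app,
    refusing any callback whose state does not match the one issued in step 1."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not issued for this session")
    return query["code"][0]


def token_request(code, verifier, scopes, tenant="organizations", client_secret=None):
    """Step 3: URL and form body to POST to the token endpoint to redeem the code.
    The code_verifier proves the same client that started the flow is finishing it;
    a confidential (web) client also sends its client_secret."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
        "scope": " ".join(scopes),
    }
    if client_secret:
        body["client_secret"] = client_secret
    return url, body


def create_application_request(display_name):
    """Step 4 for the first question: the Graph call that registers an app in the
    signed-in user's tenant. The access token must carry the delegated
    Application.ReadWrite.All scope, consented in that tenant."""
    return (
        "POST",
        "https://graph.microsoft.com/v1.0/applications",
        {"displayName": display_name, "signInAudience": "AzureADMyOrg"},
    )
```

For the second question, the scope passed to `authorize_url` and `token_request` is the one exposed on the back-end registration (for example `api://<backend-client-id>/access_as_user`); for the first it is `Application.ReadWrite.All` on Graph. Both the verifier and the state must be stored against the user's session between step 1 and step 3.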

With client credential flow, access token getting generated without delegate access from any app within same tenant

I am setting up a background process which will communicate with an API secured by Azure AD. Without giving delegated access to the API, the client app is able to generate an access token.
Using the client credential flow, is it possible to generate an access token for a web API without giving delegated permission? I am able to generate it, but according to it should not happen. Any app created in my tenant is able to generate the token for the web API without delegated permission.
I have followed below sample on github.
https://github.com/Azure-Samples/active-directory-dotnet-daemon
It should not be able to generate access token, if no delegate access is provided.
This is normal. If you are using the client credential flow, even if your client app does not have the application permission or delegated permission, it will be able to generate the access token. But you could not use this token to call the API, because the token does not have the permissions in its claims. You could decode the token in https://jwt.io/ , then you can see the permissions as below.
Update:
If you want to check the delegated permissions, you need to use ropc flow. Check the scope in the response, they are the delegated permissions.
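The answer's point, and the reason the earlier JWT-plus-Azure-AD question has to validate tokens on the API side, is that a token being issued says nothing about what it is allowed to do: the API must look at the permission claims. Delegated permissions arrive in the `scp` claim, application permissions (client credentials flow) in `roles`, and a client-credentials token issued to an app with no grant carries neither. The following is an added example, not code from the answer or from the linked daemon sample: it decodes a token the way jwt.io does and makes the accept/reject decision an API would make. The tokens are constructed, unsigned test values; a real API must verify the signature against the tenant's JWKS (for example with PyJWT or Microsoft.Identity.Web) before trusting any claim, which is out of scope here.

```python
"""Added example: inspecting the permission claims of an Azure AD v2.0 access token
and deciding whether it may call a protected API. Standard library only.
Signature verification is deliberately omitted; do it before trusting claims."""
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT without verifying it (what jwt.io shows)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token with an empty signature; for demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def authorize(token, audience, required_scope=None, required_role=None, now=None):
    """Return (allowed, reason). Allowed only if the token is for this API, is not
    expired, and carries the required delegated scope or application role."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    if claims.get("aud") != audience:
        return False, f"audience {claims.get('aud')!r} is not this API"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    scopes = set(claims.get("scp", "").split())  # delegated permissions (a user signed in)
    roles = set(claims.get("roles", []))         # application permissions (daemon, no user)
    if not scopes and not roles:
        # This is what a client-credentials token looks like when the app was granted
        # nothing: it is a genuine token from the tenant, yet it authorizes nothing.
        return False, "token carries no scp or roles claim"
    if required_scope and required_scope in scopes:
        return True, f"delegated scope {required_scope}"
    if required_role and required_role in roles:
        return True, f"application role {required_role}"
    return False, "required permission not granted"
```

Checking `aud` first matters as much as the permission claims: a token minted for Microsoft Graph or for another API in the same tenant is just as "valid" as one minted for yours, and only the audience check keeps it out.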

Embed Outlook.com with a specific credentialed user generated by MS Graph access_token

I can login to Outlook 365 in my web with MS Graph without user action. I'm using simple-oauth2 module and oauth2.ownerPassword.getToken method to generate tokens with username/password from my database.
I'd like embed Outlook.com in my web for each user (with their credentials).
Is there any way to do this?
Why would you do that?
If your application already lets the user log in with an Azure AD account, you could use the on-behalf-of flow. Then your web application can request a token for another resource by sending the access token of the user for the current application.
If they aren't logged in to Azure AD already, you could have a look at the client credentials flow. Then your application will just get a token with access to all mailboxes.

Connect to OneDrive using a daemon app in node.js

I'm trying to create a script which connects to OneDrive (consumer) in order to get some file.
However, between consumer and enterprise and all those different azuread stuff I'm lost.
Is there a simple explanation on how do I get a token to access OneDrive in a daemon app?
To interact with OneDrive for a personal account, we can use the Microsoft Graph by acquiring the token from the Azure AD v2.0 endpoint.
However, this endpoint doesn't support such a scenario. The client credentials flow for the Azure AD v2.0 endpoint only works for organizational accounts.
As a workaround, you may consider getting the access token and refresh token via the code flow and then using the refresh token to renew the access token. And you need to use the refresh token before it expires. And based on the document, the lifetime of a refresh token for a personal account is up to 1 year (refer here).
And to acquire the access token and refresh token for a OneDrive personal account, you can refer to the code flow in this document.
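The workaround in the answer amounts to a small piece of state the daemon has to manage: the refresh token obtained once (interactively, with the `offline_access` scope), the current access token and its expiry, and a renewal before that expiry that also keeps whatever new refresh token the endpoint hands back. The following is an added example, not code from the answer or from any Microsoft sample: the HTTP call is injected as a callable so the class runs offline against a constructed stand-in endpoint, `CLIENT_ID` is a placeholder, and the `consumers` token endpoint is the v2.0 alias for personal Microsoft accounts.

```python
"""Added example: keeping a daemon's OneDrive (personal account) access token fresh
from a refresh token obtained once via the authorization code flow."""
import time

CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder (assumption)
# 'consumers' is the v2.0 endpoint alias for personal Microsoft accounts.
TOKEN_URL = "https://login.microsoftonline.com/consumers/oauth2/v2.0/token"
# offline_access is what makes the code flow return a refresh token at all.
SCOPES = ["offline_access", "Files.Read"]


class RefreshingTokenSource:
    """Hands out a usable access token, renewing it from the refresh token
    shortly before expiry. `post(url, form_dict)` must return the parsed JSON."""

    def __init__(self, refresh_token, post, clock=time.time, skew=300):
        self._refresh_token = refresh_token
        self._post = post
        self._clock = clock
        self._skew = skew            # renew this many seconds before expiry
        self._access_token = None
        self._expires_at = 0.0
        self.renewals = 0

    def access_token(self):
        if self._access_token and self._clock() < self._expires_at - self._skew:
            return self._access_token
        body = {
            "client_id": CLIENT_ID,
            "grant_type": "refresh_token",
            "refresh_token": self._refresh_token,
            "scope": " ".join(SCOPES),
        }
        resp = self._post(TOKEN_URL, body)
        if "error" in resp:
            # e.g. invalid_grant once the refresh token has expired or been revoked:
            # the only recovery is to run the interactive code flow again.
            raise RuntimeError(f"refresh failed: {resp['error']}")
        self._access_token = resp["access_token"]
        self._expires_at = self._clock() + int(resp["expires_in"])
        # The response may carry a rotated refresh token; always persist the newest one,
        # or the daemon will eventually present one the endpoint no longer accepts.
        self._refresh_token = resp.get("refresh_token", self._refresh_token)
        self.renewals += 1
        return self._access_token

    @property
    def refresh_token(self):
        """The value to persist (encrypted at rest) between daemon runs."""
        return self._refresh_token


class FakeTokenEndpoint:
    """Constructed stand-in for the real endpoint: issues numbered tokens and
    rotates the refresh token on every call."""

    def __init__(self):
        self.calls = []

    def __call__(self, url, body):
        self.calls.append(dict(body))
        n = len(self.calls)
        return {"access_token": f"at-{n}", "refresh_token": f"rt-{n}", "expires_in": 3600}
```

Swapping `FakeTokenEndpoint` for a real `post` (for example a function wrapping `requests.post(url, data=body).json()`) is the only change needed to run this against the live endpoint; the persisted refresh token is the daemon's only long-lived credential and should be stored with the same care as a password.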

How to acquire token in a native client to access a Web API that has been registered for Azure Active Directory?

I have a native client (console app) from where I am trying to access a WebAPI. The API has been authenticated using Azure AAD. So, in order to acquire a token using the method AuthenticationContext.AcquireToken(), ClientCredentials are needed which in turn need the "client secret" that one is supposed to receive from Azure while registering the application to Azure AAD. Is there any other way for me to be able to retrieve the access token to access the WebAPI?
If you want to call the WebAPI on behalf of (or "as") the current user then you can use the Resource Owner Credentials flow. Otherwise, the client credential flow you described is the appropriate solution.
Note that your client app should be registered separately from your WebAPI in AAD.
