I'm building an REST API which should be protected by Azure AD. So I have the following OAuth2 items
Resource Server: My REST API server
Authorization Server: Azure Active Directory
Client: Postman
Resource Owner: me
I've been trying to configure AD using this blog post but then it goes straight to configure a frontend application. In the blog post, the author configured a front end application but during development, the front end is not yet ready, so I will be using Postman
And when I tried using Postman using the Get New Access Token functionality (Grant type is Authorization code with PKCE), it is failing with error Error: AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests
Any thoughts on how I can properly test this? What am I doing wrong?
Please refer to this cogent article on testing Azure AD protected Springboot API: Securing a RESTful API using Spring Boot and Microsoft’s Azure Active Directory.
Here are some screenshots for quick reference on setting up Postman:
Related
I am working on a project, in which I am building a publish-subscribe system through Azure Web PubSub Service. The JavaScript clients (subscribers) are connected through socket and able to receive the published message on the Hub and in the Group. For this I followed this tutorial: https://learn.microsoft.com/en-us/azure/azure-web-pubsub/tutorial-pub-sub-messages?tabs=javascript
Everything is working fine, as I am in the POC phase yet. So currently I am publishing messages through JavaScript from above tutorial. But now I am starting to integrate it in my existing app which is developed in PHP. So I am thinking to use following Azure REST API for Web PubSub operation: https://learn.microsoft.com/en-us/rest/api/webpubsub/dataplane/web-pub-sub
Before this I worked on the Azure Graph APIs, in which I did an App Registration at Azure Portal with some Redirect URLs, and assign some permissions to access the resources. I did this for Outlook Mail, Overdrive, SharePoint and its very straight forward process to get the access token (JWT) to access the resources.
But I am stuck and unable to get the access token for Azure Web PubSub API. I need token to just Publish a message from PHP end by REST API. I checked in App Registration's > API permissions section, there is no permission for the Azure Web PubSub Service. I checked the same app in Enterprise application also. Did some hit and try, but didn't get the access token. I know the issue is with the permission.
Please help me to get the token for this, so will call the Web PubSub API, Or if I am missing something please help me to trace. Any suggestion are welcome.
Thanks.
I think you can make use of the following REST API endpoints:
Web Pub Sub - Grant Permission
https://learn.microsoft.com/en-us/rest/api/webpubsub/dataplane/web-pub-sub/grant-permission#webpubsubpermission
Web Pub Sub - Generate Client Token
https://learn.microsoft.com/en-us/rest/api/webpubsub/dataplane/web-pub-sub/generate-client-token
I have a React Application for the Front end hosted on Azure in App Services. I also have another NodeJS app that I am using to create REST APIs for the front-end App. This App is hosted on another App Service.
Now, I want to integrate AD authentication for the front-end app using Azure Active Directory, which I have managed to do using the Easy Auth process. But I don't know how to get (or pass to the front end) the user and token details once the user is authenticated.
The second part of the query is, that I want to use the token to secure my REST APIs by passing it in the header and validating it in the backend. I have gone through various Microsoft documentation but I am not able to figure out how to do this.
Please help me in getting the user and token details. And please suggest how to secure my REST APIs.
You can get the tokens via http headers or via an endpoint /.auth/me. More details: https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-oauth-tokens#retrieve-tokens-in-app-code
Regarding validating tokens, take a look at this: https://github.com/Azure-Samples/active-directory-dotnet-webapi-manual-jwt-validation
We developed an API hosted in Azure and we decided to experiment a frontend in Azure DevOps with a web extension in react.
Without authentication, it worked :D
So, let's move on OAuth2.
In the past we developed task extensions with custom service connections. So we decide to experiment them with the acceptance criteria of an authentication based on AzureAD (or related to as Azure DevOps) with userId in claims in API scope and keep benefit of Azure DevOps not to ask a second authentication to users. (no MSAL for now....)
Simple first solution was to use core sdk getAppToken function. But token was not containing userId information.
We them tried service connections :
Client credentials
Native azurerm service connection works but with some limitation. We can't use a datasourcebinding with datasourceurl as it should begin with {{config.url}} or {{endpoint.url}}. And endpoint.url is "https://management.azure.com", so we can't call our api :
We also tried to use managed service identity service connection type (ms.vss-endpoint.endpoint-auth-scheme-managed-service-identity for curious). Because in task extension frontend, Azure DevOps is using user credentials to request Azure for any datasourcebinding.
But Microsoft seems to block this kind of authentication to their type azurerm :
Let's now try OAuth2 configuration :
So we created a custom service connection and defined authentication and datasource like ServiceNow endpoint :
https://github.com/Microsoft/azure-pipelines-extensions/blob/master/Extensions/ServiceNow/Src/vss-extension.json
OAuth2 configuration url : https://login.microsoftonline.com/XXX/oauth2/v2.0
AuthorizationUrl : {{{configuration.Url}}}/authorize?client_id={{{configuration.ClientId}}}&response_type=code&redirect_uri={{{RedirectUrl}}}&scope=api://XXX/.default
AccessToken and RefreshToken datasourcebindings requestUrl {{{configuration.Url}}}/token"
Everything was in place to use a configuration.url for code and token. Whereas endpoint.url was pointing to our API in Azure with a custom domain.
But it failed because I realized when a code is requested through service connection of kind OAuth2, serverurl is magically replaced by configurationUrl...
I didn't understand this issue with executeServiceEndpointRequest function call :
Backend code is inspired from mkaszub post : https://github.com/microsoft/azure-devops-extension-api/issues/12
It comes before real request and after service connection get.
The strangiest thing is that next call to API itself failed but not because or bad url. First endpoint.url at service connection creating was still there...
Conclusion, fail to use OAuth2 configuration in Azure DevOps with an Azure API.
So, do you know how to call an API inside Azure DevOps web extension with a user generated AzureAD token ?
Solution we think of :
MSAL should be the way to go for standard authentication, but we will need to ask for user to login. Even he's already inside Azure DevOps. Any trick to avoid this ?
MSAL with frontend outside Azure DevOps, inside Azure. But we loose Azure DevOps integration. And using extension with hub collection, would brings unique API frontend places.
Anyway, Thank you for time you spent reading me.
I have created new web service using VS 2019 ASP.NET Core Web API from the project template with AAD authenticalion. It creates a simple ValuesController and sets up AzureAdBearer authentication in StartUp, but there is no pointers of what do next. There are no doc links in the created project, and no comments. I could not find any documents on https://learn.microsoft.com/ referring this template, all examples there refer to other sample projects, which use different code constructs, authentication types, etc.
Out of the box, the project simply returns 401, whether run locally or published to Azure Web Service.
Is there any guidance on what to do next and make this template work?
A WebApi is out on the internet waiting for a client to call it with an access token in its headers.
Usually, to learn about this scenario, you would create a couple of projects in Visual Studio, a Web Api and a client app of some sort that calls this web api.
The client app will request an access_token for this web api from Azure AD and sent it along in its call to the api.
The generated code validates this access token to ensure that its a valid one and issued for this Api (among other things).
I'd suggest you try one of Please use the samples provided at Azure Active Directory Home page for developers
You can refer to code sample : Calling a web API in an ASP.NET Core web application using Azure AD .
Your web api is now protected by Azure AD , if any client call your api , it should append Azure AD Access token as a Bearer token to the Authorization header in an HTTP request . Your web api will validate the token and authorizes the user using the JWT bearer authentication middleware(AzureAdBearer middleware) .
Your client app could uses the OpenID Connect middleware and the Active Directory Authentication Library (ADAL.NET) to obtain a JWT bearer token for the signed-in user using the OAuth 2.0 protocol. Then the client app can use that token to access your protected API . See TodoListWebApp project .
I have an AspNetCore 2.0 MVC web API secured by an Azure Active Directory B2C tenant. I have been able to use Postman to test the API end points by following this SO posting: Request Access Token in Postman for Azure AD B2C (in particular, the Microsoft documented steps referenced in SpottedMahn's comments:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/azure-ad-b2c-webapi#use-postman-to-get-a-token-and-test-the-api )
Now, I am working on a serverless version of the above - the app is pretty much identical expect that the endpoints have been implemented by Azure functions in an Azure Functions App
The Functions App has Authentication on, Log in with Azure Active Directory and the following settings:
This is how i have set up the Application in the Azure B2C tenant:
If I access the functions endpoint via a browser, I get successfully routed to the Azure AD B2C login page and can log in, then see the results from the API endpoint. So I'm pretty confident all is good w.r.t. the Azure AD B2C <-> Function App configuration.
However, I can't use the Request Access Token technique linked above to get a token and inspect the endpoint in Postman
If I take the token obtained after authentication (for example by using fiddler and observing the id_token being returned), and in Postman I choose Bearer authentication and supply that id_token, then Postman successfully hits my endpoint. However, if I follow the steps in the linked document above, I do get the "login" popup and then do get a valid [looking] token, but when I click Use Token and run the request, I get
You do not have permission to view this directory or page.
I'd really like to be able to request an access token from postman just like I can with my aspnetcore 2.0 app (really just for the consistency so I don't have to remember lots of different techniques). Is that possible for Azure Function Apps and if so, any clues what I'm doing wrong in the above?
Ah I stumbled upon it. I fixed it by adding the Postman API client id (note: the postman API client id, not the postman App client id) [those references will make sense in the context of the Microsoft how-to linked above], under "ALLOWED TOKEN AUDIENCES" (visible in screenshot in question above).