I would like to be able to use the authentication token that I get when logging into my webapp through msal. If I use the toolkit I am forced to log in again (mgt-login). How can I bypass the second login? Thanks.
It sounds like you are already using msal.js in your application, correct?
This feature is not yet available, but we added the capability to configure a new MsalProvider with an existing UserAgentApplication object from msal.js.
This capability was added recently by a community member and is available in the latest preview:
https://github.com/microsoftgraph/microsoft-graph-toolkit/releases/tag/v2.0.0-preview.1
You can find details on this new feature in the mgt preview docs here:
https://github.com/microsoftgraph/microsoft-graph-docs/blob/mgt/next/concepts/toolkit/providers/msal.md#pass-an-existing-useragentapplication-in-the-useragentapplication-property
So my project has got two asp.net projects. One is for showing data (User Interface) and the other one is the API (for background processes like login, database calls, etc.). Right now my app has a Username and Password feature to log in. I have set up a startup class in my API which authenticates the user and passes the user token. Now I want to add a feature to log in through the Azure portal.
Can anyone suggest a good practice in this situation? Like I don't want to change my code and just add a feature. Should I make changes in the API or the Web project or both? Meanwhile I was reading about expose api in app registration. Will it be appropriate to use it just for login purposes?
Azure AD supports OAuth2, OIDC and SAML. See more information here. It is probably best to introduce the mechanism through the API first, since it would apply to the frontend as well (though slight modifications may be required there as well).
I am very new to IBM Cognos. I want to fetch the metadata from a Cognos environment (cloud/on-prem) to my Java application. Metadata like reports, dashboards, data sources, namespaces, etc. I am ready to use the Java SDK or REST services. So I want to know how to authenticate from the REST interface, and is there a way to create a client id and client secret, or do I just have to get the authorization token based on username and password and use that token in subsequent calls? Or if in the Java SDK, please let me know where I can get the SDK. Whatever the way, please help me move forward.
Thanks,
Kranthi kiran.
There is a host of knowledge about accessing Cognos via the SDK available in the Cognos SDK documentation. The SDK JARs can be found in the Cognos installation itself (<Cognos root>/sdk), but you will probably want a little orientation from the docs to get started.
The above references the traditional Cognos SOAP SDK (accessible via Java). Cognos does offer a REST API, but it does not access all the various objects' metadata yet (as of 11.2).
For authentication, specifically, this will depend a little on whether you have a traditional namespace like LDAP or Active Directory (or even a Custom Authentication Provider). In this case, you'll wind up logging in to Cognos using the username and password, at which time Cognos will issue a CAM passport token. This token can be used for the remainder of the session. If you have an OpenID Connect namespace (e.g. Okta, ADFS, IBMid, etc.) things get a little more complicated.
IBM Cognos Analytics introduced support for two factor authentication protocol through OpenID Connect (OIDC) namespace. More information on Cognos OIDC configuration can be found here: Configuring an OpenID Connect namespace. Many Customers have existing automation applications or integrations through Cognos SDK or REST APIs. When moving to two factor authentication they struggle to implement logon to their OIDC namespace through the SDK. Depending on the OIDC provider, there are two main cases:
OIDC provider supports password grant, like OKTA:
...
OIDC provider does not support password grant, like IBMId.
Source
I'm building an app that should be able to send emails. I'm using OAuth2 to verify the user, and I've looked at the Xamarin Forms Sample which works great with gmail after setup.
However it doesn't work with my Microsoft account.
I've created a clientId and all that stuff on Microsoft. Do I have to have an Azure AD as well?
I'm calling the authentication with:
new OAuth2Authenticator(
"myClientId",
"User.Read",
new Uri("https://login.live.com/oauth20_authorize.srf?client_id=myid&scope=user.read&response_type=token&redirect_uri=https://login.live.com/oauth20_desktop.srf"),
new Uri("myRedirectUri"),
null,
true);
But am reaching a screen saying: We cannot perform your request.
Microsoft-accounts is having technical issues right now. Try again later.
Have looked at this sample, where the author uses Google and Microsoft accounts in similar ways.
If I'm instead using this sample it works with the original setup, but not if I change to my own clientId and redirectUrl. Is this since I don't have any Azure account?
Would not like to pay to get it, and since the first approach works fine with my gmail I would love if it could work with Microsoft as well.
/Oliver
Have you tried the microsoftonline.com endpoints instead? I've also implemented this using Xamarin.Auth and could get it working that way.
AuthorizeUrl: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
AccessTokenUrl: https://login.microsoftonline.com/common/oauth2/v2.0/token
"common" is the {tenant} which you can replace with "consumers" if you only wanna allow personal accounts.
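The endpoint change suggested in this answer, written out as an added example (not code from the question or the answer). It assumes Xamarin.Auth's eight-argument OAuth2Authenticator constructor; the MicrosoftLogin class and the OnToken hook are hypothetical names, and clientId and redirectUri stand for the values from your own app registration.

```csharp
using System;
using System.Linq;
using Xamarin.Auth;

public static class MicrosoftLogin
{
    // Tenant segments mentioned in the answer above.
    static readonly string[] AllowedTenants = { "common", "consumers" };

    public static OAuth2Authenticator Create(string clientId, Uri redirectUri, string tenant = "common")
    {
        if (!AllowedTenants.Contains(tenant))
            throw new ArgumentException("Unexpected tenant: " + tenant, nameof(tenant));
        if (redirectUri == null || !redirectUri.IsAbsoluteUri)
            throw new ArgumentException("Redirect URI must be absolute.", nameof(redirectUri));

        var baseUrl = "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/";

        // Supplying an access-token URL makes Xamarin.Auth use the authorization
        // code flow instead of the implicit flow (response_type=token) in the question.
        // The endpoint URLs carry no query string; the library appends the parameters.
        var auth = new OAuth2Authenticator(
            clientId,
            null,                          // no client secret: a mobile app is a public client
            "User.Read",
            new Uri(baseUrl + "authorize"),
            redirectUri,
            new Uri(baseUrl + "token"),
            null,
            true);                         // native UI, as in the question

        auth.Completed += (sender, e) =>
        {
            if (!e.IsAuthenticated) return;   // user cancelled the sign-in
            string token;
            if (e.Account.Properties.TryGetValue("access_token", out token))
                OnToken(token);
        };
        auth.Error += (sender, e) => Console.WriteLine("Sign-in failed: " + e.Message);
        return auth;
    }

    // Hypothetical hook: pass the token to the mail-sending code; never log it.
    static void OnToken(string accessToken) { }
}
```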
An alternative to coding it yourself is to use a 3rd party library to handle authentication.
CloudRail have SDKs for Xamarin, with built-in integrations for social login/authentication, and also for email sending, which you mention.
Here is my problem, I create a brand new AspNetCore WebApplication in VS2017 RC.
Since I want to use Azure AD B2C to authenticate, I add the required NuGet packages:
Microsoft.AspNetCore.Authentication.Cookies
Microsoft.AspNetCore.Authentication.OpenIdConnect
I then add all the code to configure authentication. In fact, I reproduced the app demoed in this Channel9 video: https://channel9.msdn.com/events/Ignite/Australia-2017/CLD336a
It works fine and I can authenticate as expected. Now I want to get an access_token in order to access my WebApi also secured using AAD-B2C. For this, I need to change the ResponseType to
ResponseType = OpenIdConnectResponseType.CodeIdToken
and handle the OnAuthorizationCodeReceived event. In order to do that, my understanding is that I have to add the Nuget Package Microsoft.IdentityModel.Clients.ActiveDirectory. But this library will not target the v2.0 endpoint that I need for AAD-B2C.
So I saw in another GitHub solution (https://github.com/dzimchuk/azure-ad-b2c-asp-net-core) that I could use the Microsoft.Experimental.IdentityModel.Clients.ActiveDirectory package.
Unfortunately, this package is not compatible with NETCoreApp,Version=v1.0 and I get this error message when trying to add it to my project:
One or more packages are incompatible with .NETCoreApp,Version=v1.0 (win-x64).
Package Microsoft.Experimental.IdentityModel.Clients.ActiveDirectory 4.0.209160138-alpha
is not compatible with netcoreapp1.0 (.NETCoreApp,Version=v1.0) / win-x86.
Package Microsoft.Experimental.IdentityModel.Clients.ActiveDirectory 4.0.209160138-alpha
What am I missing?
Azure AD B2C does not currently support access tokens to a resource other than "self". To get an access token for self, you just need to put your client/app id as the scope. You can post on User Voice to recommend this feature and check in on other user recommended features (this has been requested before).
In terms of your library confusion, you definitely want to stick with MSAL. The ADAL experimental branch is not recommended and not actively being developed.
I read these two articles 1.here and 2.here to find out what is best way to perform authentication against an Azure Mobile App when the API on the server is using Claims based custom authorization and the Xamarin client calling it is using the MobileServiceClient framework. I am unable to finalize which of the two examples in those links is the better way to go.
In the first link there doesn't seem to be any dependency on platform specific code like it has in the second link, which means I don't need to write any code in the Droid or iOS or Windows projects and can get away with doing everything in a class library itself. (Am I right here?)
Also, the first link seems to not require any provider like the second link does because I am invoking a direct service call to a Url. The second link on the other hand only seems to support Facebook, Twitter, MicrosoftAccount, Google and WindowsAzureActiveDirectory. The mandatory MobileServiceAuthenticationProvider parameter doesn't seem to provide for Custom Authentication against a sql server based User table. I am not sure about this part and can't find documentation that says otherwise.
If LoginAsync doesn't provide for Custom Authentication then it's clear that I will need to follow the InvokeApiAsync route. If it does provide it then the question is: should I write platform specific (Droid/iOS/Windows) code in each target project like in the second link or should I handle all the service calls in a class library as can be done in the example shown in the first link? In other words should I go with LoginAsync or InvokeApiAsync? Which of the two is the recommended way?
The first article shows off custom authentication, as you intimated. The second article shows off App Service Authentication, which has a known list. If you need to do a custom username/password, then go with the former. If you need to go with social auth or enterprise auth, then go with the latter.
My general recommendation is don't require the user to create yet another username unless you have to - which means social authentication for consumer apps and enterprise authentication via AAD for enterprise apps.
My other recommendation is to always use the client SDK for doing the authentication part. This allows you to follow the very latest practices from the provider (facebook, twitter, etc.) in respect to security, refresh tokens and other authentication requirements. Once you have the provider token, it's easy to swap it for an Azure Mobile token by using LoginAsync() with a token. See the Azure Documentation for information on this.
In all cases, you are going to need platform specific code - that means using the DependencyService (as in the second example) to execute your login code. I generally create a singleton class that wraps the MobileServiceClient in the PCL. Then create an ILoginProvider interface which has LoginAsync/LogoutAsync code in it to handle the platform dependency code. My singleton class then calls the DependencyService to get the code. You can find an example in my GitHub Repository that covers iOS, Android and UWP.
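One possible shape for the singleton and ILoginProvider split described in this answer, as an added example that is not taken from the answerer's repository. It assumes Facebook as the provider, a placeholder backend URL, and an interface whose LoginAsync returns the provider's access token; CloudService is a hypothetical class name.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.WindowsAzure.MobileServices;
using Newtonsoft.Json.Linq;
using Xamarin.Forms;

// Implemented once per platform project (iOS, Android, UWP) with the provider's
// client SDK and registered through [assembly: Dependency(typeof(...))].
public interface ILoginProvider
{
    // Returns the provider's access token, or null if the user cancelled.
    Task<string> LoginAsync();
    Task LogoutAsync();
}

// Shared (PCL) singleton that owns the MobileServiceClient.
public sealed class CloudService
{
    public static CloudService Instance { get; } = new CloudService();

    // Placeholder URL for the Azure Mobile App backend (assumption).
    readonly MobileServiceClient client =
        new MobileServiceClient("https://example.azurewebsites.net");

    CloudService() { }

    static ILoginProvider Platform()
    {
        var provider = DependencyService.Get<ILoginProvider>();
        if (provider == null)
            throw new InvalidOperationException("No ILoginProvider registered for this platform.");
        return provider;
    }

    public async Task<bool> LoginAsync()
    {
        var providerToken = await Platform().LoginAsync();
        if (string.IsNullOrEmpty(providerToken)) return false;

        // Swap the provider token for an Azure Mobile Apps token.
        var payload = new JObject { ["access_token"] = providerToken };
        var user = await client.LoginAsync(MobileServiceAuthenticationProvider.Facebook, payload);
        return user != null;
    }

    public async Task LogoutAsync()
    {
        await Platform().LogoutAsync();   // sign out of the provider SDK first
        await client.LogoutAsync();       // then drop the Azure Mobile Apps session
    }
}
```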