Auto login with Azure outside of VPN - azure

I'm currently working on a SPA with Electron that uses Azure to log the user in. For this, I'm passing the "domain_hint" query string in the authorize request to bypass the login screen. Indeed, the user is inside a specific domain, so they get logged in without any prompt.
I tried this connected to a VPN, and it works. However, when I disconnect from the VPN, it does not work anymore. I kind of understand why, but then I'm wondering how I could work around this. I'm thinking about applications such as Teams or OneDrive that ask you to log in once and then never ask again; how does that work? Can I do the same with my Electron app?

So for Teams, it uses modern authentication (ADAL or MSAL); it's also an Electron app. Once the user logs in, Teams will store the access token in a cookie and maybe a refresh token? Then every time you start it up, it will just use that. So yes, you can do something similar. You just have to store the relevant token and grab it from storage to use.

Related

React app using msal-react, how to automatically authenticate user

I'm working on a React app where the pages can be used both by authenticated and anonymous users. The pages show more features for the authenticated users.
If a user has previously signed in and revisits the website, I want the user to be automatically authenticated, and am struggling to achieve this.
I'm using redirect methods because I don't believe popup is working well on phones (is that assumption correct?).
I have tried storing the homeAccountId in local storage and using that to get the account used and then calling login on the MSAL instance. I also set up an addEventCallback and listen for EventType.LOGIN_SUCCESS, which I use to set some internal state about the logged-in user.
I have tried using MsalAuthenticationTemplate, but strangely this doesn't invoke a login. I have also tried to detect if this is a "first run" and then invoke the login, but that doesn't work all the time. Sometimes I get an SSO error indicating I should provide a login_hint or sid, which is not possible because I use B2C.
If I don't do anything, the user can click the login button, and if the user has a valid cookie with B2C the user is logged in without providing credentials, which is strange behavior for the user because my website indicates the user is not authenticated (and shows no logout button).
So I can't really get this to work and am wondering if somebody has a concept for achieving this?
Please check out the msal-react samples, which all demonstrate the behavior you're looking for. The MsalAuthenticationTemplate would be the recommended way to do this, and if you're still having issues getting this to work after reviewing the samples I would recommend opening an issue on our repo with code snippets so we can take a closer look at what's going on.
Also, using localStorage, if you're not already, would help to maintain application state between browser sessions. sessionStorage is the default.
As for B2C not asking for credentials: server state is separate from client state. You can be signed in on the server without the application knowing about it. Until your application makes a request to the B2C server, your application will show that a user is not signed in. If a session already exists on the server when you make a login request, the server may redirect you back to your application without asking for credentials again.
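The two answers above (the Teams/Electron one and the msal-react one) both come down to the same pattern: keep the account and tokens in storage that survives a restart, reuse the access token while it is valid, renew it silently from the cached account (MSAL does this with the refresh token it holds), and only show the login UI when the library reports that interaction is required. The block below is an added example, not code from either answer or from MSAL; the store and the two acquire functions are injected stand-ins (in a real Electron app they would be a file encrypted with Electron's safeStorage and MSAL Node's acquireTokenSilent / acquireTokenInteractive), and the error name InteractionRequiredAuthError is the one MSAL uses for "you must prompt".

```javascript
'use strict';

// Renew this long before expiry so a token is never handed out mid-flight.
const SKEW_MS = 60 * 1000;

class TokenCache {
  // store:       { get(key), set(key, value) } -- persistent, encrypted at rest (assumption:
  //              e.g. a JSON file wrapped with Electron safeStorage; a plain Map here for tests)
  // silent:      async (account) => ({ accessToken, expiresOn }) ; throws when it cannot renew
  //              (stands in for msal-node acquireTokenSilent)
  // interactive: async () => ({ account, accessToken, expiresOn })
  //              (stands in for msal-node acquireTokenInteractive)
  // now:         clock, injectable for tests
  constructor({ store, silent, interactive, now = () => Date.now() }) {
    this.store = store;
    this.silent = silent;
    this.interactive = interactive;
    this.now = now;
  }

  async getAccessToken() {
    const cached = this.store.get('session'); // { account, accessToken, expiresOn } or null

    // 1. Unexpired token on disk: reuse it, no network, no UI.
    if (cached && cached.expiresOn - SKEW_MS > this.now()) {
      return { accessToken: cached.accessToken, source: 'cache' };
    }

    // 2. Expired token but we still know the account: renew silently.
    if (cached && cached.account) {
      try {
        const renewed = await this.silent(cached.account);
        this.store.set('session', { account: cached.account, ...renewed });
        return { accessToken: renewed.accessToken, source: 'silent' };
      } catch (err) {
        // Only a revoked/expired server session justifies prompting the user.
        // Anything else (offline, DNS, throttling) must surface to the caller,
        // otherwise a flaky network turns into a surprise login dialog.
        if (err.name !== 'InteractionRequiredAuthError') throw err;
      }
    }

    // 3. First run or interaction required: show the login UI once and persist the result.
    const fresh = await this.interactive();
    this.store.set('session', fresh);
    return { accessToken: fresh.accessToken, source: 'interactive' };
  }

  // Local sign-out: forget the tokens. The server-side session (see the B2C note
  // above) is separate and needs an end-session request to clear.
  signOut() {
    this.store.set('session', null);
  }
}

// In-memory store used for the example; swap for an encrypted on-disk store in an app.
class MemoryStore {
  constructor() { this.m = new Map(); }
  get(k) { return this.m.has(k) ? this.m.get(k) : null; }
  set(k, v) { this.m.set(k, v); }
}
```

The decision order matters for the VPN question in the first post: step 1 needs no connectivity at all, step 2 needs only the token endpoint (reachable from the public internet), and step 3 is the only place the login page and its domain_hint logic come into play.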

Azure AD login - how to allow user to change Azure account if cached account is wrong for my application

Basic scenario: Azure AD is used as just an authentication provider for a web app; the identity retrieved from Azure is matched by email to a local identity, and a forms auth cookie is issued for API authorization against the app's web API.
Problem: If a user has multiple Azure accounts, they may be pre-authenticated when they come to my app. In this case, when the redirect back to my app occurs, there may be no matching user and login cannot complete.
Desired solution: If the cached Azure account is invalid for my app, I would like to direct the user back to the Microsoft login page with a chance to manually type in their credentials.
How do I achieve this, and is there something wrong with this flow? It seems currently the only way for the user to get into my app is to go to Azure and log out of the bad account. What other methods could achieve a better user experience? Should I use the auth token from Azure and log the user out programmatically and then go back to Azure for another go-around? Can I hint for Azure to prompt the user even if they are logged in already?
I discovered that I really wanted the prompt=select_account flag on the redirect to Azure, but the library I was using made it difficult to determine how to set this. I am using the ms-adal-angular6 library, which is a wrapper for azure-activedirectory-library-for-js.
After digging through the code I found an undocumented config property called extraQueryParameter which, when I set it to "prompt=select_account", got the behavior close enough to what is needed.
Ultimately the user must select their account every time, instead of just when the account is wrong. I could most likely get tricky with the error response and redirect back a second time with prompt=select_account to get the behavior I was looking for, although the library doesn't make it easy to change this on the fly either, so I may stick with it always on.

Active Directory and Express/Node

I would like to use Active Directory with a REST API Express backend: users would fill out a username and password login form on the client side and get authenticated with their Active Directory credentials through the backend. Then, based on their user groups, they would see certain information. I have tried the node package passport-windowsauth, but I am not able to authenticate, possibly because I don't know what the bindDN or bindCredentials are. I have also tried node-sspi, and had better luck with this, but the issue with this is that it's only server-side, and as far as I can tell, I can't create a form that would then allow the user to authenticate from the client side. I am hosting this site on IIS, and using iisnode for the backend. How can I achieve this Active Directory authentication with a Node/Express server side and a client-side login form, or in other words, not a .NET application?
Active Directory (AD) authentication is accomplished by binding to the Active Directory with credentials (not the credentials from the user form) supplied by your AD engineers. After binding, AD is searched for matching credentials (from the user form).
Basically, you need to talk to your AD engineers about what you should use.
Then you need a /login/ route the user form sends to; the route accomplishes the login (AD bind, authentication) and returns to the client.
A simpler workaround can be to bind to AD with the credentials entered into the login form; a successful bind means the user is logged in. I would, again, talk to your AD engineers about how they prefer this to be done. I've run into problems in the past where it's taken a long time to authenticate users after binding, so we used this as a workaround.
You might ask if your AD already has single-sign-on options; maybe they use Shibboleth or something similar.
You should try this package: https://www.npmjs.com/package/ad. I'm not sure it will meet your requirements, but it's a very easy way to work with Active Directory in a Node/Express backend.
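The "bind as the user" workaround from the first answer has one trap that the thread does not mention: per RFC 4513, an LDAP simple bind that supplies a name but an empty password is an unauthenticated bind, and most directories (Active Directory included, unless configured otherwise) report it as successful. A /login route that forwards the form straight to bind therefore lets anyone in with a blank password. The block below is an added example, not the ad package or passport-windowsauth: it validates the form, binds with the user's UPN, and then looks up group membership with a separate service-account search whose filter is escaped. The bind and groupLookup functions are injected so the logic runs offline; the comment shows how they would be wired to an ldapjs client (client.bind(dn, password, callback)), which is an assumption about the deployment, as are the domain name and the express-session usage.

```javascript
'use strict';

// RFC 4515 escaping for values interpolated into an LDAP search filter, so a
// username like "alice)(objectClass=*" cannot change the query's meaning.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g,
    (c) => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Filter used by the service-account lookup of the user's groups (memberOf attribute).
function memberOfFilter(username) {
  return `(&(objectClass=user)(sAMAccountName=${escapeFilterValue(username)}))`;
}

// Returns an error string, or null when the form is acceptable to forward to AD.
function validateCredentials(username, password) {
  if (typeof username !== 'string' || typeof password !== 'string') return 'missing fields';
  // RFC 4513 section 5.1.2: name + empty password == unauthenticated bind, which
  // succeeds on most directories. Never let an empty password reach bind().
  if (password.length === 0) return 'empty password';
  // A bare account name only; the domain is appended server-side, so the client
  // cannot pick the realm or smuggle DN syntax.
  if (!/^[A-Za-z0-9._-]{1,64}$/.test(username)) return 'malformed username';
  return null;
}

// Core logic, kept free of Express so it can be tested directly.
// deps.bind(upn, password): resolves on success, rejects on bad credentials
// deps.groupLookup(username): resolves to an array of group names (service-account search)
// deps.domain: UPN suffix, e.g. 'corp.example'
async function authenticate({ username, password }, deps) {
  const problem = validateCredentials(username, password);
  // Same generic message for every client-visible failure; detail goes to the log.
  if (problem) return { status: 400, error: 'invalid credentials', detail: problem };

  const upn = `${username}@${deps.domain}`;
  try {
    await deps.bind(upn, password); // AD accepts the UPN as the simple-bind name
  } catch (err) {
    return { status: 401, error: 'invalid credentials', detail: err.message };
  }
  const groups = await deps.groupLookup(username);
  return { status: 200, user: { upn, groups } };
}

// Express adapter: POST /login with JSON { username, password }.
// Assumes express.json() and express-session are already mounted.
function loginRoute(deps) {
  return async (req, res) => {
    const result = await authenticate(req.body || {}, deps);
    if (result.status !== 200) return res.status(result.status).json({ error: result.error });
    req.session.regenerate((err) => {          // new session id on login (fixation defence)
      if (err) return res.status(500).json({ error: 'session error' });
      req.session.user = result.user;
      res.json({ ok: true, groups: result.user.groups });
    });
  };
}

// Wiring sketch with ldapjs (assumed dependency; not executed here):
//   const ldap = require('ldapjs');
//   const client = ldap.createClient({ url: 'ldaps://dc.corp.example' }); // TLS: the form password travels on this link
//   const bind = (dn, pw) => new Promise((ok, fail) => client.bind(dn, pw, (e) => (e ? fail(e) : ok())));
//   app.post('/login', loginRoute({ bind, domain: 'corp.example', groupLookup }));
```

Use ldaps:// (or StartTLS) for the connection that carries the bind: the HTTPS form only protects the browser-to-IIS hop, not the Node-to-domain-controller one.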

Azure AD authorization directly from mobile app

I'm working on a Xamarin.Forms application where the user should authorize using Azure AD B2C. I've managed it just fine using this library.
Now I'd like to know if it is possible to authorize without redirecting to a webview. When the user enters email and password in the app, send a GET request directly to a URL and receive the access token, refresh token, etc., just like in OAuth 2.0.
I've researched and found out that skipping the webview authentication part is doable but strongly not recommended for security reasons, but anyway, I would be glad to hear any solutions.
The webview runs over SSL (HTTPS), and hence the transmission of user credentials for authentication is secured.
"It's worth noting that you don't have to use a web view for authentication; you may create your own user interface for this flow and pass the information back to MSAL." This is mentioned in the same blog post which you referred to.
All you have to do is design your own interface and pass back the login info. It seems like a little work to do.

Nest API Login/Logout using Firebase in iOS

I have managed to create an iOS app that successfully authenticates the user and connects to the Nest structures and device settings. Using the access token, the app connects automatically to the Nest server each time the app is launched.
However, I am unable to find any documentation that explains what procedure to follow if the app needs to provide the functionality to log on/off with different user accounts, e.g. monitoring devices at different locations under separate user accounts from the same app.
The only way that I can change the login to a different user at this time is to delete and reinstall the app, which is not practical.
Does anyone have a suggestion as to how to solve this issue?
Your help is much appreciated.
You'll want to create a routine for getting the access token that can be reused. The login is part of the authentication process for retrieving an access token.
Once you have an access token, there isn't any open session per user account, so there isn't a need to log out. Instead, just reuse the same method that got you the first access token and store as many access tokens as necessary.
Each access token is effectively a session ID.