I'm trying to get Google oAuth clientId but it says:
To create an OAuth client ID, you must first set a product name on the consent screen
So, when I click on Configure Consent Screen:
In my app, I'm using passport.js and google's oAuth20.My app can let anyone log in with a google account. And for that I need the clientId.
But it says to choose Internal and External option. I don't know what's this. The consent screen was not there before.
What do I do?
The consent screen is primarily used by Google to understand your application. Internal means within organization and external refers to any user. So whenever you setup your application for the first time, Google wants to understand who you are building this application for.Just follow this link for the entire Oauth setup procedure
Related
A customer changed to Azure AD, so we have to update our app accordingly. Unfortunately we don't have either access to the customers's Azure AD administration portal, nor do we have user credentials to test our app. We only know that ...
All starts here: https://myapplications.microsoft.com
Browser login consists of (1. dialog) email address, (2. dialog) password, (3. dialog) OTP token entry (OTP sent via SMS). Microsoft Authenticator works as well.
When through the authentication process, the page with the Azure applications appears. In our app, we'd like to avoid this page showing up, since the app should take over after the OTP token is entered in Microsoft Graph API (= authentication is completed). So authentication webview should close by itself after authentication is finished.
We read a lot about MSAL the last days, but since we have to code blindly (no sample login credentials/OTP available, no Azure AD administration access), it's kind of fishing in the dark.
We used this page as starting point: https://github.com/AzureAD/microsoft-authentication-library-for-objc
We use Xcode 13.4.1 with Swift.
By using Safari Web Inspector on the concerned Azure AD application, we populated the required MSAL constants as follows:
let kClientID = "2793995e-0a7d-40d7-bd35-6968ba142197" // probably not correct, see (a.) below
let kGraphEndpoint = "https://graph.microsoft.com/" // not found in Web Inspector data, but most MSAL code uses it
let kAuthority = "https://login.microsoftonline.com/common/" // found in Web Inspector data
let kRedirectUri = "https://myapplications.microsoft.com" // the URL after authentication is complete
let kScopes: [String] = ["User.Read"] // not found in Web Inspector data, but most MSAL code uses it
Questions/Problems:
https://myapplications.microsoft.com always shows the client_id 2793995e-0a7d-40d7-bd35-6968ba142197. As far as we understood, every Azure AD application has it's own client_id, hence 2793... cannot be correct since it's "generic". If the client_id is not correct, can we find the correct one using the concerned Azure AD application Safari Web Inspector data?
Above constants seem to work, but when our testers login, the last page showing all Azure AD applications remains open. Some sample MSAL test code from Github however close Microsoft Graph API after credentials were entered. Is this closure of the authentication webview triggered by the server (Azure AD setting) or the client?
After testers logged in through the app, then suspended the app (via App Switcher), then opened the app again - the complete Graph API login was required again. Silent login (aquireTokenSilently) didn't work. When using Safari, silent login works however. What could be wrong?
Does the Safari Web Inspector data tell us what the product bundle identifer is (which we need for msauth.$(PRODUCT_BUNDLE_IDENTIFIER) as redirect URI)?
So basically, we'd like to ...
avoid the Graph API portal page, which shows up after authentication is done
remain logged in after app returns from suspended (acquireTokenSilently())
use Authenticator if installed on the device
We've never worked with Azure AD before.
Any hint about mistakes/misunderstandings would help.
Many thanks!
----- UPDATE (27.07.2022) -----
As a reminder ... we neither have access to the Azure AD portal, nor do we have test credentials (username, password, SMS code [OTP]).
After lots of testing and simulating, still no success.
Using Safari, the flow for a regular user looks like this:
https://myapplications.microsoft.com
The authentication starts with the entry of the organization specific email address.
Azure detects this organization, checks the existence of the email address and asks fro the password.
Next, Azure either sends an SMS code or triggers the broker (Microsoft Authenticator). It's device configuration specific which one is used.
The page with the Azure AD applications opens.
On iOS/macOS (Xcode, our application), the above flow is similar. MSAL debug messages reveal however that no token is sent. acquireToken() only completes after the webview is cancelled (MSAL error -50005). It seems that a Web application doesn't require a token ?!
Now ... in our (iOS) app, we only would like to get the token in order to access the Web application with our (iOS) app (using the Bearer inside the URL request).
How can we get a token for an Web application without redirecting to that page at the same time (which doesn't return a token)?
Does Azure AD allow access to that Web application using the gained token?
A server side (Azure AD) solution would be an redirect_uri entry in the Authentication section (MY_BUNDLE_ID). But we have to do without.
You don't need to target the MyApps app (2793995e-0a7d-40d7-bd35-6968ba142197). You should target your own Azure AD App registration. For more information please take a look to MSAL iOS Swift Microsoft Graph API Sample.
I am designing my first dev tool with the Azure SDK (JavaScript), and I am having a difficult time understanding how to authenticate users in production so the dev tool can access the user's Azure account. The tool is going to retrieve metrics from all of the user's Azure Functions in their tenant to display React component graphs based on those metrics over time. The app will be run locally with an npm run command.
My entry point for using Azure Identity in my app was this blog post (https://devblogs.microsoft.com/azure-sdk/authentication-and-the-azure-sdk/). I like the way the DefaultAzureCredential is working in development, using the tenant for whichever developer is running it by using the AzureCliCredential. I want a similar functionality for production, but for the browser instead of Azure Cli. In other words, if a user is already logged in to Azure Portal, it will get a credential for their tenant. How do I go about this?
One of the things I tried was opting into the Interactive Browser of the DefaultAzureCredential as described in that blog post. But even though, I could see the browser method in the src (https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/src/credentials/defaultAzureCredential.browser.ts), I couldn't figure how to opt into this when using the actual SDK. I couldn't find that method in the npm package in Azure Identity, and the documentation (https://learn.microsoft.com/en-us/javascript/api/#azure/identity/defaultazurecredentialoptions?view=azure-node-latest) didn't help me either. If this is the correct option for my use case, I would like to understand how to opt into it and use it.
Another thing I tried was implementing the InteractiveBrowserCredential. As long as I pass in a redirectUri with a port not already being used by my app, it did open another tab to tell me to login to the Azure Portal if I am not already logged in. This is exactly the user experience I would want in my app. However, after logging in the credential didn't actually do anything. The credential returned actually has a client Id equal to the application Id (04b07795-8ddb-461a-bbee-02f9e1bf7b46) of Azure CLI (https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in) for some reason. This led me to look into the Interactive Browser Credential and find out that it is using the Authorization Code Flow (https://learn.microsoft.com/en-us/javascript/api/#azure/identity/interactivebrowsercredential?view=azure-node-latest). This flow doesn't seem right for my use case, since I have to register my app. I am not trying to grant users access to my app, but access to their own Azure account. Is InteractiveBrowserCredential what I should be using?
Next, I looked into all of the different authentication flows. None of them seem quite right for my use case though. The closest one I found was the client credentials flow (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow) since I am authenticating the user to their own Azure account and not my app. However, even this one doesn't seem quite right because when I looked up how to implement that flow with Azure Identity (https://github.com/Azure/azure-sdk-for-js/blob/main/documentation/using-azure-identity.md#clientsecretcredential-and-clientcertificatecredential) I found out that I have to pass in the tenant Id. But the app won't know the user's tenant Id of the user before they log in. Which flow is right for this use case?
It seems like there is a gap in my understanding. How can I use the Azure SDK to implement an authentication flow that authenticates the user to their own Azure tenant (not authenticates them to my app) through the browser?
Thank you ShwetaMathur for answering this question in Q & A. Posting the same here to help Stack Overflow community members.
To access your application by Azure AD users, your application should also need to register in Azure AD.
Once your application is register, you can acquire the access token based on different OAuth flows which is needed to call various resources(Users in your case) or protected API based on your scenario.
Azure Identity TokenCredential provide various flows to obtain an access token based on different scenarios.
InteractiveBrowserCredential is one way to launches the system default browser to interactively authenticate a user and obtain an access token.
Using access token, you can retrieve user’s info or access any other resource in Azure tenant. The InteractiveBrowserCredential uses Authorization Code Flow to authenticate users for browser based applications and to access resources further.
Client credential flow is OAuth flow commonly used for server-to-server interactions that usually run in the background, without immediate interaction with a user and help to acquire the token and call protected web APIs.
Complete reference
I have given ClientID and TanentID (from my organization, i cannot share it) to use in NodeJS application that will ask me to sign in with email and password, when i run the application microsoft Login window appears and i enter my own email and password. but in return Microsoft is saying the following AADSTS90014: The required field 'request' is missing from the credential. Ensure that you have all the necessary parameters for the login request.
Where in need to add the field 'request'. DO i have to contact my admin to grant me admin access or is there something in need to fix in my code.
Single page application (e.g Angular). if the authentication platform they have added as SPA then you need to create SPA (Single Page Application) with angular.
for demo purpose:
create dummy azure account.
register an application.
select that registered application
under Manage>Authentication>Add Platform
you will see 5 options as following:
WEB, Signle Page Application, iOS/MacOS, Android, Mobile and desktop application.
Your admin has added SPA as Authentication platform.
You can get the tutorial from Official link of MicroSoft Tutorial
I am kind of confused about the integration process, so I hope to get some clearer guidance in my case.
Let say there is an existing web application(Angular + .Net Core) and I am working on the mobile version(Xamarin.Forms) for it. The web side and mobile side will share the same API backend for user authentication and other services.
So there is an existing tenant and related information (tenantName, tenantID, AppID, RedirectURL, policies, etc), and the redirectURL is for authorizing (https://.../authorize).
At first I thought I can directly used this information. I tried on the code sample and just replaced tenantName, tenantID ... When I clicked Log In button, it first showed me this error:
And then it directed me to the Sign In page. Finally, I signed in the web application in the simulator.
I feel like I should register the mobile app under the same tenant. If I want to help current web users log in the mobile version, how to integrate the existing Azure B2C properly with it for the authentication? Any hits would be appreciated. Thanks in advance.
Update:
I stayed stuck in the token part. I already enabled implicit grant. I used the sample code and add scope in the sample:
When you Register a web application, you should pay attention to the content after step 9.
Once the application registration is complete, enable the implicit
grant flow:
In the left menu, under Manage, select Authentication.
Under Implicit grant, select both the Access tokens and ID tokens
check boxes.
Select Save.
Select the Access tokens will give you the access token.
Ok finally get the access token in the AuthenticationResult. This is how I dealt with it.
After we define a scope, we need to configured permission.
Go to the registered application and add it to the configured permissions list:
After that I can see the accessToken in the result when I debug.
I'm developing an application that incorporates the Skype for Business Online Web SDK. I've noticed that it is not possible to access information about the signed in user's Skype account/profile (via Skype's mePerson object).
The only way that I see to do this now is by having yourself as a contact and accessing information about that account/profile, via the Skype person object. This doesn't seem possible to me as it isn't feasible to set a requirement upon every client using my application to have themselves added as a contact on Skype for Business.
This issue is related to the one posted here, on the GitHub Skype Web SDK Samples page: https://github.com/OfficeDev/skype-web-sdk-samples/issues/1
My question: Are there plans to add the User.ReadWrite Permissions in Azure AD for an application extending Skype for Business? Or, is there a known workaround to retrieve the signed in user's profile/account information, which includes status, activity, or avatar/avatarUrl?
I've also posted this on the Microsoft Azure forums:
https://social.msdn.microsoft.com/Forums/azure/en-US/27d6ebdc-f023-4829-96dd-eefb9e1aaeaf/userreadwrite-permissions-in-azure-ad?forum=SkypeWebSDK
However, I've had no response so I'm also posting here in hopes of anybody having any input. Thank you in advance.
As you might have noticed from the issue link in GitHub, the permissions for the information you're trying to grab have been turned on in Azure AD.
You can plug in your Azure AD settings into the Interactive Web SDK to see it in action: https://ucwa.skype.com/websdk
Before you sign in, you'll need to do the following in the Azure AD management console:
Update your app to use the permissions in the image
Change your app's reply URL to this: https://ucwa.skype.com/websdk
Make sure you turn on OAuth implicit flow by modifying your app's manifest. Steps here https://msdn.microsoft.com/en-us/library/office/mt622687%28v=office.16%29.aspx?f=255&MSPPError=-2147217396 under "Configure your app for OAuth implicit grant flow"
Paste your app's Azure client ID into the "Client id" field on https://ucwa.skype.com/websdk
After you sign in, you'll notice one of the examples in the left hand navigation will let you view the signed-in user's presence, ID, etc.
I've also created a forked version of the Web SDK samples that you can easily update with your own Azure AD settings and deploy to your localhost. You might find this more useful for playing around than the hosted Interactive Web SDK.
https://github.com/tamhinsf/skype-web-sdk-samples