Because of MSAL.js v1.x's reliance on 3rd-party cookies, I want to move my SPA to MSAL.js 2.0.
This migration document outlines how this can be achieved.
The problem is that it doesn't work when I use the same authority that I used with the Sign up and sign in User Flow. That authority worked for MSAL.js.
Is there any example or some guidelines on how to use MSAL.js 2.0 with the "Sign up and sign in" User flow?
This is the error that I get:
Basically I would like to achieve the same thing as in
https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp
but using Msal.js v2.0
I was receiving this error as I had the wrong knownAuthorities property. It should not have contained https://.
Example config:
auth: {
    clientId: "YOUR_CLIENT_ID",
    authority: "https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/<policy>",
    knownAuthorities: ["<tenant>.b2clogin.com"],
    redirectUri: "",
    postLogoutRedirectUri: ""
}
I have this Authorization request that works.
How can I replicate it in Python?
I am using an Azure AD to authenticate the access.
Since you are working with Python, your case is: OAuth2 login for SSR web applications with Microsoft.
Goal
Get an access_token from interactive login using the oauth2 authorization code grant
Steps
Here I will list all the steps required to do it in any language.
Create a web app with a session and at least these endpoints:
/ : home page
/callback : a server route or path able to receive query params like /callback?code=123456. This, together with your base domain, will be called the redirect_uri. Sample: http://localhost:8080/callback or http://acme.com/callback
Create and configure an app in the Azure Dev Console. The same process applies to Google, Facebook, LinkedIn, etc. As a result you should have a clientId, clientSecret and a redirect URL.
Create a simple web app with a classic session in which, if the user is not logged in, you redirect (302) to this URL:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=foo&response_type=code&redirect_uri=foo&response_mode=query&scope=offline_access%20user.read%20mail.read
client_id and redirect_uri are important here and should be the same as in the previous step.
After that, the browser should redirect the user to the platform login.
If the user enters valid credentials and accepts the consent warning, Microsoft will perform another redirect (302) to the provided redirect_uri, but with a special value: the auth code
http://acme.com/callback?code=123456798
In the backend of /callback, get the code and send it to this new endpoint:
Add client_id and client_secret parameters
Add a code parameter with the code sent by Microsoft
Add a redirect_uri parameter with the one previously used and registered on Azure. Sample: http://acme.com/callback or http://localhost:8080/callback
Add a grant_type parameter with a value of authorization_code
Issue the HTTP POST request with Content-Type: application/x-www-form-urlencoded
You should get a response with the precious access_token:
{
    token_type: 'Bearer',
    scope: 'Mail.Read User.Read profile openid email',
    expires_in: 5020,
    ext_expires_in: 5020,
    access_token: 'eyJ0oVlKhZHsvMhRydQ',
    refresh_token: 's_Rcrqf6xMaWcPHJxRFwCQFkL_qUYqBLM71UN6'
}
You can do with this token whatever you configured in Azure. Sample: if you want to access the user's calendar, profile, etc. on behalf of the user, you should have registered this in the Azure console. So the client_id is related to that, and the human user will be prompted with something like this
Libraries
There are some libraries provided by Microsoft (C#, Node.js) which will save you a little work. Anyway, the previous explanation is very detailed.
Advice
Read about oauth2 spec: https://oauth.net/2/
Read about the OAuth2 authorization code flow login before implementing it with Python:
https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow
https://github.com/msusdev/microsoft_identity_platform_dev/blob/main/presentations/auth_users_msalnet.md
Check this to understand how configure the azure web console: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
Check my gist https://gist.github.com/jrichardsz/5b8ba730978fce7a7c585007d3fd06b4
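The steps above carried through in Python, as an added example that is not part of the answer: a standard-library-only authorize URL builder, callback parser and code redemption. The client ID, secret and redirect URI are placeholders, and the state parameter is an addition the answer does not show (it binds the callback to the session that started the login).

```python
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder authority; B2C tenants would use <tenant>.b2clogin.com instead.
AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0"

def build_authorize_url(client_id, redirect_uri, scope, state):
    """The URL an un-authenticated user is redirected (302) to."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        # Added here, not in the answer: a per-session nonce checked on return.
        "state": state,
    }
    return AUTHORITY + "/authorize?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    """Extract the auth code from /callback?code=...&state=... on the backend."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in qs:  # e.g. the user declined consent
        raise RuntimeError(qs["error"][0] + ": " + qs.get("error_description", [""])[0])
    return qs["code"][0]

def build_token_request(client_id, client_secret, code, redirect_uri):
    """Form-encoded POST that redeems the code; redirect_uri must match."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    }).encode()
    return urllib.request.Request(
        AUTHORITY + "/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def redeem_code(client_id, client_secret, code, redirect_uri):
    """Send the token request; the JSON reply carries access_token etc."""
    req = build_token_request(client_id, client_secret, code, redirect_uri)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

Only redeem_code touches the network; the other three functions are pure, so the state check and the form encoding can be unit-tested offline.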
I am trying to use Google as an identity provider in an ADB2C SignInSignUp userflow, consumed within a React Native app through a WebView.
When I am testing this I am hitting an error that I cannot seem to find the cause of. Upon signing up with google I receive the following response object:
{"canGoBack": true, "canGoForward": false, "loading": false, "target": 99, "title": "Loading...", "url": "https://TENANT.b2clogin.com/TENANT.onmicrosoft.com/oauth2/authresp?state=StateProperties%3DeyJTSUQiOiJ4LW1zLWNwaW0tcmM6NjIxMDMyYTYtZTVlZC00OTJkLTg1NmMtMTAzYzg3Mzc0YmE3IiwiVElEIjoiZDM5ZTgwY2MtNzJlNy00ZGE5LWJjODYtMGRjZGNlN2Q1MDZlIiwiVE9JRCI6IjRkOTkyMzhiLTBhOGEtNGU0Ny1hYTRkLTk5NTZiYTY3NmE5YyJ9&code=4%2F0AX4XfWhrpKK2DDX58pFTHkb_U2e8SvGnLrPvhI4grUn5ojA5R-q7q4KjcdS1tO4DYemuWQ&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&authuser=0&prompt=none#"}
Typically I would receive the fully formatted token back in this response, which I then use for server side validation. This works when signing up with Apple and as a B2C user when pressing 'Sign up now' on the userflow.
The token returned in this is not formatted correctly and doesn't follow 'code=' in the response URL as it usually does when signing in or up through the other methods, and therefore throws an error: 'AADB2C90090: The provided JWE is not a valid 5 segment token.' when trying to parse what follows StateProperties.
Does anybody know why Google would not return a valid token in the same way that Apple/Microsoft do when signing up?
Any help would be greatly appreciated.
Please check a few workarounds:
1. Try to include the client ID in the scope along with the other scopes.
2. Try mentioning response_mode=form_post in the auth request.
3. In some cases it is working with other versions, so try MSAL version 4.32. See Issue · GitHub.
4. According to Sign in with a Google account - Azure AD B2C | Microsoft Docs, make sure to create an app registered in Google's console.
Also note from the same document and this blog:
References:
jwt - Azure AD B2C - Token validation does not work - Stack Overflow
Azure Active Directory B2C - Authorization code encoding issue (microsoft.com)
I have a Web API which is Node.js code. In the Web API we protect the API using passport.authenticate('oauth-bearer', {session: false}).
When generating a token using the ROPC app in Postman, an access token is generated, but at the time of authorization
var bearerStrategy = new BearerStrategy(options,
    function (token, done) {
        console.log(options);
        console.log(token);
        // Send user info using the second argument
        done(null, {}, token);
    }
);
this returns Unauthorized.
I have added the scope and configured the Native and Web API as per the document.
This issue was solved by @Sruthi's comment; adding it as the answer to close the question:
login.microsoftonline.com is generally used to perform a login request for Azure AD tenants to obtain tokens. For B2C tenants, you need to use tenant-name.b2clogin.com to perform the request.
Use the ROPC flow to get an access token:
POST https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/B2C_1_ROPC_Auth/oauth2/v2.0/token
    username=<username>
    &password=<password>
    &grant_type=password
    &scope=openid+app_id+offline_access
    &client_id=<client_id>
    &response_type=token+id_token
(Moving from comments to Answer).
You can get an access token using curl for ROPC:
curl -X POST -d "client_id=<client_id>&scope=openid+<app_id>+offline_access&grant_type=password&username=<username>&password=<password>&response_type=token" https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/B2C_1_ROPC_Auth/oauth2/v2.0/token
You are using the old origin URL, login.microsoftonline.com, which should no longer be used for your applications and APIs. Instead, use b2clogin.com for all new applications, and migrate existing applications from login.microsoftonline.com to b2clogin.com. Please refer to the official document.
I'm trying to implement Implicit flow using Angular 6/MSAL. The client is trying to get an ID token from Azure AD. Our AD Client is configured to provide tokens only for certain users and groups. So, when an unauthorized user (still a user inside the organization) tries to login, Azure Ad directly reroutes them to the Login Page, which is not very intuitive. I would like to redirect them to a custom page, indicating that the user is not in any of the roles required by the application.
But MSAL has no option for something like "failedRedirectUri". Can someone please tell me if this is even possible with MSAL, and if so, how do I go about configuring it?
I've tried to set the "redirectUri" from localStorage and modify it before the redirect happens, but that doesn't help.
MsalModule.forRoot({
    clientID: '*****-************************',
    authority: "https://login.microsoftonline.com/*************************/",
    validateAuthority: true,
    redirectUri: window.location.origin,
    cacheLocation: 'localStorage',
    postLogoutRedirectUri: window.location.origin + "/loggedout",
    navigateToLoginRequestUrl: false,
    popUp: false,
    unprotectedResources: ["https://www.microsoft.com/en-us/"],
    protectedResourceMap: protectedResourceMap,
    logger: loggerCallback,
    correlationId: "1000",
    level: LogLevel.Info,
    piiLoggingEnabled: true
})
On login failure for the implicit flow, the user should not be redirected to the "redirectUrl" page. Instead, the user should be taken to an error page where the error description is displayed.
As I know, for clients that are ours (mobile applications) we can use the password grant type, which authorizes the client using client_id, client_secret and the user's username and password.
I wanted to know what is the advantage of using client_secret over sending username and password without client_secret?
When we use client_secret and someone just decompiles the Android application and obtains the client_secret what's the benefit of having it in the first place?
You have a couple of questions there, so let's take them one by one.
What is the purpose of password grant type (ROPC) in OAuth2?
The big objective of this grant type is to provide a seamless migration to OAuth 2.0 for applications that were storing the username and password of the end-users as a way to access other resources on their behalf. Storing user passwords is a big no-no, so having a quick migration step is one good way to ensure developers will move to OAuth 2.0.
... what is the advantage of using client_secret over sending username and password without client_secret?
The username and password serve the purpose of authenticating the end-user; that is, to be sure that the request comes from the user with a specific identity. The client secret has a similar purpose: it's used to authenticate the client application itself.
The advantage is that you can trust that the request is being issued from a known and trusted client. Mostly useful if being able to securely differentiate between more than one client is a requirement.
In relation to using a client secret in a native application that someone can just decompile and get the secret, you're correct in considering this worthless because you can't trust that type of client authentication.
However, OAuth2 only requires the client secret to be used for confidential clients, which is not the case for a native application incapable of securely maintaining a client secret. In this case you perform ROPC without client credentials/secret.
This possibility is illustrated in the example tutorial from Auth0 about how you can perform a ROPC grant type request. As you can see in the following snippet it does make use of the client secret parameter as it assumes this is a non-confidential client:
var options = {
    method: 'POST',
    url: 'https://YOUR_AUTH0_DOMAIN/oauth/token',
    headers: { 'content-type': 'application/json' },
    body: {
        grant_type: 'password',
        username: 'user@example.com',
        password: 'pwd',
        audience: 'https://someapi.com/api',
        scope: 'read:sample',
        client_id: 'XyD....23S'
    },
    json: true
};