Trying to add authentication/authorization to an exposed endpoint by a Microsoft Teams Bot.
The bot is deployed on Azure; bot-things working fine so far.
It's exposing 2 endpoints:
/api/messages: this is used as BOT URL.
/api/notify: this is the endpoint I want to add authentication & authorization.
Context: the Bot is exposing /api/notify so an external service will call here making the bot to send activities to public channels.
Azure Configuration overall
The Bot Channel Registration is linked to a registered app on the Active Directory. This registered app has a will-never-expire secret. The src code itself uses this applicationId and secretId.
What I've tried
App service > Authentication: App Service Authentication ON/Login with Azure Active Directory
ClientId: the applicationId
Issuer URL: https://login.microsoftonline.com/{tenantId}
Authentication tab: I've added a Web platform:
https://{my-service}.azurewebsites.net/.auth/login/aad/callback
Supported account types: Accounts in any organizational directory (Any Azure AD directory - Multitenant)
Enable Implicit Grant flow > Open ID tokens
not sure if I need to "Expose an API" and set as Application URI the base URL of the bot service (https://{my-service}.azurewebsites.net);
not sure if I need to register a second app in the Active Directory and have a tuple: "bot app"/"authentication provider" and re-think the whole thing
In the end, I want the external service to authenticate using a pair "clientId/clientSecret" and making HTTP requests to {my-service}.azurewebsites.net/api/notify;
no token -> 401
valid token -> ok
The problem
With this configuration the bot stops authenticating itself, if I - for instance - open the emulator and use the original applicationId + secret credentials, the initial POST to /api/messages receives:
{
"value": {
"code": 401,
"message": "IDX10205: Issuer validation failed. Issuer: '[PII is hidden]'. Did not match: validationParameters.ValidIssuer: ..."
}
}
Related
I followed this resource: https://icareb2cdev.b2clogin.com/icareb2cdev.onmicrosoft.com/B2C_1A_DEMO_CLIENTCREDENTIALSFLOW/oauth2/v2.0/token
Azure B2C App registrations:
Protected web api
Expose an api
App ID URI = https://{my tenant name}.onmicrosoft.com/{protected web api client id}/.default
Daemon console app
API Permissions
API = protected web api
Permission = access_as_application
Type = Application
Admin consent requested = Yes
I acquire a token using the OAuth client credentials flow:
POST https://{my tenant name}.b2clogin.com/{my tenant name}.onmicrosoft.com/{a basic user flow SUSI policy}/oauth2/v2.0/token
scope=https://icareb2cdev.onmicrosoft.com/{protected web api client id}/.default&
grant_type=client_credentials&
client_id={daemon console app client id}&
client_secret={daemon console app client secret}
Error response:
{
"error": "invalid_grant",
"error_description": "AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again.\r\nCorrelation ID: REDACTED\r\nTimestamp: REDACTED\r\n"
}
I ran into the same issue, please double check your Manifest and make sure that "signInAudience": "AzureADandPersonalMicrosoftAccount" and not your organization only. Do also ensure you followed the steps same as other answer.
In basic terms, I am trying to get an access token to get Azure Cost Centre Data through the Usage Details API. The problem is that I can't seem to configure my service principal with azure properly. I have:
Created the registered app in Azure Active Directory
added https://www.thunderclient.io/oauth/callback in the redirect URL
generated a client secret
Included the following information in my Generate New Token in Thunder Client:
Request URL:
GET: https://management.azure.com/subscriptions/{subscription-id}/resourceGroupName/{resourceGroupName}/providers/Microsoft.CostManagement/dimensions?api-version=2019-11-01
Grant Type: Authorization Code
Auth Url: https://login.mmicrosoftonline.com/common/oauthorize
Token Url: https://login.microsoft.com/{tenant-id}/oauth2/v2.0/authorize from app registration
callback Url: https://thunderclient.io/oauth/callback
client ID: {{client_id}} from app registration
client secret: {{client_secret}} from app registration
scope: user_impersonation
{
Status 401 Unauthorized
"error": {
"code": "AuthenticationFailed",
"message": Authentication failed."
}
}
Header:
Bearer authorization_uri "https://login.windows.net/{tenant_id}, error= "invalid_token", error description="Could not find identity for access token"
Answering my own question. And big thanks to Guarav Mantri in the comments below.
The Scope should be set to https://management.azure.com/.default
The Grant Type is client credentials and not authorization code
The service principal needs to be added to the resource in azure that is part of the request (i.e. if looking for subscription data, then add the service principal as a reader role to the subscription).
I completely followed this link https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=aadv1%2Ccsharp%2Cbot-oauth and created a Azure AD app registration and used Azure Active Directory v1 for my web app bot.
After sign in, I view the token but with that token I cannot access the Azure API's, as it shows below response in Postman:
{
"error": {
"code": "AuthenticationFailed",
"message": "Authentication failed."
}
I called the Azure API below:
https://management.azure.com/subscriptions/${subscriptionId}/providers/Microsoft.Consumption/usageDetailsapi-version=2018-10-01
In my app registration in Azure AD, I have given these permission to access the Azure API:
In my Web App Bot -> Settings -> OAuth Connection Settings, I select:
ClientId -> My application client id
ClinetSecret -> My application client secret
GrantType -> I does not know what to give so I just typed "authorization_code" (If this wrong then Where I need to find my grantType)
LoginURL -> https://login.microsoftonline.com
TenantId -> common (To allow any user)
ResourceURL -> https://graph.microsoft.com/
Scopes -> I just left blank
Why am I not able to access the Azure API with that token?
Any Help. Thanks
An access token issued by Azure AD will always be for a specific resource. Which service a token is intended for is identified in the token's "audience" (in the aud claim). When using the v1 endpoint, the resource for which an app requests an access token is identified in the resource parameter of the authorization request. In the v2 endpoint, the resource is identified as part of the scope parameter.
In your case, the resource you've configured your bot to get a token for is Microsoft Graph (https://graph.microsoft.com), but then you're trying to use the resulting token to call the Azure Management API. The first thing the Azure Management API does is check if the access token it received is actually intended for it. If the audience does not match, it will immediately respond with an error.
Instead of trying to get a token for Microsoft Graph, you need to configure your bot to get a token for the Azure Management API. You should use https://management.azure.com, which is the resource URI for the Azure Management API, instead of https://graph.microsoft.com which is the resource URI for Microsoft Graph.
I have a background JS app that wont have any user input, so i was looking at using the app authentication without user input. I have set up an app in the Azure AD portal and also apps.dev.microsoft.com.
I am using the following endpoint:
login.microsoftonline.com/{Tenant}/oauth2/token
With the following body:
client_id: application_id
client_secret: generated key
grant_type: client_credentials
scope: "https://graph.microsoft.com/.default"
This generates an access_token however when i try and use it using the graph API, I get the following error
Access token validation failure
When investigating the token compared to a normal OAuth token with user input, i noticed its passing in roles rather then scp and the audience is my application rather then graph.microsoft.com.
What am i doing wrong?
The app registered in Azure AD portal works with Azure AD V1.0 endpoint ,app registered in apps.dev.microsoft.com that works with the v2.0 endpoint , Please firstly refer to this document for what's different about the v2.0 endpoint .
To use Azure AD v2.0 to access secure resources without user interaction(client credential flow) , you should send a POST request to the /token v2.0 endpoint:
POST /common/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=535fb089-9ff3-47b6-9bfb-4f1264799865&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=qWgdYAmab0YSkuL1qKv5bPX&grant_type=client_credentials
You could refer to this document for how to use the OAuth 2.0 client credentials grant with Azure AD V2.0 endpoint .
If you want to use azure ad v1.0 (app registered in azure portal) with client credential flow, you could refer to this document . In azure ad v1.0 , you should indicate the resource parameter which the client app is requesting authorization for , in your scenario , the resource should be https://graph.microsoft.com/ if you want to acquire token to call microsoft graph api .
I have created a ASP.Net Web API (.Net Framework) app with "Work or School Accounts" as authentication type. This automatically registers this API app in my Azure subscription and I can see it under "App Registrations". I can see that Home Page Url is pointing to localhost address. I can see that API is launching locally on localhost address. I then launch Fiddler to get access token from Azure AD. My POST request to endpoint https://login.microsoftonline.com/<mytenant>.onmicrosoft.com/oauth2/token. has following 4 parameters
grant_type=client_credentials
&client_id=<appid from Azure AD Portal>
&client_secret=<secret from Azure AD Portal>
&resource=<appid from Azure AD Portal>
I get a token back. When I decode this token, I see aud and appid as expected(matching appid in Azure AD). I use this token as bearer token to invoke API call by adding Authorization: Bearer <mytoken> header in GET request to https://localhost:44374/api/values. However, this GET call to my API is returning me {"Message":"Authorization has been denied for this request."} error message.
What am I missing?
You should use App ID URI as the resource value when acquiring token , you could find the App ID URI in Properties of api app in azure portal ,like https://xxxxx.onmicrosoft.com/WebApplicationName . Web api will check whether the aud claim in access token matches the one you set in web.config :
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
TokenValidationParameters = new TokenValidationParameters {
ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
},
});
ida:Audience value in web.config is the allowed audience .