Azure Application Gateway support for OpenID Connect authentication - azure-web-app-service

I have an Azure web app which has OpenID Connect authentication configured with Azure AD.
For this, I had created a new app under App Registrations in Azure Active Directory and configured the redirect URL as /signin-oidc. So when I try to log in to the App Service URL, it first redirects to the redirect URL and then to https://login.microsoftonline.com, passes the client ID, tenant etc. details in the query string, and works perfectly fine. So I can log in with my Azure AD user credentials.
The web application is working perfectly fine with OpenID Connect with Azure AD.
When I front the Azure Web App with an Azure Application Gateway, it directly redirects to
/signin-oidc and stops there. I tried redirect options also.
Does Azure Application Gateway support OpenID Connect authentication with Azure AD?

Same scenario here, an App Service behind an Application Gateway. Here's what worked:
The BuildRedirectUri method in Microsoft.AspNetCore.Authentication.AuthenticationHandler<> builds the redirect URI by concatenating, among other values, the Request.Host string. That's why the App Service host was being used instead of the Gateway's.
So, the following code snippet was added to the Configure() method of Startup.cs:
if (env.IsProduction())
{
    // Replace the App Service host name the request arrived with by the
    // gateway's public host, so that BuildRedirectUri emits the redirect_uri
    // registered in Azure AD. <gateway.host> is the gateway's DNS name.
    // Must be registered before UseAuthentication() so the OIDC handler sees it.
    app.Use((context, next) =>
    {
        context.Request.Host = new HostString("<gateway.host>");
        return next();
    });
}
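The same outcome without hard-coding one host name, as an added example that is not part of the answer above: ASP.NET Core's forwarded-headers middleware rewrites Request.Host and Request.Scheme from the gateway's headers, but only for requests that actually come from the gateway and only for an allow-listed host, so a forged header cannot change the OIDC redirect_uri. Placeholders that are assumptions, not values from the post: the gateway connects to the app from 10.0.1.4, the public site is www.example.com, and the gateway is configured to override the backend host name, in which case it carries the original host in the X-Original-Host header.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

// Added example: derive Request.Host/Request.Scheme from the gateway's
// forwarded headers instead of hard-coding a host. The IP, host name and
// header name below are placeholders (assumptions, see the lead-in).
public static class GatewayForwardedHeaders
{
    // Call from ConfigureServices().
    public static void AddGatewayForwardedHeaders(this IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                                     | ForwardedHeaders.XForwardedProto
                                     | ForwardedHeaders.XForwardedHost;

            // Application Gateway puts the original Host value here when it
            // rewrites the Host header for the backend (assumption).
            options.ForwardedHostHeaderName = "X-Original-Host";

            // Trust forwarded headers only when the TCP peer is the gateway.
            // A client that reaches the app directly cannot spoof them.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            options.KnownProxies.Add(IPAddress.Parse("10.0.1.4"));

            // Even from a trusted peer, accept only the host names this site
            // may claim; an unlisted value is ignored, so the OIDC
            // redirect_uri cannot be pointed at an arbitrary host.
            options.AllowedHosts.Add("www.example.com");
        });
    }

    // Call from Configure(), before UseAuthentication(): the OIDC handler's
    // BuildRedirectUri reads Request.Host and Request.Scheme, so the headers
    // must be applied before the authentication middleware runs.
    public static IApplicationBuilder UseGatewayForwardedHeaders(this IApplicationBuilder app)
    {
        return app.UseForwardedHeaders();
    }
}
```

KnownProxies must contain the address Kestrel actually sees as the peer; when an App Service front end sits between the gateway and the worker, that front end's address is the peer, not the gateway's. To check the result, log Request.Host after the middleware and compare the redirect_uri parameter in the login.microsoftonline.com URL with the reply URLs registered on the app; a mismatch is what produces AADSTS50011.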

Yes, we can use Application Gateway with OpenID authentication. In my case, the SSL certificate was missing and I got it working once it was added.

Related

Can't Authenticate Single Tenant Angular Application

I'm creating an Angular application that should authenticate with an MS Azure AD single-tenant app which should be used only in one organization. Below are the configs which I have tried:
auth: {
    clientId: 'MY_CLIENT_ID',
    // authority: 'https://login.microsoftonline.com/MY_TENANT_ID',
    // authority: 'https://login.microsoftonline.com/MY_ORGANIZATION_DOMAIN',
    authority: 'https://login.microsoftonline.com/organizations',
    redirectUri: 'http://localhost:6735'
},
All the above ways of setting the authority I have tried. It goes to the Microsoft login page, but after giving correct credentials it redirects with some code in the URL and login doesn't happen.
http://localhost:6735/#code=0.ASgAmOTRM_cEXkaKjvmSz2YuZyqUYHleyNlFoNYtQ5kOUEUAAAA.AQABAAIAAAD--DLA3VO7QrddgJg7WevrHDMc_BSj9GrzkrZl2zT2QVp1Hml8h7qs1PSWM_umvMyKRk5U0C7IbDSpdEpL9SGjWzBFHBXBXh10eLEioVh1N8-hXeNyfLJFSqXShYPooCX8UnlUnIQqgFhULy_o1f7ybLLbMELBomOnJZQKZuJoxj6UJgtERnAE1TZ5-nx4YkPHSrlOD5aYSF6Pziu2Xfh8UOMArIUMAoXe_RUoqULKSIHFsxXypPpCNDo1ddWsxId96BbDdPhHix2IWCuz3SNtKC6i_22qiQSxHJnT3NlcoxyMS0-9f9tSMSEOmrzCU0y5mbuw7-OGYPO8Na3juGParCuPQhE7ZJyXcwFkKodEdGs-C1U-f5Bc_imtik4B8x6sRB2pa-DOAueRQHsLdUUBQn6w5xRmZ97KKXxuL0A59EHbNhNu59EFoVJB6zTTT3hBHLFg7qL9g2nkfZLAlfpp9IfqnsoZVl9xT0CIbl7NvsRFnjpsyp6Sw4oFvyEHiXuRvKLkl3Jz8O56PJody2hHEeqXuQvnWbZ9nk00MPOvArQ7bKyoCusCPQQp64uoPSLW9G389a3ihHLiiNlzJik2dHWjez2wBpSPwZCOingPRi3Mtkh5pIbxfijejQmWZlXB_wf_GaNPYPGNRXYygeo-2OZ9koWDKhQ5S6GP5ktjGPfDtlh6EJNCHAIuuHbK2IN2vjbxdO4_YVLX1NKq0Hh51B4-zNdsiFlZuVsy5RyA3ZQZGsnR1NIKV_wm5jMmdDsgAA&client_info=eyJ1aWQiOiJlYzczZDQ5OS1iYzFiLTRhZWUtYjMyZi0xYjlmOTMyODRiNjAiLCJ1dGlkIjoiMzNkMWU0OTgtMDRmNy00NjVlLThhOGUtZjk5MmNmNjYyZTY3In0&state=eyJpZCI6IjY3YWVjYjVkLWE5YjUtNDBhMy1iZDE5LWRmYmNmNjcxNTkwZiIsIm1ldGEiOnsiaW50ZXJhY3Rpb25UeXBlIjoicmVkaXJlY3QifX0=&session_state=9e6ae9e7-45ae-4fee-b4b2-921f628093ec
Please check if any of the below is your workaround:
If your application audience is a single tenant, you must provide an authority with your tenant ID, as you tried first:
const msalConfig = {
    auth: {
        clientId: 'your_client_id',
        authority: 'https://login.microsoftonline.com/{your_tenant_id}'
    }
};
By default, MSAL is configured to set the redirect URI to the current page that it is running on. If you would like to receive the authorization code on a different page than the one running MSAL, you can set this in the configuration. Any redirect URI used must be configured in the portal registration.
If it is a SPA, please check that you have selected the platform as SPA in the app registration in the portal, and check that the URI type in the manifest file is Spa. Make sure you do not have multiple platforms configured in Azure (e.g. both SPA and Web App for the same localhost URI).
Try to give the redirect URI with a '/' at the end, like this: http://localhost:4200/ or http://localhost:6735/ or redirectUri: '/', make sure you configured the same URI in the application code, and try again.
Make sure your client ID and tenant ID are given correctly. localhost is probably used while in development. If it still doesn't work, configure an https scheme in the redirect URI, both in the app and in the portal.
Reference:
AzureAD/microsoft-authentication-library-for-js (github.com)
Quickstart: | Microsoft Docs

Resource Token Provider as an Azure Function

I've been following the guide in this repo to setup a resource token provider as an Azure function.
https://github.com/adamhockemeyer/Azure-Functions---CosmosDB-ResourceToken-Broker
I've set up the Cosmos DB, app registration, and Azure Function with permissions according to the instructions. When I get to step 3 in the guide, where I enter https://{function-url}/.auth/login/{provider} into my browser, I get the following error:
AADSTS50011: The reply url specified in the request does not match the
reply urls configured for the application: [App id]
Update
I changed the reply URL in my app registration to https://{function-url}/.auth/login/{provider}/callback, with {function-url} being my Function App URL. Originally I had it set to one of my function URLs. Now I'm getting a 404 Not Found error.
(Screenshots: app registration redirect URL, Function App URL, Function App authentication settings)
You need to add the URL as below in your app registration; then it should work.
Note: after adding the URL, go back to Authentication / Authorization in your Function App, turn off the authentication providers which you configured -> turn off Authentication / Authorization, then turn it on and configure it again; otherwise it seems not to become effective.
https://{function-url}/.auth/login/{provider}/callback
Update:
Turn off all the configuration and create the new AD app like below.

LDAP Authentication Fails in Azure App Service

I have created a Java web app and deployed it on Azure App Service. In the app, we provide users with a login page, and upon submitting the credentials the users are authenticated using LDAP. This works when deployed locally.
When I deploy this to Azure as a Web App, the authentication doesn't happen and the application gives an error. I am trying to authenticate as below. The LdapContext is always returned as null in Azure.
The Authentication/Authorization setting in the Azure portal is turned OFF.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

LdapContext ctx = null;
// username is concatenated into the DN as-is; nothing escapes DN metacharacters here
String dn = "uid=" + username + ",ou=users,ou=xxxx,o=xxxxx";
// plain ldap:// on 389: the simple-bind password crosses the network unencrypted
String ldapURL = "ldap://ldap.example.com:389";
Hashtable<String, String> environment = new Hashtable<String, String>();
environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
environment.put(Context.PROVIDER_URL, ldapURL);
environment.put(Context.SECURITY_AUTHENTICATION, "simple");
environment.put(Context.SECURITY_PRINCIPAL, dn);
environment.put(Context.SECURITY_CREDENTIALS, password);
// the constructor throws NamingException when the connection or the bind fails
ctx = new InitialLdapContext(environment, null);
Server side: check the inbound security rule for which IP addresses can access the LDAP server.
If you pass the LDAP domain name in code, try passing an empty value in that place.
Try to give the auth type as Basic or Negotiate or Anonymous etc. These are in the .NET Framework; the same way, try some other type in Java, maybe. So try like that.
ldap://ldap.example.com - for this, example.com is the domain name.
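Two things a reviewer would change in the bind code posted in the question, shown as an added example that belongs to neither the question nor the answer: the user-supplied name is escaped per RFC 4514 before it is placed in the bind DN (otherwise a value such as bob,ou=admins changes which entry the bind targets), the connection uses LDAPS on 636 so the simple-bind password is not sent in clear text, and an empty password is refused because an LDAP simple bind with an empty password is an unauthenticated bind that many servers accept. It is written in C# like the page's other added examples; the escaping rules carry over to the JNDI snippet unchanged, and the transport change there is an ldaps:// URL in PROVIDER_URL. Host name, base DN and credentials are placeholders.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

// Added example (not code from the page). Placeholders: ldap.example.com,
// the ou=users,ou=xxxx,o=xxxxx base taken from the question, and the caller's
// username/password.
public static class LdapLogin
{
    // Escape one attribute value for use inside a distinguished name
    // (RFC 4514 section 2.4): backslash-escape the special characters,
    // a leading '#', a leading or trailing space, and encode NUL as \00.
    public static string EscapeDnValue(string value)
    {
        var sb = new StringBuilder(value.Length * 2);
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            switch (c)
            {
                case '\\': case ',': case '+': case '"':
                case '<': case '>': case ';': case '=':
                    sb.Append('\\').Append(c);
                    break;
                case '\0':
                    sb.Append("\\00");
                    break;
                case '#' when i == 0:
                case ' ' when i == 0 || i == value.Length - 1:
                    sb.Append('\\').Append(c);
                    break;
                default:
                    sb.Append(c);
                    break;
            }
        }
        return sb.ToString();
    }

    // The DN the question builds, with the user-controlled part escaped.
    public static string BuildUserDn(string username)
    {
        return "uid=" + EscapeDnValue(username) + ",ou=users,ou=xxxx,o=xxxxx";
    }

    // Simple bind over LDAPS. Returns true only if the server accepted
    // the DN/password pair.
    public static bool Authenticate(string username, string password)
    {
        // Empty password => unauthenticated bind (RFC 4513 5.1.2); never treat as success.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return false;

        using (var conn = new LdapConnection(new LdapDirectoryIdentifier("ldap.example.com", 636)))
        {
            conn.SessionOptions.SecureSocketLayer = true; // TLS from the first byte
            conn.SessionOptions.ProtocolVersion = 3;
            conn.AuthType = AuthType.Basic;                // LDAP simple bind
            conn.Credential = new NetworkCredential(BuildUserDn(username), password);
            try
            {
                conn.Bind();
                return true;
            }
            catch (LdapException)
            {
                // invalid credentials (result code 49), unreachable host, TLS failure
                return false;
            }
        }
    }
}
```

EscapeDnValue("bob,ou=admins") yields bob\,ou\=admins, so the bind is attempted against uid=bob\,ou\=admins,ou=users,... rather than against an entry under ou=admins. Authenticate needs a reachable directory; a bind that fails for a network or certificate reason is reported the same way as a wrong password, which is the right behaviour for a login page.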

Register MicroServices in Azure Active Directory (AAD) for Security

I have a Service Fabric application (stateless and stateful) deployed in a Service Fabric cluster. I am trying to implement security in the applications. The application uses the Active Directory Authentication Library (ADAL) to get a token from Azure AD using the OAuth 2.0 client credential flow, where the client credential is a password. I am able to implement the same scenario in ordinary Web API applications by registering them in the Azure portal. Can anyone tell me how to register a Service Fabric microservice application with a Web API exposed using OWIN? I have difficulties registering the reply URL and sign-on URL, as the URLs are dynamic (for stateful services: partition ID and replica ID). I receive unauthorized access while calling the corresponding service. I am not sure what URL has to be registered for a stateful or stateless application when adding the application in Azure Active Directory. Could you please suggest where I'm wrong and what to do to implement this?
Can anyone tell me how to register a Service Fabric microservice application with a Web API exposed using OWIN? I have difficulties registering the reply URL and sign-on URL, as the URLs are dynamic (for stateful services: partition ID and replica ID).
The client credential flow is used for service or daemon apps. There is no need to use the redirect_url when we use the client credential flow to acquire the token; you can register any valid redirect_url. Here is an example using the client credential flow:
POST https://login.microsoftonline.com/<tenantId>/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=<clientId>
&client_secret=<clientSecret>
&resource=<app id uri of your web api>
And it is the same to integrate Azure AD with a Web API using Azure Service Fabric. Here is an example for your reference:
1. Register a web app (app1) which is used to protect the Web API on the Azure portal.
2. Register a web app (app2) as the client to request the Web API.
3. Grant app2 access to app1 from the portal.
4. Create a Service Fabric application with the Stateless Web API template.
5. Configure the app.config of the Service Fabric application:
<add key="ida:Audience" value="app id Uri of app1" />
<add key="ida:Tenant" value="tenantId" />
6. Install the package Microsoft.Owin.Security.ActiveDirectory:
Install-Package Microsoft.Owin.Security.ActiveDirectory
7. Modify the startup code like below (note: the method appBuilder.UseWindowsAzureActiveDirectoryBearerAuthentication is called before appBuilder.UseWebApi(config)):
using System.Configuration;
using System.Web.Http;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public static void ConfigureApp(IAppBuilder appBuilder)
{
    // Configure Web API for self-host.
    HttpConfiguration config = new HttpConfiguration();
    config.Routes.MapHttpRoute(
        name: "DefaultApi",
        routeTemplate: "api/{controller}/{id}",
        defaults: new { id = RouteParameter.Optional }
    );

    // Validate incoming bearer tokens against Azure AD; the audience is app1's App ID URI.
    appBuilder.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            Audience = ConfigurationManager.AppSettings["ida:Audience"],
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
            TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
            {
                // Disables the issuer check: a token with the right audience
                // from any Azure AD tenant is accepted.
                ValidateIssuer = false
            }
        });

    // Authentication must be registered before Web API so it runs first.
    appBuilder.UseWebApi(config);
}
8. Run the Service Fabric application.
9. Acquire the token using the client credential flow mentioned above (clientId and clientSecret are from app2).
10. Request the service published by the Service Fabric application with the access token, and it works well.
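The two steps above in code, as an added example that is not part of the answer: the client-credential request from step 9 done with HttpClient against the same v1 /oauth2/token endpoint and form fields the answer shows, and the bearer middleware from step 7 with issuer validation left on and pinned to the single tenant instead of ValidateIssuer = false (with it off, a token carrying the right audience but minted by any other Azure AD tenant is accepted). Assumptions: the tenant ID, client ID, client secret and App ID URI are placeholders; the namespaces are those of Microsoft.Owin.Security.ActiveDirectory 3.x and Web API 2, matching the original snippet; the v1 endpoint issues tokens whose iss claim has the form https://sts.windows.net/{tenantId}/; Newtonsoft.Json is present, as it is in any Web API 2 project.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin.Security.ActiveDirectory;
using Newtonsoft.Json.Linq;
using Owin;

// Added example (not code from the answer). Step 9: obtain an access token
// for app1 with app2's client credentials.
public static class ClientCredentialTokenClient
{
    private static readonly HttpClient Http = new HttpClient();

    // POST grant_type=client_credentials to the tenant's v1 token endpoint and
    // return the access_token. The secret travels only in the form body.
    public static async Task<string> AcquireAsync(string tenantId, string clientId,
                                                  string clientSecret, string resource)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials",
            ["client_id"] = clientId,         // app2
            ["client_secret"] = clientSecret, // app2's key
            ["resource"] = resource,          // App ID URI of app1, the protected Web API
        });
        using (var response = await Http.PostAsync(
            "https://login.microsoftonline.com/" + tenantId + "/oauth2/token", form))
        {
            string body = await response.Content.ReadAsStringAsync();
            if (!response.IsSuccessStatusCode)
                throw new InvalidOperationException("Token request failed: " + body);
            return (string)JObject.Parse(body)["access_token"];
        }
    }
}

// Step 7 again, but with the issuer pinned to the tenant instead of
// ValidateIssuer = false.
public static class ApiStartup
{
    private const string TenantId = "<tenantId>";           // placeholder
    private const string Audience = "<app id uri of app1>"; // placeholder

    public static void ConfigureApp(IAppBuilder appBuilder)
    {
        var config = new HttpConfiguration();
        config.Routes.MapHttpRoute("DefaultApi", "api/{controller}/{id}",
                                   new { id = RouteParameter.Optional });

        appBuilder.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = TenantId,
                Audience = Audience,
                TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
                {
                    // Accept only tokens minted by this tenant (v1 issuer form).
                    ValidateIssuer = true,
                    ValidIssuer = "https://sts.windows.net/" + TenantId + "/",
                    // Audience must be app1's App ID URI, not just any value.
                    ValidateAudience = true,
                    ValidAudience = Audience,
                    ValidateLifetime = true
                }
            });

        appBuilder.UseWebApi(config); // after authentication, as in the answer
    }
}
```

With Tenant set, the middleware already downloads that tenant's metadata and would validate the issuer by default; the explicit parameters only make the intent visible and stop a later edit from silently widening it. Disabling issuer validation is only defensible for a deliberately multi-tenant API that checks the tid claim itself.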

Azure Web App with Azure AD app returning `auth/login/aad/callback` permission error

After setting up an Azure Web App with Azure AD authentication, the site is returning a 401 after authenticating.
This is the auth flow as I see it:
Go to https://mysite-$environment.azurewebsites.net/
Redirects to https://login.microsoftonline.com/
Authenticate using my credentials
Redirects to https://mysite-$environment.azurewebsites.net/.auth/login/aad/callback
Error: You do not have permission to view this directory or page. HTTP status 401.
Long version
I have 3 Web Apps in Azure under the same Service Plan: 1 website and 2 APIs.
I would like these to use Azure AD for authentication.
So, I created an Azure AD app using PowerShell:
# Parameters for New-AzureRmADApplication, splatted below
$app = @{
    DisplayName = "azad-$environment-mysite"
    IdentifierUris = @(
        "https://mysite-$environment.azurewebsites.net",
        "https://mysite-api-$environment.azurewebsites.net",
        "https://mysite-api-2-$environment.azurewebsites.net"
    )
    HomePage = "https://mysite-$environment.azurewebsites.net"
    ReplyUrls = @(
        "https://mysite-$environment.azurewebsites.net",
        "https://mysite-api-$environment.azurewebsites.net",
        "https://mysite-api-2-$environment.azurewebsites.net"
    )
    AvailableToOtherTenants = $false
}
New-AzureRmADApplication @app
Then, using the ApplicationId returned, I have set up Azure AD through the portal's Web App > Authentication / Authorization blade.
This is a similar scenario to the question asked over at Azure AD server authentication, No permission to view directory question.
You have to register each app in AAD, and you can do it more easily via the Azure portal.
When you have the web app registered through the "Express" process, everything should work as expected (OAuth2 flow). The problem may come with your API app, especially if you need to access it server-to-server.
Because the process is a little bit long to write here, I wrote two posts:
Web API access through Azure Active Directory
API App server-to-server through Azure Active Directory
In the first post you can see the REST flow using Postman.
