Following this tutorial by Microsoft, the JavaScript application is not able to access the API protected by Azure AD B2C. The application is able to login/authenticate, but when clicking the Call Web API button, the following message is output onto the page:
Web APi returned:
"AuthenticationFailed: IDX10803: Unable to obtain configuration from: 'https://b2c-tenant-name.microsoftonline.com/tfp/b2c-tenant-name.onmicrosoft.com/B2C_1_signupsignin/v2.0/.well-known/openid-configuration'."
How can this be repaired? What change is required to allow the JavaScript SPA to call the protected web API?
Well that URL looks a bit odd.
It should be something like:
https://b2c-tenant-name.b2clogin.com/b2c-tenant-name.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signupsignin
I got this from the Run user flow feature in the Azure portal.
You can't use microsoftonline.com URLs any more.
They were deprecated.
The host is now b2clogin.com.
Related
I have a Web API project I created using this tutorial that I'm trying to secure using Azure AD.
According to the tutorial, when I create the project, I can select "Change Authentication" and enter my AAD information and the authentication supposed to just "work" as long as I have <Authorize> on the controller I want to secure:
According to the tutorial, I need to add the API as an app in the Azure portal but its steps and screenshots are confusing because they're old and the Azure portal has been reorganized. It says:
Next step is to add the "WebAPIServerSingleTenant" as an app you can access in your native app. Navigate to the "WebAPIClientSingleTenant" app and add "WebAPIServerSingleTenant" to your approved list (tick the checkbox too)
But adding the tenant info from Visual Studio when I created the project creates an app registration in AAD automatically, so I'm not sure what it's asking me to do.
Furthermore, when I try to call the API from Postman, for example, I just get "Authorization has been denied for this request" despite generating and passing an access token in the header of the request that looks right to me.
What steps do I need to follow to secure my web API using Azure AD?
The 'Next step is to add the ..." instruction you quote above is about adding a reference to your API app to the AAD registration of your native app. To register the native app, go to the Azure portal and use App Registration. The instructions for how to do that linked in your article are obsolete - AAD UI is totally different now. Rather use one of the official samples, in particular the one for native client accessing an API.
I have an angular website which is secured using Azure AD B2C. B2C is configured with local accounts and three social providers (MS, Google & Facebook) and everything from the web app perspective works great.
The web app calls a separate .NET Core web API which has a couple of secured endpoints. The web API has been set up as an application in B2C with all of the relevant scopes and the scopes have then been added to the web app as described in the getting started docs from MS.
If I'm logged in to the web app using a local account the API call's work perfectly however if I'm logged in using a social provider they fail. In the case of an MS account I see the following:
Frame with URL 'https://login.live.com/oauth20_authorize.srf?client_id=omitted for brevity'
attempted to navigate its top-level window with origin 'https://localhost:44314'.
Navigating the top-level window from a cross-origin iframe will soon require that the iframe has received a user gesture.
See https://www.chromestatus.com/features/5851021045661696.
Google and Facebook provide similar errors. It looks to me like somewhere along the line a redirect is being initiated to try and log in again.
On the Angualr app I'm using msal-angular (https://www.npmjs.com/package/#azure/msal-angular) which is configured as described in the link.
I've scoured the docs and google to try to find a solution but to no avail so any help would be greatly appreciated. I'm not sure if I'm just running into something that's not currently supported in B2C.
Thanks in advance.
I'm trying to set up Azure AD B2C for my web app.
I've already created a tenant. I then created an app. According to articles I'm following, I should then be able to click "API Access" and add scopes. In my case, there's nothing under API drop down:
I already see "Access the user's profile" with the following selected:
Under "Published Scopes", again, I see nothing:
What am I missing here?
UPDATE:
After adding the App ID URI, I was able to move forward a bit but still not sure about published scopes. This is what I currently have:
And under API Access, this is what I have:
Basically, the behavior I'm getting on my frontend app which is built on ReactJs is that I hit the Azure AD B2C login. After entering my credentials, I get redirected to my app. I see id_token in the URL but the MSAL library I'm using doesn't capture the token -- I have a break point in my React code to see if I'm capturing the token. I get sent back to the login screen on Azure, then back to my app. On the third one, I actually see the token being captured but I end up with the following errors:
I'm using this library which is a wrapper for the MSAL.js library: https://github.com/jamesrandall/react-azure-adb2c
I'm pretty certain there are config errors. Just not sure what they are.
API access is used to assign access from a web app to an API app.
Published scopes is used to register the access scopes for the API app.
Before the access scopes can be registered for the API app, an App ID URI must be set as the resource identifier for the API app, as described by the Azure Active Directory B2C: Register your application article.
I'm using adal js to auth with Azure AD. I have webApp and webApi. Pretty much my apps follow this sample https://github.com/AzureADSamples/SinglePageApp-WebAPI-AngularJS-DotNet .
I was able to login to my webApp and adal.js successfully acquired a token for my webApi and injected it into a request. All was working until recently. Then token acquisition for webApi stopped working with error:
"response_type 'token' is not supported for the application"
renewToken is failed:AADSTS70005: response_type 'token' is not supported for the application
Trace ID: 104c18e3-eb6e-42a4-a292-c6f170f27f65
Correlation ID: c2e65622-0c58-473a-8184-b3056fb1af58
Timestamp: 2015-03-27 22:53:12Z
I can clearly see that adal.js is building a request and puts "response_type=token" into a query string. So, my assumption is that something changed on Azure AD side.
I found one article that correlates response_type=token to implicit grant flow. I confirmed that my webApp has "oauth2AllowImplicitFlow" enabled. I have contacted MS support and waiting for resolution. Meanwhile, I wanted to share this with community and see whether someone has any information regarding the issue.
Thanks
If you are building client-side app, you need to enable Implicit flow from the application manifest.
"oauth2AllowImplicitFlow": true,
Open your application configuration azure portal, and download the manifest file from "Manage Manifest" menu.
search for oauth2AllowImplicitFlow and change the value to true.
upload the file again through the same menu.
Logout and login again to your app and it will work will a charm.
It can also be configured via the Azure AD portal:
From the application page, click on Authentication, and under Advanced Settings, select the checkboxes next to Access tokens and ID tokens to enable OAuth2 implicit grant for the application.
more info about OAuth2 Implicit flow >> link:
The implicit grant type is used for mobile apps and web applications (i.e. applications that run in a web browser), where the client secret confidentiality is not guaranteed...
recreating my webApp fixed the issue. I'm still investigation the root cause with MS. Manifests for two apps aren't different except their AAD Client IDs.
UPDATE
see my comments for resolution
I have an Azure mobile service setup and have followed the examples online for authenticating. I call AuthenticationContext.AcquireToken and get back a token. Then I set the header using:
HttpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", AquireAccessToken());
However I am getting a 401 back and in the Azure logs I am getting "The 'Bearer' HTTP authentication scheme is not supported". What am I missing?
If you are using a service to call the mobile service why not use the Application key instead of a login process?
You can set a header on your request like so:
HttpClient.DefaultRequestHeaders.Add("X-ZUMO-APPLICATION", "<YOUR APP KEY>";
You can get your application key from the portal. When you are on the dashboard view click the button at the bottom of the window to "manage keys".
This works if you want to login as the service, but if you need to login on behalf of a user, then you'll need to go the authentication route. You'll also need to make sure the permissions on your various tables and APIs allow the application key level of access.
Alternately, you can use the X-ZUMO-MASTER header with your master key to get admin rights to the service.
Mobile Services does not support tokens being passed in the Authorization header. Instead, please consider using the POST method for the login endpoint. The Mobile Services SDK makes this available as an overload of the login method if desired.
Could you please comment on what examples you are following? Our standard "Get Started with Authentication" tutorial shows how to do login without handling an access token directly. We also have tutorials for using a provider SDK to obtain a token and pass it to the mobile service using the overloads mentioned above. For example, we have this tutorial for Microsoft Account and Azure Active Directory