openid Authentication for multi domain website - azure

we have a website hosted in IIS, we have pointed the multiple domains to the same website.
like
www.exmple.com
www.example.in
www.wxaple.co.uk
and so on.
similarly, we have pointed more than 30 domains to this website.
Before there was no authentication on this website, now we need to implement authentication. so we have used OpenID connect and Azure AD for authentication.
https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-protocols-openid-connect-code
This is working fine for one domain because we can configure the redirection URL for 1 domain. But how we can make sure this will work fine for all domains.
or any other approach to implementing this.

Though you have many domains in a website, when you login in your website the appId is the same. So, you could use the access token to request your domain website.
BTW, you need to add your domain into your Redirect Uri in App registered in your Azure AD.

Related

Azure Active Directory B2C with Azure Front door auth response uses wrong domain

We are using Azure Active Directory B2C in combination with Azure Front door. When signing in with a password and username it works fine, but when signing in with a social provider it shows the wrong domain.
Before sign in:
After sign in with social provider (loading before continuing with, in this case localhost)
The difference here, is that before the sign-in we have login.timchermin.com/login.timchermin.com and after we have login.timchermin.com/lokaalaybler.onmicrosoft.com. I would prefer the onmicrosoft.com to also be login.timchermin.com.
I tried putting https://login.timchermin.com/login.timchermin.com/oauth2/authresp in the google cloud app setting. But this will give the following error.
(How) Can I make it so that my authresp also includes the domain in after the first / ?
I am also using custom policies, if that makes a difference.
The domain login.timchermin.com is also set as the primary domain.
Please make sure that you have all redirect URLs registered properly in your social IDP. This is my configuration for the Facebook login. I also use Front Door with Azure AD B2C:
Redirect URL should be aligned with this pattern when using custom domain:
https://your-custom-domain/name-of-your-ad-b2c-tenant.onmicrosoft.com/oauth2/authresp

AzureAD not accepting my HTTP URL from my NodeJS OAuth2

I have a NodeJS Application utilizing OAuth2. I do not have SSL. I am trying to authenticate using Single Sign-on with Microsoft. While it works on localhost, it doesn't work with network's IP. Any idea?
On MS Website it says I should be able to:
The Azure AD application model today supports both HTTP and HTTPS
schemes for apps that sign in Microsoft work or school accounts in any
organization's Azure Active Directory (Azure AD) tenant. That is
signInAudience field in the application manifest is set to either
AzureADMyOrg or AzureADMultipleOrgs. For the apps that sign in
Personal Microsoft accounts and work and school accounts (that is
signInAudience set to AzureADandPersonalMicrosoftAccount) only HTTPS
scheme is allowed.
I have the Manifest set to AzureADMultipleOrgs
The redirect URL should still be using HTTPS,
In general, they do not support transmitting tokens over unsecured channels. Currently, apps that are registered in the Application Registration Portal are restricted to a limited set of redirect URI values. The redirect URI for web apps and services must begin with the scheme https.

SharePoint online for mobile apps

I have a mobile app, in which am i need to read a list from SharePoint online. But I cannot able to login to the Sharepoint api using Azure AD.
I have tried many approaches like passing client ids, all the responses are like redirecting to the domain, but I don't have any domain since mines are mobile app.
So kindly help me to login to the Azure AD without redirectUrl
GET https://login.microsoftonline.com/{tenant}/adminconsent
?client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=https://localhost/myapp/permissions
In the above method after successfull login am redirecting to the mentioned redirect url but i dont have any domain, since i'm developing mobile apps.
I'm using ionic with angular app.
Kindly help is there any way to get a access token.
You don't need your own domain.
Redirect URI is unique to your application and it will return to this URI when authentication is complete.
For native app(mobile app), when authentication is successful, the code or token will be included in the redirect url.
You don't need to worry about it because if you are using MSAL or ADAL, you may select from the suggested Redirect URIs in Azure AD app Authentication page.

How to configure Azure AD app registration redirect URLs to work for localhost and Azure deployment?

I've registered an app in Azure AD and can successfully authenticate users against it while running on localhost.
The Azure AD app's Redirect URI is set to https://localhost:44352/sigin-oidc and the Logout URI is https://localhost:44352/signout-oidc
If I deploy my MVC app to Azure the host name will be different from "localhost". Do I have to register another app for deployment or just add a second redirect URI? But what about the logout URL then - only one can be configured there?
Second redirect URI. Here are some pointer on restrictions on redirect URIs.
Logout URI is only relevant to your application. Not the application registration.
If you are referring to the post_logout_redirect_uri, as described here - it must registered in the redirect_uris as well:
Or if you consider the logoutUrl as described in the Manifest - that is only used when you perform a Single-sign-out of all web apps, as described here. Frankly, there are very few reasons to use the single sign out capability of Azure AD. And, it requires of course that all apps are configured for single sign out.

Create azure B2C which can reply to wildcard URL

In our project we are using B2C where the front-end is hosted on a webapp and gets the token and the backend is hosted on an API app and validates the token.
When developing we deploy the front-end and backend as needed, often with multiple copies for multiple developers.
The problem is that the B2C app registration requires to add the reply URL manually. Our development domains are generally under https://XXX###.azurewebsites.net. where XXX is a common prefix and ### is some number.
Is there a way to either define the reply URL programmatically (i.e. add it and remove it as we deploy/remove the instance) or to support wildcard reply URLs?
If the above is not possible is there a way to programmatically register a new application with a copy of all configurations of an existing one except the reply URL?
Wildcard redirect URLs are not supported in OAuth2. See this post: why are redirect URLs fully qualified.
And, unfortunately, we can't manage B2C programmatically.
UserVoice item: Programmatically manage B2C policies

Resources