I've created an application that uses Azure AD (not Azure AD B2C). I've been referencing https://raw.githubusercontent.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/master/ReadmeFiles/aspnetcore-webapp-tutorial-alt.svg?sanitize=true along the way.
Since I've deployed the application to our test environments, I randomly get "HTTP Error 400. The size of the request headers is too long".
I've come across "Azure Portal: Bad Request - Request Too Long", but this solution is for Azure B2C.
Does anyone know a solution to this?
Let me know if you need code examples, but I've pretty much followed the Git repository referenced above.
This seems to be related to TempData. Try switching from the cookie-based TempData provider to the session-based one:
https://learn.microsoft.com/en-us/aspnet/core/fundamentals/app-state?view=aspnetcore-2.2#configure-the-tempdata-provider
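The switch the answer suggests, as an added example that is not code from the question or the answer: an ASP.NET Core 2.2 Startup that backs TempData with server-side session state so only a small session id cookie travels with each request instead of the serialized TempData payload. The route template and timeout value are assumptions; the distributed memory cache is per instance, so a scaled-out App Service would need a Redis or SQL Server distributed cache in its place.

```csharp
// Added example (not from the original post): move TempData out of the cookie and into
// server-side session state in an ASP.NET Core 2.2 Startup class.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Backing store for session state. In-memory is fine for a single instance;
        // replace with AddDistributedRedisCache / AddDistributedSqlServerCache when scaled out.
        services.AddDistributedMemoryCache();

        services.AddSession(options =>
        {
            options.IdleTimeout = TimeSpan.FromMinutes(20);          // assumed value
            options.Cookie.HttpOnly = true;                          // not readable from script
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // HTTPS only
            options.Cookie.IsEssential = true;                       // session must work before consent
        });

        services.AddMvc()
            // Replace the default CookieTempDataProvider with SessionStateTempDataProvider,
            // so TempData no longer inflates the request headers alongside the auth cookie.
            .AddSessionStateTempDataProvider()
            .SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseAuthentication();

        // UseSession must run before UseMvc so the TempData provider can reach the session.
        app.UseSession();

        app.UseMvc(routes =>
            routes.MapRoute("default", "{controller=Home}/{action=Index}/{id?}")); // assumed route
    }
}
```

The Azure AD sign-in cookie and a cookie-based TempData payload are both sent on every request; keeping TempData on the server removes the part of that header volume the application controls.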
I am trying to call the rest service for getting idToken from Azure B2C application using following URL:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token?p={POLICY}
I am passing all the required parameters in the payload:
grant_type=authorization_code&client_id={ClientID}&scope=https://{tenant}.onmicrosoft.com/api/read openid offline_access&code={AUTH_CODE}&redirect_uri={REDIRECT_URI}&client_secret={CLIENT_KEY}
The same approach is working on one environment but returns
404 : The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.
when accessing from another environment.
What am I missing here? Any Azure configuration that I need to check?
Your request looks good, so the key to this issue should not be on the B2C side.
This error generally means that the file you are looking for is not present on the server, or the web.config file is not configured properly.
As the approach is working on one environment but failing for another, you should check the web.config file which is in the failing environment to see if it is configured correctly.
See a similar question here.
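The token request from the question above, as an added example that is neither the asker's nor the answerer's code: a confidential-client redemption of the authorization code against the B2C token endpoint, with the policy in the query string and the rest form-encoded, which also tells the JSON error a token endpoint returns apart from the HTML 404 the question describes. The method splits the question's `{tenant}` placeholder into a tenant name used both for the `.onmicrosoft.com` path segment and the scope; that split, and the `Truncate` helper, are assumptions.

```csharp
// Added example (not from the original question or answer). Redeems an authorization code
// at the Azure AD B2C token endpoint and distinguishes a real token-endpoint answer from
// a response that never reached the endpoint at all.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public static class B2CTokenClient
{
    private static readonly HttpClient Http = new HttpClient();

    public static async Task<JObject> RedeemAuthorizationCodeAsync(
        string tenantName, string policy, string clientId, string clientSecret,
        string authCode, string redirectUri)
    {
        // Assumption: tenantName is the short name (e.g. "contoso"), used in both places below.
        string endpoint =
            $"https://login.microsoftonline.com/{tenantName}.onmicrosoft.com/oauth2/v2.0/token" +
            $"?p={Uri.EscapeDataString(policy)}";

        // Same parameters as the question's payload, form-encoded in the body.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["client_id"] = clientId,
            ["client_secret"] = clientSecret,
            ["scope"] = $"https://{tenantName}.onmicrosoft.com/api/read openid offline_access",
            ["code"] = authCode,
            ["redirect_uri"] = redirectUri,
        });

        using (HttpResponseMessage response = await Http.PostAsync(endpoint, form))
        {
            string body = await response.Content.ReadAsStringAsync();

            // The token endpoint answers with JSON whether the request succeeds or fails.
            // An HTML body (such as the 404 page in the question) means the request
            // was answered by something other than the token endpoint: wrong host path,
            // a typo in the tenant, or an intermediary in that environment.
            string mediaType = response.Content.Headers.ContentType?.MediaType;
            if (!string.Equals(mediaType, "application/json", StringComparison.OrdinalIgnoreCase))
                throw new HttpRequestException(
                    $"Non-JSON response {(int)response.StatusCode} from {endpoint}: {Truncate(body)}");

            JObject json = JObject.Parse(body);
            if (!response.IsSuccessStatusCode)
                // OAuth error object: "error" and "error_description" name the B2C-side problem.
                throw new HttpRequestException($"{json["error"]}: {json["error_description"]}");

            // Success: id_token, access_token (for the requested scope) and refresh_token (offline_access).
            return json;
        }
    }

    // Keep diagnostics readable without dumping a whole HTML page into logs.
    private static string Truncate(string s) => s.Length > 200 ? s.Substring(0, 200) + "..." : s;
}
```

Logging the status code and the first part of a non-JSON body is what separates "B2C rejected the request" from "the request never reached B2C" when comparing the two environments.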
I've been attempting to authenticate requests to an Azure App Service for some time now and I'm completely stumped, I just can't seem to get the Microsoft.Azure.Mobile.Client to accept and successfully authenticate against a known "good" token.
Overall, all I want is to be able to successfully pull up a web browser in Xamarin Forms, authenticate the user either with Azure, Google or other social authentication, and then use a token to authenticate against an Azure App Service (EasyTables), which I already have running but without authentication enabled. For some reason none of the resources I've found have provided a clear way of doing this, and I'd be grateful for any help.
Here's the main config of what I have so far:
I've got an app successfully reading and saving data tables to an Azure-hosted EasyTables implementation. Tables are read (and written) using the standard form:
var locations = (await App.MobileService.GetTable<Location>().ToListAsync());
The MobileServiceClient is instantiated in the App.xaml.cs file as follows:
public static MobileServiceClient MobileService = new MobileServiceClient("https://mywebapp.azurewebsites.net");
As I say above, this works fine when accessing and saving to online services.
Going to the Azure Portal, I've activated "App Service Authentication" under Settings --> Authentication / Authorization, and I've also set up an Azure Active Directory Authentication Provider. Under this provider I've set up the Client ID of an Azure Active Directory instance (under Manage --> App Registrations).
Going back to Xamarin, I have successfully managed to authenticate against this using the approach by Steven Thewissen here. In particular, I've created an "MSAuthService" helper, which successfully pulls up a web browser, allows you to log in with Microsoft credentials, following which it's able to retrieve your account name and various other things from Microsoft Graph - including the Access Token.
I'm now trying to use this access token to log into the MobileService I'm using to access EasyTables, using the following:
JObject auth_token_jobject = new JObject();
auth_token_jobject["authenticationToken"] = token;
var output = await App.MobileService.LoginAsync(
    MobileServiceAuthenticationProvider.MicrosoftAccount,
    auth_token_jobject);
However, whenever I do this, I still get an "Unauthorized" error, produced by the last line above.
I understand that others (e.g. here) seemed also to have the same problem, but there was no resolution on that post.
Other things that I've tried, but haven't managed to get working completely, are below. As above, the closest I've got, by successfully authenticating albeit through Microsoft Graph rather than with my web service specifically, is the process above:
Overview of Authorization with EasyTables etc here - although this doesn't seem to provide any clear code for Xamarin to authenticate against.
Latest Xamarin blog and explanatory materials (here and here), but although the process using the await WebAuthenticator.AuthenticateAsync method appears to be a lot simpler than the example I was using above, there doesn't seem to be any detail provided about how you generate the URI required to call the authentication page, nor a step by step guide of how to implement it. Either way, I haven't managed to get it working...
If anyone has an easy way of getting hold of a valid token and then providing it to the MobileService client, I'd be most grateful. I suspect it's as simple as getting the token called back, for example from a Xamarin Essentials WebAuthenticator above, and then passing it with var output = await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.MicrosoftAccount, auth_token_jobject), but I just can't seem to get it working so far.
Thanks a lot!
Oliver.
There are a couple of issues here (on re-reading it a few times):
You are using MobileServiceAuthenticationProvider.MicrosoftAccount - you should be using "aad" instead.
AAD needs an access token - see https://learn.microsoft.com/en-us/azure/app-service/app-service-authentication-how-to#validate-tokens-from-providers for the details on what needs to be provided.
If the token you get back is really an MSA token, then you still need to provide an access_token field (and not an authenticationToken field).
If you don't need anything special, you should be able to just use .login() like this:
await App.MobileService.LoginAsync("aad", "your-method");
For more details on this, see one of the authentica
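The client-directed login the answer describes, as an added example that is not the asker's or the answerer's code: the provider token goes under `access_token`, and the provider is named `"aad"`. Acquiring the token is left to the caller (the asker's MSAuthService would supply it); note that a token obtained for Microsoft Graph carries Graph's audience, so the one posted here must have been requested for the App Service's own AAD app registration. The `EasyTablesSignIn` class name and the exception message text are assumptions.

```csharp
// Added example (not from the original question or answer). Client-directed sign-in to
// App Service Authentication with an Azure AD access token, using the Mobile Apps client SDK.
using System;
using System.Net;
using System.Threading.Tasks;
using Microsoft.WindowsAzure.MobileServices;
using Newtonsoft.Json.Linq;

public static class EasyTablesSignIn
{
    // Provider name the App Service authentication layer expects (from the answer above).
    private const string AadProvider = "aad";

    public static async Task<MobileServiceUser> SignInWithAadAsync(MobileServiceClient client, string accessToken)
    {
        if (client == null) throw new ArgumentNullException(nameof(client));
        if (string.IsNullOrWhiteSpace(accessToken))
            throw new ArgumentException("An AAD access token is required.", nameof(accessToken));

        // The provider token is posted as "access_token". "authenticationToken" is the name
        // App Service uses for the session token it hands *back*, which is why sending the
        // provider token under that name is rejected.
        var providerToken = new JObject { ["access_token"] = accessToken };

        try
        {
            MobileServiceUser user = await client.LoginAsync(AadProvider, providerToken);

            // user.MobileServiceAuthenticationToken is the App Service session token; the SDK
            // attaches it as the X-ZUMO-AUTH header on later table calls. It is not the AAD token.
            return user;
        }
        catch (MobileServiceInvalidOperationException ex)
            when (ex.Response?.StatusCode == HttpStatusCode.Unauthorized)
        {
            // 401 at this point means App Service did not accept the provider token:
            // wrong provider name, a token issued for another audience (e.g. Graph), or expiry.
            throw new InvalidOperationException(
                "App Service rejected the AAD access token; check the provider name and the token's audience.", ex);
        }
    }
}
```

After a successful call the existing `App.MobileService.GetTable<Location>().ToListAsync()` code works unchanged, because the client now carries the App Service session token on each request.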
I have a Java Web App which is integrated with Azure AD. Now when I run the app locally, everything works fine.
But When I deploy the WAR file to the Azure App Service, the authentication redirection seems to be going in an infinite loop.
The application is running in loop between login.microsoftonline.com and mysite.azurewebsites.net.
I have read in blog posts that this happens with OWIN cookies in .NET, but I'm not sure if this is the case with Java as well.
All the traffic is through HTTPS only, but the issue still exists.
Is there any setting in the Azure Portal to overcome this?
OWIN middleware is only available for .NET, so yes, we cannot fault that.
The redirect would be triggered from the portion of your code that evaluates a condition like 401 Unauthorized, constructs an authentication URL and redirects the user to it.
I'd suggest you enable as much diagnostics as possible and look into the logs to check that:
Azure AD is sending the tokens in the response as expected, and not an error
The code accepting/parsing these tokens is working correctly
What I'm hoping to accomplish is a connection to Visual Studio Team Services through the Microsoft Account authentication provider. I've been following the documentation here (https://github.com/Azure/azure-content/blob/master/articles/app-service-api/app-service-api-dotnet-connect-to-saas.md) and have a couple of problems with the implementation.
They use the Microsoft.Azure.AppService.ApiApps.Service package to get to the token from the api gateway
// Retrieve the token from the gateway
var runtime = Runtime.FromAppSettings(Request);
var dropboxTokenResult = await runtime.CurrentUser.GetRawTokenAsync("dropbox");
But when I publish my webapp I get a 500 error when trying to create the Runtime object, the remote Debugger literally just dies on the line below and I don't even see any logs in the api's streaming logs interface to give more info on the error.
var runtime = Runtime.FromAppSettings(Request);
Any idea on how to get to the token?
Documentation for implementing Microsoft Account authentication with a web API is kinda scarce; any links to examples or documentation that was helpful to you guys out there?
Also, is the apiapp.json file really even necessary? They create one in the example, but authentication setup via the Azure blades seems to work ok, and leaving the apiapp.json file out of the API doesn't seem to matter either way. In the end I'd like my web API to maintain authentication via Microsoft Account no matter where it's moved to, so I figured there would be settings somewhere I would need to specify, but I can't really put that piece together either.
It looks like you're using the old model for building API apps (which involves a gateway), which has been deprecated. I believe it's still supported, but the official way to build API apps has since changed, and you might find it a bit simpler to work with. More information can be found here: https://azure.microsoft.com/en-us/documentation/articles/app-service-api-whats-changed/
Documentation for leveraging Microsoft Account authentication is here: https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-microsoft-authentication/
Once you're all set up, there are a few different ways you can obtain the token. You can find it as an inbound HTTP header (x-ms-token-microsoftaccount-access-token), or you can use the App Service Server SDK to obtain it, something along the lines of:
var creds = await this.User.GetAppServiceIdentityAsync<MicrosoftAccountCredentials>(this.Request);
string accessToken = creds.AccessToken;
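Both retrieval paths from the answer in one ASP.NET Web API 2 controller, as an added example that is not the answerer's or the asker's code: the Server SDK call first, with the `x-ms-token-microsoftaccount-access-token` header as a fallback. It assumes the Microsoft.Azure.Mobile.Server.Authentication package for `GetAppServiceIdentityAsync` and `MicrosoftAccountCredentials`; the controller and route names are assumptions.

```csharp
// Added example (not from the original question or answer). Reads the Microsoft Account
// access token that App Service Authentication makes available to the API.
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Azure.Mobile.Server.Authentication; // assumed package for the Server SDK call

[Authorize]
public class VstsController : ApiController
{
    // Header set by App Service Authentication after it has validated the user's sign-in
    // (from the answer above). It is only present when that feature is enabled in front of the app.
    private const string MsaTokenHeader = "x-ms-token-microsoftaccount-access-token";

    [HttpGet, Route("api/vsts/token-check")]
    public async Task<IHttpActionResult> TokenCheck()
    {
        string accessToken = await GetMicrosoftAccountTokenAsync();
        if (accessToken == null)
            return StatusCode(HttpStatusCode.Unauthorized); // not signed in through the MSA provider

        // accessToken is what the API would send as a bearer token to the downstream service
        // on the user's behalf. Report presence only; never echo the token back to the caller.
        return Ok(new { hasToken = true, tokenLength = accessToken.Length });
    }

    private async Task<string> GetMicrosoftAccountTokenAsync()
    {
        // Preferred path: the Server SDK resolves the provider credentials for the current user.
        var creds = await this.User.GetAppServiceIdentityAsync<MicrosoftAccountCredentials>(this.Request);
        if (!string.IsNullOrEmpty(creds?.AccessToken))
            return creds.AccessToken;

        // Fallback path: the header the authentication layer adds to the inbound request.
        if (Request.Headers.TryGetValues(MsaTokenHeader, out var values))
            return values.FirstOrDefault();

        return null;
    }
}
```

With App Service Authentication enabled, the token never passes through the browser; the API reads it server-side from the platform, which is what keeps the Microsoft Account credential out of the client.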
I'm creating a web app to work with Azure AD.
I'm going through the process of making the REST requests, etc., and I'm a bit confused as to the endpoint URL parameters given by AD versus those given in the help documentation versus what I'm given in the AD console online. On some of the documentation pages, the endpoints are given as "https://login.windows.net/[some domain].onmicrosoft/...", where on the AD console, I'm given a long hash, with no ".onmicrosoft/..." present. I'm having problems with both (something else is obviously wrong), but I can't proceed debugging that until I know which I should proceed with, so I know that this isn't causing the problem.
The "hash" is actually a GUID, and is your tenant ID - the unique identifier for your Azure AD tenant. When constructing the login.windows.net endpoints you can use the tenant ID and the domain name (yourtenant.onmicrosoft.com) interchangeably.
See this post from Vittorio Bertocci for more details on the subject.
This is indeed confusing and not well hashed out in the documentation.
I've created a web-app that also uses Office 365 authentication with Azure AD, and I am using the hash generated by the Azure AD console for my endpoint URLs, and everything is functioning well. Whatever the AD console gives you online is correct, and will work for your particular app (the hash given is in fact replacing a .onmicrosoft domain, and will work well).