I have a Web API project I created using this tutorial that I'm trying to secure using Azure AD.
According to the tutorial, when I create the project, I can select "Change Authentication" and enter my AAD information and the authentication supposed to just "work" as long as I have <Authorize> on the controller I want to secure:
According to the tutorial, I need to add the API as an app in the Azure portal but its steps and screenshots are confusing because they're old and the Azure portal has been reorganized. It says:
Next step is to add the "WebAPIServerSingleTenant" as an app you can access in your native app. Navigate to the "WebAPIClientSingleTenant" app and add "WebAPIServerSingleTenant" to your approved list (tick the checkbox too)
But adding the tenant info from Visual Studio when I created the project creates an app registration in AAD automatically, so I'm not sure what it's asking me to do.
Furthermore, when I try to call the API from Postman, for example, I just get "Authorization has been denied for this request" despite generating and passing an access token in the header of the request that looks right to me.
What steps do I need to follow to secure my web API using Azure AD?
The 'Next step is to add the ..." instruction you quote above is about adding a reference to your API app to the AAD registration of your native app. To register the native app, go to the Azure portal and use App Registration. The instructions for how to do that linked in your article are obsolete - AAD UI is totally different now. Rather use one of the official samples, in particular the one for native client accessing an API.
Related
We have an app that uses the Azure Spring Boot Active Directory starter "com.microsoft.azure:azure-active-directory-spring-boot-starter" and Spring Security to secure access to the app. This all works fine.
This was done by following these instructions:
https://learn.microsoft.com/en-us/azure/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory
Now we want to call DevOps REST APIs on behalf of the logged in users as per these instructions:
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops
The thing that is confusing me is that each set of documentation specifies a completely different way of registering the app
The first says : "From the portal menu, click App registrations, and then click Register an application."
The second says "Go to https://app.vsaex.visualstudio.com/app/register to register your app."
If I register via the second manner it doesn't show up in the list of app registrations in the portal.
So for the moment, I've registered two apps, one in the portal, and one in the second manner.
In order to register a user with the app, I go here, specifying the callback URL that I defined for the second app (bear in mind the first and second apps are the same app).
https://app.vssps.visualstudio.com/oauth2/authorize
?client_id={app ID}
&response_type=Assertion
&state={state}
&scope={scope}
&redirect_uri={callback URL}
However, as I am already logged in to the app via Spring Security/AD (the first mecahnism) I get this error back from the app registration URL above, presumably because I'm logged from the first:
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: idoffirstapplication
Questions:
How can I secure my app via AD which uses Oauth2 under the bonnet, and allow the app to call Devops APIs on their behalf of the logged in users ?
The main issue seems to be that Azure has two completely different sets of endpoints for logging in via Azure and calling Devops REST APIs. For example the REST API Oauth2 token endpoint is https://app.vssps.visualstudio.com/oauth2/token but the AD one is https://login.microsoftonline.com/${azure.activedirectory.tenant-id}/oauth2/token
Can I just have one application and add in the Oauth2 scopes I need (vso.release_execute) and add in an additional redirect_uri to handle the code returned from the call to https://app.vssps.visualstudio.com/oauth2/authorize, and then have call DevOps specific token URLs to get refresh and access tokens ?
The two links are different things. The first link is securing a Java web app using the Spring Boot Starter for Azure Active Directory. The second link is authorizing access to REST APIs of Azure DevOps Service with OAuth 2.0.
The users who can call the DevOps APIs in the application need to be able to access the DevOps organization. You can refer to the C# example in following link:
https://github.com/microsoft/azure-devops-auth-samples/tree/master/OAuthWebSample
I'm trying to set up Azure AD B2C for my web app.
I've already created a tenant. I then created an app. According to articles I'm following, I should then be able to click "API Access" and add scopes. In my case, there's nothing under API drop down:
I already see "Access the user's profile" with the following selected:
Under "Published Scopes", again, I see nothing:
What am I missing here?
UPDATE:
After adding the App ID URI, I was able to move forward a bit but still not sure about published scopes. This is what I currently have:
And under API Access, this is what I have:
Basically, the behavior I'm getting on my frontend app which is built on ReactJs is that I hit the Azure AD B2C login. After entering my credentials, I get redirected to my app. I see id_token in the URL but the MSAL library I'm using doesn't capture the token -- I have a break point in my React code to see if I'm capturing the token. I get sent back to the login screen on Azure, then back to my app. On the third one, I actually see the token being captured but I end up with the following errors:
I'm using this library which is a wrapper for the MSAL.js library: https://github.com/jamesrandall/react-azure-adb2c
I'm pretty certain there are config errors. Just not sure what they are.
API access is used to assign access from a web app to an API app.
Published scopes is used to register the access scopes for the API app.
Before the access scopes can be registered for the API app, an App ID URI must be set as the resource identifier for the API app, as described by the Azure Active Directory B2C: Register your application article.
I have added a Web Application in the Microsoft Application Registration Portal. I can view this app in old azure portal. When I try to configure this app as multi tenant and set the Sign-on URL and the App ID URI values, an error pops up saying one of the values is invalid and the save fails. I can connect to this application using OAUTH and get the required refresh and access tokens. Using these tokens in the graph API I can get mails,contacts and calendar events from my office 365 account. But this happens only for a single tenant. I need to able to do this for multiple tenants and so I want to set this app as multi-tenant. If I create the application in Azure AD itself then I am able to set all the values but I cannot connect to this app using OAUTH as the authentication fails with error message saying
error=unauthorized_client&error_description=AADSTS70001%3a+Application+%2791470123-7e7e-4139-9922-ac95b0a6b383%27+is+not+supported+for+this+API+version.
.I went through a few links like here , here and here but until now I haven't been able to find a solution. I am re-posting this as suggested here. Can anyone suggest what I must do to get through this ?
All applications created through the App Registration Portal have the Multi-Tenant flag set to True by default.
The issues you are facing here are likely due to the fact that the App Registration Portal created our new V2 Applications, while our old portals use our V1 Applications. As a result, switching between portals and trying to make configuration changes, you will likely run into issues where our app model has changed, and certain properties exist in one place, and not another.
Finally it is important to note that we now have a V2 endpoint as well, which lines up with our V2 applications. You need to make sure you are using the right kind of application for the right endpoint.
Let me know if this helps!
I'm developing an application that incorporates the Skype for Business Online Web SDK. I've noticed that it is not possible to access information about the signed in user's Skype account/profile (via Skype's mePerson object).
The only way that I see to do this now is by having yourself as a contact and accessing information about that account/profile, via the Skype person object. This doesn't seem possible to me as it isn't feasible to set a requirement upon every client using my application to have themselves added as a contact on Skype for Business.
This issue is related to the one posted here, on the GitHub Skype Web SDK Samples page: https://github.com/OfficeDev/skype-web-sdk-samples/issues/1
My question: Are there plans to add the User.ReadWrite Permissions in Azure AD for an application extending Skype for Business? Or, is there a known workaround to retrieve the signed in user's profile/account information, which includes status, activity, or avatar/avatarUrl?
I've also posted this on the Microsoft Azure forums:
https://social.msdn.microsoft.com/Forums/azure/en-US/27d6ebdc-f023-4829-96dd-eefb9e1aaeaf/userreadwrite-permissions-in-azure-ad?forum=SkypeWebSDK
However, I've had no response so I'm also posting here in hopes of anybody having any input. Thank you in advance.
As you might have noticed from the issue link in GitHub, the permissions for the information you're trying to grab have been turned on in Azure AD.
You can plug in your Azure AD settings into the Interactive Web SDK to see it in action: https://ucwa.skype.com/websdk
Before you sign in, you'll need to do the following in the Azure AD management console:
Update your app to use the permissions in the image
Change your app's reply URL to this: https://ucwa.skype.com/websdk
Make sure you turn on OAuth implicit flow by modifying your app's manifest. Steps here https://msdn.microsoft.com/en-us/library/office/mt622687%28v=office.16%29.aspx?f=255&MSPPError=-2147217396 under "Configure your app for OAuth implicit grant flow"
Paste your app's Azure client ID into the "Client id" field on https://ucwa.skype.com/websdk
After you sign in, you'll notice one of the examples in the left hand navigation will let you view the signed-in user's presence, ID, etc.
I've also created a forked version of the Web SDK samples that you can easily update with your own Azure AD settings and deploy to your localhost. You might find this more useful for playing around than the hosted Interactive Web SDK.
https://github.com/tamhinsf/skype-web-sdk-samples
I have a web forms application which I developed for testing Authentication/Authorization scenarios. While creating the test project, I selected "No Authentication" which created my project to have no authentication mechanism code. I published the web site to my azure tenant and enabled the Azure Active Directory Authentication from the "Authentication / Authorization" under features. I created an Azure AD app pointing to my web application. After hitting the default page, the app now authenticates and everything seems to work fine.
However, when I run the app locally from within Visual Studio, I am not able to get the user information as there are no appropriate headers available, eg X-MS-CLIENT-PRINCIPAL-NAME. My next step was to call the graph API to get the detailed user information.
NOTE: I am able to include the OWIN code in my web project to authenticate users, but I want minimal code change to my existing on-prem windows authentication application.
Any help / guidance
However, when I run the app locally from within Visual Studio, I am not able to get the user information as there are no appropriate headers available, eg X-MS-CLIENT-PRINCIPAL-NAME. My next step was to call the graph API to get the detailed user information.
This is expected. The X-MS-CLIENT-PRINCIPAL-NAME header (and related headers) is added by the Authentication / Authorization module which runs in app service. when you run locally from Visual Studio, you won't have this module and thus won't have this request header.
If you want to use the same code both locally and in App Service, instead of looking at the request headers, I suggest using .NET APIs which surface up user information, such as ClaimsPrincipal.Current.Identity.Name. This should be populated correctly whether you're using Windows Authentication locally or Authentication / Authorization in Azure App Service.
You can find more information about the underlying mechanics of Authentication / Authorization here: https://cgillum.tech/2016/02/01/architecture-of-azure-app-service-authentication-authorization/.