The following page shows how I can purge Application Insights data -
https://learn.microsoft.com/en-us/rest/api/application-insights/components/purge
I tried following it, but it doesn't mention how to use authentication, and I am getting the following error in response -
{
"error": {
"code": "AuthenticationFailed",
"message": "Authentication failed. The 'Authorization' header is missing."
}
}
Can someone please guide me on how to use the authentication header?
As joy said in the comment, just go to the website and click "Try it" -> log in with your credentials; then you can see the token:
On the page you linked to, scroll all the way up in the menu and find 'Getting started with REST'. When you click that and scroll the page, you find 'Register your client application with Azure AD'.
Most Azure services (such as Azure Resource Manager providers and the classic deployment model) require your client code to authenticate with valid credentials before you can call the service's API. Authentication is coordinated between the various actors by Azure AD, and provides your client with an access token as proof of the authentication. The token is then sent to the Azure service in the HTTP Authorization header of subsequent REST API requests. The token's claims also provide information to the service, allowing it to validate the client and perform any required authorization.
Long story short:
Register your client application with Azure AD
Create the request
Acquire an access token
Assemble the request message
Send the request
Process the response message
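The six steps above, carried out end to end, as an added example (not code from the linked Microsoft page or from the answer): the client-credentials grant against the v2.0 token endpoint, and the purge POST with the resulting bearer token in the Authorization header. The tenant, app registration, subscription, resource names and the purge filter are placeholders to replace; the ARM scope and the purge URL shape follow the linked REST reference.

```python
import json
import urllib.parse
import urllib.request

# Placeholders (assumed names): replace with your own tenant, app registration and resource.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ARM_SCOPE = "https://management.azure.com/.default"
PURGE_URL = (
    "https://management.azure.com/subscriptions/{subscription_id}"
    "/resourceGroups/{resource_group}/providers/Microsoft.Insights"
    "/components/{component}/purge?api-version=2015-05-01"
)


def build_token_request(tenant, client_id, client_secret):
    """Step 3 (acquire an access token): URL and form body for the
    client-credentials grant. client_secret must be in the body."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": ARM_SCOPE,
    }).encode()
    return TOKEN_URL.format(tenant=tenant), body


def build_purge_request(access_token, subscription_id, resource_group, component, table, filters):
    """Step 4 (assemble the request message): the purge POST with the bearer
    token in the Authorization header. Leaving that header out is exactly what
    produces the AuthenticationFailed response quoted in the question."""
    url = PURGE_URL.format(subscription_id=subscription_id,
                           resource_group=resource_group, component=component)
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
    }
    body = json.dumps({"table": table, "filters": filters}).encode()
    return url, headers, body


def _post_json(url, headers, body):
    """Step 5 (send the request) and 6 (process the response)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.load(resp)


def acquire_token(tenant, client_id, client_secret):
    url, body = build_token_request(tenant, client_id, client_secret)
    _, payload = _post_json(url, {"Content-Type": "application/x-www-form-urlencoded"}, body)
    return payload["access_token"]


def purge(tenant, client_id, client_secret, subscription_id, resource_group, component, table, filters):
    """Token acquisition followed by the purge call. The purge is accepted
    asynchronously: expect HTTP 202 and an operationId you can poll for status."""
    token = acquire_token(tenant, client_id, client_secret)
    url, headers, body = build_purge_request(token, subscription_id, resource_group,
                                             component, table, filters)
    return _post_json(url, headers, body)


if __name__ == "__main__":
    # Constructed filter: purge customEvents rows with a timestamp before a given date.
    status, result = purge(
        tenant="contoso.onmicrosoft.com", client_id="<app-id>", client_secret="<secret>",
        subscription_id="<sub-id>", resource_group="<rg>", component="<app-insights-name>",
        table="customEvents",
        filters=[{"column": "timestamp", "operator": "<", "value": "2023-01-01T00:00:00"}],
    )
    print(status, result)
```

The token only proves who the caller is; the service principal still needs an RBAC role that includes the purge action on the component (Microsoft's built-in Data Purger role does), otherwise the request is authenticated but not authorized. Keep the client secret out of source control and prefer a managed identity or certificate credential where the caller runs in Azure.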
You need an Authorization header added to your request to purge the Azure Application Insights data. For more details and a step-by-step guide, refer to - https://sanganakauthority.blogspot.com/2019/06/how-to-delete-or-purge-azure.html
From Azure Data Factory, I'm trying to connect to a REST service that requires an access token (OAuth2).
Tried in Postman with the client credentials flow (client_id/client_secret) and it works fine:
Calling the token endpoint to get an access_token
Use the token in a subsequent request to retrieve data.
I configured the linked service like this, as it is supposed to support the OAuth2 client credentials flow:
But when testing the connection, it fails with this message:
The request body must contain the following parameter: 'client_secret'.
I don't really understand why the client_secret is not added in the request body as it is a client credentials flow.
Not sure if I'm missing some configuration?
For the moment, I'm using Web Activity as a workaround.
This error may have occurred because Allow public client flows is disabled for the application registered in Azure AD.
Enabling it may fix the issue.
Refer - https://learn.microsoft.com/en-us/azure/data-factory/parameterize-linked-services?tabs=data-factory
Refer - https://learn.microsoft.com/en-gb/azure/active-directory/develop/scenario-desktop-acquire-token?tabs=python#username-and-password
I created an API in Azure and recently tried to change the authentication method to access it via OAuth2.
I requested a token using https://login.microsoftonline.com/[TENANT]/oauth2/v2.0/token/ and tried to use it to access my api via postman.
Then I tried to use the received token to make a request to my api:
I used Postman's Authorization pane to specify OAuth2.0 as the authentication method and set the Grant Type configuration to "implicit" and sent a request.
Configured like this, the request goes through using the "http" version of my api but as soon as I try to use the "https" version, I get a 401 error "Unauthorized".
Have I configured my API wrong? Or am I using the wrong URL to authenticate?
Thanks a lot for your time.
After a lot of research I found out what was wrong :
I had to add the application ID to the allowed token audiences of the identity provider (in the Azure App Service, navigate to Authentication > locate the identity provider > click on Edit > at the bottom of the page add your app registration's application ID). For good measure I also added api://[APPLICATION ID]/.default and api://[APPLICATION ID].
There was still some authentication code left in the source code of my API. When I was trying to connect I sometimes had a response which consisted of HTML titled "Sign in to your account". It was caused by a segment of code in the startup.cs file of my API which verified the user who made the request against my Azure AAD. After removing it I no longer had the error.
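Why the 401 in the answer above goes away once the audience list is fixed: a token is rejected when its aud claim names none of the audiences the API accepts, even if the signature is perfectly valid. The following is an added example, not code from the question, the answer or App Service authentication; it signs tokens with HS256 and a constructed shared secret so it runs offline, whereas Azure AD issues RS256 tokens verified against the tenant's published signing keys. The checks and their order (algorithm, signature, expiry, then audience) are the part worth copying; the application ID and secret are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-shared-secret-for-the-example"   # assumed; real tokens use RS256 keys
APP_ID = "11111111-2222-3333-4444-555555555555"          # placeholder application ID
# The same three forms the answer added under "allowed token audiences".
ALLOWED_AUDIENCES = {APP_ID, f"api://{APP_ID}", f"api://{APP_ID}/.default"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT (stand-in for the identity provider)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate(token: str, allowed_audiences: set, secret: bytes = SECRET, now=None):
    """Return (ok, reason). Pin the algorithm before touching the signature so
    a token that says alg=none cannot skip verification; check the audience
    last, after the token is known to be genuine and unexpired."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(a in allowed_audiences for a in audiences):
        # This is the case the answer hit: valid token, wrong (unlisted) audience.
        return False, f"audience {aud!r} not allowed"
    return True, "ok"
```

A token minted for another resource (for example the Graph API) fails the audience check, which is the correct outcome: accepting it would let any token the user holds for any service be replayed against this API.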
I'm using the <log-to-event-hub> policy to log all the requests and responses to Event Hubs. This policy requires a logger-id which refers to the event hub where our logs will be streamed. To create this logger I referred to https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-log-event-hubs, where we send a PUT request to https://{your service}.management.azure-api.net/loggers/{new logger name}?api-version=2017-03-01 with the SharedAccessSignature token generated in the Management API section of the API Management service. Now this token is valid only for 30 days. That means the <log-to-event-hub> policy can log to this event hub only for 30 days.
Today the SharedAccessSignature expired, so all of my APIs started throwing a 500 internal server error. How can I renew this SharedAccessSignature automatically, so that when it is about to expire it automatically gets renewed with a new SharedAccessSignature?
I did not find any solution, so I deleted the event hub and created a new one with the new shared key. I will be storing all my logs in this event hub, so it should be up all the time. Can anyone help me with this?
You're mixing up tokens here. The token you generate in "Management API" section is used to authenticate your call to create logger. This token is only needed if you choose to make that call via our direct api (xxx.management.azure-api.net) and not via ARM. This PUT call needs to be done only once to create a logger. The credentials that are used to talk to eventhub are passed inside payload of that call, see "credentials" here: https://learn.microsoft.com/en-us/rest/api/apimanagement/2019-01-01/logger/createorupdate#request-body. And it's those credentials you may need to rotate. See eventhub docs on how to create those credentials.
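To make the two credentials in the answer concrete, here is an added example (not from the question, the answer or the linked reference): it builds the request body for the logger create-or-update call, with the Event Hub connection string under "credentials", and shows that rotating the Event Hub key means re-issuing that body with the new key. The APIM management SharedAccessSignature never appears in the body; it only goes in the Authorization header of the PUT. The namespace, hub name and keys are constructed.

```python
import json

# Constructed sample; the key is not a real one.
SAMPLE_CONNECTION_STRING = (
    "Endpoint=sb://contoso-ns.servicebus.windows.net/;"
    "SharedAccessKeyName=apim-logger;"
    "SharedAccessKey=OLDKEYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
)

REQUIRED_FIELDS = ("Endpoint", "SharedAccessKeyName", "SharedAccessKey")


def parse_connection_string(cs: str) -> dict:
    """Split an Event Hubs connection string into its fields.
    partition() on the first '=' keeps the base64 padding of the key intact."""
    parts = {}
    for item in cs.split(";"):
        if not item:
            continue
        key, _, value = item.partition("=")
        parts[key] = value
    missing = [k for k in REQUIRED_FIELDS if k not in parts]
    if missing:
        raise ValueError(f"connection string is missing {', '.join(missing)}")
    return parts


def with_rotated_key(cs: str, new_key: str) -> str:
    """Same namespace and policy name, new SharedAccessKey: the only part that
    changes when the hub's key is regenerated."""
    parts = parse_connection_string(cs)
    parts["SharedAccessKey"] = new_key
    return ";".join(f"{k}={v}" for k, v in parts.items())


def logger_body(event_hub_name: str, connection_string: str,
                description: str = "APIM request/response log") -> dict:
    """Body of the logger create-or-update PUT. 'credentials' is what the
    gateway uses to talk to the hub; the management SAS is a separate thing."""
    return {
        "properties": {
            "loggerType": "azureEventHub",
            "description": description,
            "credentials": {
                "name": event_hub_name,
                "connectionString": connection_string,
            },
        }
    }


def rotate_logger_body(event_hub_name: str, current_cs: str, new_key: str) -> str:
    """JSON to PUT back to the same logger id after the Event Hub key is rotated."""
    return json.dumps(logger_body(event_hub_name, with_rotated_key(current_cs, new_key)), indent=2)


if __name__ == "__main__":
    print(rotate_logger_body("apim-logs", SAMPLE_CONNECTION_STRING, "NEWKEYyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy="))
```

Regenerate one of the two hub keys, PUT the updated logger, and only then regenerate the other, so the gateway always holds a valid key; the policy keeps referencing the same logger-id throughout, so no API redeploy is needed.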
I need some help with Azure API Management service.
At the moment we have a Single Page App which is using two Backend Services (WebApi .Net Core) hosted on Azure. To authenticate and authorize users we are using IdentityServer (also hosted on Azure as a service) + SubscriptionService. Here IdSrv is authenticating the user and it also defines to which APIs the webapp has access. The SubscriptionService has information on whether the user has rights to given APIs. More or less like that.
So the flow is:
WebApp -> redirect to IdSrv endpoint -> login -> back to UI -> ask backend with user credentials (token)
Now, we want to add Azure API Management to the mix and I am struggling how to do that...
Initially we were thinking that we can hide everything including the IdentityServer behind API Management gateway, but looks like this doesn't make sense or is impossible. I found this as a helpfull reference: Generate Access Token and validate against IdentityServer4 through Azure API Management in which the second answer is quite important remark.
Based on that I think that I need to leave the Client to use IdentityServer to authenticate as this requires UI interaction but then somehow set a global policy in API Management to authorize the user using mentioned Send-Request policy. And then change backend to accept the JWT tokens from this policy? Is my thinking correct? How to implement that?
Or I should just pass the authorization-header from client request through API Management?
All those things are new for me so it could be that I missed something or messed up the terms...
The way you integrate APIM into the picture may depend on the goals you want to achieve with APIM. You could hide IdSrv behind APIM, since there is the Client credentials flow that would allow APIM to authenticate/authorize itself to an API, or you could have the user authorize APIM once via the Auth code grant and then store refresh tokens and use them to talk to an API. But I'm not sure that would be best, since it changes your system quite a bit and forces you to solve other problems instead, like how to authenticate the user to APIM. In some cases this may be a good approach; it's up to you to decide.
If you're fine with keeping IdSrv facing the user, then we have APIM receiving a token with every request. You could then have a global/API policy in APIM that would send the token received from the user to SubscriptionService to check the user's authorization to make the call (you can do that with the send-request policy), and either let the call pass or deny it. This approach is most useful if you want to use a different auth mechanism between APIM and the backend, because if APIM is doing the authorization work, your backend could avoid checking any user access and instead just authorize APIM to do everything.
Check out this sample on how to authorize requests using external service: https://learn.microsoft.com/en-us/azure/api-management/policies/authorize-request-using-external-authorizer
It is quite late after this question was asked, but here I describe how we have done that. We cover UI clients and device clients with SSL certificate auth on APIM. In short:
UI Client is being redirected to the ID Server login page
APIM is doing token validation with ID Server
APIM is doing SSL certificate verification in the DB and returning token-like data for devices to pass some "device account" information.
More details can be found here:
I made a custom policy for Azure B2C, added jwt.ms as a reply URL and everything seems to be working fine. When I log in, I get redirected to jwt.ms showing the token and its contents. However, when I try to link my Angular frontend to this custom policy, it does not seem to work. I need the response type id_token token, but when I use this response type I get the error "This application does not have sufficient permissions against this web resource to perform the operation."
When I use the response type id_token it seems to work fine and I get a reply with the JWT token.
I thought the problem might be in the Implicit grant settings under applications, so I have tried enabling Access tokens and ID tokens for all applications but this did not help.
Implicit grant settings
The request looks as follows:
https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize
?p=b2c_1a_signup_signin&client_id={client_id}
&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2F&response_type=id_token%20token
&scope=openid%20https%3A%2F%2F{tenant}.onmicrosoft.com%2Fapi%2Fuser_impersonation
&nonce={nonce}
&state={state}
So if you replace the characters it looks like this:
https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize
?p=b2c_1a_signup_signin&client_id={client_id}
&redirect_uri=http://localhost:4200/&response_type=id_token token
&scope=openid https://{tenant}.onmicrosoft.com/api/user_impersonation
&nonce={nonce}
&state={state}
I expect the login flow to return both the JWT ID token and an access token.
Edit:
I created a whole new B2C tenant with a standard Signupsignin user flow and I still experience the same issues. So I concluded that it is not a custom policy issue, but an issue caused by a configuration in Azure or the front-end application.
After a lot of experimenting I came to understand your problem. I guess you are not trying it in the right format. I also don't know which document you referred to. Okay, the first problem is...
You are getting this error "This application does not have sufficient permissions against this web resource to perform the operation"
Reason
You have not set API access for your target application in the Azure portal. To achieve that you have to add API access to your application.
Let say you have two Published scopes on your B2C tenant application like below:
Create API Access
To avoid the above error, add API access. To do that, go to your application and select API access; after that you will see an Add button on top. Click it and the API access window will open on the right side; just click OK. See the screenshot below:
After API access is added successfully, it should look like below
Note: Hope It will solve your error while you are trying to send request.
B2C id_token and Access Token
Follow the below steps for Id_token
ID Token Access Process
https://YourB2CTenant.b2clogin.com/tfp/YourB2CTenant.onmicrosoft.com/YourPolicy/oauth2/v2.0/authorize?
client_id= YourApplicationId
&redirect_uri= Your reply from Application
&scope=openid
&response_type=id_token
Take a look below at Id_token:
Note: Just fill out the above format and paste it into your browser with no spaces between. If it is correct then a sign-in page will be
prompted. After sign-in you will be given the id_token in your browser.
B2C Access Token
Follow the below format In POSTMAN:
Grant Type:authorization_code
Callback URL: Your Reply URL
AuthURL:https://YourTenant.b2clogin.com/YourTenant.onmicrosoft.com/YourFlow/PolicyName/oauth2/v2.0/authorize?
Access Token URL:
https://YourTenant.b2clogin.com/YourTenant.onmicrosoft.com/oauth2/v2.0/token?p=YourFlow/PolicyName
Client ID: Your Application Id
Client Secret = Application Key
Scope= any of your Published scopes
Post Man request Process
Go to Postman, click on the Authorization tab and select the type OAuth 2.0. See the screenshot below:
To get an access token, click on Get New Access Token. You will be prompted with the following window; fill it out with the format mentioned above.
After hitting the Request Token button you will be prompted with a sign-in window; after a successful login you will get the access_token in the response, like below:
Note: In B2C there is no supported way to get Id-Token and access_token together in a single request. You have to achieve it in
separate requests. For more details you could refer here
If you still have any problem please feel free to share here in comment. Thank you and happy coding!
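The authorize request from the question, built and consumed in code, as an added example (not the question's Angular code or the answer's Postman setup): it URL-encodes the parameters the same way the question shows, generates a fresh state and nonce per login, and, when the browser comes back with the fragment response, refuses anything whose state or nonce does not match. It works for whichever response_type you settle on. The tenant, client id and the sample fragment are constructed; the helper that fabricates an unsigned id_token exists only so the script runs offline.

```python
import base64
import json
import secrets
import urllib.parse


def new_state_and_nonce():
    """Fresh per-login values: state binds the response to this browser session
    (CSRF defence), nonce binds the id_token to this request (replay defence).
    Store both server-side or in session storage until the redirect returns."""
    return secrets.token_urlsafe(16), secrets.token_urlsafe(16)


def authorize_url(tenant, policy, client_id, redirect_uri, scopes, response_type, state, nonce):
    """Same shape as the request in the question; quote (not quote_plus) so
    spaces become %20 and the '/' in the scope URI becomes %2F."""
    base = f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize"
    params = {
        "p": policy,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": response_type,
        "scope": " ".join(scopes),
        "nonce": nonce,
        "state": state,
        "response_mode": "fragment",   # tokens arrive after '#', never in server logs
    }
    return base + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def _claims_without_verification(jwt):
    """Decode the payload only. Signature, issuer, audience and expiry must be
    verified against the policy's published keys before these claims are trusted;
    that step is outside this example."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def handle_redirect(redirected_url, expected_state, expected_nonce):
    """Parse the fragment B2C redirects back with and enforce state and nonce.
    Returns (id_token claims, access_token or None)."""
    fragment = urllib.parse.urlparse(redirected_url).fragment
    params = dict(urllib.parse.parse_qsl(fragment, keep_blank_values=True))
    if "error" in params:
        raise ValueError(f"{params['error']}: {params.get('error_description', '')}")
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch: response does not belong to this login attempt")
    id_token = params.get("id_token")
    if not id_token:
        raise ValueError("no id_token in response")
    claims = _claims_without_verification(id_token)
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: id_token was not issued for this request")
    return claims, params.get("access_token")


def _fake_id_token(claims):
    """Constructed, unsigned token used only to exercise handle_redirect offline."""
    def b64(data):
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    header = b64(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64(json.dumps(claims).encode())}."


if __name__ == "__main__":
    state, nonce = new_state_and_nonce()
    print(authorize_url("contoso", "b2c_1a_signup_signin", "<client_id>", "http://localhost:4200/",
                        ["openid", "https://contoso.onmicrosoft.com/api/user_impersonation"],
                        "id_token token", state, nonce))
    # Constructed redirect, as the browser would receive it after sign-in.
    back = (f"http://localhost:4200/#id_token={_fake_id_token({'nonce': nonce, 'sub': 'user1'})}"
            f"&access_token=abc&token_type=Bearer&state={state}")
    print(handle_redirect(back, state, nonce))
```

Compare state with a constant-time comparison and treat an error parameter as a hard failure; an app that accepts a response without matching state or nonce can be handed someone else's tokens by a crafted link.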