We have developed an ASP.NET web application in which we perform authentication using Azure B2C and also call the Azure Graph API to fetch additional custom attributes. I am able to successfully authenticate using OpenIDConnectMiddleware. But when I try to get the user information using the Azure Graph API, it hangs.

```csharp
AuthenticationResult result = await authContext.AcquireTokenAsync(this.aadGraphResourceId, credential);
```

should be like this, right?

```csharp
AuthenticationResult result = await authContext.AcquireTokenAsync(this.aadGraphResourceId, credential).ConfigureAwait(false);
```
I am calling Wait in a blocking method.
Change that Wait to await. When using asynchronous code, you should go async all the way. If you don't, then you can cause a deadlock.
I am trying to use a python azure function to call an API running on an Azure app service.
(I have managed to get the webAPI to call the function-trigger (managed-identity and all that), but the function needs data that can be retrieved from the API.)
In order to simplify authentication, my thought is to use the managed-identity within the python function and create a JWT that accompanies the requests.
```python
from azure.identity import DefaultAzureCredential

# Managed identity of the function app (resolved by DefaultAzureCredential when running in Azure)
credential = DefaultAzureCredential()
token = credential.get_token("api://<APPLICATION_ID>/.default")
# make call to API using token as authorization
# response 200
```
This currently works. APPLICATION_ID is registered within Azure AD.
It feels wrong to request a token using the function's APPLICATION_ID as a scope, when the API in reality has nothing to do with it. But my attempts at using any other scope are met with errors.
The service/resource you want to access decides the scope.
e.g. if you want to access storage, the scope is "https://storage.azure.com/.default".
(I work in Microsoft Azure SDK team)
I am using Microsoft Azure AD as authentication. When I try to change the user password with the Graph API it gives me an error.
I have also set the permission that is required for the password change, but it still does not work.
I have written code in Node.js like this:
```javascript
const changePassword = {
  currentPassword: ctx.request.body.currentPassword,
  newPassword: ctx.request.body.newPassword
};
const client = createAuthenticated.createAuthenticatedClient();
await client.api('/me/changePassword').post(changePassword);
```
The change-password API only supports delegated permission; this is indicated in the API document, and it also appeared in your error message.
Delegated API permission means you can't use the client credential flow to generate an access token/credential to call this API; you can only use flows such as the ROPC flow or the auth code flow to generate the access token.
I think you've read this sample to call the API, but you didn't choose a correct authentication provider. If your app is a website which requires users to sign in, then you may choose this one. But please note, the client-credential flow is not suitable for this scenario.
=======================Update====================
The HTML+JS code in this answer of mine provides a sample which integrates MSAL to let the user sign in and generate an access token for calling the Graph API.
Change the AzureMgmtScops value to scopes: ["Directory.AccessAsUser.All"]; it will then return you an access token with this permission. Then please use this token to send a POST request like this; I think you can then finish your task. But this way will not change your server side; it's suitable for a structure where the frontend and backend are separated.
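Added example (not code from either answer on this page) serving both the scope answer above, where the `aud` a token carries follows from the scope it was requested with, and this answer, where `/me/changePassword` needs a delegated token: a signature-free decoder that inspects a token's claims before the request is sent. The tokens below are constructed, unsigned samples with placeholder GUIDs; a real resource server still validates the signature.

```python
import base64
import json

# JWT segments are base64url without padding; restore the padding before decoding.
def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.
    Fine for client-side inspection; the API receiving the token must still validate it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def audience_matches(token: str, expected_aud: str) -> bool:
    """True if the token was issued for expected_aud, e.g. 'api://<APPLICATION_ID>'.
    A token minted with the wrong scope carries the wrong 'aud' and the API rejects it."""
    aud = decode_jwt_claims(token).get("aud")
    return expected_aud in aud if isinstance(aud, list) else aud == expected_aud

def is_delegated_token(token: str) -> bool:
    """Delegated (user signed in) tokens carry 'scp'; app-only tokens from the
    client credentials flow carry 'roles' instead and have no 'scp' at all."""
    return "scp" in decode_jwt_claims(token)

def can_call_me_change_password(token: str) -> bool:
    """/me/changePassword needs a delegated token holding Directory.AccessAsUser.All."""
    claims = decode_jwt_claims(token)
    return "scp" in claims and "Directory.AccessAsUser.All" in claims["scp"].split()

def make_unsigned_sample_jwt(claims: dict) -> str:
    """Constructed sample only: alg=none and an empty signature; no real API accepts it."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."

# Constructed sample tokens (not real Azure AD tokens; the GUIDs are placeholders).
FUNCTION_APP_ID = "api://11111111-1111-1111-1111-111111111111"
WEB_API_APP_ID = "api://22222222-2222-2222-2222-222222222222"
APP_ONLY_TOKEN = make_unsigned_sample_jwt(
    {"aud": "https://graph.microsoft.com", "roles": ["Sites.Read.All"]})
DELEGATED_TOKEN = make_unsigned_sample_jwt(
    {"aud": "https://graph.microsoft.com", "scp": "Directory.AccessAsUser.All User.Read"})
FUNCTION_SCOPED_TOKEN = make_unsigned_sample_jwt({"aud": FUNCTION_APP_ID, "roles": ["default"]})
```

Run `audience_matches(FUNCTION_SCOPED_TOKEN, WEB_API_APP_ID)` to see why a token requested with the function's own application id as scope is not accepted by a separate web API.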
I previously used the Microsoft.Graph package to work with the Graph API. I used client credentials to authenticate as an application and was able to get site details and more with the code snippet below.
```csharp
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var delta = await graphClient.Sites.Request
```
I want to get the same data by making the HTTP request and getting the response from it.
https://graph.microsoft.com/v1.0/sites
I have to call the above request to get the site details. How do I get an auth token and get the response from it?
Before you can call the Graph API, you will have to register your app in Azure AD, and you will then be able to call some APIs to get an access token to make authenticated requests. You can find here the documentation from Microsoft https://learn.microsoft.com/en-us/graph/auth-v2-user to get an access token and call the API on behalf of a user, or you can make anonymous calls by following this one https://learn.microsoft.com/en-us/graph/auth-v2-service.
When you have a token, you can use it to call the Microsoft Graph API (just be sure to have the correct rights for your registered app to call the Graph API).
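As an added example (not the answer author's code), the two steps the answer describes done with the standard library only: a client credentials token request against the v2.0 token endpoint, then a GET on https://graph.microsoft.com/v1.0/sites with the bearer token. It assumes the tenant, client id and secret are supplied in the AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET environment variables and that the app registration already holds an application permission for sites (e.g. Sites.Read.All) with admin consent.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SITES_URL = "https://graph.microsoft.com/v1.0/sites"

def build_token_request(tenant: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Client credentials grant (app-only): the app proves itself with its own secret, and
    '/.default' asks for every application permission already consented for it on Graph."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    return urllib.request.Request(
        TOKEN_URL.format(tenant=tenant), data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def extract_access_token(token_response_json: str) -> str:
    """Pull the bearer token out of the token endpoint's JSON, surfacing AAD's error fields."""
    payload = json.loads(token_response_json)
    if "access_token" not in payload or payload.get("token_type") != "Bearer":
        raise RuntimeError(f"token error: {payload.get('error')}: {payload.get('error_description')}")
    return payload["access_token"]

def build_graph_request(access_token: str, url: str = GRAPH_SITES_URL) -> urllib.request.Request:
    """Authenticated Graph call: the token goes in the Authorization header, nowhere else."""
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"})

def _send(request: urllib.request.Request) -> str:
    try:
        with urllib.request.urlopen(request, timeout=30) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:  # 401/403 bodies explain missing permissions
        raise RuntimeError(f"HTTP {err.code} from {request.full_url}: {err.read().decode()}") from err

def get_sites(tenant: str, client_id: str, client_secret: str) -> dict:
    """Token request followed by the /v1.0/sites call; returns the parsed Graph response."""
    token = extract_access_token(_send(build_token_request(tenant, client_id, client_secret)))
    return json.loads(_send(build_graph_request(token)))

if __name__ == "__main__":
    # The secret is read from the environment so it never lands in source control.
    sites = get_sites(os.environ["AZURE_TENANT_ID"], os.environ["AZURE_CLIENT_ID"],
                      os.environ["AZURE_CLIENT_SECRET"])
    print(json.dumps(sites, indent=2))
```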
The Azure AD B2C with UWP sample on GitHub requires some optional steps, as described in the GitHub readme, which asks us to create a web API in step 4 and hence use API scopes for that web API in the code written in app.xaml.cs:
```csharp
public static string[] ApiScopes = { "https://fabrikamb2c.onmicrosoft.com/demoapi/demo.read" };
```
Problem: I don't have a backend API for my project yet, and I don't want to make a traditional web API for my project; I will be using Azure Functions for a serverless API.
But the Sign In button leads to getting the authentication token with the following method:
```csharp
authResult = await App.PublicClientApp.AcquireTokenAsync(
    App.ApiScopes,
    GetUserByPolicy(App.PublicClientApp.Users, App.PolicySignUpSignIn),
    UIBehavior.SelectAccount,
    string.Empty,
    null,
    App.Authority);
```
As you can see above, App.ApiScopes is provided here, which is a required parameter in this method. If I provide a string[] with only an empty string here, I am able to log in, but I don't see any token in the output in my UWP UI.
So how can I bypass this API scope problem and have a working sample for myself? Or do I have to create a web API for some kind of security reason; I mean, is that a mandatory part?
You can use your app's client_id as the scope in order to get a token issued to itself.
This approach is fine if you want to tightly couple your client and API; however, if you end up having multiple Azure Functions and multiple clients and don't want all clients to be able to call all functions, you'll need to start splitting up their app registrations and defining scopes accordingly.
During the recent Microsoft Cloud roadshow in London, something that came out of one of the talks on App Service was using AAD B2C for authentication.
It is currently possible to add Azure AD as authentication for an API App:
Calling this API app from a browser-based web app with no authorization header results in a 302 redirect immediately followed by a 401 response.
It was mentioned at the cloud event that it would be possible to call an API app anonymously from a web app, and have the Azure App Service handle the redirection to the AAD login page, get the token on successful login and then pass the call on to the API app and return the data.
However, I am struggling to see how this can be achieved without any responsibility on the calling web app to handle the redirect. Normally you would handle a 401 response from an API by obtaining a bearer token via AAD on the client side and sending it through as the authorisation header with the api request.
I have been through numerous examples on the Azure site and others and all of them are handling the logon/obtaining the token in the client web app.
Is this even possible?
UPDATE: I just realized (as pointed out by @Darrel-Miller) that you don't really want to allow the user to put the credentials in.
The only thing that is still unclear to me is where you want to provide the credentials for AAD. What exactly is it that you would like to accomplish?
Even more, why would you use AAD if there is no user interaction at all?
If all that you want is a secure connection, you can just use the standard application key for the web API without enabling AAD. And it's pretty straightforward to just add the MS_ApplicationKey to your header and you are good to go.
As you described in your comment, you have a web client that tries to do the requests and gets the 302; that is why my original answer was that you would use ADAL. But now that I get deeper into what you want, what you probably want to use is KurveJS:
https://github.com/MicrosoftDX/kurvejs
And it has the AAD app model v2 with Active Directory B2C.
This makes it easy to add third-party identity providers such as Facebook and sign-up/sign-in/profile-edit experiences using AD B2C policies.
You can read more about it here:
https://github.com/MicrosoftDX/kurvejs/blob/master/docs/B2C/intro.md
Do you mean this?
https://msdn.microsoft.com/en-us/magazine/dn463788.aspx
Just use the ADAL NuGet package to handle the call...
You can read this from the post:
As soon as the execution hits the call to AcquireToken, you’ll get the authentication dialog shown in Figure 8. ADAL takes care of contacting the right endpoint and rendering the authentication experience provided by the server in a pop-up dialog without requiring you to write any UI code.
I hope this works for you!