I’m using MS ADAL for login authentication in ionic 3.
Plugin: https://ionicframework.com/docs/v3/native/ms-adal/
Login screen appearing , when i'm login, its sending issue,
getting error :
"AADSTS50020: We are unable to issue tokens from this api version for a Microsoft account. Please contact the application vendor as they need to use version 2.0 of the protocol to support this."
code:
authContext.acquireTokenAsync(‘https://graph.windows.net’, ‘4324dsad-b5c3’, ‘http://localhost:8000’,"","")
.then((authResponse: AuthenticationResult) => {
console.log(‘Token is’ , authResponse.accessToken);
console.log(‘Token will expire on’, authResponse.expiresOn);
})
.catch((e: any) => console.log(‘Authentication failed’, e));
According to the error, you may login with a personal Microsoft account. But Azure AD authentication library (ADAL) uses v1.0 endpoint, it does not allow personal Microsoft account to sign in, the v1.0 endpoint allows only work and school accounts to sign in to your application.
See this link:https://learn.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison#who-can-sign-in
Related
I found in documentation that is only possible using the console. That is true? I think that should exists a way that I can do that via api, no?
Ref: https://cloud.google.com/identity-platform/docs/multi-tenancy-managing-tenants
How can I create a tenant with social provider with firebase admin SDK?. I found in documentation that is only possible using the console
The doc you refer to explains that:
Using the Admin SDK, you can
manage tenants programmatically from a secure server environment
instead of using the console. This includes the ability to create,
list, get, modify, or delete tenants
and you can find the following example for creating a tenant. Note that by "secure server environment" the doc means a server you own on which you execute Admin SDK code or a Cloud Function.
admin.auth().tenantManager().createTenant({
displayName: 'myTenant1',
emailSignInConfig: {
enabled: true,
passwordRequired: false, // Email link sign-in enabled.
},
// TODO: Remove if you don't want to enable multi-factor authentication.
multiFactorConfig: {
state: 'ENABLED',
factorIds: ['phone']
},
// TODO: Remove if you don't want to register test phone numbers for use
// with multi-factor authentication.
testPhoneNumbers: {
'+16505551234': '145678',
'+16505550000': '123456'
},
})
.then((createdTenant) => {
console.log(createdTenant.toJSON());
})
.catch((error) => {
// Handle error.
});
I know this is a bit late but it looks like adding social logins to a tenant via the admin sdk is not supported at the moment. See this doc
My best reporoduction of the table in markdown
Feature
Google Cloud Console
Admin SDK
Email
X
X
OIDC
X
X
SAML
X
X
Social
X
Phone
MFA
X
X
Anonymous
X
Your client side code is what enables the various social provider sign-in's. In other words, the admin SDK has nothing to do with it.
To setup the various social providers, see Firebase Authentication.
I have an Azure AD B2C tenant setup with an Angular app on the front-end using Authorization Code Flow with PKCE and a back-end api. Everything is working fine. I now have a need to allow the user to access certain pages on the front-end anonymously. I would prefer to still protect the apis these pages will call using the same access token.
I have followed the article here to set up Client Credentials flow. I am able to get an access token successfully using Postman and use it to call my back-end apis fine. However, when I try to do the same from the Angular app, I get the following error:
{"error":"invalid_request","error_description":"AADB2C99067: Public Client XXXXX-XXXXXX is not supported for Client Credentials Grant Flow\r\nCorrelation ID: 2b3346ef-1828-4900-b890-06cdb8e0bb52\r\nTimestamp: 2022-07-28 04:12:21Z\r\n"}
Below is the code snippet I am using in Angular to retrieve the access token.
const urlencoded = new URLSearchParams();
urlencoded.set('grant_type', 'client_credentials');
urlencoded.set('client_id', '<clientid>');
urlencoded.set('client_secret', '<clientsecret>');
urlencoded.set('scope', '<scope>');
const httpOptions = {
headers: new HttpHeaders({ 'Content-Type': 'application/x-www-form-urlencoded' }),
};
const url = 'https://<b2ctenant>.b2clogin.com/<b2ctenant>.onmicrosoft.com/<customPolicy>/oauth2/v2.0/token';
return this.httpClient.post(url, urlencoded, httpOptions);
Any ideas what could be missing?
Thanks!
Though azureadb2c supports client_credential flow.One may not use them with SPA apps.
This scenario is not supported by MSAL.js. Client credential flow/ grant type will not work in SPAs(Angular) because browsers cannot securely keep client secrets.
As they may end up in the browser, visible to everyone and to attackers that load them.
Note:As the application's own credentials itself are being used, they must be kept safe - never publish that credential in your source
code
If you are using it for web app , please make sure to select the platform as web or change the reply url type to be web.
"replyUrlsWithType": [
{
"url": "https......",
"type": "Web"
},
]
Please refer :
Configure authentication in a sample Angular SPA by using Azure
Active Directory B2C | Microsoft Docs
OAuth 2.0 client credentials flow on the Microsoft identity platform- Microsoft Entra | Microsoft Docs
I am trying to use Google as an identity provider in an ADB2C SignInSignUp userflow, consumed within a React Native app through a WebView.
When I am testing this I am hitting an error that I cannot seem to find the cause of. Upon signing up with google I receive the following response object:
{"canGoBack": true, "canGoForward": false, "loading": false, "target": 99, "title": "Loading...", "url": "https://TENANT.b2clogin.com/TENANT.onmicrosoft.com/oauth2/authresp?state=StateProperties%3DeyJTSUQiOiJ4LW1zLWNwaW0tcmM6NjIxMDMyYTYtZTVlZC00OTJkLTg1NmMtMTAzYzg3Mzc0YmE3IiwiVElEIjoiZDM5ZTgwY2MtNzJlNy00ZGE5LWJjODYtMGRjZGNlN2Q1MDZlIiwiVE9JRCI6IjRkOTkyMzhiLTBhOGEtNGU0Ny1hYTRkLTk5NTZiYTY3NmE5YyJ9&code=4%2F0AX4XfWhrpKK2DDX58pFTHkb_U2e8SvGnLrPvhI4grUn5ojA5R-q7q4KjcdS1tO4DYemuWQ&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&authuser=0&prompt=none#"}
Typically I would receive the fully formatted token back in this response, which I then use for server side validation. This works when signing up with Apple and as a B2C user when pressing 'Sign up now' on the userflow.
The token returned in this is not formatted correctly and doesn't follow 'code=' in the response url as I usually get when signing in or up through the other methods, and therefore throws an error of :'AADB2C90090: The provided JWE is not a valid 5 segment token.' when trying to parse what follows StateProperties.
Does anybody know why Google would not return a valid token in the same way that Apple/Microsoft do when signing up?
Any help would be greatly appreciated
Please check few workarounds:
Try to include client id in scope along with other scopes
2.Try mentionin Response_mode=form_post in auth request
In some cases its working with other versions , so try Msal version 4.32. see Issue · GitHub
According to sign-in with a Google account - Azure AD B2C | Microsoft Docs make sure to create app registered in google’s console
Also note from the same document and this blog:
References:
jwt - Azure AD B2C - Token validation does not work - Stack Overflow
Azure Active Directory B2C - Authorization code encoding issue
(microsoft.com)
I'm trying to integrate the MS Teams API in a Web-App.
First of all i was trying to use the MS API from Postman to see the workflow.
On the Azure UI i have succesfully created an App-Registration: i have my ClientID, TenantID and i have created also the client secret.
I downloaded the Postman API from https://github.com/microsoftgraph/microsoftgraph-postman-collections and i can retrieve the App-Only Access token.
I created two users in a group and i logged them on MS Teams Application, they can chat.
I can also get the User Access Token and endpoints such
https://graph.microsoft.com/v1.0/users
https://graph.microsoft.com/v1.0/me
etc..
are correctly working.
I am passing the User Access Token as Bearer token for the request.
These are the API permissions i gave:
I am having issues with the endpoints in the folder Events like:
https://graph.microsoft.com/beta/me/findRooms
https://graph.microsoft.com/v1.0/me/calendars
etc..
They all give the same error:
{
"error":{
"code":"NoUserFoundWithGivenClaims",
"message":"The user specified by the user-context in the token does not exist.",
"innerError":{
"oAuthEventOperationId":"08e3abc3-3fdf-4d85-849d-7632ac0723d2",
"oAuthEventcV":"CGW24oLIeEW1qoscgMIMTw.1.1",
"errorUrl":"https://aka.ms/autherrors#error-InvalidUser",
"requestId":"8e6cb242-17fe-4a94-8c89-912606578fb3",
"date":"2021-03-09T12:04:27"
}
}
}
I haven't found anything about this error.
Can someone help me?
Thanks.
You can check your bearer token by putting it in jwt.ms and see if you have the required permissions in 'scp' claim.
If you are getting MailboxNotEnabledForRESTAPI then you need to check if you have the proper exchange license or not.
You can add license by going into Microsoft Admin Center -> Users -> Active Users -> Select your user -> Licenses
How do you get the authentication contact info from azure ad b2c with the microsoft graph, I am looking to retrieve the email address.
I checked the documentation on Microsoft Graph API and could find no mention of how to get the Authentication Contact Info besides using PowerShell (learn.microsoft.com/en-za/azure/active-directory/authentication/…)
Based on this article, there are still some gaps between the Microsoft Graph API and the older Azure AD Graph API, but seems neither will fully retrieve what's required.
As of now, the following with get the Alternate Email field only from the "Authentication contact info" section using the Azure AD Graph API;
Register the Application in Azure AD
In the Azure Active Directory instance;
Register a new application (client_id)
Grant "Read all users' full profiles" permissions to Windows Azure Active Directory
Create a private key (client_secret) for the application
Authentication Flow
Reference: Service to Service Calls Using Client Credentials
Retrieve an access token
Request
POST https://login.microsoftonline.com/<tenant id>/oauth2/token
Payload
{
"client_id": "<client_id>",
"client_secret": "<client_secret>",
"resource": "https://graph.windows.net",
"grant_type": "client_credentials"
}
User Authentication Contact Info
Reference: Basic operations on users
Get user
Request
GET https://graph.windows.net/<tenant_id>/users/<user_id>?api-version=1.6
Headers
{
"Authorization": "Bearer <access_token>"
}
Response
{
...
"otherMails": ["<Alternate Email>"],
...
}
As you mentioned it seems that there is no microsoft Graph API could get the authentication Contact Info Email.
But we could get that information with following API, I capture it with browser. It seems a litte hack.
Get https://main.iam.ad.ext.azure.com/api/UserDetails/{userId}
About how to get the access token, please refer to this blog.
Note: I don't find this API in the Azure official document. Please don't use it for product, you could use it for test.