I'm facing an issue of communication from Azure to Mashery (and so Mashery to my code but it's work).
I'm in a professional Azure environment.
From a user's request, Azure has to send his request to our program in my company's cloud (thanks to the messaging endpoint of the bot azure). However for security, Azure has to send it through Mashery.
In consequence my code needs to receive users' requests with a security layer using Mashery : Azure has to be authenticated by Mashery.
It's required to work properly with the SDK. The SDK requires a bearer in the header of the message. However there is no bearer currently.
How can I setup Azure to authenticate itself to Mashery (before sending the user's request at the messaging endpoint) ?
Related
I am working on a project, in which I am building a publish-subscribe system through Azure Web PubSub Service. The JavaScript clients (subscribers) are connected through socket and able to receive the published message on the Hub and in the Group. For this I followed this tutorial: https://learn.microsoft.com/en-us/azure/azure-web-pubsub/tutorial-pub-sub-messages?tabs=javascript
Everything is working fine, as I am in the POC phase yet. So currently I am publishing messages through JavaScript from above tutorial. But now I am starting to integrate it in my existing app which is developed in PHP. So I am thinking to use following Azure REST API for Web PubSub operation: https://learn.microsoft.com/en-us/rest/api/webpubsub/dataplane/web-pub-sub
Before this I worked on the Azure Graph APIs, in which I did an App Registration at Azure Portal with some Redirect URLs, and assign some permissions to access the resources. I did this for Outlook Mail, Overdrive, SharePoint and its very straight forward process to get the access token (JWT) to access the resources.
But I am stuck and unable to get the access token for Azure Web PubSub API. I need token to just Publish a message from PHP end by REST API. I checked in App Registration's > API permissions section, there is no permission for the Azure Web PubSub Service. I checked the same app in Enterprise application also. Did some hit and try, but didn't get the access token. I know the issue is with the permission.
Please help me to get the token for this, so will call the Web PubSub API, Or if I am missing something please help me to trace. Any suggestion are welcome.
Thanks.
I think you can make use of the following REST API endpoints:
Web Pub Sub - Grant Permission
https://learn.microsoft.com/en-us/rest/api/webpubsub/dataplane/web-pub-sub/grant-permission#webpubsubpermission
Web Pub Sub - Generate Client Token
https://learn.microsoft.com/en-us/rest/api/webpubsub/dataplane/web-pub-sub/generate-client-token
We developed an API hosted in Azure and we decided to experiment a frontend in Azure DevOps with a web extension in react.
Without authentication, it worked :D
So, let's move on OAuth2.
In the past we developed task extensions with custom service connections. So we decide to experiment them with the acceptance criteria of an authentication based on AzureAD (or related to as Azure DevOps) with userId in claims in API scope and keep benefit of Azure DevOps not to ask a second authentication to users. (no MSAL for now....)
Simple first solution was to use core sdk getAppToken function. But token was not containing userId information.
We them tried service connections :
Client credentials
Native azurerm service connection works but with some limitation. We can't use a datasourcebinding with datasourceurl as it should begin with {{config.url}} or {{endpoint.url}}. And endpoint.url is "https://management.azure.com", so we can't call our api :
We also tried to use managed service identity service connection type (ms.vss-endpoint.endpoint-auth-scheme-managed-service-identity for curious). Because in task extension frontend, Azure DevOps is using user credentials to request Azure for any datasourcebinding.
But Microsoft seems to block this kind of authentication to their type azurerm :
Let's now try OAuth2 configuration :
So we created a custom service connection and defined authentication and datasource like ServiceNow endpoint :
https://github.com/Microsoft/azure-pipelines-extensions/blob/master/Extensions/ServiceNow/Src/vss-extension.json
OAuth2 configuration url : https://login.microsoftonline.com/XXX/oauth2/v2.0
AuthorizationUrl : {{{configuration.Url}}}/authorize?client_id={{{configuration.ClientId}}}&response_type=code&redirect_uri={{{RedirectUrl}}}&scope=api://XXX/.default
AccessToken and RefreshToken datasourcebindings requestUrl {{{configuration.Url}}}/token"
Everything was in place to use a configuration.url for code and token. Whereas endpoint.url was pointing to our API in Azure with a custom domain.
But it failed because I realized when a code is requested through service connection of kind OAuth2, serverurl is magically replaced by configurationUrl...
I didn't understand this issue with executeServiceEndpointRequest function call :
Backend code is inspired from mkaszub post : https://github.com/microsoft/azure-devops-extension-api/issues/12
It comes before real request and after service connection get.
The strangiest thing is that next call to API itself failed but not because or bad url. First endpoint.url at service connection creating was still there...
Conclusion, fail to use OAuth2 configuration in Azure DevOps with an Azure API.
So, do you know how to call an API inside Azure DevOps web extension with a user generated AzureAD token ?
Solution we think of :
MSAL should be the way to go for standard authentication, but we will need to ask for user to login. Even he's already inside Azure DevOps. Any trick to avoid this ?
MSAL with frontend outside Azure DevOps, inside Azure. But we loose Azure DevOps integration. And using extension with hub collection, would brings unique API frontend places.
Anyway, Thank you for time you spent reading me.
I created a message extension for an App within Microsoft Teams that when clicked sends the message from Teams to my web service.
(one of these https://learn.microsoft.com/en-us/microsoftteams/platform/messaging-extensions/how-to/action-commands/define-action-command)
I don't need to authenticate the user, but I want to authenticate that the incoming request came from Microsoft instead of someone maliciously sending me data.
The Authentication method described by Microsoft here; authenticates the user individually on the system. Which I don't want as the user might not have an account.
There is a Bearer token in the header of the action's incoming request to my web service. Can I somehow utilize this to validate it?
You shouldn't validate the Bearer token sent from MS Teams to your MS Teams App.
The right way to do it is use the "client credentials grant" between your MS Teams app and your web service. The grant is described here: https://www.rfc-editor.org/rfc/rfc6749#section-4.4
Your MS Teams App will be the client. Each request your client sends to your web service will contain a token issued by either your web service or an external identity provider your web service trusts. This token will be validated by your web service to ensure the request is genuine.
This grant is suitable for service-to-service communication you described.
I have a cordova application which I am authenticating using azure AD cordova plugin and it all works fine. But now I am integrating services published in another domain and I am unable to authenticate these services using the mobiletoken generated after authentication. Can someone guide me how to secure multiple domain APIs published as Azure web APIs and use token to access the secured APIs.
I have tried to modify the secured settings in azure portal of one of the APIs by including reply URLs for both the APIs
When I include the token in the header of the ajax requests going into 2nd domain endpoints, I just get "unauthorized" error.
It sounds like you're able to get an access token in a Cordova setting and you're having issues accessing multiple web apis after the user has logged in.
The authentication protocol I would suggest you utilize is the on-behalf of flow which is doocumented here : https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
Per the summary :
The OAuth 2.0 On-Behalf-Of flow (OBO) serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from the Microsoft identity platform, on behalf of the user.
This is to get a new access token with the right audience to gain access to web api 2.
At the moment I have an app that uses Azure Mobile App Services to manage offline sync as well as authentiation. Authentication is done with Azure Active Directory and the way that I have it setup is that the web api is published as an app service on azure and it is configured as an app in the Active Directory Section. The Native App which is done in Xamarin.Forms is also configured in azure so that whenever the app makes a request it can properly authenticate with the api.
What I want to do now is take this web api and put it in an on-premise server. I have to do this in order to optimize some latency issues that I am having when retrieving data. My question is how can I use the offline sync functionality with the api in and on-premise server while still using Azure Active Directory as my authenticator.
Where I am mostly having issues is with the authentication part of the implementation.
I appreciate any help.
According to your description, you are using Authentication and authorization in Azure App Service for build-in authentication without having to change code on the app backend. Authentication / Authorization for Azure App Service (Easy Auth) is implemented as a native IIS module that runs on Azure side, details you could follow Architecture of Azure App Service Authentication / Authorization.
My question is how can I use the offline sync functionality with the api in and on-premise server while still using Azure Active Directory as my authenticator.
AFAIK, we could not install the native IIS module easyauth.dll. Based on your scenario, you need to do some additional work to achieve your purpose.
For .NET backend, you could use Microsoft.Azure.Mobile.Server.Authentication OWIN middleware to validate tokens (the JWT authenticationToken). Note: This middle-ware is used to local development and debugging the mobile app .net server on your side.
For Client-managed authentication flow
You need to add a additional endpoint in your app backend for receiving the access_token returned by AAD to the client user, then your app backend would use the access token to access the signed-in user endpoint (e.g. https://graph.windows.net/me?api-version=1.6) to retrieve the user basic info, then encode user info into a JWT token and return to your client. Here is an example for generating the JWT token, you could refer to it.
Note: The App Service build-in authentication would also generate the JWT authenticationToken to the mobile client. For this approach, you retrieve the signed-in user information manually and follow the custom-auth to generate the token by yourself.
For Server-managed authentication flow
You need to provide a login endpoint and redirect the user the AD authorization endpoint, then your app backend receive the authorization_code and retrieve the access_token, then access signed-in user info via the access_token, then encode the user claims to JWT authenticationToken and redirect the token (e.g. https://{your-domain}/.auth/login/done#token={the-json-string-of-LoginResult}) to the client user.
Note: The above two approaches are used to implement some similar features from Easy Auth in your on-premise server.
Moreover, you could just use the middlewares UseWindowsAzureActiveDirectoryBearerAuthentication for AAD v1.0 endpoint or UseOAuthBearerAuthentication for AAD v2.0 endpoint to project your web API instead of the authentication middleware provided by Microsoft.Azure.Mobile.Server.Authentication. Here are some tutorials, you could follow them:
Azure AD .NET Web API getting started
Secure an MVC web API with AAD v2.0 endpoint
For this approach, your mobile client could leverage the ADAL or MSAL client library for acquiring the token. Then when you implement the MobileServiceClient instance, you could specific a custom DelegatingHandler for adding the authorization header with the value to the access token you acquired as the bearer token against your Web API backend. Details you could follow the How to: Customize request headers section under Working with the client SDK.