How to get user role claims in postman from Azure active directory? - azure

I have a few users added to my Azure AD account. I would like to get the roles and user information on these users by calling an Azure API from Postman in the form of claims. I tried calling the following URL with these parameters:
https://login.microsoftonline.com/myTenantId/oauth2/token
Body:
grant_type: password
client_id: client id
client_secret: client secret
I receive the access_token in encoded format in the response. When I decode it on https://jwt.io/ I see the decoded data, but there are no user roles in the access_token.
I would like to get the user information and the roles in the form of claims in the same response.
What approach would I need to take on this?

If the role you mentioned refers to a directory role, the answer is no, it won't be returned in the token. Just like juunas said, you can call the Graph API to get directory role information.
If the role you mentioned refers to an application role, the answer is yes, you can get the role information in the id_token. The prerequisite is that you have assigned some roles to the user.
Here are the detailed steps. You can also refer to this article.
1. Edit the manifest to add some custom roles. Something like this:
    {
        "allowedMemberTypes": [
            "User"
        ],
        "displayName": "Test",
        "id": "c200e304-fff3-49f1-a4df-e406741ea680",
        "isEnabled": true,
        "description": "Bla bla",
        "value": "test"
    }
2. Assign users to roles: click Enterprise applications -> All applications -> your application -> Users and groups -> Add user, then assign the role.
Here is the request to get the id_token.
You will find the roles in the id_token.

Related

How to add roles claim in access_token, currently it is coming in id_token?

I am following Authentication code flow with PKCE and my Identity provider is Azure Active Directory.
I have created an App, "client-app", from App Registrations. In the manifest I have added appRoles like the following:
"appRoles": [
    {
        "allowedMemberTypes": [
            "User"
        ],
        "displayName": "StoreGroupManager",
        "id": "47fbb575-859a-4941-89c9-0f7a6c30beac",
        "isEnabled": true,
        "description": "Consumer apps have access to the consumer data.",
        "value": "StoreGroupManager"
    }
]
I am assigning this role StoreGroupManager to users. Now when I follow Authorization code flow with PKCE and obtain the id_token, refresh token and access_token, I can see that the id_token has a roles claim but the access_token does not.
I need to have the roles claim in the access_token. Is this possible?
The following is the decoded id_token.
Roles will be in the access token if the app registration for the API that the access token is for defines those roles and they are assigned to the user.
So if you use the same app registration for the client and API, they should be there.
But if you have separate app registrations for the client and API, you will need to define the role in both apps and assign the user to it on both of them as well.

I can't get email or profile scopes for an Azure B2C application, nor can I call the OIDC UserInfo endpoint

I'm finding Azure B2C really confusing. Currently I am using oauth2_proxy behind an nginx ingress controller in a test (single-node) AKS Kubernetes environment. I have made a slight change to oauth2_proxy to redirect upon error to chain workflows together (like the password recovery link etc.) and everything is working so far. I get an authorisation cookie from oauth2_proxy and the ingress controller lets me through.
My next step is to work out what the username is, and maybe gather some more information. I think I can get some of the information from the id_token, but I am failing to see "email" and "preferred_username". Apparently these are only available if my token has the "email" and "profile" scopes, but I cannot work out how to get those scopes on my B2C App.
Currently I have a test application. In its API permissions area I have a single "read" permission so that I have a resource to request to get an access_token. I also have "email", "offline_access", "openid", "profile" and "User.Read" permissions from "Microsoft Graph"; all permissions are granted by the admin on the API permissions screen.
The process I have been following up to now for testing is to run a sign-in workflow, selecting my API in the resources dropdown. I then copy the "Code" into a token request in Postman, and then try both the "https://graph.microsoft.com/v1.0/me" and the "https://graph.microsoft.com/oidc/userinfo" endpoints with both the "id_token" and the "access_token". Both of these respond with "InvalidAuthenticationToken", message "Access token validation failure".
I have since noticed that my resources dropdown still only contains "read" and "openid" access rights, so I have been copying the "run user flow" URL and inserting the scopes for "email", "offline_access", "openid" and "profile". I have also ensured that my call to the "token" endpoint contains these scopes. The response from the token endpoint only returns the scopes "read offline_access openid", so "profile" and "email" are missing.
I don't know how to configure my app registration in B2C so that the "email" and "profile" scopes become available. Since "openid" appears in the resource dropdown, I would expect "email" and "profile" to turn up in there, but they don't. My token calls definitely show that the scopes that I need are not returned.
My workflow url looks as follows:
https://********.b2clogin.com/********.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_signup_signin&client_id=********&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid%20user.read%20email%20profile%20offline_access%20https%3A%2F%2F********.onmicrosoft.com%2Ftestapp%2Fread&response_type=code&prompt=login
My token call looks as follows (using the code value from the workflow):
https://********.b2clogin.com/********/b2c_1_signup_signin/oauth2/v2.0/token?grant_type=authorization_code&client_id=********&response_type=code&redirect_uri=https://jwt.ms&response_mode=query&scope=https://********.onmicrosoft.com/apptest/read openid offline_access email profile&code=******CODE FROM WORKFLOW CALLBACK******
Token response is like:
{
    "access_token": "******BIG LONG BASE64******",
    "id_token": "******BIG LONG BASE64******",
    "token_type": "Bearer",
    "not_before": 1591607270,
    "expires_in": 3600,
    "expires_on": 1591610870,
    "resource": "********",
    "id_token_expires_in": 3600,
    "profile_info": "******BASE64******",
    "scope": "https://********.onmicrosoft.com/testapp/read offline_access openid",
    "refresh_token": "******BASE64******",
    "refresh_token_expires_in": 1209600
}
OIDC endpoint call like this:
https://graph.microsoft.com/oidc/userinfo
with headers:
Content-Type: application/json
Authorization: Bearer ********BASE64 from access_token********
Any help would be appreciated, i.e. how do I return additional scopes, and how do I call the OIDC UserInfo endpoint?
Thanks.
I struggled with a similar issue a while back, where I wanted my API to use the access token to look up user info. Azure AD does not work in a standards-compliant way:
- Calling UserInfo requires a separate Graph token
- You have to use a token exchange request to get the Graph token
Here are some resources of mine which I think are related and will hopefully give you enough info to resolve your problem. I think right now you are getting the error from Step 14 of the blog post.
Token Exchange + User Info Lookup C# Code
Blog Post on Azure AD Settings related to Graph / User Info

Azure AD App registration user roles not reflecting

I have added an app registration with custom user roles through the manifest.
I have successfully protected an API endpoint by way of the [Authorize] attribute and roles.
I have now changed the names of the roles in AD, but when I try to access the API endpoint I can see in the access token that the roles have not changed.
How long does it take for roles to change for a user? Do I need to do something else other than just change the names of the roles? Force a cache refresh somewhere? What am I missing?
I am using a private browser window to eliminate any stale cookie noise.
I can see in the access token that the roles have not changed.
Shouldn't the user role be reflected in the Id token?
The decoded Id token.
> How long does it take for roles to change for a user? Do I need to do something else other than just change the names of the roles?
We should change the value of the role, not the displayName, and it will take effect immediately.
{
    "allowedMemberTypes": [
        "User"
    ],
    "description": "Creators can create Surveys",
    "displayName": "SurveyCreator2",
    "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "SurveyCreatorValue3"
}
I changed the role value from SurveyCreatorValue3 to SurveyCreatorValue4. We can see the update in the Id token.

How to add a User as a Member from another IDP?

We have an ADB2C tenant with an Identity Provider set up to an Okta setup in another organization via OpenID Connect.
We have an Admin UI to add users. I see that the Graph API has a createUser which takes JSON with a Password and a changePwdOnFirstUse setting. This is fine to add a direct member to ADB2C.
The problem I have is: how can I add the user from the other Okta organization so that when this user logs in to my App (and is authenticated by Okta), they can log in to my App?
At present, after authentication from Okta, we see a "User not found" error.
I suppose I cannot add this user via the Graph API using the same createUser method, as this user's password is not something we are supposed to manage.
How do I add this other organization's user to ADB2C, so that I do not see this "User not found" issue?
Thanks.
Using the Azure AD Graph API, you can create an external account user, with the userIdentities property of the user object being set to the sub (subject) claim of Okta's ID token:
{
    "accountEnabled": false,
    "displayName": "John Smith",
    "mailNickname": "john.smith",
    "otherMails": [
        "john.smith@company.com"
    ],
    "userIdentities": [
        {
            "issuer": "{okta-id-token-iss-claim-value}",
            "issuerUserId": "{okta-id-token-sub-claim-value}"
        }
    ],
    "userPrincipalName": "{guid}@{your-tenant-name}.onmicrosoft.com"
}
where issuerUserId must be set to the base64 encoding of the sub claim of Okta's ID token.

Azure Active Directory RBAC Not Returning Roles in Bearer Token

I'm using the Azure AD Basic tier with an ASP.NET Core API, and I've followed the RBAC sample. I've set up an application with roles in my manifest like so:
"appRoles": [
    {
        "allowedMemberTypes": [ "User" ],
        "displayName": "Read Device",
        "id": "b2e6f6c2-c3d5-4721-ad49-0eea255ccf45",
        "isEnabled": true,
        "description": "Can read a device.",
        "value": "read_device"
    },
    ...
]
I've set up my API to use the UseJwtBearerAuthentication middleware like so:
application.UseJwtBearerAuthentication(
    new JwtBearerOptions()
    {
        AuthenticationScheme = "Azure Active Directory",
        Authority = options.Authority,
        Audience = options.ClientId,
        TokenValidationParameters = new TokenValidationParameters()
        {
            // Azure AD emits app roles in the "roles" claim, not the default role claim type
            RoleClaimType = "roles",
            ValidateIssuer = false
        }
    });
I've given my user the above 'Read Device' role:
I'm using Swagger UI to make the call to get the auth token. It calls the following URL:
https://login.microsoftonline.com/[Tenant].onmicrosoft.com/oauth2/authorize?
response_type=token
&redirect_uri=http%3A%2F%2Flocalhost%3A5100%2Fswagger%2Fo2c.html
&realm=-
&client_id=[Client ID]
&scope=http%3A%2F%2Fschemas.microsoft.com%2Fws%2F2008%2F06%2Fidentity%2Fclaims%2Frole
&state=oauth2
&resource=[Client ID]
I suspected that I am not passing the correct values to the scope parameter, so I have tried asking for every scope I can think of:
&scope=openid
%20email
%20profile
%20offline_access
%20user_impersonation
%20roles
%20http%3A%2F%2Fschemas.microsoft.com%2Fws%2F2008%2F06%2Fidentity%2Fclaims%2Frole
%20read_device
If I set "groupMembershipClaims": "All" in my manifest I can see group claims, but I want roles instead. I'm able to log in to call my API; however, I never get any roles back in my JWT token, so I'm unable to check the user's role. What am I doing wrong?
It turns out I needed to request an id_token instead of a token. An id_token contains extra claims/scopes/resources about the user. I also needed to provide a nonce parameter containing a new random GUID on every request. Thus, I ended up with the following URL:
https://login.microsoftonline.com/[Tenant].onmicrosoft.com/oauth2/authorize?
response_type=id_token
&client_id=[Client ID]
&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F
&nonce=9ac5ad8d-df44-48e6-9bd6-e72743b3625c
If you want to enable the role to be assigned to users or groups (allowedMemberTypes=User):
- If you want to perform authorization using role claims, you could follow the steps in this code sample; you will find the roles claim in the id_token.
- If you want to make a client app call your web API, and the app should check access rules based on the role claim when the user signs in, you could use a delegated flow (OAuth Authorization Code Grant, Implicit Grant Flow, ...); the roles claim is in the access_token.
If you want to specify the role to be assigned to client applications (allowedMemberTypes=Application), you could use the OAuth Client Credential Flow with appRoles of the resource app/API that are assigned to the client app, and you will find the roles claim in the access_token; check the detailed steps here.
Please click here for more details.
In my case I had mistakenly configured the App Registration to emit Security Groups as roles claims, thus overwriting the App Roles from the manifest. Removing the optional groups claim and logging back in correctly emitted the App Roles names in the roles claim of the id_token.
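As an added example (not code from any of the answers above), here is a small Python helper that does offline what the posters did by pasting tokens into jwt.io: it decodes a JWT payload without verifying the signature and reports whether the roles claim is present, whether the aud matches the API the roles are defined on (the point of the "roles in id_token but not access_token" thread), and whether a groups claim is present instead (the overwrite case in the last answer). The JWT layout and claim names are standard; the sample tokens and the audience string api://testapp are constructed for the demo.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_payload(token: str) -> dict:
    """Return a compact JWT's payload WITHOUT checking the signature,
    exactly like pasting it into jwt.io: inspection only, never authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def inspect_roles(token: str, api_audience: str) -> dict:
    """Explain why a token may lack the roles claim, per the threads above."""
    claims = decode_payload(token)
    aud = claims.get("aud")
    report = {
        "is_for_api": aud == api_audience,
        "roles": claims.get("roles", []),
        "groups_present": "groups" in claims,
        "notes": [],
    }
    if not report["is_for_api"]:
        # e.g. a Graph token, or an id_token issued for the client app rather than the API
        report["notes"].append(f"aud {aud!r} is not the API; roles come from the API's own registration")
    if not report["roles"] and report["groups_present"]:
        report["notes"].append("groups emitted but no roles; check the optional groups-as-roles claim setting")
    if not report["roles"]:
        report["notes"].append("no roles claim; verify appRoles on the API registration and the user's assignment")
    return report

def make_unsigned_sample(claims: dict) -> str:
    # Constructed, unsigned token (alg none, empty signature) for offline testing only.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."

if __name__ == "__main__":
    token = make_unsigned_sample({"aud": "api://testapp", "roles": ["StoreGroupManager"]})
    print(json.dumps(inspect_roles(token, "api://testapp"), indent=2))
```

Paste a real access_token or id_token from Postman in place of the constructed sample to see which of the three conditions applies to it.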