I have a Java Web App which is integrated with Azure AD. Now when I run the app locally, everything works fine.
But When I deploy the WAR file to the Azure App Service, the authentication redirection seems to be going in an infinite loop.
The application is running in loop between login.microsoftonline.com and mysite.azurewebsites.net.
I have read in blog posts that this happens with OWIN cooke in .Net , but not sure if this is case with Java as well.
All the traffic is through HTTPS only, but still the issue exists.
Is there any setting in Azure Portal to overcome this ?
Owin middleware is only available for .NET, so yes, we cannot fault that.
The redirect would be triggering from the portion of your code that evaluates a condition like 401 Unauthorized and constructs an authentication Url and redirects the user to that.
I'd suggest you enable as much diagnostics as possible and look into logs to..
Azure AD is sending the tokens in response as expected and not an error
The code acceptig/parsing these tokens is working correctly
Related
I wasn't exactly sure how to best describe the title of the question for the issue I am having, anyways this is the problem I am encountering, I have searched for a couple of hours and could not find an answer.
I am building and app which is passing through the Azure AD sign in and redirecting back after a successful handshake. All works fine when using https://localhost:port as my RedirectURI in Azure, for example:
Under Web Redirect URIs this following works just fine:
https://localhost:7280/signin-oidc
I login with my AD credentials and I am redirected back to my app's landing page, so all good there.
The problem is however, when I use the following in the hosts file, I am just redirected back to the Azure AD sign in page, even though when I check the azure sign in logs, it states the login was successful.
Question: Is it possible to use a custom URI using the hosts file in a local development environment, when developing an app passing through an Azure sign in? Or am I restricted to using https://localhost:portNumber for my web redirectURIs? Thanks in advance.
Here is the hosts file and the web RedirectURIs in Azure. As mentioned earlier, https://localhost:port works fine. Note: I already have an SSL Certificate for the local development environment which is fine.
My hosts file:
127.0.0.1 dev.operations.co.uk
My web redirectUri(s) in Azure which I have tested:
https://dev.operations.co.uk/signin-oidc
https://dev.operations.co.uk/
We are using Azure Web App Easy Auth, and use the Web App as a reverse proxy which forwards traffic to an angular app.
The angular app uses /.auth/me and uses the token and pass it to a REST API. However, if user is idle for a long time, seems that the /.auth/me session times out and we can't get it anymore.
However, the web app doesn't redirect anymore to the MS Login page (as it does when we enter the URL at first time).
Is there a proper way to handle it?
Thank you
Edit:
For example, we are calling this using httpGet in Angular
https://myreverseproxy-dev-asse-web-d.azurewebsites.net/.auth/me
This returns JSON with the auth token.
But after a few hours that user is idle, seem it returns blank []. Probably because the session is timed out or the authentication for this endpoint has a timeout.
You have to give the redirect URL by registering your Azure Web App in App Registrations Service:
If it is already registered in App Registrations, then your app service from Azure Portal > Type "App Registrations" in Main search > Select your registered App Service > Select "Authentication" Where you configure the redirect URI:
Refer to this MS Doc1 for Redirect URI Limits & restrictions and Doc2 for configuring the CallbackPath, SignedOutCallbackPath in the code like appsettngs.json if the language is ASP .NET Core, web.config for ASP .NET, application.properties for Java, etc.
Doing some practice with AZ 204, I was attempting to set up a simple web app with .Net Core and a simple Authentication system using the login.microsoftonline.com service. My problem is that I keep getting a 404 on my redirect from the authentication sequence.
I use a redirect provided from Azure under "Get Started" using the Web platform for ASP.NET Core. The only modification I used is that I have replaced the localhost port as mine is running on a different one.
The app works fine without Authorization, With Authorization in place, it loads in the Microsoft login page, and it goes through, the process and validates the user. It goes through and manages the user consent screen, but once it's supposed to redirect back to the page (using the /signin-oidc endpoint, it seems to interpret it as a webpage and goes to the URL htttps://localhost:7032/signin-oidc.
I made the same setup progress a week ago without any 404 problems.
Service: Azure AD Registered App
Platform configuration: Web (ASP.NET Core)
Redirect URIs: https://localhost:7032/signin-oidc, https://localhost:7032/
Front-channel logout URL: https://localhost:7032/signout-oidc
ID tokens (used for implicit and hybrid flows): checked
Double checked ClientID: check
Double checked TenantID: check
UseAuthentication() is enabled: checked
You may need add UseAuthentication() in your Startup.Configure method.
app.UseRouting();
app.UseAuthentication(); // <-- Add it here.
app.UseAuthorization();
Unsure how, but as I started the project today the code runs smoothly, and the page loads properly. My guess is it might have been some problem with my internet settings on my local machine. Thanks for the suggestions and bonus help.
I want to write a script that:
Logs a user into Azure AD with the device code mechanism
Constructs a SAML SSO request URL
Makes the SAML request using the auth from step 1
Gets the SAML response back, and does something with it (not just open it in a browser)
Is there a way to do that with the Azure AD libraries?
I feel like this should be possible and I’m just missing something. Any ideas?
I've tried a bunch of stuff and experimented with code in the Python library, but to no avail.
I would prefer Python, but I can run it in a Docker image so language isn’t so important.
Context
At work, we use Azure AD for authentication, and we can log into the AWS Console using Azure AD and SSO SAML.
If I construct an appropriate SAML request URL and open it in my browser, I go through the in-browser auth flow. When I’m logged in, Azure AD returns a SAML response, and eventually my browser redirects me to the AWS console. It’s a URL of the form:
https://login.microsoftonline.com/11111111-1111-1111-11111111111/saml2?SAMLRequest=<base64 encoded string>
Now I want to do a similar flow for AWS credentials – make a SAML request to log in, read the SAML response, create credentials using assume_role_with_saml, then write those to ~/.aws/credentials. I think that means I have to access the SAML response directly – the browser just drops me at the end of the redirect chain.
Any ideas?
Other ideas
I’m aware of the aws-azure-login npm package which does this by spinning up a headless browser – but it’s unmaintained and I’ve found it to be a flaky.
Right now I have a Python script that opens the SAML request in Chrome (where I log in), then uses the browsercookie library to raid Chrome’s cookie jar and use those for its HTTP requests. That works, but it feels weird to be copying cookies this way. Also, it doesn’t work if I’m ssh'd into a remote server.
I found an answer from a year and a half ago that says “ADAL.JS does not support SAML2 tokens”. Wondering if that might have changed, or am I still stuck?
No - ADAL is OpenID Connect and returns a JWT token.
Why do you need to use SAML? Could you not use OpenID Connect?
Azure AD does not support SAML tokens for the device code flow.
MSAL library from the Azure AD team supports this flow for apps. Please give this a try or you can write code against the protocol itself
I have a working app on my local machine that authorizes fine using both SQl and raven auth plugin.
when I try to test auth on the azure app by going to /auth/twitter I just end up in an authentication loop.
this is the exact same code (except for the callback and redirect url is pointed to the azure app)
Should this work o Azure? Is there any way of knowing why the redirect ends up in a loop? Is there any debugging output on twitter?