I am trying to authenticate a Xamarin.Forms app against my Azure Mobile App backend (which has been set up to use Azure AD authentication) using Microsoft Authentication Library (MSAL). This is so that the app can access tables API Controllers etc, but I am having issues authenticating fully.
In the app (client side) it kind of seems like I am able to successfully login because I got the Azure AD login screen in Safari web browser but straight after entering my credentials I get redirected to the app and I am presented with the following error from MSAL:
You do not have permission to view this directory or page.
I did some digging and attached a debugger to my Mobile App backend and that revealed the following:
Microsoft.Azure.AppService.Middleware Verbose: 0 : Received request:
POST https://myapp.azurewebsites.net/.auth/login/aad
Exception thrown:
'System.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException'
in Microsoft.Azure.AppService.Middleware.Modules.dll
Microsoft.Azure.AppService.Middleware Warning: 0 : JWT validation
failed: IDX10500: Signature validation failed. Unable to resolve
SecurityKeyIdentifier: 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
) ',
RawData: eyJ0eXAiOiJ......
token:
'{"typ":"JWT","alg":"RS256","kid":"-sxMJMLCIDWMTPvZyJ6tx-CDxw0"}.{"aud":"d03a8a86-2d38-4017-a8e6-d1813c7a8b99","iss":"https://login.microsoftonline.com/03afca2b-f47f-4d0b-9a25-d464aff5d399/v2.0","iat":1550228705,"nbf":1550228705,"exp":1550232605,"aio":"ATQAy/8KAAAAJ5N6SdnFdK7rYxWxvwbUKLAjZesFNkwaj2jR7tQg+E10FU5giL0DQM7SWbfwwYNG","name":"GFSSD
TEST","oid":"ea10e59f-4466-451c-b7df-e9727ae5b899","preferred_username":"gfssd#mycompany.com","sub":"aPg-fkuZz4lwGIPSGbQ-nOoj7BPwT4_bBsb9UvATAdI","tid":"03afca2b-f47f-4d0b-9a25-d464aff5d399","uti":"tpY2tvyphUib1O2N4wIQAA","ver":"2.0"}
Microsoft.Azure.AppService.Middleware Information: 0 : Sending response: 401.83 Unauthorized
Any ideas why it doesn't seem to authorize properly?
EDIT:
Related
we have a problem and i dont see anything which i can do for now. I've already followed for example this article but i does not work for now: Azure Function App as Backend
Azure AD Authentication is configured in our Azure Function App and with postman i can connect with a bearer token to the function app.
Function App Authentication is configured with error 401 for apis
I can see in the browser that there is always this error when we open the frontend app. There is no access to the Azure AD secured backend function app from the frontend: Failed to load resource: the server responded with a status of 401 (Unauthorized)
i exposed the api from the app registration of the backend function app and gave them invoke delegated rights to the frontend app registration like in the blog article. CORS is configured too.
App Reg Invoke Config
is there anything i can do? We login to our Frontend App Service with Azure AD credentials and this token should give access to the backend service function app too so there is nothing unprotected in the public internet. But frontend get always this 401 error.
I tried to reproduce the scenario from my end :
When you decode the bearer token ,
Check issuer url and audience received
Also if issuer url has v2 endpoint ,Make sure the accessTokenAcceptedVersion is set to 2 other wise null or 1
Manifest:
{
"id": "4axxxxxxx039",
"acceptMappedClaims": null,
"accessTokenAcceptedVersion": 2,
...
}
Try including function app url https://kafnapprepo.azurewebsites.net
in allowed audiences. Along with the clientId of the app and AppId uri
and make sure the permissions are granted admin consent.
I followed this resource: https://icareb2cdev.b2clogin.com/icareb2cdev.onmicrosoft.com/B2C_1A_DEMO_CLIENTCREDENTIALSFLOW/oauth2/v2.0/token
Azure B2C App registrations:
Protected web api
Expose an api
App ID URI = https://{my tenant name}.onmicrosoft.com/{protected web api client id}/.default
Daemon console app
API Permissions
API = protected web api
Permission = access_as_application
Type = Application
Admin consent requested = Yes
I acquire a token using the OAuth client credentials flow:
POST https://{my tenant name}.b2clogin.com/{my tenant name}.onmicrosoft.com/{a basic user flow SUSI policy}/oauth2/v2.0/token
scope=https://icareb2cdev.onmicrosoft.com/{protected web api client id}/.default&
grant_type=client_credentials&
client_id={daemon console app client id}&
client_secret={daemon console app client secret}
Error response:
{
"error": "invalid_grant",
"error_description": "AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again.\r\nCorrelation ID: REDACTED\r\nTimestamp: REDACTED\r\n"
}
I ran into the same issue, please double check your Manifest and make sure that "signInAudience": "AzureADandPersonalMicrosoftAccount" and not your organization only. Do also ensure you followed the steps same as other answer.
We are new to O365 Authentication and trying to authenticate the user.
Here i am getting this error while trying to login with, office 365.
Create app in active directory add app id and return urls in app, and this is the document I followed, https://blog.xamarin.com/put-adal-xamarin-forms/
here is the error we are getting,
AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'
Trace ID: e580114e-2dd9-4cc4-b903-6cef743a2900
Correlation ID: 6e58ff9d-bea4-4ad3-9fe3-e27c92fc9597
Timestamp: 2018-12-05 12:51:23Z
{System.Net.Http.HttpRequestException: Response status code does not indicate success: 401 (Unauthorized). ---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: {"error":"invalid_client","error_description":"AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'\r\nTrace ID: e580114e-2dd9-4cc4-b903-6cef743a2900\r\nCorrelation ID: 6e58ff9d-bea4-4ad3-9fe3-e27c92fc9597\r\nTimestamp: 2018-12-05 12:51:23Z","error_codes":[70002],"timestamp":"2018-12-05 12:51:23Z","trace_id":"e580114e-2dd9-4cc4-b903-6cef743a2900","correlation_id":"6e58ff9d-bea4-4ad3-9fe3-e27c92fc9597"}: Unknown error
--- End of inner exception stack trace ---}
Ok ,Maybe you have registered your app as a confidential client (web app or web api).
You cannot authenticate with username and password when the app is a confidential client. Only public clients, sometimes known as native clients, can do U/P authentication.
Trying to Change to native client.
Refer to this link to try
I am trying to build a VSTS extension that can communicate to azure web app. I was able to achieve this but without authentication. I was referring to the Microsoft documentation.
I took the token generated from browser i.e console.log(token) and verified it in this website.
It says Invalid signature.
The logic mentioned for .Net framework to validate the generated token does not work. It gives me following error:
IDX10500: Signature validation failed. Unable to resolve
SecurityKeyIdentifier: 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = X509ThumbprintKeyIdentifierClause(Hash = 0xA0EBDCCF933FEE9F878C82A5157CFDDEEFD5D19A)
)
',
token: '{"typ":"JWT","alg":"RS256",......
Replace VSS.getAccessToken() to VSS.getAppToken() can solve the issue.
I am trying to setup Authentication with a Javascript backed Azure Mobile Service. When I call my code to login in I get:
Microsoft.WindowsAzure.MobileServices.MobileServiceInvalidOperationException: Error: The Facebook Graph API access token authorization request failed with HTTP status code 400
Here is my code to call my Login:
public async Task<MobileServiceUser> Authorize(MobileServiceAuthenticationProvider provider, JObject jObject)
{
return await App.Client.LoginAsync(provider, jObject);
}
Is this an issue with a setting in the Facebook app? Or is it something in my code? Or a setting in the configuration of the Azure Mobile service.