I'm trying to set this up but when going to Published Scopes tab for the client app I have created I am unable to configure as am receiving this message "No identifier URI has been provided", can anyone advise pls?
As #Chris Padgett said, if it's client app, you should configure "API access" rather than "Published scopes" to grant a client app permissions. For more details, you can refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-access-tokens#grant-a-native-or-web-app-permissions-to-a-web-api. Hope it will be helpful!
Related
Looking for some answer. First time using Azure AD for authentication on ASP.Net Core and we have registered the app on azure for both my local and Dev-Server. Its working running on my laptop but after deploying to Dev server and changing the Client ID Value, it keeps giving me this error
*SecurityTokenInvalidSignatureException: IDX10511: Signature validation failed. Keys tried: 'System.Text.StringBuilder'.
kid: 'System.String'.
Exceptions caught:
'System.Text.StringBuilder'.
token: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'.
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(string token, TokenValidationParameters validationParameters)
Exception: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler.HandleRequestAsync()*
Thank you in advance.
Danny
Thank you #User 45323833 posting your suggestion as an answer to help other community members.
" Solution from Microsoft: This problem caused due to your app registration:
May you have defined a scope from Graph API: User.Read User.ReadBasic.All Mail.Read
If a scope will be set from Graph API, the token can just be validated from Graph!
You can see that in jwt.io. If the aud is like "00000003-0000-0000-c000-000000000000" the token is from Graph.
To solve the problem please follow the below steps :
To protect our own custom API, you have to register an application to represent it on Azure AD and obtain an access_token/id_token for it.
Section - Expose an API: Create a new scope: name = access_as_user
Section - API permissions: Add a new permission for your registered application and your scope access_as_user
Section - Manifest: Change entry "accessTokenAcceptedVersion" from null to 2
Check the new token from azure with jwt.io. If the aud is equal the registered application id the token can be successfully validated."
For more information please refer this GitHub issue IDX10511: Signature validation failed. Keys tried: & Microsoft Documentation: Azure AD authentication with ASP.Net core web application
I am trying to follow the tutorial for Microsoft active-directory
After inputting the client ID and secret into the code and running the code, it takes me to the login page where I login with the credentials but I get the following error:
"errorCode": "request_cannot_be_made",
"errorMessage": "Token request cannot be made without authorization code or refresh token.",
"subError": "",
"name": "ClientAuthError"
Does anybody know what is going on here?
The sample code works well: https://github.com/Azure-Samples/ms-identity-node/
When using auth code flow, we need to get authorization code with getAuthCodeUrl() first, then obtain the access token with the authorization code by acquireTokenByCode(). You may miss getting authorization code, please check yours.
Notes:
Set Supported account types as "Accounts in any organizational directory and personal Microsoft accounts". If not, change 'common' in authority with your tenant-id.
redirectUri in the sample code needs to be the same as Redirect URI in the portal.
I'm developing an API using VS 2017, which I'm testing using Postman. I've been following this blog post Getting started with Windows Azure AD Authentication using Postman. I finally got it to give me an access token and a refresh token. About 3 quarters of the way through the post I came across this:
resource : https://management.core.windows.net
which has to be put into Postman (I'm using the Windows app version of Postman). I wasn't sure what that was for, so I left it off. I eventually got an access token and a refresh token, but when I when to get more info for all subscriptions, I got errors saying that I had specified a valid resource. So, I thought what I'd have to do was start over again, but re-authenticating and getting a code from Azure. I did so, and put that into Postman, as the blog post instructs. However, issuing this POST results in this error:
"error": "unauthorized_client",
"error_description": "AADSTS70002: Error validating credentials. AADSTS65005: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: d37abf69-42ce-4571-b146-f3422e73f041. Resource value from request: https://management.core.windows.net. Resource app ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013. List of valid resources from app registration: 00000002-0000-0000-c000-000000000000.\r\nTrace ID: 9f028899-6d03-409e-8db4-4e9905000300\r\nCorrelation ID: ec253a1b-9fdc-495f-9310-6b40a42e5d93\r\nTimestamp: 2018-11-19 22:20:02Z",
"error_codes": [
70002,
65005
]
I don't understand why nor what I could have done wrong. I've prespecified the resource as the tutorial instructed, so what have I done wrong?
Looking at the error message, it seems you could have missed adding relevant permissions for "Windows Azure Service Management API" to your app registration.
Steps:
Go to Azure Portal > Azure AD > App registrations > Your app (with app id: d37abf69-42ce-4571-b146-f3422e73f041)
Go to Settings > Required permissions > Add > Select "Windows Azure Service Management API"
Select the relevant permission under Delegated permissions section. Click on select and then "Done". You should get a notification in portal that successfully added permissions. You should see Windows Azure Service Management API listed under required permissions as well.
After these steps, continue as per the blog post you've mentioned with Postman steps to get the access token again.
I found myself in the same situation when i was trying to setup Postman. Its not as complicated as most blogs make seem. I created a tutorial to try to make the process easy.
http://hazelnest.com/blog/blog/2018/11/17/azure-postman-configuration/
https://youtu.be/2bfgeBKRxl4
Hope this helps.
I have searched with the error which I found, Did not find any matching questions. So posting question. Appreciate if some one provides some pointers to proceed.
My goal is to access graph API in my desktop client. I have started using fiddler to experiment.
I have followed instructions provided at https://graph.microsoft.io/en-us/docs/authorization/app_only
registered Web APP using Application Registration portal using my Microsoft work account.
Provided 'Read all users' full profiles in Delegated permissions
Requested token and Used the token in Authorization header to call the graph API, Getting following error.
https://graph.microsoft.com/v1.0/users
119
{
"error": {
"code": "Authorization_IdentityNotFound",
"message": "The identity of the calling application could not be established.",
"innerError": {
"request-id": "4c3a7bc6-e3d8-453c-adc9-5a12fec3b0ee",
"date": "2016-05-11T00:46:23"
}
}
}
In my case, I got the same error after I used Quickstart (step 1), then configured automatically .net sample (step 2), then download the code sample (step 3) as shown in the picture below.
All steps was done successfully except step 3. Microsoft code generate, generate app id, and app secret in project successfully but the tenant was set to common in appsetting.json as seen in image below.
I thought it was a valid thing, but later found out that this caused the issue.
Solution:
I copied the Directory (tenant) ID, than replace common with tenant Id, and it worked. I am not sure if this is a bug in Azure Quickstart code generation.
This sample helped me understand the flows around app-only permissions.
https://blogs.msdn.microsoft.com/tsmatsuz/2016/10/07/application-permission-with-v2-endpoint-and-microsoft-graph/
Key takeaways for me:
Ensure you set up the app and specify the Application Permissions needed
Do have an admin grant the app permission to run against the relevant directory.
Get the relevant token:
Notice the scope in the request below is https://graph.microsoft.com/.default
POST https://login.microsoftonline.com/{tenantname}.onmicrosoft.com/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id=6abf3364-0a60-4603-8276-e9abb0d843d6&client_secret=JfgrNM9CcW...&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
Use the token to request the relevant graph resource, eg:
GET https://graph.microsoft.com/v1.0/users/demouser01#[tenant-name].onmicrosoft.com/drive/root/children
Accept: application/json
Authorization: Bearer eyJ0eXAiOi
For me, I had not given admin consent. This is a critical step. My mistake was in thinking that by granting the app permissions, this was giving admin consent, but its not the same thing.
From step 3 on this site: https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
I just pasted their call into a browser after filling in the tenant and client id, then signed in, and everything worked.
GET https://login.microsoftonline.com/{tenant}/adminconsent
?client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions
while generating new access token, make sure to replace tenant_id with the actual tenant id
https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
You'll find that this document is a better set of instructions for app-only apps.
There are two issues from your description that stand out.
You'll need to make the call with an X509 certificate for app-only flows.
You need to set up app scopes, rather than delegated scopes on your app - delegated scopes are for delegate flows rather than app-only flows.
I created a new mobile app to get consumed in my Xamarin.iOS app. My app doesnt have any registered user, all I need is to securely access the mobile app service api in my ios app.
After 10 hours of trying, I still couldn't figure a way to get his to work.
I've created a new mobile app, turned on Authentication / Authorization in setting(Azure Portal) and created a new Azure Active directory app.
I've secured my [MobileAppController] with [Authorize] tag.
To test I've requested a token
Method: POST
URL : https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/token
grant_type : client_credentials
client_id : {one from AD section for the app}
client_secret : {one from AD section for the app}
I've received a token but using it to access(POSTMAN app)
https://mytestmobileapp.azurewebsites.net/api/values
with headers
Authorization : Bearer {token}
is giving me a
"message": "Authorization has been denied for this request."
Any help would be appreciated.
Thank you ...
I answered on my blog post but I am also putting this here for anyone to see.
Why do you want to call the endpoint directly? The SDK client should handle all of this (as seen on their tutorial: https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-xamarin-ios-get-started-users/)
I do not think it is a good idea to re-implement the wheel by calling directly AD. There is a callback mechanism for the server to get that token from AD and I think this is what is missing here.
Have you looked at the examples at GitHub for Azure ActiveDirectory Library for ObjectiveC?
https://github.com/AzureAD/azure-activedirectory-library-for-objc
Some great examples and resources here that may help you :)
Ok finally after hours of terrible frustration I've found the answer. Thanks to the comments # https://github.com/Azure/azure-mobile-apps-ios-client/issues/14
I've setup Streaming logs and detailed error messages to figure out whats going on and I found this to be the error.
2016-01-18T20:06:31 PID[7448] Warning JWT validation failed: IDX10214: Audience validation failed. Audiences: 'https://quicktestmobileauthapp123.azurewebsites.net'. Did not match: validationParameters.ValidAudience: '8649d624-47ce-447f-9a5e-xxxxxxxxxxxx' or validationParameters.ValidAudiences: 'http://quicktestmobileauthapp123.azurewebsites.net'.
Then I realized I have to pass in resource when requesting the token.
My new token request
Method: POST
URL : https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/token
grant_type : client_credentials
client_id : {one from AD section for the app}
client_secret : {one from AD section for the app}
resource : {clientId from the AD section}
Then token I've received from the above method worked fine without any issues. Azure streaming logs are amazing.
UPDATE
I've created a new question with answer going through a step by step explanation. How to add simple authentication to azure mobile/web apps with Azure Active Directory?