Google Not Redirecting After Authentication - azure

I'm building an ASP.NET Core 2.1 website using Azure AD B2C based on this example code. However, I am using the Microsoft-recommended b2clogin.com domain because the microsoftonline.com domain is being deprecated.
During signup, after the identity provider authenticates successfully, it should redirect the user to an Azure AD B2C generated page where the user fills in some additional fields. Those fields are drawn from the standard attributes offered by Azure AD B2C (i.e., I haven't defined any custom attributes). Everything works as expected with Microsoft Account authentication.
However, when authenticating against Google, there is no redirect back to that Azure AD B2C generated page. Instead, the user is sent to the default page of the site.
I thought I set the proper redirect URI in the Google Cloud Console:
But since the redirect is not working, I'm wondering if I need to set it somewhere else.

Turns out the problem was caused by the fact that I had completely filled out the custom attributes page when logging in via the Google identity provider, but not the Microsoft Account identity provider. So all Google cared about was authenticating me, and then tossing me back to my app.
Microsoft, OTOH, needed me to fill out all the required custom fields, so it sent me to the custom attribute page.
I had mistakenly assumed authentication always took me to the custom attribute page, but that's not the case.

Related

Azure Active Directory B2C with Azure Front door auth response uses wrong domain

We are using Azure Active Directory B2C in combination with Azure Front Door. When signing in with a username and password it works fine, but when signing in with a social provider it shows the wrong domain.
Before sign-in:
After sign-in with a social provider (loading before continuing to, in this case, localhost):
The difference here is that before the sign-in we have login.timchermin.com/login.timchermin.com and after we have login.timchermin.com/lokaalaybler.onmicrosoft.com. I would prefer the onmicrosoft.com to also be login.timchermin.com.
I tried putting https://login.timchermin.com/login.timchermin.com/oauth2/authresp in the Google Cloud app settings. But this will give the following error.
(How) Can I make it so that my authresp URL also includes the domain after the first /?
I am also using custom policies, if that makes a difference.
The domain login.timchermin.com is also set as the primary domain.
Please make sure that you have all redirect URLs registered properly in your social IdP. This is my configuration for the Facebook login. I also use Front Door with Azure AD B2C:
The redirect URL should follow this pattern when using a custom domain:
https://your-custom-domain/name-of-your-ad-b2c-tenant.onmicrosoft.com/oauth2/authresp

python3-saml and Azure AD - missing a point

Good afternoon experts,
I have a Django web application (it is not internet-facing) and so far I used the django.contrib.auth.backends.ModelBackend to authenticate the users.
However I want to integrate this webapp to an existing SSO solution (like Azure AD) so I thought python3-saml would be a good library to be used (more specifically I use python3-saml-django but it is just a wrapper around python3-saml).
Probably I am missing some fundamental point as I don't really understand how this should work.
When I used ModelBackend then I had a login form where the user could type their username+password which was checked against Django database and the authentication was completed. Should the same work with SSO too? i.e. the login form appears, the user will type their credentials but they will be checked in Azure AD instead of Django auth tables? Or the custom login form of that specific auth solution (in this case Azure AD -> Microsoft login form) should be displayed...?
The LOGIN_URL setting is configured in my Django app so if no user is logged in then automatically my login form appears.
Also I set the AUTHENTICATION_BACKENDS setting and it points only to django_saml.backends.SamlUserBackend.
I configured Azure AD (registered the app and added a user; I tested it in the Azure AD console) hopefully correctly. I also populated python3-saml's settings.json with the login/logout URL, etc.
Whenever I try to log in with the Azure AD user I get an auth error (the user and password did).
I am just wondering if somebody could please shed some light on how this should work? Can I debug the SAML requests / responses?
Auth is token-based in Azure AD, and it will redirect the user to the Microsoft login. You will receive an auth token which you can then use for authorization and providing secure pages.
First register your app in the Azure portal in Azure Active Directory and also create a user flow.
Then download MSAL for Python (using pip), which is used for auth against Azure AD from Python.
The basic architecture is that when the user tries to log in, the Microsoft login page will be shown; after signing in, your app will receive a token which you should then use to show the logged-in pages.
References:
quickstart for auth in python
userflow
MSAL Library

Azure AD B2C Social Signups Failing

I'm trying to get an ASP.NET Core 2.1 website to authenticate via Azure AD B2C. I've configured the Google and Microsoft Account signups in my tenant per the online instructions I found (e.g., this for Google).
But neither signup/signin option works. Links to them display on the default Azure AD B2C login page, but clicking the links triggers an error:
for Google, it causes a redirect_uri_mismatch error
for Microsoft Account, it returns a "we're experiencing technical difficulties" error page, which has persisted for more than 24 hours, so I doubt there's been any kind of outage
This is all occurring in a development environment, so I'm not using a publicly-registered domain (e.g., the reply uris all point back to localhost). Is that possibly the problem? If so, how do I set up the development environment correctly?
Additional Info
I solved the problem with the google identity provider.
But I'm still getting the same error with the Microsoft Account provider. However, I just noticed that there's an error message buried within the URL for the error page which doesn't get displayed on the page itself:
error=invalid_request&error_description=The+provided+value+for+the+input+parameter+'redirect_uri'+is+not+valid.+The+expected+value+is+'https://login.live.com/oauth20_desktop.srf'+or+a+URL+which+matches+the+redirect+URI+registered+for+this+client+application.
The first suggestion in the error message -- targeting login.live.com -- doesn't work. The Microsoft Application Portal complains about a domain mismatch.
But I don't see how to apply the second suggestion, because I don't know where the redirect_uri is generated by/stored in my web app (i.e., I defined the redirect uri in the Microsoft Application Portal, but I don't see a corresponding configuration parameter in my webapp).
Ensure that you are registering the same base reply URLs in your social providers that your application is calling from B2C.
For example:
If your app calls https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize then the reply URL in your social provider should be https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp
However, some app examples call https://contoso.b2clogin.com/te/contoso.onmicrosoft.com/oauth2/v2.0/authorize (notice the "te") so you therefore need to add a reply URL of https://contoso.b2clogin.com/te/contoso.onmicrosoft.com/oauth2/authresp
I generally add both.
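The answer above and the Front Door answer earlier on this page describe the same rule: the social IdP must have the B2C `/oauth2/authresp` endpoint registered, on whatever host (b2clogin.com or a custom domain) the app actually sends the user to, optionally with the `te` path prefix. The helper below is an added example, not code from either answer or from Microsoft; it derives the expected reply URLs from an authorize URL and reports which ones are missing from an IdP's registered list, which is a quick way to diagnose a redirect_uri_mismatch before touching the IdP console.

```python
from urllib.parse import urlsplit


def expected_authresp_urls(authorize_url):
    """Return the reply URLs a social IdP should have registered for a B2C
    tenant, derived from the authorize URL the app calls. Both the plain and
    the "te" variant are returned, since the answer recommends adding both."""
    parts = urlsplit(authorize_url)
    if parts.scheme != "https":
        raise ValueError("B2C reply URLs must use https")
    segments = [s for s in parts.path.split("/") if s]
    if segments and segments[0] == "te":
        segments = segments[1:]
    # The tenant segment is always <tenant>.onmicrosoft.com, even behind a
    # custom domain; a repeated custom host here (the mistake in the Front
    # Door question) is rejected rather than silently turned into a URL.
    if not segments or not segments[0].lower().endswith(".onmicrosoft.com"):
        raise ValueError("path must start with <tenant>.onmicrosoft.com")
    tenant = segments[0].lower()
    base = "https://" + parts.netloc.lower()
    return [
        f"{base}/{tenant}/oauth2/authresp",
        f"{base}/te/{tenant}/oauth2/authresp",
    ]


def missing_reply_urls(authorize_url, registered):
    """Compare the expected reply URLs against what is registered at the IdP
    (case-insensitive, ignoring a trailing slash) and return the gaps."""
    have = {r.strip().rstrip("/").lower() for r in registered}
    return [u for u in expected_authresp_urls(authorize_url)
            if u.lower() not in have]


if __name__ == "__main__":
    # Constructed sample: the IdP was registered with the app's own
    # signin-oidc callback, which is the wrong endpoint for a social IdP.
    app_authorize = ("https://contoso.b2clogin.com/contoso.onmicrosoft.com"
                     "/oauth2/v2.0/authorize?client_id=example")
    registered = ["https://localhost:44316/signin-oidc"]
    for url in missing_reply_urls(app_authorize, registered):
        print("missing at IdP:", url)
```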
Are you able to sign up with a local email account first? If not, this link
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-tutorials-web-app
would be helpful; it has a sample web app and the steps. Once you are able to sign up and authenticate, you can add identity providers such as Google, Microsoft, Facebook etc., and then you can edit the sign-up or sign-in policies and add the identity providers of Google, Microsoft etc.
I hope this helps, cheers!! Please let me know if you face any issues.
Suraj Revankar
Turns out the documentation I was following for setting up the MicrosoftAccount identity app was incorrect, or I was following the wrong instructions.
Basically, you need to redirect to
https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp
not
https://localhost:[port#]/signin-oidc
like the documentation I was originally following suggested.
Check out this question and answer for more details.

Checking a user exists in Azure Active Directory B2C

I am creating a new Azure AD B2C authenticated site to replace an older Forms Authenticated one. In the new site, I am asking the user to initially enter their email address so I can check if they exist in Azure B2C and send them to the appropriate sign-in page, and if not, send them to the older Forms Authenticated site.
The issue I have when following Microsoft's tutorials is that they show user management, but they all require you to have logged in with your Azure account first, and obviously this is not possible given the system I am trying to build. Is what I am doing even possible?
Thanks in advance!
MS tutorials: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-code-samples/
Sadly, it seems like this is not possible within the Azure B2C Preview.
From the limitations section (https://azure.microsoft.com/en-gb/documentation/articles/active-directory-b2c-limitations/) there is this paragraph which describes what I am trying to do:
Daemons / Server Side Applications
Applications that contain long running processes or that operate without the presence of a user also need a way to access secured resources, such as Web APIs. These applications can authenticate and get tokens using the application's identity (rather than a consumer's delegated identity) using the OAuth 2.0 client credentials flow. This flow is not yet available in Azure AD B2C preview - which is to say that applications can only get tokens after an interactive consumer sign-in flow has occurred.
So it seems like this is currently not possible. Hopefully it'll work once it comes out of preview.
Be careful with this; check that your site is not vulnerable to username enumeration:
http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html
With the old users going to forms based authentication, you could call the Graph API to create the users in the B2C directory:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/
Then the next time they can log in through B2C.

Azure ACS with WAAD as IdP gives WS-Federation protocol error if already signed in to another Microsoft account

My relying party application uses Windows Azure ACS for user authentication. I have ACS configured to use Windows Azure Active Directory (WAAD) as an identity provider. This is working for the most part, and users can sign into my application using identities I have provisioned for them in WAAD. However, the problem I have is that if a user is signed into another Microsoft account, and in the same browser instance tries to sign into my application, they get an ugly ACS error "ACS20012: The request is not a valid WS-Federation protocol message". For example, if I open Chrome and sign into the Windows Azure Management Portal using my Windows Live ID, and then open a new tab and try to sign into my custom app, I will get that error. If I open a new browser or clear my cookies I can sign in just fine.
Shouldn't I be able to sign into both apps in the same browser instance?
Nope.
This is like asking to be signed into two Google Accounts (or two Live IDs, or whatever two accounts) in the same browser instance (which actually might be possible using Chrome, but in the general case the answer is no). This is simply impossible today.
It is however ugly to see that error message on the ACS site. Have you configured an Error URL for your relying party application in ACS? Although this property is optional, I strongly advise customers to actually use it, and to properly handle requests to it. I haven't tried your particular scenario, but I assume ACS will redirect the user to the Error URL once you configure it, so you at least know what happens.
Please configure the Error URL for your relying party and let us know whether the user will be redirected to your site. You shall then be able to generate some proper error message.
UPDATE
If you say this only happens when you are logged in to the Azure management portal, then this (my speculation!) is almost the same as sign-in with WAAD. Since the GA of WAAD there have been some changes. If you follow the actual login flow with Fiddler, you will notice that sign-in to the management portal has a slightly different flow than sign-in to Hotmail, for instance. If you sign in to Hotmail, you are just redirected to login.live.com, you log in and head back to Hotmail.
Now if you inspect the traffic when navigating to manage.windowsazure.com you will notice that there is a first redirect to login.microsoftonline.com (this is WAAD handled!). Then there is a redirect to login.live.com (this is for your Live ID account). My speculation here is that WAAD from login.microsoftonline.com federates Live ID (login.live.com) for authentication. That's why you are actually logged in with WAAD, and that's why your app fails.
Please perform the following experiment to confirm whether I am wrong or not:
Delete all your browser's cookies
Go to Hotmail and login with your Live ID account
Now open new tab and open your custom application that federates WAAD via ACS
I suspect that now you will be able to login to your application.