Retrieve/create Azure AD session using Access/ID tokens - azure

Is it possible to establish an Azure AD SSO session (with all required cookies) having only Access/ID tokens obtained using the ADAL library?
Our scenario is quite similar to the one described here:
We have a Cordova app with the ADAL library as a plugin. We managed to authenticate users and get Access/ID tokens using ADAL. Then we initiate SAML SSO between Azure AD and our backend. It works fine the first time the user authenticates using ADAL, since it pops up the Microsoft login screen and, after successful authentication, establishes a session with Azure AD. But when the user logs out our app clears all cookies, and the next time ADAL gets tokens from the cache and does not show the login screen, which is OK. The problem is that SAML SSO does not work after that, since the session is gone (no cookies).
I know that ADAL is not quite designed to work with SAML, but maybe there are some dirty or not-so-dirty workarounds to establish a session with Azure AD having only access or ID tokens?

No, it is not possible.
To get the session cookies, the user must log in themselves.
You can assist the user in logging in to the right account by specifying their AAD tenant id in the authority URI (instead of common), and by specifying login_hint=username@company.com with their user principal name in the authorization call as an extra query parameter.
They should then only need to enter their password (+ MFA etc.).
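The two hints in the answer above (tenant-specific authority, login_hint) can be derived from the ID token ADAL already has in its cache. The following is an added example, not code from the original post or from ADAL; the sample token is constructed and unsigned, and clientId, redirectUri, state and nonce are caller-supplied placeholders. Reading claims this way is only for choosing where to send the user; it performs no validation and must never drive an access decision.

```javascript
// Added example (not from the original post or from ADAL): derive the
// tenant-specific authority and a login_hint from a cached ID token and
// build the next /authorize request with them.

const b64url = (s) => Buffer.from(s).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Decode the payload segment only. No signature check: these claims are
// used purely as routing hints for the next sign-in.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length < 2) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Constructed sample standing in for the ID token ADAL returned from cache.
const SAMPLE_TID = '11111111-2222-3333-4444-555555555555';
const SAMPLE_ID_TOKEN = [
  b64url(JSON.stringify({ alg: 'none', typ: 'JWT' })),
  b64url(JSON.stringify({ tid: SAMPLE_TID, upn: 'username@company.com', iat: 1700000000 })),
  '',
].join('.');

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// clientId, redirectUri, state and nonce are placeholders supplied by the caller.
function buildAuthorizeUrl(idToken, { clientId, redirectUri, state, nonce }) {
  const claims = decodeJwtPayload(idToken);
  if (!GUID_RE.test(claims.tid || '')) throw new Error('tid claim missing or malformed');
  // upn is present for tenant users; preferred_username/email cover guests.
  const hint = claims.upn || claims.preferred_username || claims.email;
  if (!hint) throw new Error('no claim usable as login_hint');
  // Tenant-specific authority instead of /common, so no account picker is shown.
  const url = new URL(`https://login.microsoftonline.com/${claims.tid}/oauth2/authorize`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('response_type', 'id_token');
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('login_hint', hint);
  url.searchParams.set('state', state);
  url.searchParams.set('nonce', nonce);
  return url.toString();
}
```

The user still has to complete the interactive request (password and MFA); the hints only remove the account-selection step. Keep state and nonce random per request and check them on the response.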

Related

Validate username/password from Azure Active Directory

The current authorization is implemented as follows:
The Single Page Application (SPA), developed in React.js, posts the username/password from the Login page to the Web API and waits for the authentication token.
The Web API doesn't implement a standard identity provider; the username/password is validated against LDAP. If the user is valid it creates an encrypted authentication token, saves it in the database, and returns it to the SPA.
Once the SPA gets the token it moves to the home page and makes all further calls using the authentication token.
The Web API validates the token first for each call; if it is valid it proceeds, otherwise it rejects the request as unauthorized.
All this is working fine, but now we have got a requirement where we have to use Azure Active Directory along with LDAP. Is there any way that the Web API can validate the username/password against AAD and, if valid, create the same token as it does now and return it to the SPA?
Please help me in this scenario.
Thanks.
You have 3 solutions.
OAuth Resource Owner Password Credentials - This solution comes with a lot of limitations, like no support for MFA, and no support for authenticator apps.
Azure Active Directory Domain Services (pretty much a managed Active Directory that is a mirror of your Azure AD, and supports LDAP).
The correct solution: using OpenID Connect/SAML/OAuth2.

Azure B2C: Log reasons tokens are invalidated

My application uses Azure B2C to authenticate users (custom policies). Some users are often (sometimes several times a day) asked to re-authenticate when navigating the website (built with React). But some are not, and never have to re-authenticate (the refresh token mechanism is working as expected). Token management is done using the Microsoft MSAL library without any fancy customization.
My question is: how can I log/know (probably directly in the Azure B2C portal) the reasons why B2C invalidates the tokens in the first place? Is there such a feature in the Azure portal?
In JS apps, the refresh token lifetime is fixed at 24hrs.
The AAD B2C web app session cookie (the fallback after the RT expires) has a maximum length of 24hrs.
AAD B2C doesn't invalidate refresh tokens; they can only expire. Refresh tokens are only invalidated if your application/service explicitly calls the refresh token revocation Graph API endpoint.
In your case, it is extremely likely that users are using the app more than 24hrs after last logging in.
You can offer a Keep-Me-Signed-In option so users can have a long-lived session cookie.
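Since the portal does not log a per-token "reason", the practical way to confirm the 24h explanation in the answer above is to record, on the client, how long ago the user authenticated whenever a silent renewal fails. The following is an added example, not code from the original answer or from MSAL; its inputs are what an MSAL.js SPA already holds (the ID token claims MSAL keeps on the signed-in account as account.idTokenClaims, and the error thrown by acquireTokenSilent), the 24h figures are the ones the answer states, and the function names are this example's own.

```javascript
// Added example (not from the original answer or from MSAL): classify a
// failed silent renewal in a B2C SPA from data the client already has.

const RT_LIFETIME_HOURS = 24;    // refresh token lifetime for JS apps (per the answer)
const SESSION_MAX_HOURS = 24;    // web session cookie maximum (per the answer)

// OIDC error codes meaning "silent renewal cannot proceed, the user must interact".
const INTERACTION_CODES = new Set(['interaction_required', 'login_required', 'consent_required']);

// idTokenClaims: decoded claims MSAL exposes on the account object.
// err: the error object thrown by acquireTokenSilent (errorCode, errorMessage).
function explainRenewalFailure(idTokenClaims, err, nowSeconds = Math.floor(Date.now() / 1000)) {
  // auth_time is when the user last authenticated interactively; fall back to iat.
  const anchor = idTokenClaims?.auth_time ?? idTokenClaims?.iat;
  const errorCode = err?.errorCode ?? 'none';
  if (typeof anchor !== 'number') {
    return { reason: 'unknown', errorCode, hoursSinceLogin: null,
             detail: 'claims carry neither auth_time nor iat' };
  }
  const hours = (nowSeconds - anchor) / 3600;
  const base = { errorCode, hoursSinceLogin: Math.round(hours * 10) / 10 };
  if (hours >= Math.min(RT_LIFETIME_HOURS, SESSION_MAX_HOURS)) {
    return { ...base, reason: 'expired',
             detail: 'refresh token and web session are both past their 24h maximum; an interactive sign-in is expected' };
  }
  if (INTERACTION_CODES.has(errorCode)) {
    return { ...base, reason: 'interaction_required_early',
             detail: 'interaction demanded inside the 24h window, so expiry is not the cause; record it and look for a sign-out in another tab or cleared browser storage' };
  }
  return { ...base, reason: 'transient',
           detail: err?.errorMessage ?? 'no interaction required; retry the silent call' };
}

// Where it plugs in (browser side, shown for context):
//   try { await msalInstance.acquireTokenSilent(request); }
//   catch (e) { console.warn(explainRenewalFailure(account.idTokenClaims, e)); /* then acquireTokenRedirect */ }
```

Ship the returned record to whatever telemetry the SPA already uses; a population of "expired" records with hoursSinceLogin just above 24 confirms the answer's explanation, while "interaction_required_early" records are the ones worth investigating.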

How to renew azure AD token from client side after expiration

I am using the vue-adal library in my VueJS application to connect to Azure AD.
The AD token is valid for 1hr after login.
When my token expires I am unable to renew it from the client side.
Is there any way to renew the token from the client side using VueJS, or
any other alternate approach that can be used for this scenario?
Thanks,
Gowtham
Since you are using the implicit flow, Azure AD will not return a refresh token in the implicit flow for you to refresh the token. As per this documentation, here is the recommended approach:
A JavaScript application has another mechanism at its disposal for renewing access tokens without repeatedly prompting the user for credentials. The application can use a hidden iframe to perform new token requests against the authorization endpoint of Azure AD: as long as the browser still has an active session (read: has a session cookie) against the Azure AD domain, the authentication request can successfully occur without any need for user interaction.

Best way to create user login in mobile app with azure

I'm creating a Xamarin.Forms mobile app with Azure. I have enabled Authentication/Authorization in Azure to protect the APIs in the backend.
What I need is to ask the user to log in with Facebook or Google, get some information about the user such as name, email, etc., and then save this data in a table as user information. I'd like to ask the user just once to log in and get the data; I don't need to keep the token provided by Facebook, for example, and refresh it all the time (which I read is not supported by Facebook), but I also need to keep the user logged in with secure access to the backend APIs. I am new to this and completely confused about using Azure AD, Facebook, etc.
What is the best way to do that? I have followed this tutorial and am now able to log in with Facebook.
Maybe what you are looking for is Azure AD B2C (Business to Customer), which will provide facilities to allow your customers to create an account for your app, but also log in with Facebook (see here) or Google (see here).
Since Azure AD B2C implements OAuth2, integrating it into a Xamarin.Forms app by means of Xamarin.Auth should be possible (see here). Once you have acquired the OAuth2 token, you can include it in the Authorization header of your HTTP requests with the Bearer type (see here):
Authorization: Bearer <token>
On the server side you can then validate the token. I have not used Xamarin.Auth with JSON Web Tokens (JWT), but maybe you'll be able to retrieve a JWT with Xamarin.Auth, which you'll be able to validate yourself. Otherwise, if Xamarin.Auth is restricted to access tokens, you might have to contact the authentication server to verify the token. If the token is verified successfully, you can grant the user access; otherwise, answer with a 401.

passport-azure-ad, validation of tokens

This question is related to
passport-azure-ad, does it parse & validate token?
I've tried to master using the passport-azure-ad module. I successfully log in my user with OpenID Connect, pick up the access_token and use it directly against my REST APIs, which are secured by:
    app.get('myapi', passport.authenticate('oauth-bearer', { failureRedirect: '/' }),
      function (req, res) {});
However, if I try to log out from the session created by OpenID Connect, the token is still valid until it expires (typically 3600 seconds).
I'm using the access_token to secure my endpoint, which is not hosted behind an API gateway at Microsoft, so I guess revocation of the access_token is not straightforward.
Is there any way I can check if the access_token is revoked using passport-azure-ad? What is the best practice?
According to the description in the Azure documentation:
While directing the user to the end_session_endpoint will clear some of the user's single sign-on state with Azure AD B2C, it will not sign the user out of the user's social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they will be reauthenticated, without entering their credentials. If a user wants to sign out of your B2C application, it does not necessarily mean they want to sign out of their Facebook account entirely. However, in the case of local accounts, the user's session will be ended properly.
So you can directly use the end_session_endpoint. You can find it in the metadata document for the b2c_1_sign_in policy, e.g.:
https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=b2c_1_sign_in
If you are using a common Azure AD application in v1, you can also find the end_session_endpoint in the metadata document at, e.g.:
https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/.well-known/openid-configuration
You can refer to Azure Active Directory B2C: Web sign-in with OpenID Connect for more info.
Any further concern, please feel free to let me know.
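Wiring the end_session_endpoint into a sign-out route, as an added example that is not code from the original answer or from passport-azure-ad. SAMPLE_METADATA is a constructed excerpt with only the fields this code reads; a real app fetches the full document from the metadata URL the answer gives and caches it. The post-logout redirect URI is a placeholder and must be registered on the app.

```javascript
// Added example (not from the original answer or from passport-azure-ad):
// resolve end_session_endpoint from OpenID metadata and build the sign-out redirect.

// Constructed excerpt of the metadata document (only the fields used here).
const SAMPLE_METADATA = {
  issuer: 'https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/',
  end_session_endpoint: 'https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/oauth2/v2.0/logout?p=b2c_1_sign_in',
};

function buildSignOutUrl(metadata, { postLogoutRedirectUri, idTokenHint, state } = {}) {
  const endpoint = metadata && metadata.end_session_endpoint;
  if (typeof endpoint !== 'string') throw new Error('metadata has no end_session_endpoint');
  // URL keeps any query the endpoint already carries (B2C's ?p=<policy>) while we append ours.
  const url = new URL(endpoint);
  if (url.protocol !== 'https:') throw new Error('end_session_endpoint must be https');
  if (postLogoutRedirectUri) url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  if (idTokenHint) url.searchParams.set('id_token_hint', idTokenHint);
  if (state) url.searchParams.set('state', state);
  return url.toString();
}

// Express-style handler: drop the local passport session first, then send the
// browser to Azure AD so its SSO state is cleared too. Note that an access
// token the client already holds stays valid until its exp; this does not recall it.
function signOutHandler(metadata, opts) {
  return function (req, res) {
    const finish = () => res.redirect(buildSignOutUrl(metadata, opts));
    if (req.session && typeof req.session.destroy === 'function') req.session.destroy(finish);
    else finish();
  };
}

// Usage (placeholders): app.get('/logout', signOutHandler(metadata, { postLogoutRedirectUri: 'https://app.example/' }));
```
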
