Can we control the requesting permissions for the GitHub IDP in B2C?
I've configured my B2C tenant to allow sign-in's from GitHub but I'm concerned about the requesting permissions of Full Access❗
This application will be able to read and write all user data.
Sample app: https://angular-6-b2c.azurewebsites.net/
No, we can't control this 😤
I did find this info on GitHub docs: Understanding scopes for OAuth Apps
If I manually change the scope to user:email in the sign-in request URL, I get:
Source: Request Link
There are no options to control this parameter:
UserVoice item: Reduce GitHub Account Permissions | No Write Access
Related
I have one application integrated with Azure B2C directory. Our problem is, login page is redirecting to Azure B2C portal (Own custom page) for authenticate or Authorize users and then revert back to the original website.
I need to open popup with my own website login design and at the backend, I am able to call Azure B2C REST api to validate users.
How I can create REST API for Login in Azure B2C portal?
Let me know if you have any information about the same.
As juunas said in the comment, you could use resource owner password credentials(ROPC) flow to validate users at the backend. You could call the API with the POST request at the end. Note: ROPC supports local accounts only.
Try to create resource owner user flow first.
You need to replace the username and password with the user's to be verified.
POST https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/B2C_1A_<ROPC_Auth name of the flow>/oauth2/v2.0/token
username=<username>
&password=<password>
&grant_type=password
&scope=openid <application-id> offline_access
&client_id=<application-id>
&response_type=token+id_token
I have a c# service, the service is running somewhere in the azure cloud without an user interface. some specific events should trigger new messages to a team channel.
According to this documentation, the Create Message https://learn.microsoft.com/en-us/graph/api/channel-post-messages?view=graph-rest-1.0&tabs=http is only supported by delegated account, not by the application tokens.
How can i create a delegated token for my service application without specific user account and without a login interface in the cloud?
Which Authentication Provider is the right one? https://learn.microsoft.com/en-us/graph/sdks/choose-authentication-providers?context=graph%2Fapi%2F1.0&view=graph-rest-1.0&tabs=CS
As you mentioned in the question : chatMessage , supports only the Delegated Permission type.
What exactly is Delegated Permission Type?
A permission which specify scope-based access using delegated authorization from the signed-in.
The reason on the emphasis of the above point is being that - for Delegated permission we would need the context of a user account
Coming back to your questions :
How can i create a delegated token for my service application without specific user account
You can obtain a token without a specific user account but this will not help your cause.In order to overcome this, I would suggest a creation of service account - this account has permission over the teams.Part 2 of this questions suggests which provider can help without the login prompt.
The steps include :
Register your app.
Configure permissions for Microsoft Graph on your app.
Get administrator consent.
Get an access token.
Use the access token to call Microsoft Graph.
Detailing of the steps is included in the article here : https://learn.microsoft.com/en-us/graph/auth-v2-service
without a login interface in the cloud
Now you could use the below option :
Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials
In this provider, you will be passing the creds of the service account.
POST {tenant}/oauth2/v2.0/token
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=<YOUR CLIENT ID>
&scope=user.read%20openid%20profile%20offline_access
&username=<YOUR USERNAME>
&password=<YOUR PASSWORD>
&grant_type=password
You can generate the token for your service account by above request and application can consume the chatMessage API.
i am currently implementing a "System-of-Systems" authentication architecture in Azure Active Directory B2C (AAD B2C). In these scenario there is an initial SSO application that redirects the user to a general dashboard. The dashboard should enable the user to use additional services (service applications). (For example a tile view)
To use these additional services, the user must grant explicit permission for each external service. With this delegated permissions, the user authorizes the service to access certain data (for example, IoT data or personal data).
These AAD B2C application is characterized in this scenario by a client and backend application (api) (for each service). The client application contains scopes (delegated permissions) from the backend application, which are stored as a JWT validation - Policy in each Azure API Management endpoint.
Authentication against these assigned backend scopes already works with the Microsoft Login Provider (Identity Provider), but not with the local Identity Provider (for E-Mail).
Here: My Scenario
I changed the access level from Admin to User in the application manifest: (Here)
Microsoft Access Panel (works here)
My Problem the Local Idenitity Access Panel for users (that doesn't works) -> should look like this: Microsoft Docs (consent dialog)
For the following request:
https://[tenant].b2clogin.com/[tenant].onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_SignUpAndSignIn&client_id=xxxxx-xxx-xxxxxx&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid https://[tenant].onmicrosoft.com/backend/Backend.Read&response_type=id_token token&prompt=login
... I always get the following error message:
AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.
The approval framework is not displayed for the user, therefore the request is rejected by insufficient permissions.
Do you know how to solve this problem? Are there any walkarounds or configuration options?
Thank u & Best regards
You missed some scopes of your application. Navigate to Applications (Legacy) -> API access, the scope need to add all scopes that you select.
The scopes that you defined are in Published scopes, you could add Full Scope Value in the URL.
This is my URL, and it works well:
https://[tenant].b2clogin.com/[tenant].onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_SignupSignin&client_id=xxxx&nonce=defaultNonce&redirect_uri=https://jwt.ms&scope=openid offline_access https://[tenant].onmicrosoft.com/api/demo.write https://[tenant].onmicrosoft.com/api/demo.read https://[tenant].onmicrosoft.com/api/user_impersonation
&response_type=id_token token&prompt=login
For more details, you could see a tutorial and implicit flow.
I am trying out the sample code on GitHub called active-directory-b2c-dotnet-webapp-and-webapi and when I run it against the AD B2C directory in the sample it works fine but I'm having an issue trying it out against my own AD B2C directory. I get the following error:
The application with ID 'xxx' cannot get an ID token either because the openid scope was not requested or the application is not authorized for it
Isn't the openid scope included automatically? I setup a Web App and a Web API app as per the instructions provided. When I look at the scopes that the Web App has access to, the openid scope is not listed there. Is this something I need to add manually?
When we change the API permission for an app, the openid permission gets overwritten. We can re-enable it if this happens. The option will be available at API Permissions blade under https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade.
Open the API Permissions at the above link, Add a Permission, Select Microsoft Graph --> Select Openid and save. There you are! :)
In addition to the openID step outlined above, also do the below:
Go to the API access under the Application in B2C for the app in question and add a permission against this same app saying "access this app on behalf of the signed in user".
No other steps needed.
I found the issue was with app registrations > API Permissions. When adding permissions in the Request API permissions screen, make sure you select "Delegated permissions: Your application needs to access the API as the signed-in user."
If you selected the other option, then recreate your configuration and try again.
openid scope is not included automatically. It should be present by default in the sample, but if it was removed, then the request will fail.
I am using Azure v2.0 for user authentication. The access token that I receive is used to fetch onenote content using microsoft graph api. And I do store refresh token at my end to access content on behalf of user at any time. Now user opt's out of my system I want to revoke the permissions given by user to my app.
How I can revoke the access without depending on user for that. User may not manually go and revoke the permissions. Is there any api provided for same purpose.
Is there any api provided by Azurev2.0 for the same
Sorry for the delayed response here. Unfortunately we don't have a specific revocation API. And while this is theoretically possible through existing APIs, where the oauth2Permission resource type holds the consent grant (see https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/oauth2permissiongrant_delete), your app will need to be granted a privileged permission to perform this action. Contrary to the linked topic, I don't believe that the Directory.ReadWrite.All application permissions actually allows this operation.
Please create a UserVoice request to ask for this API.
Hope this helps,