We are trying to integrate Azure AD B2C into a SPA. We want to include Roles in the ticket so that we can use AuthorizeRoles & IsInRole in the api. We have looked at a couple of examples.
Example 1
Example 2
The first example isn't a SPA and doesn't include roles. It is accepted that including membership & groups in the ticket using Azure AD B2C isn't supported as per below link.
Azure AD B2C Group Membership Feature Feedback
The workaround as suggested above seems to be to use the "OnAuthorizationCodeReceived" event as per below to inject/add your own Role claims to the ticket.
Workaround
The issue we have is that we are using a SPA so we need to follow example 2, we also need to be able to add our own manged roles into the ticket which isn't a supported feature but Microsoft have said there is a workaround as shown. The workaround however doesn't work with MSAL.js as in example 2.
How can we include our own managed Roles into the ticket using the MSAL.js library so we can integrate Azure AD B2C into our SPA enabling us to use AuthorizeRoles & IsInRole in the api?
A few things first, you mentioned you are using the MSAL.js library and this means the v2 endpoint. Currently (as of 05/16/2018), the v2 endpoint has limitations on roles and groups, see v2 limitations where it states:
The v2.0 endpoint does not support issuing role or group claims in ID tokens.
ID tokens are used in the implicit flow with the v2 endpoint, see here Azure AD v2 Spa Guided Setup and read about half way down under More Information
Bottom line is to be absolutely sure the v2 endpoint (and MSAL libraries) can support your requirements.
For myself, we ended up going with the v1 endpoint and ADAL libraries in part because of limitations like this. But here are some examples of using roles in code. Note that these repos are fairly new and I'm still building out the documentation. There are two repos, one an stand alone angularjs ui project and another is a set of APIs (they are demos I used at a codecamp presentation). Read on below about roles in AAD. Only the UI example uses the ADAL libraries (note: the ADAL and MSAL libraries are about managing the tokens in the clients and are not the libraries used for locking down the back ends).
APIs: https://github.com/BgRva/aad_adal_api_dn_std/tree/Step_C
UI: https://github.com/BgRva/aad_adal_ui_ng_js/tree/Step_C
Some notes about Roles in AAD:
Roles are application specific, so in the examples above, the same
roles have to be registered for all the applications that will use
them (this includes the role Id as well)
You can give multiple roles to a user in AAD, you just need to add them multiple times to that application with a different role selected.
Manually adding users to roles will not scale and requires lots of clicks in the portal. It can be easier managed with groups but only at the AAD Premium Level 2 do you get this benefit
Supposedly there is a way to programmatically add roles but I have not found anything about it
Cheers
Related
I am looking into using Azure AD B2C to support external identity providers. It looks pretty simple to set up HRD and have the domain route to the correct provider (https://github.com/azure-ad-b2c/samples/tree/master/policies/home-realm-discovery-modern).
I'm getting confused if there is something within B2C or even within Azure that will support customers registering their own IDPs to our B2C tenant? Or it it's something I need to build myself. I may have 100s if not 1000s of customers using their own providers so I want to avoid manually upserting them.
I saw some companies had apps in the Azure App Gallery (ex: Dropbox, Salesforce, etc) that handled setting up SSO and registering an identity provider.
The Apps gallery is for Azure AD, not B2C.
You would have to do something yourself.
Given that it's just an XML file, you could have a config. file that contains the parameters and then write code that adds the technical profiles, adds the domain to the list as per the sample etc.
It would take into account that some are OIDC and some are SAML.
You would also have to add the client secrets etc.
This script from #JasSuri shows an example of how to do that.
I have a simple Azure App Service that exposes two REST endpoints. Is it possible to set up an authentication scheme so that each endpoint can only be accessed by a specific group of Azure AD users?
Endpoint A (HTTP/GET) <- Accessible by User Group A
Endpoint B (HTTP/POST) <- Accessible by User Group B
If not by configuration, is it possible to do this programmatically?
Thanks in advance.
The short answer: yes, that is possible.
The longer answer: this is not something that can be done with a single configuration setting or one line of code. The exact steps depend on the language you used to write the API.
In general, you need to add AAD authentication to the application. Make sure the token you're getting from AAD includes security groups in its claims. Then, add authorization based on the security groups in those claims.
For ASP.NET, here's are two great articles:
Quickstart: Protect an ASP.NET Core web API with the Microsoft identity platform
Add authorization using groups & group claims to an ASP.NET Core Web app that signs-in users with the Microsoft identity platform
Interesting links:
Microsoft Identity Platform
Microsoft Authentication Library (MSAL)
We have a scenario where in mobile app(Xamarin Forms IOS APP) logs into the Azure ADB2C and generate a JWT token if the user is a valid user(user is configured in Azure AD B2C). We have a requirement where in, we need to generate a token based on the role i.e. based on the role with which user logs in, we want to generate a token and that token we are trying to use it in subsequent Web API calls.
Articles which we found out on this particular scenario was having web application as a client where in some mechanism of secrets were explained. In the mobile app client scenario, its not possible to have a secrets.
Followed the below mentioned article, but couldn't get any concrete information also
https://codemilltech.com/adding-authentication-and-authorization-with-azure-ad-b2c/
Any pointers on this particular scenario would be very much helpful to us.
Thanks!
There is no out-of-the-box support for RBAC / Roles in Azure AD B2C. However there are a lot of samples in the official GitHub repository. For example the "Implementing Relying Party Role Based Access Control" by this method you can add the groups to JTW token and also prevent users from sign-in if they aren't members of one of predefined security groups.
I'm looking at the B2C API demos, and API documentation and I'm unable to determine the preferred method for managing authorization.
Azure AD supports assigning AD Users/Groups to apps, and also roles. Seemingly B2C doesn't support this. (I experimented by using AAD tasks against a B2C tenant. Hopefully I did it correctly)
Given that a singular B2C tenant will offer web sign in, and most likely API access as well, what is the benefit of creating more than one scope as exhibited in the TodoList:TodoListScope.
Can I conditionally add additional scopes? Using B2C or store it in the graph/application somewhere?
https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-2-B2C
Or more abstractly, how should I perform authorization to the many different APIs (and apps) when an id_token is exchanged for an access_token?
Perhaps API Management will give me ideas on how to perform RBAC or other permissioning. Added them as a tag as well
There is an RBAC Github sample here that requires you to use work accounts which are called "B2C Users" in the portal below.
Users created this way, can be added to groups located within Azure Active Directory (by script). Testing still in progress
We want to create a MVC web application using claims-based authentication, expecting roles as one of the claims. We want to Federate authentication providers using the Azure Access Control Service to manage this federation. One of the authentication providers is our Azure AD.
The problem is that Azure AD doesn't seem to be able to generate role (or even group) claims. What is the appropriate method to manage group or role access in Azure AD and have role claims served by Azure Access Control Service.
Thanks.
Edit:
A previous comment asked for details: We want to provide access to our cloud application to 3rd parties using their active directory (to simplify user management for them). Our application has a few levels of access to information that the 3rd parties can configure. We were hoping they could do this in their AD (based on our instructions). Groups seemed like the obvious choice, but if there is another way that works, as long as we can provide instructions, it'll work.
We want our application to get claims for a user's level of access. If we had only one partner that was using Azure AD, we could use the graph API against that endpoint, but with multiple partners changing over time, we wanted to federate them so our application only needs to trust the federation server. We were assuming that we needed Azure ACS to manage the federation.
AAD does support roles / groups and you can administer them from the Azure Portal.
Howeve, these are not passed in the "canned" set of claims.
You need to use the Graph API and then convert them e.g. Windows Azure Active Directory: Converting group memberships to role claims.
Update:
ACS requires something to federate with. You can't hook a customer AD up to ACS - you need something like ADFS on top of their AD.
I assume your cloud app. runs in Azure?
Then make your app. multi-tenanted. If your customers have their own Azure tenant, it will work. You just need to add the Graph API code to your app. ACS is not required.
Your customers then run DirSync. This keeps their Azure tenant in sync. with their AD changes.
So two options:
Customer does not have Azure tenant. They install ADFS and federate with AAD.
Customer's who do have Azure tenant use DirSync.
Good news: we have recently turned on the Application Roles and Groups Claim features in Azure AD.
Get a quick overview here: http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx
Deep dive post and video on app roles feature is here: http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/
Deep dive post and video on app roles feature is here: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/
Hope that helps.
Groups aren't the best choice because they are unique within each directory. Unless you get your customers to define a set of groups that have well-known names and match against the strings, that is (the object IDs of a group is different per directory even if they have the same name). I'm actually from the Azure AD team and we are seriously considering releasing a feature to allow you to define roles in your app that your customers can assign their users to. Please stay tuned on this. In the meantime, unfortunately groups are the only way to go. You would have to call "GetMemberGroups" using the Graph to retrieve the groups that the user is assigned to.
What are your timelines for releasing this application? You can contact me directly to see if we can work with your scenario.