Authenticating a user in Azure AD through a web api? - azure

I'm working on integrating Azure AD authentication with various apps on different platforms.
Is there a way to get an authentication token id from a user logging in through a web api like 'azureadlogin.com/login?user=ted&password=passwordhash'
There seems to be ways of doing it through node or javascript or C# apps but I'd really like to just have a simple web request way of doing it as there are many different apps on different platforms that need to make use of this feature.

No.
There is a way to authenticate with username + password by doing a POST request and using Resource Owner Password Credentials flow, but I don't recommend it.
ROPC will not work if:
User's password has expired
User is MS account/federated from on-prem AD
User has multi-factor authentication enabled
You have a wide selection of authentication flows which work in all these scenarios too, and don't involve the user giving their password to you.
For example:
Authorization code flow
Implicit grant flow
Device authentication flow

You can use username/password authentication. But if your app has user interface, so it could popup the regular Azure AD login page, I would recommend not to use it. A major reason for using Azure AD (or other identity providers) is that the user doesn't want your app to know his password.
There's a sample which does what you want. The code in question is here.
The sample uses .NET and the ADAL.net library, but you can do similar stuff on other platforms.

Related

Can we use client credentials flow on regular Azure users?

We would like to use Azure client credentials flow to do authentication for our service accounts. The thing is our service accounts are just regular users in Azure AD. They are not registered apps. The way our company sets up Azure makes it very heavy to register apps, so we would like to avoid it. So the question is, can we use client credentials flow for regular users in Azure? We need this as in our CI/CD we cannot popup a browser and let users do device-based authentication. We need the user to be able to authenticate in an automated way.
You can't use client credentials flow where an Azure AD user is involved in the authentication flow.
Micrsofot Documentation - client credentials flow
This type of grant is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user.
But you can use one of the following supported authentication flow where a user is involved;
Micrsofot Documentation - authorization code flow
Micrsofot Documentation - implicit grant flow
Micrsofot Documentation - device authorization grant flow
Device authorization grant flow might work in your case?

Is it possible to redirect authenticated Azure AD users (by ROPC) to Microsoft Teams?

I have been working on the development of a portal for a long time and one of the important modules of this portal is that it can login to 3rd party systems without asking username/password. It can be called a simple SSO.
At this point, I am trying to do this for Microsoft Teams :) I have user management authority in Azure AD, so I developed it with the ROPC user flow. I successefully get token, but I could not find any document on how to redirect the user to Microsoft Teams page. Is it possible to do this or not?
Thank you in advance for your help.
ROPC only supports a sign in flow. ROPC flow using on other flows(Microsoft teams) there won't be Single sign on, you will be just using the token endpoint. We would recommend you to use other flows if there are any specific requirements with the teams use Microsoft Graph API. And W.r.t Native app SSO using ROPC will not exhibit SSO across apps. Native App SSO using MSAL or any library that can allow cookie sharing across Apps will support SSO.
Microsoft recommends you do not use the ROPC flow. In most scenarios,
more secure alternatives are available and recommended. This flow
requires a very high degree of trust in the application, and carries
risks which are not present in other flows. You should only use this
flow when other more secure flows can't be used.
ROPC involves a user credentials while client creds are application credentials. More damage can be done if a user identity get stolen. app identity gets stolen you can't easily exploit it the same way as a user.
Please refer this doc if you are looking to Develop SSO Microsoft teams tab

Using Header Variables for User Authentication

I am not sure if I am asking this question correctly or not, but if a user is authenticated through MS Azure, can Azure send the identity of the user to another system through HTTP header variable?
If so, what if the HTTP server on the other system is Apache based and not IIS. Is it still possible? If yes, how is it done?
Thanks
The closest option available in the Azure AD offerings is Header based SSO.
Header-based single sign-on works for applications that use HTTP
headers for authentication. This sign-on method uses a third-party
authentication service called PingAccess. A user only needs to
authenticate to Azure AD.
If you could expand your question a bit more, maybe we can help with a better answer
So the flow as I understand is like follows..
Salesforce redirects the user to Azure AD
Azure AD authenticates the user (uses SAML) and sends the SAML token back to salesForce
The user who signed in to SalesForce now redirects to a Siebel App?
The expectation is that the user would not have to authenticate again for Siebel?
The quick answer is that Azure AD will authenticate the user using header-based, SAML or OpenID only if the Siebel app is registered with Azure AD.
Without registration, Azure AD has no knowledge about this app (Siebel) and wont deal with it.
During registration, Siebel developers can choose if they want to use SAML, header based or OpenId for authentication and Azure AD will automatically Single sign-on an already signed in user (like in this example the user has already signed-in to SalesForce) to Siebel and wont prompt the user for credentials.

How can I authenticate a windows app with AAD B2C without the B2C login pages?

I have an mvc app that provides both a website and a webapi. I'm happily authenticating users of the website. Now I need to allow a windows app to call the web api methods directly. I don't want the windows app to redirect to a login page. I need the windows app to hold either a secret key or a username/password. That way it can authenticate itself automatically.
I'm concerned that it seems b2c cannot handle client credential flow - which I think I want. Is there a way to silently provide the username and password to B2C?
Azure AD B2C does not implement client credentials or ROPC flows of OAuth2. But ROPC is on Azure AD B2C roadmap.
In your case, if you have multiple users using the Windows Application, then you need ROPC because the token retrieved using that mechanism has user context (achieved via user authentication).
Using client_credentials flow means that your Windows Application needs to keep the secret and will authenticate as application only, without any user context. This is ok for daemon and background processes running in a protected environment, but not for apps that you expect to be used by users.
At this point, your best option will be to redirect to Azure AD B2C login pages. Although it is not the same as native experience, the advantages here are that if as you add more options (e.g. MFA, string and language customization, new login options in the future), your client application will not need to be changed, and all your UIs will get those features.

Single Sign on - Multiple application azure AD B2C

I am trying to have two applications(app1 and app2) in Azure
AD B2C, which is configured for Web api and another application that is configured for mobile app.
I need my mobile app to talk to app1, get the access token, using the app1's application-id and scope. Then use the access token got from app1 to communicate with app2. I enabled SSO in tenant level in the policies but it still says "Authorization denied" for the access token provided.
How can I reuse the access token got from one application to be used in another application.
We have been trying to get through this limitation (or function as designed for security) of B2C AD from weeks.
However, Microsoft does not support it.
We did not want to display MS login page to mobile user on mobile login screen (UX gets compromised). But MS says there is no way possible to avoid it. See response from MS on support ticket.
For more information: Azure AD B2C: Requesting access tokens
You will also benefit reading authentication scenarios supported. We are after something similar to this what they call "Daemon or Server Application to Web API".
In this diagram, Server Application = to mobile application in our case. However you will notice that in this scenario it is assumed that the user is already authenticated (via interactive flow).
We tried to act smart, thinking we can write a Auth web API which mobile will hit to obtain token and then pass this token to our business logic API (secured by B2C AD). We obtained access and refresh token somehow, however the test web app (mobile app) when pass this access token to our business logic API, it fails to validate the token. B2C AD comes fighting for it. Our analysis is not yet complete.
However, I am certain what we are trying to accomplish is not supported in B2C AD.
Hope this helps (I would actually advise you to look for other solution). I will be happy if someone can suggest a way to solve this obvious business problem.

Resources