Differentiate between SAML verified and other apps on Okta API - get

How can I differentiate between SAML verified and other apps on the Okta API? Is it possible to achieve this via a filter, or do we have to do some offline processing on the responses of all apps received?
I am trying to achieve the above query using a GET request in Postman.

There is no standard filter provided by Okta.
You can get all app responses from Okta, then filter apps from the received JSON array with signOnMode as SAML_2_0.
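
The client-side filtering described in the answer, as an added example that is not part of the original post. It goes one step beyond the answer by following the `Link: ...; rel="next"` pagination header so that no page of apps is missed; the org URL, app ids and labels are constructed, and `getPage` is a hypothetical stand-in for the authenticated HTTP GET.

```javascript
// Constructed stand-in for two pages of GET /api/v1/apps (not real Okta output).
// The org URL, ids and labels are made up for this example.
const BASE = "https://example.okta.com/api/v1/apps?limit=2";
const PAGES = {
  [BASE]: {
    link: `<${BASE}>; rel="self", <${BASE}&after=0oa2>; rel="next"`,
    body: [
      { id: "0oa1", label: "Payroll", status: "ACTIVE", signOnMode: "SAML_2_0" },
      { id: "0oa2", label: "Wiki", status: "ACTIVE", signOnMode: "OPENID_CONNECT" },
    ],
  },
  [`${BASE}&after=0oa2`]: {
    link: `<${BASE}&after=0oa2>; rel="self"`,
    body: [
      { id: "0oa3", label: "Legacy CRM", status: "INACTIVE", signOnMode: "SAML_2_0" },
      { id: "0oa4", label: "Intranet", status: "ACTIVE", signOnMode: "BOOKMARK" },
    ],
  },
};

// Return the rel="next" URL from a Link header, or null on the last page.
function nextLink(linkHeader) {
  const m = /<([^>]+)>\s*;\s*rel="next"/.exec(linkHeader || "");
  return m ? m[1] : null;
}

// Follow pagination to the end, then split apps by signOnMode.
// getPage(url) must return { link, body }; against a live org it would be an
// authenticated HTTP GET, here it reads the constructed PAGES map.
function splitBySignOnMode(firstUrl, getPage) {
  const saml = [], other = [], seen = new Set();
  let url = firstUrl;
  while (url && !seen.has(url)) {
    seen.add(url); // guard against a Link header that loops back
    const page = getPage(url);
    for (const app of page.body) {
      (app.signOnMode === "SAML_2_0" ? saml : other).push(app);
    }
    url = nextLink(page.link);
  }
  return { saml, other };
}

const apps = splitBySignOnMode(BASE, (url) => PAGES[url]);
console.log("SAML 2.0:", apps.saml.map((a) => a.label));
console.log("Other:", apps.other.map((a) => `${a.label} (${a.signOnMode})`));
```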

Related

What is the URL length limit for OneLogin REST API endpoints?

I'm using OneLogin's Java SDK/Client to retrieve Events, Users, Groups and User Roles data.
I'm wondering if there is a URL length limit because the REST API endpoints to get data are invoked using HTTP GET method.
I don't think you're going to have problems with the queries you build.
OneLogin supports SAML, and the SAML Messages length is kinda big.

express.js application authenticating to multiple apis

I am trying to create an application with the following requirements.
Login page for the entire application that authenticates against AD (currently using passport-activedirectory)
This also needs to authenticate against a Jira API for the user to create tickets through my application. Should this be done at initial auth or once the route is hit to send the request to Jira?
It's possible that other APIs will need to be authenticated against.
I'm trying to figure out the best way/standard way to do this so the user will only have to authenticate through my web application once.
Any direction is appreciated.
Thanks

Can two Azure web applications use the same token for authentication?

I've got a SPA application and an associated API from which it gets its data. (Aurelia and Nodejs)
I have recently worked out the Authentication on the SPA so that it uses MSAL to authenticate users against our company's AAD and is able to retrieve a token that the app can then use to access the MS Graph as well.
However, I also want my API to authenticate against the AAD. What I'd like is for the API to be able to accept the token from the SPA client.
While I am able to send the token from the client to the API (Authorization: 'Bearer'...) I'm not sure what to do with it on the server side to then verify with the identity provider that the token is valid.
For the most part, I don't want the API to have UI concerns (i.e. an authentication/login screen). It should simply reject any requests that do not carry the correct token.
I hope to eventually have both client and server apps being hosted as App Services on Azure, but for the time being they are hosted internally. I think there is a way to ensure the solution works regardless of where the apps are hosted.
Thanks for your help!
I am not sure I understand the relationship between the title and the body of the question: I will answer the body :)
In https://azure.microsoft.com/en-us/resources/samples/active-directory-b2c-javascript-msal-singlepageapp/ you can see an example of web API token validation in Node JS. The service side logic just needs to be adjusted to point to the Azure AD tenant you are using.
The above will work regardless of where the API is hosted, given that the parameters being validated are all about logical identifiers.
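
The server-side checks such validation consists of (pinned algorithm, signature, issuer, audience, expiry), as an added example that is not code from the linked sample or from the posts above. The tenant id, the audience `api://example-api` and the `kid` are placeholders, the issuer format is an assumption to be replaced with your tenant's value, and the locally generated RSA key stands in for the tenant's published signing key so the block runs offline.

```javascript
const crypto = require("node:crypto");

// Constructed values: placeholder tenant and audience; the locally generated key
// pair stands in for a signing key that a real API would load from its tenant.
const TENANT = "00000000-0000-0000-0000-000000000000";
const EXPECTED = { iss: `https://sts.windows.net/${TENANT}/`, aud: "api://example-api" };
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const KEYS = new Map([["kid-1", publicKey]]);

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const dec = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Test helper: mint an RS256-signed token with the stand-in private key.
function mint(claims, header = { alg: "RS256", typ: "JWT", kid: "kid-1" }) {
  const input = `${enc(header)}.${enc(claims)}`;
  const sig = crypto.sign("sha256", Buffer.from(input), privateKey);
  return `${input}.${sig.toString("base64url")}`;
}

// Return the claims if the token is acceptable for this API, otherwise throw.
function validate(token, keys, expected, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const header = dec(parts[0]);
  if (header.alg !== "RS256") throw new Error("unexpected alg"); // pin the algorithm
  const key = keys.get(header.kid);
  if (!key) throw new Error("unknown signing key");
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify("sha256", signed, key, Buffer.from(parts[2], "base64url"))) {
    throw new Error("bad signature");
  }
  const claims = dec(parts[1]); // only trust claims after the signature checks out
  if (claims.iss !== expected.iss) throw new Error("wrong issuer");
  if (claims.aud !== expected.aud) throw new Error("wrong audience");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  return claims;
}

// Map a token to "accepted" or the rejection reason, as an API middleware
// would before answering 401.
function check(token) {
  try { validate(token, KEYS, EXPECTED); return "accepted"; }
  catch (err) { return err.message; }
}

const exp = Math.floor(Date.now() / 1000) + 600;
console.log(check(mint({ iss: EXPECTED.iss, aud: EXPECTED.aud, exp })));
console.log(check(mint({ iss: EXPECTED.iss, aud: "https://graph.microsoft.com", exp })));
```

The second call shows the audience check rejecting a correctly signed token that was issued for a different resource.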

Why is MSDN telling me to create a OAuth2.0 client when I just want a barebone test for my API?

I have a REST API, written with express directly. Nowhere in it do I use sessions, and authentication is for now done using JWT.
However, I dislike having to handle, save and secure users' credentials; that is when I heard about Azure Active Directory.
Adding passport to my app was easy enough, but that's when the trouble started.
First, I had to search for what strategy I needed, and all of them seem to require the server to maintain sessions/remember who is logged in, all the while using JWT internally. That seems contradictory; JWT is supposed to remove the need to maintain sessions.
Finally, I found this MS example which uses the Bearer strategy without sessions.
After setting it up (changing the config file for the right tenant, client ID, changing the routes for a test app more representative of my API), I tried to use them. The protection works well since I am indeed "Unauthorized". But how do I get a valid token to send?
The MSDN guide that uses that quickstart doesn't mention it at all, just redirecting to the AAD library for Android or iOS, implicitly telling me to develop a test app in another language when I just want a crude tool to test if my test server works at all!
That is especially frustrating since I am pretty sure it is "just" a series of HTTP(S) requests on the tenant, and the call to the API with the token attached, but I can't find anything to do just that.
/!\: I know asking for something as vague as "How can I do that" isn't a good question, and this question isn't one. What I am asking is why I couldn't find some tools like Postman that implement OAuth and allow you to quickly test and debug an OAuth-protected API. What are the reasons that push MSDN to tell me to write a custom tool myself instead of providing a barebones one?
The code sample you mentioned in the post is using the Azure AD V2.0 endpoint. We can use OAuth 2.0 code grant and client credentials flows to acquire the token from this endpoint.
To compose the OAuth 2.0 request directly you can refer to the links below:
v2.0 Protocols - OAuth 2.0 Authorization Code Flow
Azure Active Directory v2.0 and the OAuth 2.0 client credentials flow
In addition, the access tokens issued by the v2.0 endpoint can be consumed only by Microsoft Services. Your apps shouldn't need to perform any validation or inspection of access tokens for any of the currently supported scenarios. You can treat access tokens as completely opaque. They are just strings that your app can pass to Microsoft in HTTP requests (refer here).
If you want to protect the custom web API with Azure AD, you can use the Azure AD v1.0 endpoint.
For getting a valid token to send to your API, you'll need to do an auth request to login.microsoftonline.com and get an access token (in the JWT format). Then you can send this token to your api in the http body: "Bearer ey...".
If you want a full sample with a client app that hits that API sample you tried:
Dashboard w/ all the samples for Azure AD Converged Apps
Simple Windows Desktop App
Angular SPA
Node Web API

Secure Web API action without authentication

In ASP.NET Web API, when you want to secure an action or REST endpoint, you use authentication, like token-based solutions. But what if there is a mobile app client for the API, and this has a sign-up form, so I want only this mobile app to be able to send sign-up requests to my API, and to prevent other fake clients (like Postman or similar) from sending requests to the sign-up API?
Best
This is exactly the scenario covered by token-based systems.
Your mobile app simply becomes a client with its own identifying data, then the API does its thing and only accepts requests from authenticated applications. This is exactly the kind of scenario you can cover with your own OAuth2 system.
Have a look at this article : https://eidand.com/2015/03/28/authorization-system-with-owin-web-api-json-web-tokens/
It will guarantee that only your mobile app can access that API.
Is this what you are after?
