I have a backend API written in nodejs(authorization with oAuth2) using azure-passport-ad, my frontend angular 5(openId connect), and I`m using Azure AD for authentication, the thing is that our users will have two roles
"student", "admin", how can I make that difference of roles, does the token retrieved by the idP gives me a field with the kind of roles that users has?
You can define the roles in Azure AD as shown here: https://joonasw.net/view/defining-permissions-and-roles-in-aad.
To define roles in an app, you will have to modify its manifest in AAD to something like this (other properties removed for brevity):
{
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "Administrator",
"id": "179c1dc0-4801-46f3-bc0d-35f059da1415",
"isEnabled": true,
"description": "Administrators can access advanced features.",
"value": "admin"
}
]
}
Then you can assign users to these roles via the Users and groups tab for the Enterprise application/service principal's blade.
The ID tokens sent to your app will then contain the role(s) like so:
{
"family_name": "User",
"given_name": "Test",
"name": "Test User",
"roles": [
"admin"
]
}
You can check that claim after the token has been validated by Passport.
Related
I have a problem with creating another user by Admin API. I don't have an organization_id property in /userinfo response. I need it to create new users via my app. There I also use recommended scopes.
This response I have after call /userinfo
{
"sub": "xxx",
"name": "Some Name",
"given_name": "Name",
"family_name": "Name",
"created": "2022-02-02T16:38:29.457",
"email": "some.email#gmail.com",
"accounts": [
{
"account_id": "xxx",
"is_default": true,
"account_name": "Name",
"base_uri": "https://demo.docusign.net"
}
]
}
Also when I used Quickstart App I faced the same problem. I can't create users via this app. Because an organization_id property is missed.
Quickstart App error
Thanks.
#docusignapi
To use the Admin API you have to have an organization for your account.
Once you create an organization - you will have an organizationId which is used for this API call.
How to create an organization for your DocuSign account.
Is there any login REST-API for created users in keycloak?
I used API
{{root}}/realms/{{realm}}/protocol/openid-connect/token
but it gives only access token but I need full information of the user.
I think what you are looking for is user info API which provides information of currently logged in user:
Try this: (by passing the token obtained from url you mentioned : {{root}}/realms/{{realm}}/protocol/openid-connect/token)
GET "{root}/auth/realms/yourRealmName/protocol/openid-connect/userinfo"
A sample response from my setup:
{
"sub": "d32be694-f438-44a5-95f2-7434ff37ca1e",
"email_verified": false,
"roles": [
"Administrator"
],
"groups": [
"Administrator"
],
"preferred_username": "administrator"
}
I'm designing a solution for an ERP requirement. The Client insists on using AAD for one point management of users for different applications.
Since AAD has the capability of rendering Oauth service, I'm intending to use it as my OAUTH server and utilize its tokens inside my WebAPI services. But was wondering how I can capture the failed user login attempts as I need to apply locking mechanism.
When I found that AAD can handle this locking mechanism also through some configurations, I'm now left out with a question whether I can just use AAD for my user store, meaning I will have the users, their credentials and their roles stored in AAD, while I will have the permissions for each role and other data stored in my application's database.
Is this a feasible solution? or is there a different way of handling this?
Note: We are using noSQL database.
Yes, this is a feasible solution. You can use application roles to assign roles to users.
You can define the application roles by adding them to the application manifest. Then you can assign these roles to a user.
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"description": "Creators can create Surveys",
"displayName": "SurveyCreator",
"id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
"isEnabled": true,
"value": "SurveyCreator"
},
{
"allowedMemberTypes": [
"User"
],
"description": "Administrators can manage the Surveys in their tenant",
"displayName": "SurveyAdmin",
"id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1",
"isEnabled": true,
"value": "SurveyAdmin"
}
],
The user list with roles listed.
I'm trying to call above API provider via REST with the following URL:
https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings with api-version=2017-04-01-preview
However, even though the Service Principal I am using is a member of the "Global Administrator" role in my AAD tenant I am getting a does not have authorization to perform action error.
This endpoint doesn't seem to be documented though.
Anybody know what is required to call this API endpoint with a service principal?
Thanks,
David
Try to add a custom role with the action of microsoft.aadiam/diagnosticsettings/write in your AD App.
According to doc, you can use the custom role to do the operation.
This article lists the operations available for each Azure Resource Manager resource provider. These operations can be used in custom roles to provide granular role-based access control (RBAC) to resources in Azure.
For more details to create the custom role, refer to this link.
Sample:
{
"Name": "Test Operator",
"Id": "88888888-8888-8888-8888-888888888888",
"IsCustom": true,
"Description": "xxxxxx",
"Actions": [
microsoft.aadiam/diagnosticsettings/write,
microsoft.aadiam/diagnosticsettings/read
],
"NotActions": [
],
"DataActions": [
],
"NotDataActions": [
],
"AssignableScopes": [
"/subscriptions/{subscriptionId1}",
"/subscriptions/{subscriptionId2}",
"/subscriptions/{subscriptionId3}"
]
}
Update:
You can use a user account with global admin role, refer to the steps below.
1.Navigate to Azure Active Directory -> Diagnostic settings -> Add diagnostic setting -> set the properties and open the Developer Tools(F12) ->Save.
2.In the request we caught, copy the Bearer token.
3.Then we can test the api in the postman.
Request URL:
Put https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/{name}?api-version=2017-04-01-preview
Request Header:
Request Body:
{
"properties": {
"logs": [
{
"category": "AuditLogs",
"enabled": true,
"retentionPolicy": {
"days": 0,
"enabled": false
}
},
{
"category": "SignInLogs",
"enabled": true,
"retentionPolicy": {
"days": 0,
"enabled": false
}
}
],
"metrics": [],
"storageAccountId": "/subscriptions/xxxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/xxx"
}
}
It works on my side.
I test it with global administrator user, it works correctly for me.
The following is the detail steps:
Create an native azure AD application and grant permission for it.
2.create an global administrator user, please also change the default password.
Note: the user format should be xxxx#xxx.onmicrosoft.com, or you can't use the password way to get the token based on my test
3.Assign the owner role to the subscription
4.Then we could use the following way to get the access token
Post https://login.windows.net/<tenant-id>/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=password
&resource={resource}
&username={username}
&password={password}
&client_id={client-id}
4.Try to operate the diagnosticSettings
put https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/{name}?api-version=2017-04-01-preview
{"properties":{"logs":[{"category":"AuditLogs","enabled":true,"retentionPolicy":{"days":0,"enabled":false}},{"category":"SignInLogs","enabled":false,"retentionPolicy":{"days":0,"enabled":false}}],"metrics":[],"storageAccountId":"/subscriptions/{subscriptionId}/resourceGroups/{groupname}/providers/Microsoft.Storage/storageAccounts/{accountName}"}}
I have created a new user in AD B2C tenant using AD Graph API.
{
"accountEnabled": true,
"creationType": "LocalAccount",
"displayName": "Alex Wu",
"passwordProfile": {
"password": "Test#123",
"forceChangePasswordNextLogin": false
},
"signInNames": [
{
"type": "userName",
"value": "Dawn"
},
{
"type": "emailAddress",
"value": "dawn#example.com"
},
{
"type": "mobile",
"value": "96587XXXXX"
}
]
}
I'm trying to login with these credential from the Android native app client using adal4j library. I'm able to login with Mobile number and UserName and I can get the access token. But when I tried to login with the Email Address I'm getting an error "To sign into this application the account must be added to the directory".
AFAIK, the Adal4j library doesn't support the Azure AD B2C flow. You need to implement this flow yourself if you want to use this flow with Java developing.
Please refer the code sample mentioned in this document to interact Azure AD B2C via the protocol you want.
In addition, to test the account login with policy we can run it from the portal like figure below. And based on the test it works well for me to login using the email of Azure AD B2C local account.