I'm trying to get an Id_token over Azure Mobile App but I'm receiving an mobileServiceAuthenticationToken.
The mobileServiceAuthenticationToken is received by my iOS-App with the following implementation: Integrate Azure AD into an iOS app
I need the Id_token (with algorithm RS256) because my backend-service (java spring-boot) needs to validate this token, which is not possible with the mobileServiceAuthenticationToken. mobileServiceAuthenticationToken is based on algorithm HS256 (which needs a client secret) and does not allow requesting the Azure AD for getting user informations over the Microsoft Graph Api.
Here is a link to microsoft reference for further informations: Azure AD token reference
The id_token is not able to call the Microsoft Graph REST. To call Microsoft Graph REST, we need to acquire the corresponding access_token for it which's aud claim is https://graph.microsoft.com.
There are two kinds of flows for mobile authentication, client-flow and server-flow. Both of them should work in your scenario, however the progress is a little different.
Client flow:
For this flow, you can get the id_token and access_token for Microsoft Graph from Azure Active Directory first using ADAL SDK. Then you can exchange the id_token with EasyAuth for the authentication token and login your mobile app.
Server flow:You can config the mobile app to acquire the access_token for Microsoft Graph. Then you can implement an proxy in the mobile back-end. After that you can only need to call the mobile back-end both your owner service and Microsoft Graph.
Here are some helpful articles about this topic:
How to: Authenticate users with the Active Directory Authentication Library
App Service Auth and the Azure AD Graph API
Related
I am using Azure B2C in my react SPA to sign in the user with external identity providers e.g. Google and Facebook. I have some .net core web API that needs to be called by signed-in users only. I have followed Azure documents for my scenario. As per the docs, I need to register another AD B2C application for web API security and my client app needs to acquire the token with the scope defined in the server-side AD app and pass that token while calling the web API.
Why can't I use the same access token received from azure AD B2C as part of the sign-in flow to pass it to my web API and validate it on the server side to secure the Web API? In that case, I don't need to create another server-side AD application for securing the API.
You can, but it’s simply against the protocol spec. Each client needs to be registered and have a unique client Id/AppId.
Plus if you do it with one App Registration, your logs would never differentiate access to your front end vs access to your api.
I am developing an API(ASP.NET Core) which is accessed via separately hosted web client(React), both hosted on azure as app services.
Client app must have auth based on azure Ad(single tenant, preferably secured by azure auth based on aad).
When the user signs in to client the API must have access to MS Graph on behalf of user. Obviously both resources must be secured, I have tried using azure auth based on AAD on both app services, but I couldn't get a token to MsGraph in this approach with the token obtained from auth to ADD on API side.
Question is, how to avoid passing token to MsGraph with token for azure aad auth from client, and obtain token for msGraph based only on token from aad auth while having only one place for users to sign in and keep both app services secured?
I am using nugget for MsGraph on Api side to interact with MsGraph. I haven't found any sample that refers this specific case.
Scenario: Your application's Web API (protected by Azure AD) receives auth token from a client application (React) and needs to call a downstream Web API (Microsoft Graph) on behalf of the signed-in User.
Conceptual Documentation on Microsoft Docs: Your scenario exactly matches the OAuth 2.0 on-behalf-of flow as explained on Microsoft Docs for Azure AD here Service-to-service calls that use delegated user identity in the On-Behalf-Of flow
Code Samples:
Service to service calls on behalf of the user (From Azure-Samples on GitHub)
Calling a downstream web API from a web API on behalf of user (From Azure-Samples on GitHub)
Using Azure AD On-Behalf-Of flow in an ASP.NET Core 2.0 API (Not directly Microsoft samples, but from Joonas W's blog, who is an MVP)
Important Code
This is how you use the already passed in token to acquire a new token, with which to call the Microsoft Graph API, from your Web API, on behalf of the user.
Preparing the User Assertion:
ClientCredential clientCred = new ClientCredential(clientId, appKey);
var bootstrapContext = ClaimsPrincipal.Current.Identities.First().BootstrapContext as System.IdentityModel.Tokens.BootstrapContext;
string userName = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn) != null ? ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn).Value : ClaimsPrincipal.Current.FindFirst(ClaimTypes.Email).Value;
string userAccessToken = bootstrapContext.Token;
UserAssertion userAssertion = new UserAssertion(userAccessToken, "urn:ietf:params:oauth:grant-type:jwt-bearer", userName);
Acquiring a token for Microsoft Graph:
result = await authContext.AcquireTokenAsync(graphResourceId, clientCred, userAssertion);
I ended up with using only Azure Ad + auth validation by code(no azure auth).
The API uses OBO flow, the client app uses implicit flow.
Basically two separate app registrations on aad, the client which has access_as_user permision to the api, and the other one for api which has permissions for MsGraph. You configure it in App registrations(preview)/API permissions. (For detailed guide follow examples below, start with the api)
For Web client I also used scopes: 'access_as_user', 'offline_access', 'openid' in the request for the token, added true for "oauth2AllowImplicitFlow" in manifest and redirect to the yourdomainname.azurewebsites.com, the rest of configuration similarly to the native client in example below.
Useful resources:
API:
https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2
https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-on-behalf-of-flow
(I recommend testing with native client first to check if its set up correctly,
configuration of API will remain the same for separate web client)
Web client:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-implicit-grant-flow
This is solution which suits me at the moment, it might be possible to tailor it better.
I have an ASP.NET Core WebApi which uses Azure AD Bearer Tokens (passed by the Frontend, acquired using adal.js).
Currently, we are using the Azure AD Graph API and everything works fine.
As recommended by Microsoft, we would like to migrate from Azure AD Graph API to Microsoft Graph.
I changed the audience from https://graph.windows.net to https://graph.microsoft.com both in the API and Frontend. I can successfully acquire a token, which looks almost the same as the old one when decrypted in jwt.io, but when I pass it to the API I get:
Bearer was not authenticated. Failure message: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey
Did I miss something? As far as I know, it should be possible to sign in using the Microsoft Graph, right?
If I understood correctly, you have configured your API audience as the MS Graph API audience.
You should not do this.
Firstly MS Graph API access tokens are bit special and you should not try to validate them,
secondly because your API is not MS Graph API.
Your front-end should acquire an access token for your API.
This requires you to configure your API audience as either its client id or Application ID URI (or both).
Azure AD allows the front-end to acquire the token using either of those.
The API can then exchange that for an MS Graph API token using the On-Behalf-Of flow.
We are building a Xamarin Native mobile apps and using Azure AD B2C for authenticating users using their social logins.
We decided use MSAL native library (Xamarin) for authenticating using B2C. And our mobile app required to manage(full access) the signed-in user profile. Since this feature isn't available in MSAL we have decided to go with ADAL for the time being. Followed the instruction provided in the link below and the sample works. But I started experimenting by deleting the API access provided in the application (created in b2c tenant) and the ran the application with "Get-user" parameter. And the application is still able to get the users from AD. Not sure how secure is this thing?
Then deleted the application key from the B2c tenant application and ran the console application sample. And received an error AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.
Trace ID: cef09957-06bf-462e-a0c3-4ed6bae11e00
Correlation ID: afab126d-8694-479a-8a21-c12eb7cb176c
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
Any Idea why this is happening. I would like to implement this on a xamarin.ios app and any guidance much appreciated.
The answer to this is very similar to the answer to your other question: Exception access Azure AD B2C using ADAL library for user management, which can be summarized as:
Azure AD B2C does not yet support delegated permissions to the Azure AD or Microsoft Graph. The correct way to work around this limitation at this time is to have your native client application call a web API (using MSAL) which would in turn call the Graph API (using ADAL). This web API is an API you build which has authorization logic to scope the user management operations.
Once user management in Azure AD B2C is supported via the Microsoft Graph, you won't need this API and will be able to use delegated permissions (vs application permissions using client credentials) to have your native client application talk directly to the Microsoft Graph. In the interim, you'll have to stand up your own Web API as per the guidance above.
UPDATE: the Azure AD v2.0 endpoint and Microsoft Graph API now support client credentials flow, so you can also use MSAL for your Microsoft Graph API calls. However if you need to call the Azure AD Graph, then you will still need to use ADAL.
I have ASP.Net Web API and I want to authenticate my API using Twitter Digits Auth and later will pass that Digits token to Azure Active Directory Auth Service.
I got an idea about Twitter Digits Auth but I'm confused how can I pass Digits token ahead to Azure Active Directory Auth Service.
Please see this diagram which I'm thinking to implement.
Does Azure Active Directory Auth Service mean Azure App Service Authentication and Authorization. If I understand correctly, this scenario will not work.
The Azure App Service Authentication and Authorization supports two kinds of authentication flow, client-flow and server-flow. The scenario you mentioned is client-flow which acquire the token from identity data provider first and then exchange the access token with Azure AD using that token. However in this scenario, we need to using the token issued from the identity data provider(Azure Active Directory, facebook, google, microsoftaccount, or twitter.) directly.
If I understand correctly, the Digits token is issued from Digits which the Twitter supports. This token is not supported for the Azure App Service Authentication and Authorization. You need to check whether the Twitter support to exchange this token for the token issued from Twitter.
More detail about the client-flow you can refer this document.