(All IDs in the below example are made up. I've added them to illustrate the format for some of the parameters).
My tenant is at acme.co.uk, but I want the web app that I've got deployed at https://subdomain.acme2.co.uk to delegate authentication of users to Azure AD.
I registered my app as below using the new portal:
(The field names are those used on the azure portal).
App ID URL: https://acme.co.uk/11111111-2222-3333-4444-555555555555
Home page URL: https://subdomain.acme2.co.uk/api/auth/aad
Reply URLs: https://subdomain.acme2.co.uk/api/auth/aad/callback
and created a secret key that doesn't expire with the value: '111111111111111111/aaaaaaaaaaaaaaaaaaaaaaaa='
I've been following the passport-azure-ad github sample using v1 endpoint as a guide.
{
  allowHttpForRedirectUrl: false,
  clientID: 'https://acme.co.uk/11111111-2222-3333-4444-555555555555',
  clientSecret: '111111111111111111/aaaaaaaaaaaaaaaaaaaaaaaa=',
  identityMetadata: 'https://login.microsoftonline.com/acme.co.uk/.well-known/openid-configuration',
  isB2C: false,
  issuer: null,
  loggingLevel: 'info',
  passReqToCallback: false,
  redirectUrl: 'https://subdomain.acme2.co.uk/api/auth/aad/callback',
  responseMode: 'form_post',
  responseType: 'code id_token',
  skipUserProfile: true,
  useCookieInsteadOfSession: false,
  validateIssuer: true
}
When I go to 'https://subdomain.acme2.co.uk/api/auth/aad' in my browser I get redirected to MS to log in, which I then do, but when the redirect back to 'https://subdomain.acme2.co.uk/api/auth/aad/callback' happens, I'm not authenticated.
Inspecting the headers from the callback POST request I see:
In _validateResponse: jwt audience is invalid. expected: https://acme.co.uk/11111111-2222-3333-4444-555555555555,spn:https://acme.co.uk/11111111-2222-3333-4444-555555555555
Any ideas what I've done wrong??? [:-|
(Aside: Debugging this is a pain, as I'm running in docker and the redirects don't seem to work properly, so I have to deploy to a real environment ATM).
Ok found it...
clientID: 'https://acme.co.uk/11111111-2222-3333-4444-555555555555'
was the culprit.
That should be the app Id NOT the app Id URI. Doh. Many thanks to @Alex Blex for the guidance. This was most helpful.
In my instance, I was using .env and getting the clientId from there.
I solved this issue by removing the quotes around clientID in my config and .env file.
Related
I am sending emails from my NodeJS application which is working fine without any issue (using NestJS framework). The issue I am having is that I need to store the refresh token (in the .env in my case) in order to authenticate which I think is not a good approach. Because, if the refresh token is renewed my app will break and I have to manually update the refresh token every time.
Is there any method to get the refresh token calling any API? any help is appreciated.
Following is the code snippet I am using. I have used nestjs-modules/mailer, but even with nodemailer the same issue occurs.
import { join } from 'path';
import { MailerModule } from '@nestjs-modules/mailer';
import { HandlebarsAdapter } from '@nestjs-modules/mailer/dist/adapters/handlebars.adapter';

// Sits in the `imports` array of the application module
MailerModule.forRoot({
  transport: {
    service: 'gmail',
    secure: false,
    auth: {
      type: 'OAuth2',
      user: process.env.GOOGLE_SENDER_EMAIL,
      clientId: process.env.GOOGLE_CLIENT,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
      // Read from .env, which is the concern raised above
      refreshToken: process.env.REFRESH_TOKEN,
    },
  },
  defaults: {
    from: '"ABC" <abc@gmail.com>',
  },
  template: {
    dir: join(__dirname, 'emails/templates'),
    adapter: new HandlebarsAdapter(),
    options: {
      strict: true,
    },
  },
}),
Are you already implementing the handling of the refresh token from the NodeJS library? If so, then you could consider using Domain Wide Delegation and perform impersonation; this method, however, will require the usage of a service account in order to allow the DWD to work.
I'm trying to use the next-auth library to call Azure Active Directory via OAuth 2.0, but not sure how to go about doing this.
The providers format in my /api/[...nextauth].js is currently:
providers: [
  {
    id: 'azure',
    name: 'Azure Active Directory',
    type: 'oauth',
    version: '2.0',
    scope: 'read',
    accessTokenUrl: 'https://login.microsoftonline.com/{directory_id}/oauth2/v2.0/token',
    authorizationUrl: 'https://login.microsoftonline.com/{directory_id}/oauth2/v2.0/authorize',
    clientId: process.env.OAUTH_APP_ID,
    clientSecret: process.env.OAUTH_APP_PASSWORD,
  },
],
This doesn't seem to be working (Error: "The reply URL specified in the request does not match the reply URLs configured for the application:"). How should I go about this?
I'm quite late with my answer, but for the sake of this question being answered:
Usually, this message means that you're missing the right redirect URI.
In Azure, open your app registration, go to Authentication and enter the redirect URI under "Single-page application".
In this case, it's going to be something like http://localhost/api/auth/callback/azure for your local development.
I want to authenticate users in Azure Active Directory with Node.js (I'm really new to Azure and Active Directory). I read a lot of documentation; there are two ways of doing it.
first: my web request authenticates through a form that Microsoft provides me, then the user logs in and this redirects to a URL of mine <--- this is the way I don't need
second: (this is the way I need) I'm using OAuth2, with
var BearerStrategy = require('passport-azure-ad').BearerStrategy
to authenticate. I have my client id, tenantId, client_secret etc.
As a first step I need to get an access_token, which I get by sending a request to this URL via Postman:
https://login.microsoftonline.com/My_alias_tenan/oauth2/token
I send these params in my body:
{grant_type: client_credentials, client_id: 1f7bbc3e-19ed-4ae5-b16d..., client_secret: 98ijhi7tuf..., resource: https://management.azure.com/, .... }
I just follow this blog: https://blog.jongallant.com/2017/11/azure-rest-apis-postman/
I received a token like this:
"token_type": "Bearer",
"expires_in": "3600",
"ext_expires_in": "3600",
"expires_on": "1570045543",
"not_before": "1570041643",
"resource": "https://management.azure.com/",
"access_token": "eyJ0eXAiOiJKV
which I enter in the header of my next request, which points to my localhost, because that is where I have my options for the authentication, and they are these:
{
  identityMetadata: 'https://login.microsoftonline.com/alias_tenan/v2.0/.well-known/openid-configuration',
  clientID: process.env.AD_CLIENT_ID,
  audience: 'https://management.azure.com/',
  validateIssuer: false,
  passReqToCallback: true,
  isB2C: false,
  allowMultiAudiencesInToken: false,
  issuer: null,
  loggingLevel: 'info',
  loggingNoPII: false,
  responseMode: 'query'
}
I have my code like this:
return passport.authenticate('oauth-bearer', { session: false }, function (err, user, info) {
  // Custom-callback form: Passport passes (err, user, info), not (req, token, done)
  if (err || !user) return res.status(401).json({ error: info });
  console.log(user);
  res.status(200).json({ 'name': 'name' });
})(req, res, next);
but I always receive this message:
{"name":"AzureAD: Bearer Strategy","hostname":"DESKTOP-U0R9GTV","pid":1168,"level":30,"msg":"authentication failed due to: error: invalid_token","time":"2019-10-02T22:54:04.782Z","v":0}
Has anyone done this successfully? Thanks in advance, and I hope someone can help me.
Make use of any of the npm packages; I use https://www.npmjs.com/package/react-aad-msal for single sign-on.
Another package that would be useful is https://www.npmjs.com/package/@kdpw/msal-b2c-react
Any such package relies on MSAL.
I'm trying to implement Implicit flow using Angular 6/MSAL. The client is trying to get an ID token from Azure AD. Our AD Client is configured to provide tokens only for certain users and groups. So, when an unauthorized user (still a user inside the organization) tries to login, Azure Ad directly reroutes them to the Login Page, which is not very intuitive. I would like to redirect them to a custom page, indicating that the user is not in any of the roles required by the application.
But MSAL has no option for something like "failedRedirectUri". Can someone please tell me if this is even possible with MSAL, and if so, how do I go about configuring it?
I've tried to set the "redirectUri" from localStorage and to modify it before the redirect happens, but that doesn't help.
MsalModule.forRoot({
  clientID: '*****-************************',
  authority: "https://login.microsoftonline.com/*************************/",
  validateAuthority: true,
  redirectUri: window.location.origin,
  cacheLocation: 'localStorage',
  postLogoutRedirectUri: window.location.origin + "/loggedout",
  navigateToLoginRequestUrl: false,
  popUp: false,
  unprotectedResources: ["https://www.microsoft.com/en-us/"],
  protectedResourceMap: protectedResourceMap,
  logger: loggerCallback,
  correlationId: "1000",
  level: LogLevel.Info,
  piiLoggingEnabled: true
})
On login failure for implicit flow, the user should not be redirected to the "redirectUrl" page. Instead the user should be taken to an error page where the error description is displayed.
I want to allow my users to access my WebApp using their Office 365 account in the same way that I already did with Twitter, Facebook and google.
I have already created a WebApp in Azure AD.
I'm using Node.js, Passport.js and the passport-azure-oauth2 strategy.
In Azure AD, the web application is multitenant and the SIGN-ON URL is "https://nudniq.com"
APP ID URI: "https:\nudniq.com"
Reply URL: "https:\nudniq.comauth\microsoft\callback"
User Assignment required to access app: NO
Note: I'm using backslashes instead of slashes in the URLs posted here because Stack Overflow only allows me to write no more than two links.
The only permission that I ask for is:
Read all users' basic profiles
I'm creating my strategy with these values:
  clientID: '<client_id>',
  clientSecret: '<client_secret_key>',
  callbackURL: 'https://nudniq.com/auth/microsoft/callback'
But I receive the following error:
TokenError: AADSTS50001: Resource identifier is not provided.
Trace ID: 95f88f5a-95b9-4d3a-86fe-19ae0bbfcc76
Correlation ID: b056150c-debd-469d-963b-ea362ca93884
Timestamp: 2016-06-29 01:38:39Z
at AzureOAuth2.OAuth2Strategy.parseErrorResponse (/home/ec2-user/test2/fastpass/node_modules/passport-oauth2/lib/strategy.js:298:12)
at AzureOAuth2.OAuth2Strategy._createOAuthError (/home/ec2-user/test2/fastpass/node_modules/passport-oauth2/lib/strategy.js:345:16)
at /home/ec2-user/test2/fastpass/node_modules/passport-oauth2/lib/strategy.js:171:43
at /home/ec2-user/test2/fastpass/node_modules/oauth/lib/oauth2.js:177:18
at passBackControl (/home/ec2-user/test2/fastpass/node_modules/oauth/lib/oauth2.js:123:9)
at IncomingMessage.<anonymous> (/home/ec2-user/test2/fastpass/node_modules/oauth/lib/oauth2.js:143:7)
at IncomingMessage.emit (events.js:129:20)
at _stream_readable.js:908:16
at process._tickDomainCallback (node.js:381:11)
Please help me, I don't know what I am doing wrong.
If you are using the AzureOAuthStrategy strategy, when you encounter this issue it means you have misconfigured the resource parameter.
According to the code sample in the repository at GitHub:
this.passport.use("provider", new AzureOAuth2Strategy({
  clientID: config.clientID,
  clientSecret: config.clientSecret,
  callbackURL: config.callbackUri,
  resource: config.resource,   // the identifier AADSTS50001 complains is missing
  tenant: config.tenant,
  prompt: 'login',
  state: false
}));
we need to configure this resource parameter.
As you are using Office 365 to authenticate your users, please try to set resource to https://graph.microsoft.com.
Additionally, please regenerate your AAD application's secret key and keep it safe in your application; do not expose it to the public.
Any update, please feel free to let me know.