I've been trying to get a Xamarin Forms app to get a token from AAD.
I've tried countless different ways of doing it and they all have problems, some are bugs, some I just haven't been able to figure out.
This link is one of the simplest examples I've come across, yet it fails because it says there's no client secret.
http://www.cloudidentity.com/blog/2015/07/22/using-adal-3-x-with-xamarin-forms/
When I add the client secret, by modifying the AuthenticationContext like so
AuthenticationContext ac = new AuthenticationContext("https://login.microsoftonline.com/common");
ClientCredential cc = new ClientCredential("------4ba8-4136-ad1c-f36be878af8a", "-----sDdG4/WZCyYU=");
AuthenticationResult result = await ac.AcquireTokenAsync("https://graph.windows.net", cc);
I get a new error saying there is no application matching graph.windows.net in my directory.
Please make sure the type of the azure ad application your register is Native Client Application , that type application are meant to run on a device and aren't trusted to maintain a secret .
The code you provide is using client credential flow to acquire token , that flow uses app's credentials instead of impersonating a user .
Related
A native app created which is calling web api.Two apps has been created in the azure.Here is the code code for getting access token and it worked well,I am getting access token:
UserCredential uc = new UserPasswordCredential(userName, password);
result = authContext.AcquireTokenAsync(todoListResourceId,clientId,
uc).Result;
Now to access new token after the expiry of old one(1 hr) i am using the code:
AuthenticationContext authContext = new AuthenticationContext(authority);
UserAssertion userAssertion = new UserAssertion(oldToken, "urn:ietf:params:oauth:grant-type:jwt-bearer", userName);
AuthenticationResult result = authContext.AcquireTokenAsync(todoListResourceId, clientId, userAssertion).ConfigureAwait(false).GetAwaiter().GetResult();
But I am getting Error as:"Invalid JWT token. AADSTS50027: Invalid JWT token. Token format not valid".
Checked JWT token :it is correct in format can able to decode using jwt.io.
Note: client Id am using for these two code snippet are the same appId.
I know this is the exact duplication of the question asked by devangi.I cannot able to comment on that question that's why I am asking it again.
Any one can able to help me out?
Or
It will be great if any one can able to help with other ways to get token with out using user password since i need to internally generate new token without user enter password again.
For the scenario when user has authenticated on a native application, and this native application needs to call a web API. Azure AD issues a JWT access token to call the web API. If the web API needs to call another downstream web API, it can use the on-behalf-of flow to delegate the user’s identity and authenticate to the second-tier web API .
Please refer to this document for more details about On-Behalf-Of flow . You can also refer to code sample .
For the scenario when when a daemon application(Your web api) needs to call a web API without user's identity , you should use client credential flow to use its own credentials instead of impersonating a user, to authenticate when calling another web service. Code sample here is for your reference .
Please click here for explanation about above two scenarios. Your code is using Resource Owner Password Credentials Grant ,this flow has multi restrictions such as don't support 2FA and is not recommended .
If i misunderstand your requirement , please feel free to let me know .
I am trying to generate a token for a user with below code.
string apiResourceId = "11224320-66b9-4132-8953-9aa485f07004";
string clientId = "bc9869a0-2393-4e42-8c52-845071640ea8";
Uri redirectUri = new Uri("https://localhost:44335/");
string authority = string.Format("https://login.windows.net/{0}",
"rudderless.onmicrosoft.com");
var authContext = new AuthenticationContext(authority);
AuthenticationResult authenticationResult;
authenticationResult = await authContext.AcquireTokenAsync(apiResourceId, clientId,
redirectUri, new PlatformParameters(PromptBehavior.Auto, null));
I have been getting an error in AcquireTokenAsync call -
AADSTS70002: The request body must contain the following parameter:
'client_secret or client_assertion'. Trace ID:
a198696d-8377-40eb-8351-527a25183500 Correlation ID:
24d4b47d-67bf-46c0-a6b7-a248c434512e Timestamp: 2017-09-20 23:09:38Z
Why do I need a client_secret or client_assertion if I want to generate a token when a user is authenticated against a AAD? The type of Client I am using is "Web app /API". However when I am trying to use a Native client I get the token generated but API call to apResourceID is generating unauthorized error.
Few Questions I am seeking help on related to the scinario -
Why I need to provide client_secret when I am using user auth flow?
Why AcquireToken succeed when I change the client Type to Native?
Why the token generated through native client gives an Unauthorize error?
Is there a way for admin to consent on behalf of every user in AAD?
Why I need to provide client_secret when I am using user auth flow?
Web Apps and APIs are considered Confidential Clients. See here for a definition of the different Client Types in the OAuth 2 Specification. These kinds of client always need to use their client secret to authenticate, no matter the flow they are following.
Confidential clients are typically issued (or establish) a set of
client credentials used for authenticating with the authorization
server (e.g., password, public/private key pair).
Why AcquireToken succeed when I change the client Type to Native?
Native Client Applications are a subset of Public Clients. These are defined, in the specification as:
Clients incapable of maintaining the confidentiality of their
credentials (e.g., clients executing on the device used by the
resource owner, such as an installed native application or a web
browser-based application), and incapable of secure client
authentication via any other means.
Therefore, they do not have or need a client_secret to authenticate... but this also means they can only authenticate with user context, whereas a confidential client could authenticate without a user present (Client Credential Flow).
Why the token generated through native client gives an Unauthorize
error?
This is hard to answer without knowing more about the error and the call you are making that causes this error. You should provide more information about this scenario.
Is there a way for admin to consent on behalf of every user
in AAD?
Yes. In the new Azure Active Directory V2 Endpoint, we have an "Admin Consent Endpoint".
Using the older V1 endpoint, we have an &prompt=admin_consent query string which you can read about here.
Going by the code provided by Microsoft (I'm assuming), I am unable to query my Azure Active Directory. Every time I call the following, I get a response of {Authorization Required.}:
ActiveDirectoryClient client = AuthenticationHelper.GetActiveDirectoryClient();
IPagedCollection<IUser> pagedCollection = await client.Users.ExecuteAsync();
I'm new to Azure Active Directory and I'm new to the Graph and thought that the samples provided would function. They do not and I am hoping someone here can tell me either what is wrong with the code or how do I grant myself authorization to my own directory? I thought the AccessKey would be the authentication method, but apparently that's useless as it's not used in their examples.
Basically, to call the REST which protected by Azure AD which support OAuth2.0 to authorize the third-party application, we need to pass a bearer token.
And to go through the code sample, please ensure that you followed the steps list by the README.md.
Note: there is something not clear in the README.md about config the permission. The code sample is using the Azure AD Graph instead of Microsoft Graph, we need to choose the Windows Azure Active Directory instead of Microsoft Graph. And I have report this issue here.
You can see that there is a static filed named token in class AuthenticationHelper which will be set the value when the users sign-in using the code in Startup.Auth.cs like below:( not using cert)
// Create a Client Credential Using an Application Key
ClientCredential credential = new ClientCredential(clientId, appKey);
string userObjectID = context.AuthenticationTicket.Identity.FindFirst(
"http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
AuthenticationContext authContext = new AuthenticationContext(Authority, new NaiveSessionCache(userObjectID));
AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId);
AuthenticationHelper.token = result.AccessToken;
And here is the detail progress to acquire the token via the OAuth 2.0 code grant flow:
More detail about this flow you can refer here.
I am writing a simple desktop application that needs to retrieve some basic properties about a user from Microsoft’ directory. Specifically:
I am writing a single tenant native LOB application.
The application runs on my desktop.
The application runs as my logged on domain account.
The organization' domain accounts are synced to AAD.
I am not trying to secure a native web app or a Web API or anything like that. I do not need users to sign in.
I have email addresses of folks in my organization from an external event management tool. I need to lookup the AAD account profile data (address book info - specifically job title) from AAD based on the email address. I will only be reading AAD data.
So far, I have done the following:-
It appears that the Azure AD Graph API is the right way to fetch the profile information. In particular, the information is available at the endpoint: https://graph.windows.net/{tenant}/users/{email}?api-version=1.6
When registering the native application in AAD, no key was provided. So I don't have a client secret.
Looked at the sample in GitHub here: https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console. The instructions here seem to be wrong because no Keys section is available [see (2)].
Based on the sample above, I wrote a simple function. Code is below:
private static async Task PrintAADUserData(string email)
{
string clientId = "0a202b2c-6220-438d-9501-036d4e05037f";
Uri redirectUri = new Uri("http://localhost:4000");
string resource = "https://graph.windows.net/{tenant}";
string authority = "https://login.microsoftonline.com/{tenant}/oauth2/authorize";
AuthenticationContext authContext = new AuthenticationContext(authority);
AuthenticationResult authResult = await authContext.AcquireTokenAsync(resource, clientId, redirectUri, new PlatformParameters(PromptBehavior.Auto));
string api = String.Format("https://graph.windows.net/{tenant}/users/{0}?api-version=1.6", email);
LOG.DebugFormat("Using API URL {0}", api);
// Create an HTTP client and add the token to the Authorization header
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(authResult.AccessTokenType, authResult.AccessToken);
HttpResponseMessage response = await httpClient.GetAsync(api);
string data = await response.Content.ReadAsStringAsync();
LOG.Debug(data);
}
Questions
The application when run was able to bring up the authentication page. Why do I need that? The application already runs as my domain account. Is an additional authentication necessary? If I were to run this application in Azure as a worker process, then I would not want to use my domain credentials.
The primary problem seems to be the resource URL which is wrong. What resource do I need to specify to access the Azure AD Graph API?
Thanks,
Vijai.
EDITS
Based on the comments from #Saca, the code and application has been edited.
Code
string clientId = ConfigurationManager.AppSettings["AADClientId"];
string clientSecret = ConfigurationManager.AppSettings["AADClientSecret"];
string appIdUri = ConfigurationManager.AppSettings["AADAppIdURI"];
string authEndpoint = ConfigurationManager.AppSettings["AADGraphAuthority"];
string graphEndpoint = ConfigurationManager.AppSettings["AADGraphEndpoint"];
AuthenticationContext authContext = new AuthenticationContext(authEndpoint, false);
AuthenticationResult authResult = await authContext.AcquireTokenAsync("https://graph.windows.net", new ClientCredential(clientId, clientSecret));
ExistingTokenWrapper wrapper = new ExistingTokenWrapper(authResult.AccessToken);
ActiveDirectoryClient client = new ActiveDirectoryClient(new Uri(graphEndpoint), async () => await wrapper.GetToken());
IUser user = client.Users.Where(_ => _.UserPrincipalName.Equals(email.ToLowerInvariant())).Take(1).ExecuteSingleAsync().Result;
App
Error
Unhandled Exception: System.AggregateException: One or more errors occurred. ---> System.AggregateException: One or more errors occurred. ---> Microsoft.Data.OData.ODataErrorException: Insufficient privileges to complete the operation. ---> System.Data.Services.Client.DataServiceQueryException: An error occurred while processing this request. ---> System.Data.Services.Client.DataServiceClientException: {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
It appears that despite giving the right permissions, the correct resource and being able to acquire a token, there is still something missing.
The key thing to consider here is if your application will be a headless client run from a secure server or desktop client run by users on their machines.
If the former, then your application is considered a confidential client and can be trusted with secrets, i.e. the keys. If this is your scenario, which is the scenario covered by the sample, then you need to use clientId and clientSecret.
The most likely reason you are not seeing a Keys section in the your application's Configure page is that, instead of selecting Web Application and/or Web API as per step #7 in the sample, you selected Native Client Application when first creating the application. This "type" can't be changed, so you'll need to create a new application.
If your scenario is the latter, then your application is considered a public client and can't be trusted with secrets, in which case, your only options is to prompt the user for credentials. Otherwise, even if your app has it's own authorization layer, it can easily be decompiled and the secret extracted and used.
Your resource URL is correct by the way.
Turns out the real issue was not with the code. I am not an AAD administrator. It appears that any application needing to perform authentication against AAD in our tenant needs to have permissions enabled by the AAD administrators. Once they enabled permissions for my application (and took ownership of the AAD registration as well), this started working.
Hope help some one that are using GraphClient:
var userPriNam = "johndoe#cloudalloc.com";
var userLookupTask = activeDirectoryClient.Users.Where(
user => user.UserPrincipalName.Equals(userPriNam, StringComparison.CurrentCultureIgnoreCase)).ExecuteSingleAsync();
User userJohnDoe = (User)await userLookupTask;
from https://www.simple-talk.com/cloud/security-and-compliance/azure-active-directory-part-5-graph-api/
Why won't my Azure AD application allow an oauth client_credentials grant?
I want to use the Azure Graph API, but first I need an oauth token. To get the token, I am trying to use Microsoft.IdentityModel.Clients.ActiveDirectory aka ADAL version 1.0.3 (from NuGet).
I'm using the overload of AuthenticationContext.AcquireToken that takes a ClientCredential object. (I can't use the overload that prompts the user to login because I'm writing a service, not an app.)
I configured my Azure AD web application as described in various tutorials/samples (e.g. ADAL - Server to Server Authentication).
My code looks like:
AuthenticationContext ac = new AuthenticationContext("https://login.windows.net/thommmondago.onmicrosoft.com");
ClientCredential cc = new ClientCredential("41151135-61b8-40f4-aff7-8627e9eaf853", clientSecretKey);
AuthenticationResult result = ac.AcquireToken("https://graph.windows.net", cc);
The AcquireToken line throws an exception:
sts_token_request_failed: Token request to security token service failed. Check InnerException for more details
The inner exception is a WebException, and the response received looks like an oauth error:
{ "error":"invalid_client",
"error_description":"ACS50012: Authentication failed."
"error_codes":[50012],
"timestamp":"2014-03-17 12:26:19Z",
"trace_id":"a4ee6702-e07b-40f7-8248-589e49e96a8d",
"correlation_id":"b304af2e-2748-4067-99d0-2d7e55b121cd" }
Bypassing ADAL and using curl with the oauth endpoint also gives the same error.
My code works if I use the details of the Azure application that I found here:
AuthenticationContext ac = new AuthenticationContext("https://login.windows.net/graphDir1.onmicrosoft.com");
ClientCredential cc = new ClientCredential("b3b1fc59-84b8-4400-a715-ea8a7e40f4fe", "FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg/JH/Jxiw=");
AuthenticationResult result = ac.AcquireToken("https://graph.windows.net", cc);
So it's not an error with my code. I think it's either an error with my Azure AD, or I've got the ClientCredential parameters wrong.
This turned out to be an error in Windows Azure, there was nothing wrong with my code or config.
After Microsoft fixed the problem in Azure, I had to create a new application and it started working.
Forum answer from Microsoft:
Hi,
We are seeing some errors with applications created in a several day time range, ending yesterday. We are continuing to fix up these applications but I don't have a good eta when this will be done. I'm apologize for the impact here.
Can you try creating a new application and retying the operation with the new client id?
thanks
Have a look at this link: https://azure.microsoft.com/en-gb/documentation/articles/resource-manager-net-sdk/
The latest version of Active Directory Authentication Library does not support AcquireToken method, instead you have to use AcquireTokenAsync method.
var result = await authenticationContext.AcquireTokenAsync(resource: "https://{domain}.onmicrosoft.com/{site-if applicable}", clientCredential: credential);
I was having the same issue but only running the code directly from Azure (inside an Azure Website).
I solved upgrading 'Microsoft.IdentityModel.Clients.ActiveDirectory' package to '2.6.1-alpha'
The azure version of the translator has changed things once more- the Oauth token request uses a new url and only needs your secret key, instead of all the other baggage. This page discusses it (but using PHP code): http://www.bradymoritz.com/php-code-for-bingmicrosoftazure-translator/
The key items are:
Post an empty request to https://api.cognitive.microsoft.com/sts/v1.0/issueToken
Pass it your secret key using the header "Ocp-Apim-Subscription-Key: "
Or, just use the querystring parameter: "Subscription-Key="
Then get the body of the return as the actual token- it's the whole body, not in json format.
This is a lot simpler than the method used before, but it'd definitely a pain that things have yet again changed.