I am registering an app with Azure, so that I can automate deployments with Ansible. Ansible is not a Web App (but a simple command line tool), but on an app registration it asks to fill in a mandatory field Sign-on URL. The description it gives is The URL where user can sign in and use your app. But once again, there is no URL and no Web App.
I could not find another way to register an app and it seems that this is the recommended way from the Ansible side. Ansible docs on Azure are linking to App registration in Azure.
So for now, I have entered a random URL there, but if it is not needed, then why Microsoft are enforcing it on us?
The reason this is a required field during app registration is that during the vast majority of cases, the app in question is actually an app that people associate with a URL and can sign in to.
If you don't need the Sign-on URL, then you can put whatever value you'd like. I recommend a unique URL that is unlikely to collide with other people's apps or other apps in your organization.
You can also always do the app registration programmatically (since it look like scripting is your scenario anyway), using Azure AD PowerShell's New-AzureADApplication (followed by New-AzureADServicePrincipal).
Sign-On URL: For "Web app / API" applications, provide the base URL of your app. For example, http://localhost:31544 might be the URL for a web app running on your local machine. Users would use this URL to sign in to a web client application.
That's because you register an web app/API. The type of application register will add to the access panel and the users could login the app through access panel via the Sign-on URL you config it when you register the app.
As Gaurav Mantri suggested, if you were not developing web app you should register an native app instead of web app.
More info about Azure app register, you can refer the document below:
Integrating applications with Azure Active Directory
Register your client application with Azure AD
Related
I have two Azure Web Apps, one is a website and acting as the front-end, the other one is an API and acting as the backend. I would like to add authentication to this solution so only the front-end can access the backend. To do this, I've configured AAD authentication on the backend Web App with the express option that creates a new Azure AD application configured with the correct reply URL, API permissions (User.Read), etc. When I then navigate to the backend Web App URL, I need to sign-in with my Azure AD credentials.
Which steps do I need to take to restrict that so I as an user cannot login and only the front-end Web App can authenticate to the backend API?
For example, I can set the "Authorized client applications" on the Azure AD application of the backend API. However, I need to have an application ID to add an authorized client and I would like to use the Managed Identity of the front-end Web App for this, not a new and additional Azure AD application.
Any idea how to do this?
This is weird, if the login screen still appears, there is a problem with your code configuration, because the client credential flow does not involve user interaction.
I found a useful sample for your reference, this sample application shows how to use the Microsoft identity platform to access the data from a protected Web API, in a non-interactive process. It uses the OAuth 2 client credentials grant to acquire an access token, which is then used to call the Web API.
We have an app that uses the Azure Spring Boot Active Directory starter "com.microsoft.azure:azure-active-directory-spring-boot-starter" and Spring Security to secure access to the app. This all works fine.
This was done by following these instructions:
https://learn.microsoft.com/en-us/azure/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory
Now we want to call DevOps REST APIs on behalf of the logged in users as per these instructions:
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops
The thing that is confusing me is that each set of documentation specifies a completely different way of registering the app
The first says : "From the portal menu, click App registrations, and then click Register an application."
The second says "Go to https://app.vsaex.visualstudio.com/app/register to register your app."
If I register via the second manner it doesn't show up in the list of app registrations in the portal.
So for the moment, I've registered two apps, one in the portal, and one in the second manner.
In order to register a user with the app, I go here, specifying the callback URL that I defined for the second app (bear in mind the first and second apps are the same app).
https://app.vssps.visualstudio.com/oauth2/authorize
?client_id={app ID}
&response_type=Assertion
&state={state}
&scope={scope}
&redirect_uri={callback URL}
However, as I am already logged in to the app via Spring Security/AD (the first mecahnism) I get this error back from the app registration URL above, presumably because I'm logged from the first:
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: idoffirstapplication
Questions:
How can I secure my app via AD which uses Oauth2 under the bonnet, and allow the app to call Devops APIs on their behalf of the logged in users ?
The main issue seems to be that Azure has two completely different sets of endpoints for logging in via Azure and calling Devops REST APIs. For example the REST API Oauth2 token endpoint is https://app.vssps.visualstudio.com/oauth2/token but the AD one is https://login.microsoftonline.com/${azure.activedirectory.tenant-id}/oauth2/token
Can I just have one application and add in the Oauth2 scopes I need (vso.release_execute) and add in an additional redirect_uri to handle the code returned from the call to https://app.vssps.visualstudio.com/oauth2/authorize, and then have call DevOps specific token URLs to get refresh and access tokens ?
The two links are different things. The first link is securing a Java web app using the Spring Boot Starter for Azure Active Directory. The second link is authorizing access to REST APIs of Azure DevOps Service with OAuth 2.0.
The users who can call the DevOps APIs in the application need to be able to access the DevOps organization. You can refer to the C# example in following link:
https://github.com/microsoft/azure-devops-auth-samples/tree/master/OAuthWebSample
I have a purchased account of Microsoft Azure portal, but I cant add an Application from Enterprise Application directory specifically that Application who is having single sign-on mode: OpenID Connect-based Sign-on, it shows Add button as disabled., however, i can add any other application who is having any type of single sign-on modes like SAML-based Sign-on or Password-based Sign-on
URL
screencast1
screencast2
is there setting anywhere that I have disabled unknowingly?
PS : its not only about one app, i can't add any live app whose SSO is openId connect, in screencast i have given an app just to show disability of add button. so its not about infonix specific an app its General.
By default, Infolinx works with Azure AD. To get started, sign up for Infolinx using an account in your instance of Azure AD.
Suggest you to contact Infolinx, in case if you have any difficulties in sign up.
Is it possible to set up a single "Native app" which can be used by users on different Azure accounts/directories so they can get data from their Office 365 Sharepoint Online?
We can get this working using a "Web app" because in the Azure portal where you set this up it has the "Multi-tenanted" option which can be set to Yes - the notes for this support this:
Designates whether users in external organizations are allowed to
grant your app access to data in their organization's directory. This
control affects only the ability to grant access. It does not affect
any access that has already been granted.
And some early testing suggests this does indeed work. However this implies using an Oauth secret which must be embedded in the app and the notes here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code
State (in relation to the app secret):
....It should not be used in a native app, because client_secrets
cannot be reliably stored on devices. It is required for web apps and
web APIs, which have the ability to store the client_secret securely
on the server side.
For native apps, the docs here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview
State:
Native client registrations are multi-tenant by default. You don’t
need to take any action to make a native client application
registration multi-tenant.
Which suggests they should work in the way we desire - however when we test this with OAuth flow from an account not in the same Azure AD where the native app was setup we get the following after authenticating:
AADSTS70001: Application with identifier 'XXXXXXXXXXXXXXXXXXXXXX' was not found in the directory YYYYYYYYYYYYYYYYYYYY
So it appears this does not work. At present the only way it seems to make this work is to create a Web app and embed the client ID and secret in the native application.
Has anybody had success with multi-tenant native apps or any ideas/feedback on what I am doing wrong or could try?
UPDATE I realised there were two things wrong here:
* You can actually click on the "Manifest" button in Azure and edit the raw JSON, updating the 'availableToOtherTenants' value to make it multi-tenant.
* I didn't have the scope=user_impersonation in the OAuth flow.
Now it seems we can create a native app which users in other orgs/tenants can authenticate with.
UPDATE 2 OK so it turns out our app now works for some users but at least one is getting:
AADSTS65005: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA. Resource value from request: https://XXX.YYYYYY.com. Resource app ID: ZZZZZZZZZZZ. List of valid resources from app registration: 00000002-0000-0000-c000-000000000000, 00000003-0000-0ff1-ce00-000000000000.\r\nTrace ID: KKKKKKKKKKKKKKKKK\r\nCorrelation ID: CCCCCCCCCCCCCCCCCCC
I can't see why it would work for one user but not another if both are in different tenant/Azure ADs to where the app is created.
If you were developing an native app which access the multi-tenant web API which also developed by you, you can set the add the clientId of native app to the manifest of web app's manifest with knownClientApplications property. So that when other tenant's users access the multi-tenant web API, it will also register the native app to their tenant.
Refer the code sample below which demonstrates a Windows Store application calling a multi-tenant web API that is secured using Azure AD:
active-directory-dotnet-webapi-multitenant-windows-store
I need to implement authentication for azure web api using azure active directory.
client app(which consumes webapi) may or may not be in azure. how i need to authenticate user, where i should generate token if my app is not in azure(if it is IOS app). authentication should work in all cases even if client app is in azure or not.
Please let me now the best procedure to implement authentication.
You need to define the client app in Azure AD as a native app in the case of a mobile app. Then you define the API there, and add your client permissions to access it. You can optionally customize the available permissions through the API app's manifest in Azure AD. Then when your mobile app opens, you would have to authenticate with Azure AD, and then request an access token for the API. That you can then use to authenticate requests.
I can't answer this question in too great detail because it is quite a large topic and how it is done also depends on your platform. There is a sample app that you can check which does exactly what you want. The whole list of examples for native apps can be found here.
App Service to use different authentication providers Azure Active Directory,Facebook,Google,Microsoft,Twitter.
We can set any type of Authentication/Authorization in the Azure Portal.More info about how to use authentication for API Apps in Azure App Service, please refer to document.
By default, App Service provides authentication but does not restrict authorized access to your site content and APIs. You must authorize users in your app code.