I'm using the Azure Application Proxy with pre-authentication enabled for Azure Active Directory. Everything is working as expected, getting prompted to login and then being redirected to the site (SPA) via the proxy connector.
Is there a way to receive the access token in the single page application, so that it can be used to interact with the Graph API to validate membership rights?
Related
For our client website, we have implemented user authentication (using OIDC) and related user flows using Azure AD B2C. External users are successfully authenticating and accessing our website (SPA). Also, we have implemented the B2C ROPC flow for headless authentication users.
But here is a scenario where we have a few clients who want to access our website from an external client app. On the external client application side they are using “OKTA with SSO” and tried to access our website login page, but they are failing to get the B2C token to access our website.
To achieve this, do we need to make any changes in the current B2C-integrated website (my client)? Are there any references or an integration process that our external client application should follow (the external client has an OKTA tenant and uses it for SSO)?
Are there any references to assist with this use case, where external client apps access another client's website resources securely?
One way to do this is to set up B2C so that Okta is an external IDP.
The flow is then:
External user (who normally authenticates with Okta) accesses your B2C application
The login page shows an Okta button
External user clicks the button and then authenticates with their Okta credentials (If they are set up with Okta SSO, this may happen silently)
External user can then access your B2C application
I have two Azure Web Apps, one is a website acting as the front-end, the other one is an API acting as the backend. I would like to add authentication to this solution so that only the front-end can access the backend. To do this, I've configured AAD authentication on the backend Web App with the express option that creates a new Azure AD application configured with the correct reply URL, API permissions (User.Read), etc. When I then navigate to the backend Web App URL, I need to sign in with my Azure AD credentials.
Which steps do I need to take to restrict that, so that I as a user cannot log in and only the front-end Web App can authenticate to the backend API?
For example, I can set the "Authorized client applications" on the Azure AD application of the backend API. However, I need to have an application ID to add an authorized client and I would like to use the Managed Identity of the front-end Web App for this, not a new and additional Azure AD application.
Any idea how to do this?
This is weird: if the login screen still appears, there is a problem with your code configuration, because the client credentials flow does not involve user interaction.
I found a useful sample for your reference, this sample application shows how to use the Microsoft identity platform to access the data from a protected Web API, in a non-interactive process. It uses the OAuth 2 client credentials grant to acquire an access token, which is then used to call the Web API.
I have a Cordova application which I am authenticating using the Azure AD Cordova plugin, and it all works fine. But now I am integrating services published in another domain and I am unable to authenticate against these services using the mobile token generated after authentication. Can someone guide me on how to secure multiple-domain APIs published as Azure web APIs and use the token to access the secured APIs?
I have tried to modify the security settings in the Azure portal of one of the APIs by including reply URLs for both of the APIs.
When I include the token in the header of the ajax requests going into 2nd domain endpoints, I just get "unauthorized" error.
It sounds like you're able to get an access token in a Cordova setting and you're having issues accessing multiple web apis after the user has logged in.
The authentication protocol I would suggest you utilize is the On-Behalf-Of flow, which is documented here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
Per the summary:
The OAuth 2.0 On-Behalf-Of flow (OBO) serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from the Microsoft identity platform, on behalf of the user.
This is to get a new access token with the right audience to gain access to web API 2.
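The two checks these answers turn on, a backend accepting only tokens issued for its own audience and from an authorized client (the "only the front-end" question above) and a middle tier exchanging its incoming token for one scoped to the downstream API (the OBO answer), as an added example that is not code from the thread or from the linked sample. The app ID URIs and client IDs are assumed placeholders; the token is built unsigned so the example runs offline, and a real API must verify the signature and expiry before trusting any claim.

```python
import base64
import json

# Assumed placeholder identifiers (not values from the thread).
API1_AUDIENCE = "api://web-api-1-placeholder"
API2_AUDIENCE = "api://web-api-2-placeholder"
FRONTEND_CLIENT_ID = "frontend-client-id-placeholder"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_test_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string so the example runs offline; not a real token."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


def decode_claims(token: str) -> dict:
    """Read the claims segment only. A real API validates the signature against the
    tenant's signing keys (e.g. with an MSAL/JWT library) before these values are trusted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def caller_allowed(claims: dict, expected_audience: str, allowed_client_ids: set) -> bool:
    """Accept a token only if it was issued for this API (aud) and to an authorized
    client application (azp in v2.0 tokens, appid in v1.0 tokens). A token minted for
    API 1 and replayed against API 2 fails the aud check, which is the 'unauthorized'
    outcome described in the Cordova question."""
    caller = claims.get("azp") or claims.get("appid")
    return claims.get("aud") == expected_audience and caller in allowed_client_ids


def obo_request_body(client_id: str, client_secret: str, incoming_token: str, scope: str) -> dict:
    """Form parameters the middle-tier API posts to the v2.0 token endpoint to exchange
    the token it received for one whose audience is the downstream API (the OBO flow)."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": incoming_token,
        "scope": scope,
        "requested_token_use": "on_behalf_of",
    }
```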
I am trying to access an Azure-hosted service using the Windows client. It is required to register the Windows client with Azure AD and then get the application ID for requesting the authentication token/sign-in.
For web apps this is not needed. The browser itself will automatically redirect to the login page for authentication and the token is cached in the cookie.
Is it possible for the Windows client to sign in to Azure AD similarly to web apps, without needing to register itself?
We want to use the AAP to communicate from an Azure App to an on-premise application. We want the App to authenticate and call the Proxy API, and not delegate the user. Right now, we are able to get a token for the Resource of the Proxy API and call the API from the application, but we get an error page (imho from the proxy API) saying "This corporate app can't be accessed right now.", with StatusCode: InternalServerError.
Calling the proxy URL from a browser with Azure Authentication enabled on the proxy, and with an Azure Account logged in to that browser, it works.
Calling the proxy URL from a browser with Passthrough on the proxy, anonymously, it works.
Calling the proxy URL from a browser with Azure Authentication on the proxy, anonymously, it returns access denied.
Calling the proxy URL from a Web API hosted on Azure with a token requested on the Proxy resource and with Azure Authentication on the proxy, it fails with InternalServerError.
Is the AAP only working for use with Users and not Applications? I suspect this because the documentation has this quote:
The client sends the token to the Application Proxy service, which retrieves the user principal name (UPN) and security principal name (SPN) from the token, then directs the request to the Application Proxy connector.
It is intended to give users access to your on-premises applications, not applications.
The user is authenticated through Azure AD and given access to the on-premises application. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy