HTML pages not AAD Authenticated - azure

My website has AAD authentication enabled and it works fine when we try to access the home page.
But if I am accessing html pages directly, it is not prompting for authentication. Am I missing any setting to enable authentication for all the pages?

Usually you have to set up your pages to request the user to be authenticated before it loads.
Here is me solving this problem with Python Flask:
Refresh Tokens for Azure AD V2 Applications in Flask
Now, in order to invoke this code at the right time, I need to create
a view decorator, and Flask has a sample for almost exactly what we
want to do here: a login required decorator.
Basically, we add this decorator to any view where we expect the user
to be signed in. If the user has no token, we will redirect them to
the login page. If they have an expired token and a refresh token, we
will use the refresh token to get a new access token. Otherwise, if
the token is present and valid, we simply let the view load.
This same concept is available out of the box using .Net: active-directory-dotnet-graphapi-web
You can find in the README of this sample the following:
If you want the user to be required to sign-in before they can see any
page of the app, then in the HomeController, decorate the
HomeController class with the [Authorize] attribute. If you leave this
out, the user will be able to see the home page of the app without
having to sign-in first, and can click the sign-in link on that page
to get signed in.
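The three-way gate the answer describes (no token: redirect to login; expired token plus refresh token: renew, then load; valid token: load), as an added example that is not the answer's Flask code or the .NET sample. It is written as plain functions so it runs in Node without a web framework; `session` stands in for the server-side session object, `refresh` is an assumed callback that exchanges a refresh token for a new access token, and the view, session values and `fakeRefresh` are constructed for the demo.

```javascript
// Added example, not the answer's Flask code: the same gate the answer
// describes, framework-agnostic. `session` stands in for the server-side
// session; `refresh` is an assumed callback that trades a refresh token
// for a new access token and expiry.

function gateRequest(session, nowSeconds, refresh) {
  const { accessToken, expiresAt, refreshToken } = session;

  // Case 1: no token at all -> redirect to the login page.
  if (!accessToken) {
    return { action: 'redirect', location: '/login', refreshed: false };
  }

  const expired = typeof expiresAt !== 'number' || expiresAt <= nowSeconds;

  if (!expired) {
    // Case 3: token present and still valid -> let the view load.
    return { action: 'allow', refreshed: false };
  }

  // Case 2: expired, but a refresh token is available -> try to renew.
  if (refreshToken) {
    const fresh = refresh(refreshToken);
    if (fresh && fresh.accessToken) {
      session.accessToken = fresh.accessToken;
      session.expiresAt = fresh.expiresAt;
      return { action: 'allow', refreshed: true };
    }
  }

  // Expired and not renewable -> treat the user as signed out.
  return { action: 'redirect', location: '/login', refreshed: false };
}

// loginRequired plays the role of the decorator: it wraps a view handler so
// the gate runs first. A handler here is just a function (req) -> response.
function loginRequired(view, refresh) {
  return function guarded(req) {
    const nowSeconds = Math.floor(Date.now() / 1000);
    const decision = gateRequest(req.session, nowSeconds, refresh);
    if (decision.action === 'redirect') {
      return { status: 302, headers: { Location: decision.location }, body: '' };
    }
    return view(req);
  };
}

// Constructed demo: a fake refresh callback that only accepts one token value.
function fakeRefresh(refreshToken) {
  if (refreshToken !== 'rt-demo') return null;
  return { accessToken: 'at-renewed', expiresAt: Math.floor(Date.now() / 1000) + 3600 };
}

const profileView = loginRequired(
  (req) => ({ status: 200, body: `hello ${req.session.user}` }),
  fakeRefresh
);

console.log(profileView({ session: {} }).status); // 302
console.log(profileView({
  session: { user: 'ann', accessToken: 'at-old', expiresAt: 0, refreshToken: 'rt-demo' },
}).status); // 200
```

The refresh branch mutates the session in place so the renewed token is what later requests in the same session see; a failed refresh falls through to the same redirect as a missing token rather than letting a stale token through.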

Related

Adal JS - Logout of just one AD site

I'm working on a SPA that is utilizing ADAL JS. After calling adalService.logOut(), the user is properly redirected to the microsoft oauth logout URL and logout happens just fine. However, the user is logged out of all Microsoft 365 sites and all other sites utilizing ADAL.
Is there a way to only log the user out of this one site?
Unfortunately, the way the ADAL JS library works is just as you described. When the logout function is called it clears the entire cache. Per the Wiki:
https://github.com/AzureAD/azure-activedirectory-library-for-js/wiki/Login-methods#logout
Logout
When the logout method is called, the library clears the
application cache in the browser storage and sends a logout request to
the Azure AD instance's logout endpoint.
authContext.logOut(); The default behavior is to redirect the user to
window.location.href after logout. If a postLogoutRedirectUri value is
set at the config time, the user will be redirected to that URI.
The only other way is to log out manually. That would be to look through the cache yourself and delete the information you're interested in deleting there. This would in a way "logout" the user, since you have removed access to the token.
Per the wiki's config Auth Context https://github.com/AzureAD/azure-activedirectory-library-for-js/wiki/Config-authentication-context:
cacheLocation - ADAL caches tokens in the browser storage which
defaults to 'sessionStorage'. You can set this to either
'localStorage' or 'sessionStorage'.
    window.config = {
        clientId: 'g075edef-0efa-453b-997b-de1337c29185',
        cacheLocation: 'localStorage' // Default is sessionStorage
    };
Tokens are accessible from JavaScript since ADAL.JS is using HTML5 browser storage. It is recommended to prompt users to login
again for important operations in your app. You should also protect
your site for XSS. Please check the article here:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
You can read further details about the other configurable options
here.
And for more information on accessing local storage, you can read up on it here : https://blog.logrocket.com/the-complete-guide-to-using-localstorage-in-javascript-apps-ba44edb53a36
And the MDN Web doc for storage can be found here : https://developer.mozilla.org/en-US/docs/Web/API/Storage
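The "manual logout" the answer suggests, as an added example that is not ADAL JS library code: instead of calling logOut(), which also ends the Azure AD session for every site, remove only this app's cached ADAL entries from browser storage. makeStorage() is a tiny in-memory stand-in for window.localStorage so the code runs in Node; the 'adal.' key prefix is how ADAL JS names its entries, but the specific keys and values seeded here are constructed for the demo.

```javascript
// Added example, not ADAL JS code: per-site "logout" by clearing only the
// app's own cached entries. Pass window.localStorage (or sessionStorage,
// whichever cacheLocation you configured) in a real page.

function makeStorage(seed) {
  const map = new Map(Object.entries(seed || {}));
  return {
    get length() { return map.size; },
    key(i) { return Array.from(map.keys())[i] ?? null; },
    getItem(k) { return map.has(k) ? map.get(k) : null; },
    setItem(k, v) { map.set(k, String(v)); },
    removeItem(k) { map.delete(k); },
    clear() { map.clear(); },
  };
}

// Remove every entry whose key starts with `prefix` and return the removed keys.
// Keys are collected first because removing while iterating shifts indices.
function localLogout(storage, prefix = 'adal.') {
  const doomed = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (k !== null && k.startsWith(prefix)) doomed.push(k);
  }
  doomed.forEach((k) => storage.removeItem(k));
  return doomed;
}

// List the cached entries that hold tokens. Anything this returns is readable
// by any script on the page, which is why the answer points at XSS prevention.
function tokenKeys(storage, prefix = 'adal.') {
  const found = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (k !== null && k.startsWith(prefix) && /token/i.test(k)) found.push(k);
  }
  return found;
}

// Constructed demo storage: three ADAL-style entries plus one unrelated app key.
function makeDemoStorage() {
  return makeStorage({
    'adal.idtoken': 'eyJ.constructed',
    'adal.access.token.keyhttps://graph.microsoft.com': 'eyJ.constructed',
    'adal.expiration.keyhttps://graph.microsoft.com': '1700000000',
    'theme': 'dark',
  });
}

const demo = makeDemoStorage();
console.log(tokenKeys(demo).length);      // 2
console.log(localLogout(demo).length);    // 3
console.log(demo.getItem('theme'));       // dark
```

The trade-off the answer hints at: this only removes the app's copy of the tokens. The Azure AD session cookie is untouched, so the next login or silent token renewal will succeed without a prompt, which is why the answer also recommends re-prompting for important operations.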

Azure Active Directory Token

I'm new to using Azure Active Directory authentication with a Web API. Right now the login page on my Single Page Application simply directs the user to the Microsoft login page where they enter their credentials and then are redirected back to my SPA. Upon the redirect the access token is now part of the URL. Is it possible to get that token via JSON rather than as part of the URL? Is it a security risk making the token visible to the user like that? If there is no other way to get the token, what's the best way of processing it? Should I read the URL, pull the token from there, and then redirect the user again to the actual website?
You have to be mindful that in implicit flow the token will still be maintained at the client side (local storage normally). So even if you are hiding the token from the URL, you will still be storing it at the client side, and that's one of the things you have to manage in a SPA. You will have to send the token with every HTTP request to your web API to get it authenticated on that end.
In implicit flow tokens are short-lived and you can't issue a refresh token for a longer period of access. For this kind of flow you need to use the official library (ADAL.js)
https://github.com/AzureAD/azure-activedirectory-library-for-js
More resources
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
You can use the ADAL.js library to acquire the token. There is a predefined function which you have to call after the AD authentication, or at the beginning check if you are logged in: you can use the isauthenticated function to check if you have already logged in, and use the getaccesstoken function to acquire the token after authentication.
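Handling the token the implicit grant hands back, as an added example that is not from either answer and not ADAL.js code. Azure AD returns it in the URL fragment (after '#'), which the browser never sends to the server but which sits in the address bar and history until the app removes it. The function parses the fragment, checks the `state` value against the one the app generated before redirecting, and returns a cleaned URL to put back with history.replaceState(). The callback URLs, state value and token strings are constructed.

```javascript
// Added example: parse an implicit-grant callback URL in a SPA. Not ADAL.js
// code; ADAL.js does this for you when you use it, which is the answers' advice.

function parseImplicitResponse(url, expectedState, nowSeconds = Math.floor(Date.now() / 1000)) {
  const u = new URL(url);
  const fragment = u.hash.startsWith('#') ? u.hash.slice(1) : u.hash;
  const params = new URLSearchParams(fragment);

  // Azure AD reports failures with error / error_description in the fragment.
  if (params.has('error')) {
    return { ok: false, error: params.get('error'), description: params.get('error_description') };
  }

  const token = params.get('access_token');
  if (!token) return { ok: false, error: 'no_access_token' };

  // `state` ties the response to the request this app started (CSRF protection).
  if (expectedState !== undefined && params.get('state') !== expectedState) {
    return { ok: false, error: 'state_mismatch' };
  }

  const expiresIn = Number(params.get('expires_in') || 0);
  return {
    ok: true,
    token,
    tokenType: params.get('token_type') || 'Bearer',
    expiresAt: nowSeconds + expiresIn,
    cleanUrl: u.origin + u.pathname + u.search, // fragment dropped
  };
}

// The header the answer says must accompany every request to the Web API.
function bearerHeader(parsed) {
  return { Authorization: `${parsed.tokenType} ${parsed.token}` };
}

// Constructed callback URL, as the SPA would see it in window.location.href.
const callbackUrl =
  'https://spa.example/callback#access_token=eyJ.constructed&token_type=Bearer&expires_in=3599&state=s-42';
const parsed = parseImplicitResponse(callbackUrl, 's-42', 1700000000);
console.log(parsed.ok, parsed.cleanUrl); // true https://spa.example/callback
// In the browser, once the token is stored:
// history.replaceState(null, '', parsed.cleanUrl);
```

Keeping the token in the fragment rather than the query string is what stops it reaching server logs and Referer headers; replacing the URL afterwards is what keeps it out of bookmarks and history, which is the practical answer to "should I redirect the user again".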

Accessing Third Party Apps After Creating A Session Via API Token

I've scoured the api docs, as well as StackOverflow, and I've yet to find the answer to my question. And it is possible I'm misunderstanding how the system works.
Here's the scenario our client wants:
User logs into our website
At which point we authenticate the user in our system, and One Login via the api.
After the user logs into our dashboard, they can click a link and be redirected to their third party analytics app due to the fact that I've created a new session with One Login.
Here are the steps I've completed.
I've successfully received an access token via --> https://developers.onelogin.com/api-docs/1/oauth20-tokens/generate-tokens
I've successfully used the access token to generate a session login token via --> https://developers.onelogin.com/api-docs/1/users/create-session-login-token
I've successfully used the session login token to create a new session.
I'm receiving the proper cookies from One Login after making the create new session request, and - at that point - if I enter the URL onelogin.com/login, I am taken directly to the dashboard.
At this point I know I'm properly authenticated with One Login. However, I'm not sure how to directly access a third party app from a link on our website.
Thanks.
Two ways:
If the app supports SP-initiated SAML, just navigate the user to the application and it'll do the whole SAML flow: the app redirects to OneLogin, OL authenticates the user (because you have a session), then redirects the SAML response to the app.
Use the launch endpoint - You can create a URL to an app by using this format: https://app.onelogin.com/launch/{app-id}. For example, you can provide a link to an app like this:
Time Reporting
Details on that endpoint can be found here: https://developers.onelogin.com/api-docs/1/embed-apps/get-apps-to-embed-for-a-user
Take note that you're probably going to want to use the optional flag that makes sure to redirect to your login page, not OL's if you've built a login facade.

How to Prevent Direct URL Access in strongloop?

How do I redirect users to the login page when they try to access a page via a direct URL without logging in?
I have implemented token-based authentication: after the user logs in I get a token, and I keep the same token for further requests. But when I tried a direct URL without logging in, the page still loads. I want to allow access only after the user logs in.
Please refer to this link: https://github.com/strongloop/loopback-example-access-control. I have downloaded this application and tried a direct URL without logging in (that is http://localhost:3000/projects), and the page loads. Here I want to redirect to the login page. Please suggest any sample application.
I am not using the AngularSDK.

How to get seamless login to salesforce from my app which uses Azure AD as auth provider

We have custom application which currently has a custom login page.
It integrates with Azure AD using the OAuth2 password grant type.
This works currently.
Once logged into the application, in one particular section of the website we need to embed a secure salesforce page via an iframe.
This salesforce page is set up to use OAuth for the same Azure AD account. Outside of the app, if we go to the salesforce page it will redirect to the Azure login page (not our custom one) and we can then log in and see the salesforce section (any subsequent accesses will not need the login prompt as the browser has recognised you have logged in previously).
However, if we embed the secure salesforce page via an iframe, we get a
Refused to display http://xxx in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
We assume because this type of thing is not allowed with the Oauth2 spec, see: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-23#section-10.13
Is it correct that the only way to have a secure salesforce page embedded on our site is to make our website a SAML provider so we can get around this specific oauth limitation?
If SAML is the way to go, how would this be implemented with this setup (struggling to find info on how to set it up the way we want)? Can we keep our own login page (with some SAML-specific changes) or would we be forced to use the Azure login page?
The X-Frame-Options HTTP header has nothing to do with OAuth. It is a security feature that tells the browser to not load a page inside an iframe. This field is usually used to protect against clickbait attacks.
If the server responds with this header, there is usually no way to display the page in an iframe.
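A small checker for the decision the browser makes before rendering a response inside an iframe, as an added example that is not from the answer. It lets a developer predict the "Refused to display ... in a frame" error from the response headers alone, covering X-Frame-Options DENY and SAMEORIGIN plus the CSP frame-ancestors directive that supersedes X-Frame-Options when present. Origin matching is exact, with no wildcard hosts, which is an assumed simplification; the header sets below are constructed and only stand in for the Salesforce response in the question.

```javascript
// Added example: replicate the browser's framing decision from headers.
// Not the answer's code; frame-ancestors matching is simplified (exact origins only).

function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0] && parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map((s) => s.toLowerCase());
    }
  }
  return null;
}

// Case-insensitive header lookup over a plain { name: value } object.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : headers[key];
}

// pageOrigin: origin of the framed response; frameOrigin: origin of the embedding page.
function canFrame(pageOrigin, headers, frameOrigin) {
  const page = pageOrigin.toLowerCase();
  const framer = frameOrigin.toLowerCase();

  // CSP frame-ancestors takes precedence over X-Frame-Options when present.
  const ancestors = parseFrameAncestors(headerValue(headers, 'content-security-policy'));
  if (ancestors !== null) {
    if (ancestors.includes("'none'")) return { allowed: false, reason: "frame-ancestors 'none'" };
    if (ancestors.includes("'self'") && framer === page) return { allowed: true, reason: "frame-ancestors 'self'" };
    if (ancestors.includes(framer)) return { allowed: true, reason: 'frame-ancestors lists origin' };
    return { allowed: false, reason: 'origin not in frame-ancestors' };
  }

  const xfo = headerValue(headers, 'x-frame-options');
  if (xfo !== null) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
    if (value === 'SAMEORIGIN') {
      return framer === page
        ? { allowed: true, reason: 'same origin' }
        : {
            allowed: false,
            reason: `Refused to display ${pageOrigin} in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.`,
          };
    }
    // Any other value (ALLOW-FROM, typos) is ignored by current browsers, so the page can be framed.
  }
  return { allowed: true, reason: 'no framing restriction' };
}

// Constructed headers standing in for the response the question describes.
const salesforceLike = { 'X-Frame-Options': 'SAMEORIGIN' };
console.log(canFrame('https://login.salesforce.com', salesforceLike, 'https://myapp.example')); // allowed: false
```

The practical reading for the question: the header is set by the server that owns the framed page, so nothing on the embedding side (OAuth, SAML, or a different login page) changes the outcome; only the owner of that page can relax it, and a frame-ancestors allow-list is the way they would do so without opening the page to every site.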
