I am trying out the sample code on GitHub called active-directory-b2c-dotnet-webapp-and-webapi and when I run it against the AD B2C directory in the sample it works fine but I'm having an issue trying it out against my own AD B2C directory. I get the following error:
The application with ID 'xxx' cannot get an ID token either because the openid scope was not requested or the application is not authorized for it
Isn't the openid scope included automatically? I setup a Web App and a Web API app as per the instructions provided. When I look at the scopes that the Web App has access to, the openid scope is not listed there. Is this something I need to add manually?
When we change the API permission for an app, the openid permission gets overwritten. We can re-enable it if this happens. The option will be available at API Permissions blade under https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade.
Open the API Permissions at the above link, Add a Permission, Select Microsoft Graph --> Select Openid and save. There you are! :)
In addition to the openID step outlined above, also do the below:
Go to the API access under the Application in B2C for the app in question and add a permission against this same app saying "access this app on behalf of the signed in user".
No other steps needed.
I found the issue was with app registrations > API Permissions. When adding permissions in the Request API permissions screen, make sure you select "Delegated permissions: Your application needs to access the API as the signed-in user."
If you selected the other option, then recreate your configuration and try again.
openid scope is not included automatically. It should be present by default in the sample, but if it was removed, then the request will fail.
Related
I am attempting to implement Interactive Browser Credential with Azure Identity (JS) in my app so that users can authenticate to their own Azure accounts for my dev tool. I got advice that app registration in Azure AD would be required on a Reddit thread (https://www.reddit.com/r/AZURE/comments/smcl15/azure_identity_sdk_js_how_to_authenticate_to/). I have now done so.
I have registered localhost:8083 and localhost:8085 as redirect URIs and selected the option to allow Account in any organizational directory. However, I am still getting the error "You can't sign in here with a personal account. Use your work or school account instead." Every answer(Access with personal account to multi-tenant application AAD) I have read on the topic says that I need to set "signInAudience": "AzureADandPersonalMicrosoftAccount" in the manifest. However, that is how my manifest already is and has been since the beginning. How do I fix the error?
This error may occur in one of the below two scenarios.
1. Resource being different from client application
Please ensure the request resource is added to the applications required API permissions and the resource API has been consented to .Resource for which you want an access token, you can pass either the Resource URI of a Web APP, or the client Id of the target Web API. It's important to note that the token contains the resource as requested (audience).
If you have a permission something like user_impersonation, try by giving scope as https://management.azure.com/user_impersonation
Please check if you need to add api version as query string as per Azure REST API reference documentation | Microsoft Docs.
Make sure you see the app in the app registrations >all applications blade while Searching for the appId present in the error provided.
2: Resource and client is the same app registration
In app registrations ,after exposing the api and adding permissions and scope, Ensure the app has been consented to permission.
For example:
I have registered one web api (TestAPI) in Azure AD B2C by setting Include web app/api and Allow implicit flow to 'YES', provided APP ID URI and added two new scopes for read and write.(By default user_impersonation scope got added)
Then in my existing Web Application while clicking for API ACCESS, I am not able to find out TEST API which I recently registered, in the Select API dropdown.
Please guide. Did I miss any steps in between.
Thanks in Advance!
To make the answer visible to others, I'm summarizing the answer shared in comment:
Change Directory to any other directory from top right corner
Comeback again to B2C
Check now API is visible or not
I'm trying to set up Azure AD B2C for my web app.
I've already created a tenant. I then created an app. According to articles I'm following, I should then be able to click "API Access" and add scopes. In my case, there's nothing under API drop down:
I already see "Access the user's profile" with the following selected:
Under "Published Scopes", again, I see nothing:
What am I missing here?
UPDATE:
After adding the App ID URI, I was able to move forward a bit but still not sure about published scopes. This is what I currently have:
And under API Access, this is what I have:
Basically, the behavior I'm getting on my frontend app which is built on ReactJs is that I hit the Azure AD B2C login. After entering my credentials, I get redirected to my app. I see id_token in the URL but the MSAL library I'm using doesn't capture the token -- I have a break point in my React code to see if I'm capturing the token. I get sent back to the login screen on Azure, then back to my app. On the third one, I actually see the token being captured but I end up with the following errors:
I'm using this library which is a wrapper for the MSAL.js library: https://github.com/jamesrandall/react-azure-adb2c
I'm pretty certain there are config errors. Just not sure what they are.
API access is used to assign access from a web app to an API app.
Published scopes is used to register the access scopes for the API app.
Before the access scopes can be registered for the API app, an App ID URI must be set as the resource identifier for the API app, as described by the Azure Active Directory B2C: Register your application article.
I have an application registration in Azure AD which has some Graph API delegated permissions set for it.
The application is simply a page in SharePoint that is making the Graph calls, authenticating with the ADAL.js library.
I now want to make an additional Graph call on the page to a new Graph API endpoint so I need to assign the application an additional permission. I set this permission in Azure AD and save. However, the user accessing the SharePoint page is never asked to reconsent to the new permissions, therefore the new Graph call fails with a 401 Unauthorised message.
I have tried this with a number of different endpoints and permissions, and I am sure I am setting the correct permissions in the application.
How can I have the consent dialog appear for users automatically when the application permissions change?
Admin consent is not an option.
I remember having a discussion about this with a member of Azure AD team some time back and this is what he had suggested at that time (though I never tried it so it may not work).
Essentially what he suggested is that when you get Unauthorized (401) error, you redirect the user to Azure AD login again i.e. follow OAuth authorization flow again but include prompt=consent in the sign in URI. This will present the user a consent page with latest permissions. Once the user consents to the latest permission, you can redirect the user back to your application. You may find this link helpful for understanding different values for propmpt parameter: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code.
Again, I have not tried this personally so it may not work. If it doesn't, please let me know and I will remove my answer.
I have currently set up a AAD instance and I am authenticating my users against it via my web app, and it’s working great.
When I added and configured the application on AAD, I added the required Application and Delegated Permissions to access the Office365 Calendar API. However, the only thing that is missing is that during the login flow users aren’t being prompted to grant consent for the permissions, as it should happen from what I’ve read in your docs: https://msdn.microsoft.com/en-us/library/azure/dn132599.aspx#BKMK_Consent
I’m not sure what I’m missing. Apparently, from the docs,
After the user has signed in, Azure AD will determine if the user
needs to be shown a consent page. This determination is based on
whether the user (or their organization’s administrator) has already
granted the application consent. If consent has not already been
granted, Azure AD will prompt the user for consent and will display
the required permissions it needs to function. The set of permissions
that is displayed in the consent dialog are the same as what was
selected in the Permissions to other applications control in the Azure
Management Portal.
So maybe somehow I have already probably implicitly granted admin consent for those permissions, but I don’t know how that happened.
I've attached the permissions I configured on the AAD App.
Any help would be appreciated.
If an admin creates an application in their tenant using the AUX portal (manage.windowsazure.com), and requests permissions to other applications, then users in that same tenant are pre-consented for that application. Note this behavior is NOT true for our other App Registration Portals (portal.azure.com or identity.microsoft.com)
I believe this is why you are not seeing the consent dialogue when user's in your tenant are signing into your application. If you would like to push the consent dialogue experience, there are a few different things you can do:
You can use query strings to prompt "consent" or "admin_consent" during login. Check here: https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx
You can delete the service principal for your application from your tenant using AAD PowerShell. You can learn how to do that here: https://msdn.microsoft.com/en-us/library/azure/dn194113.aspx
You can have a user from another tenant try to login to your multi-tenant application.
You can create your application under a non-admin account.
I hope this helps!
Shawn Tabrizi
Try this:
What is the Resource parameter in Windows Azure AD tenant application oAuth 2.0 specification
Changing the resource parameter to https://graph.windows.net did the trick for me.
Furthermore, Microsoft support suggests disabling all permissions except "Enable sign-on and read users' profiles", apparently to avoid permission related problems. I understand that this is not a solution in your case, but at least it gives you a test case.