Need help setting up Azure AD B2C SSO with Knack - azure

Knack has an option to set up custom Single Sign On options. There are a few items I am unclear on as to where to find them on Azure AD B2C. According to their help article, I must provide the following information for OAuth 2.0:
Authorization URL: the URL that your user is redirected to obtain permissions when they click the SSO button.
Access Token URL: used to obtain a token to verify future requests to the authentication provider to act on your user’s behalf.
Profile URL (OAuth only) - the URL where information about a user’s account can be retrieved. The Profile URL will be sent a GET request authenticated by the user’s token, and will be expected to return a JSON object.
For Authorization URL, I have tried to supply the 'Sign-up or Sign-in' Policy endpoint as that takes you to the login page. I think this is right however I am unsure.
For Access Token URL, I have tried either the Authorization Endpoint or Token Endpoint, but I'm not sure if those are right.
"authorization_endpoint": "https://login.microsoftonline.com/zyxelcustomers.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1_zyxelcustomerssusi"
"token_endpoint": "https://login.microsoftonline.com/zyxelcustomers.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_zyxelcustomerssusi"
For Profile URL, I actually have no idea where I would find this on Azure AD B2C.
Single Sign On is new to me and I have gone through Azure AD documentation to try to help myself, but ultimately I am stuck.
Thanks in advance for your help and please let me know what other information I can provide.
Edit 9/26/2017:
This B2C documentation describes the purpose of Authorization URL and Access Token URL.
In short, the Authorization URL is the endpoint to send the user to enter their credentials. If the credentials are valid, an authorization code will be returned via URL to the designated Reply URL. The client app will then use the returned authorization code to request an access token from the Access Token URL. If successful, the client can now attach the access token as a Bearer token in the Authorization header to authorize future API calls before the token expires.
Unfortunately, as of this time of writing, AADB2C does not support calling the Azure AD Graph or Microsoft Graph API for user profile information.
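The exchange described in the edit above, as an added example in Go that is not part of the original post or of Knack's or Azure's own code: it builds the Authorization URL for a B2C sign-up/sign-in policy (the `p=` parameter), refuses the callback to the Reply URL unless it carries the `state` value this client generated, and then assembles the request the client POSTs to the Access Token URL. The tenant, policy name, client ID, client secret, redirect URI and the callback query string are assumed placeholder values.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// B2CClient holds what the SSO form asks for, expressed for Azure AD B2C.
// All field values used below are placeholders (assumed), not real ones.
type B2CClient struct {
	Tenant       string // e.g. "contoso.onmicrosoft.com"
	Policy       string // e.g. "b2c_1_susi" (the sign-up/sign-in policy)
	ClientID     string
	ClientSecret string // confidential client: sent only to the token endpoint
	RedirectURI  string // must match a registered Reply URL exactly
	Scopes       []string
}

func (c B2CClient) endpoint(path string) string {
	return "https://login.microsoftonline.com/" + c.Tenant + "/oauth2/v2.0/" + path
}

// NewState returns an unguessable value the client stores (e.g. in the session)
// before redirecting; it is what ties the callback to this login attempt.
func NewState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// AuthorizationURL is the "Authorization URL" step: the browser is sent here to
// sign in under the policy named by p=. response_type=code selects the code flow.
func (c B2CClient) AuthorizationURL(state string) string {
	q := url.Values{
		"p":             {c.Policy},
		"client_id":     {c.ClientID},
		"response_type": {"code"},
		"response_mode": {"query"},
		"redirect_uri":  {c.RedirectURI},
		"scope":         {strings.Join(c.Scopes, " ")},
		"state":         {state},
	}
	return c.endpoint("authorize") + "?" + q.Encode()
}

// ParseCallback handles the redirect back to the Reply URL. It refuses the
// response unless state matches what this client generated, and surfaces
// error/error_description from B2C instead of treating them as success.
func ParseCallback(rawURL, expectedState string) (code string, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if q.Get("state") == "" || q.Get("state") != expectedState {
		return "", fmt.Errorf("state mismatch: callback does not belong to this login attempt")
	}
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization failed: %s: %s", e, q.Get("error_description"))
	}
	if code = q.Get("code"); code == "" {
		return "", fmt.Errorf("callback carried neither code nor error")
	}
	return code, nil
}

// TokenRequest is the "Access Token URL" step: the form body the client POSTs
// (application/x-www-form-urlencoded) to trade the code for tokens.
func (c B2CClient) TokenRequest(code string) (endpoint string, form url.Values) {
	form = url.Values{
		"p":             {c.Policy},
		"grant_type":    {"authorization_code"},
		"client_id":     {c.ClientID},
		"client_secret": {c.ClientSecret},
		"code":          {code},
		"redirect_uri":  {c.RedirectURI},
		"scope":         {strings.Join(c.Scopes, " ")},
	}
	return c.endpoint("token"), form
}

func main() {
	c := B2CClient{Tenant: "contoso.onmicrosoft.com", Policy: "b2c_1_susi", ClientID: "00000000-0000-0000-0000-000000000000",
		ClientSecret: "assumed-secret", RedirectURI: "https://app.example.com/sso/callback", Scopes: []string{"openid", "offline_access"}}
	state, _ := NewState()
	fmt.Println("redirect browser to:", c.AuthorizationURL(state))
	// Constructed callback, as the browser would deliver it to the Reply URL.
	code, err := ParseCallback(c.RedirectURI+"?code=AUTH_CODE_FROM_B2C&state="+state, state)
	fmt.Println("code:", code, "err:", err)
	ep, form := c.TokenRequest(code)
	fmt.Println("POST", ep, form.Encode())
}
```

A real client would send the form with `http.PostForm(ep, form)` and then validate the `id_token` in the response before trusting any claim in it. The `state` check matters because the Reply URL is reachable by anyone: without it, an attacker could complete the callback with a code from their own login and bind the victim's session to the attacker's account.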

You should not need to provide a Profile URL since Azure AD B2C uses OpenID Connect, and not OAuth (similar protocols, but not identical). The Profile URL field is optional, so try configuring it without filling out the field.

Related

Azure AD B2C error 'id_token_hint parameter not specified' when EnforceIdTokenHintOnLogout="true" in signin_signup custom policy

I need to ensure that the post_logout_redirect_uri can only direct users to a whitelisted URI, so based on the answer in Azure AD B2C vulnerable to Open Redirect? I added
<SingleSignOn Scope="Tenant" EnforceIdTokenHintOnLogout="false" />
to the RelyingParty's UserJourneyBehaviors section in our signin_signup custom policy. However, when I go to log in I get an error:
AADB2C90272: the id_token_hint parameter has not been specified in the request. Please provide token and try again.
When I read Microsoft's documentation it states
pass a previously issued ID token to the logout endpoint as a hint about the end user's current authenticated session with the client
However, the user hasn't logged in yet, so they don't have an ID token issued yet to pass and they aren't allowed to login after receiving this error.
I tried enabling the "ID tokens (used for implicit and hybrid flows)" option in the Application's Authentication tab but that was to no avail since the first redirect to Azure AD B2C adds a post_logout_redirect_uri parameter.
I also tried setting PostLogoutRedirectUri to an empty string, null, and a JWT token from a prior login in OpenIdConnectAuthenticationOptions since it seemed to be where post_logout_redirect_uri was being generated in the redirect to signin_signup also to no avail.
Is the id_token_hint supposed to be the JWT token returned from Azure AD B2C or is it another ID token? And does anyone have any C# code showing how to pass it in?

Resource Owner Password Credentials token results in 401 on Azure Function App

I would like to use the Resource Owner Password Credential Flow of Azure AD for my function app. The function app is up and running. Once I configure Azure AD authentication for the app, my requests get rejected with a 401 Unauthorized but with no further details on the error.
I should also emphasize that I can obtain new tokens from the authentication endpoint for my tenant. It's just that these tokens get rejected when I try to call the function from curl. When I login with the browser and the same credentials, I can access the function.
Clarification: Obtaining tokens via the API works, but these tokens are then rejected by the function app's AAD authentication. Going through the browser, I obtain tokens that can log me into the function app.
What I did:
Create a function app
Basic GET request, works with either no authorization or with authorization through the browser.
Create an app registration in Azure AD
Implicit grant: Access + ID Token
Supported account types: Single Tenant
Allow public client flow: Yes
In the manifest: "oauth2AllowImplicitFlow": true,
Scopes: Custom user_impersonation scope for my API
API: Here I added my function app with the user_impersonation scope
Configure the function app to authenticate user through AAD
Management mode: Advanced
Client ID: The client ID of the app registration above
Allowed Token Audiences: The URL of my function
Steps to reproduce:
Obtain a new access_token:
Issue a POST request to https://login.microsoftonline.com//oauth2/v2.0/token and the following parameters:
clientId: The client ID of the app registration in Azure AD
scope: user.read openid profile offline_access https://<my-function>.azurewebsites.net/user_impersonation
username: The e-mail address of the user
password: The password of the user
grant_type: password
This returns the access_token. I'm not going to post it here, but I can share details on request.
Call the protected API
Issue a GET request to https://<my-function>.azurewebsites.net/api/test with the following header parameter:
Authorization: Bearer <access_token>
Any help is greatly appreciated of course. It is important to note that users should not be able to login interactively anyway. I'm well aware of the pitfalls and shortcomings of the ROPC flow but this is the only way to solve this particular use case with Azure AD.
Here are some resources I consulted before. I might have overlooked a critical point, of course:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc?tabs=app-reg-ga (Not using AAD B2C but is probably similar enough. However the steps mentioned here work.)
I seem to have fixed it. The solution was a lot of trial and error; maybe there is an easier way.
Azure AD App Registration
Only select the access token, we don't need an ID token anyway.
Set "accessTokenAcceptedVersion": 2 in the manifest
Use the suggested api://... Application ID
Function App
Set both the Client ID and the Allowed Token Audience to the Application ID from the AAD App Registration, but without the leading api:// scheme.
Obtaining the token
Specify the scope as api://.../user_impersonation
After going through all of the steps above, I can successfully authenticate before being able to access my function app. The next challenge will be to read the authenticated user name from the request. But that might be the topic of another thread on SO.

Could not complete OAuth 2.0 Login

Hi, I have created an application in Azure AD. I am trying to get a token from Postman.
I am getting the error below: Could not complete OAuth 2.0 Login.
Below is my request.
My auth url is
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
In the above URL, in place of organizations do I need to put my company name? Also, do I need to add resource to the URL? Can someone help me find the error? Any help would be appreciated. Thanks
In the above URL, in place of organizations do I need to put my company name?
It depends on your requirements: if you just want your tenant (company) users to log in (single tenant), use the tenant name/id here; if you want both your tenant and other tenants to log in, you can use common/organizations here (multitenant).
Also do i need to add resource to the url?
No, you need a scope value instead of resource. This is what you want the user to consent to.
Could not complete OAuth 2.0 Login in postman
1. Register an application in the Azure portal
2. The parameters in Postman:
Auth URL:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
I am using Authorization Code flow to get the access token, you can also use Client Credentials flow. Refer to my answer here.

How check token received from Azure Active Directory?

Let's say that a user logs in using the Microsoft login page and Azure requests the application URL with a token. But how do I validate it? Anybody can request the application URL with a fake token. Does the Azure API contain a URL for such a check?
But how to validate it?
To validate an id_token or an access_token, your app should validate both the token's signature and the claims. To validate access tokens, your app should also validate the issuer, the audience, and the signing tokens. These need to be validated against the values in the OpenID discovery document. For example, the tenant-independent version of the document is located at https://login.microsoftonline.com/common/.well-known/openid-configuration.
The Azure AD middleware has built-in capabilities for validating access tokens, and you can browse through the samples to find one in the language of your choice. For more information on how to explicitly validate a JWT token, see the manual JWT validation sample.
For more details, you could refer to Validating tokens.
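The checks the answer above lists (signature against the keys published through the discovery document, then issuer, audience and expiry), as an added example in Go that is not part of the original answer or of the Azure AD middleware: `ValidateToken` verifies an RS256 JWT against a JWKS document of the shape served at `jwks_uri`, pins the algorithm so the token cannot select `none` or an HMAC, and reads no claim until the signature is good. `SignTestToken` is a stand-in for Azure AD that mints a token and matching JWKS so the block runs offline; the issuer, audience and key id values are assumed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK/JWKS mirror the jwks_uri document; encoding/json matches "kid", "n", "e" case-insensitively.
type JWK struct{ Kid, Kty, N, E string }
type JWKS struct{ Keys []JWK }
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// ValidateToken verifies an RS256 JWT's signature against the JWKS, then checks
// issuer, audience and expiry. Claims are returned only when every check passes.
func ValidateToken(token string, keys JWKS, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token must have three segments")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("malformed header")
	}
	if hdr.Alg != "RS256" { // pin the algorithm: the token never gets to pick "none" or HMAC
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, err := lookupKey(keys, hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims // payload is decoded only after the signature checked out
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("malformed payload")
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("issuer %q is not trusted", c.Iss)
	}
	if c.Aud != wantAud {
		return nil, fmt.Errorf("audience %q is not this application", c.Aud)
	}
	if now.Unix() >= c.Exp {
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// lookupKey rebuilds the RSA public key whose kid matches the token header.
func lookupKey(keys JWKS, kid string) (*rsa.PublicKey, error) {
	for _, k := range keys.Keys {
		n, errN := base64.RawURLEncoding.DecodeString(k.N)
		e, errE := base64.RawURLEncoding.DecodeString(k.E)
		if k.Kid != kid || k.Kty != "RSA" || errN != nil || errE != nil {
			continue
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, fmt.Errorf("no usable signing key with kid %q", kid)
}

// SignTestToken mints an RS256 token plus a matching JWKS so the validator can run
// offline; it stands in for Azure AD and for the fetch of jwks_uri (test helper only).
func SignTestToken(priv *rsa.PrivateKey, kid string, c Claims) (string, JWKS) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	key := JWK{Kid: kid, Kty: "RSA", N: base64.RawURLEncoding.EncodeToString(priv.N.Bytes()),
		E: base64.RawURLEncoding.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), JWKS{Keys: []JWK{key}}
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // assumed issuer and audience values below
	tok, jwks := SignTestToken(priv, "key-1", Claims{Iss: "https://issuer.example/v2.0", Aud: "my-client-id", Exp: time.Now().Add(5 * time.Minute).Unix()})
	_, err := ValidateToken(tok, jwks, "https://issuer.example/v2.0", "other-app", time.Now()) // token minted for a different app
	fmt.Println("wrong audience rejected:", err)
}
```

In production the JWKS comes from the `jwks_uri` named in the discovery document (and should be re-fetched when an unknown `kid` appears, since Microsoft rotates signing keys), and `wantIss` must be the tenant-specific `issuer` value from that same document rather than a hard-coded string; the audience check is what stops a token issued for some other API from being accepted here.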

azure active directory & postman

I have an Azure web API application which is secured by an azure active directory tenant. Through Postman I am trying to obtain the OAuth2 access token using Postman's OAuth2 Helper. The get access-token requires four bits of info: The tenant auth endpoint, the tenant token endpoint, the client id and the client secret of the associated tenant application. It also seems that the tenant application reply url must include https://www.getpostman.com/oauth2/callback which is where postman is supposed to retrieve the token into the helper.
I can't get this to work. The get access token button reports back an error but it is very hard to decipher what the error is: the debug url reveals nothing really.
Has anyone had any experience attempting to get an AAD Oauth access token with postman's OAuth2 helper? If so, do you have any hints as to where I should look to debug what is going on?
The extension sadly lacks one critical field for Azure AD. AAD must know what resource you want the token for, since a token will not work for all APIs that your app has permissions for. The authorization code is actually retrieved successfully, but the request to the token endpoint fails with an error message about the missing resource identifier. So you can't use it with AAD; neither the authorization code nor the client credentials flow works.
Update: The Azure AD v2 endpoint allows you to use the scope parameter instead of resource, which Postman does support!
You can set the resource ID as a parameter to the Auth URL.
Auth URL: https://_______________?resource=https://_________
I am attempting the same authentication flow with the postman app (vs extension). Watching fiddler it appears that the authorization grant is coming back as I see a response from AAD of the form, GET https://www.getpostman.com/oauth2/callback?code=AAABAAAAiL9Kn2Z27UubvWFPbm0gLTo3oWq....
I'm assuming the "code" is the authorization grant because if I attempt to use it as the access token it is unauthorized. Also the fiddler session responds with a 301 Moved Permanently to https://app.getpostman.com/oauth2/callback...
This is my experience with AAD and Postman. You should first validate that you successfully authenticated through AAD and Postman.
Adapted from this post
set up a dedicated 'postman-test' app registration in the AD tenant, with permission to access your target API. Ensure it has the Postman callback URL previously mentioned.
fill in Postman's OAuth helper form with following details:
Token Name – Any name to save the token.
Auth Url – https://login.microsoftonline.com/{tenant}/oauth2/authorize?resource={testing-appId-uri}
Access Token Url – https://login.microsoftonline.com/{tenant}/oauth2/token
Client ID – Client Id from configure tab of “postman-test” app.
Client Secret – Client secret copied from configure tab of “postman-test” app.
Grant Type – Authorization Code
Note:
tenant: It can be either the name of the Active Directory or the TenantId of the admin who created the Active Directory.
testing-appId-uri: the App ID URI of the application you are testing. It should include the http:// or https:// and does not need escaping.