I've successfully implemented MSAL JS for Azure AD B2C.
The next step is to let the user edit their profile. I've created a new policy for Edit Profile.
But how to redirect the user there? There are only login methods / acquire token methods.
I've tried to set the authority to a different policy. It then does redirect to the right page, but then it starts complaining about errors in scopes, and it messes up the token locally.
editProfile() {
this.userAgentApp.authority = this.policyEditProfile;
this.userAgentApp.loginRedirect();
}
The ASP.NET code examples explicitly have an option to set the editProfile Policy ID: https://learn.microsoft.com/en-gb/azure/active-directory-b2c/active-directory-b2c-devquickstarts-web-dotnet-susi#update-code-to-use-your-tenant-and-policies
Feels like this is missing from MSAL.JS and I have to manually craft the URL, is that correct?
Yes, this is correct. You will need to use a different authority which URL is composed of the tenant and the policy name, as shown here:
private static string Tenant = "yourTenant.onmicrosoft.com";
public static string PolicySignUpSignIn = "b2c_1_susi";
public static string PolicyEditProfile = "b2c_1_edit_profile";
private static string BaseAuthority = "https://login.microsoftonline.com/tfp/{tenant}/{policy}/oauth2/v2.0/authorize";
public static string Authority = BaseAuthority.Replace("{tenant}", Tenant).Replace("{policy}", PolicySignUpSignIn);
public static string AuthorityEditProfile = BaseAuthority.Replace("{tenant}", Tenant).Replace("{policy}", PolicyEditProfile);
BTW, that sample, although for .NET Desktop shows how to use the edit profile and password reset policies: active-directory-b2c-dotnet-desktop , see in particular the EditProfileButton_Click method, the factor of acquiring the token (interactively) will trigger the dialog to edit the profile:
AuthenticationResult authResult = await App.PublicClientApp.AcquireTokenAsync(App.ApiScopes, GetUserByPolicy(App.PublicClientApp.Users, App.PolicyEditProfile), UIBehavior.SelectAccount, string.Empty, null, App.AuthorityEditProfile);
Related
We have the following:-
SharePoint online tenant recently created
Windows server 2019
.NET console application which have some code that integrates with SharePoint online
The .NET console application runs on schedule basis using windows task scheduler.
now previously on old tenants i authenticate my code using this method by passing the ClientID and Client Secret:-
static void Main(string[] args)
{
string siteUrl = "https://***.sharepoint.com/sites/CustomerServiceKB/";
string clientId = "******";
string clientSecret = "*****";
using (ClientContext context = new OfficeDevPnP.Core.AuthenticationManager().GetAppOnlyAuthenticatedContext(siteUrl, clientId, clientSecret))
{
but on our newly created tenant we can not authenticate our code using the above method, because we have the DisableCustomAppAuthentication set to true.. now we do not want to modify this property.
So our question is; if we have the DisableCustomAppAuthentication set to true (ans we do not want to set it to false), then how we can authenticate our console application? which is hosted inside our windows server and which runs on schedule basis using tasks scheduler ?
So the DisableCustomAppAuthentication property was brought in (and was set to true by default) to support the deprecation of the Azure Access Control Service (ACS). The modern way to authenticate custom apps in Sharepoint tenants is to register them in the Azure AD.
Before moving on, consider the pros and cons of switching to the new authentication scheme. Mainly, the ACS enables users to granularly control site-level permissions for the application authentication, but Azure AD app registration makes the set of running applications transparent to the administrators. If you want to stay with ACS, just set the DisableCustomAppAuthentication to false.
Now, if you decided to move on with registering the application in the Azure ID, here are the steps to follow:
Log in to the Azure portal and navigate to the Azure Active Directory.
Register the application in the Azure AD portal. Here's a guide on how to do it. Obtain the application (client) ID on the application overview page.
Set all the necessary permissions, confirm them as a global administrator (or ask the administrator for confirmation).
Configure the authentication. Choose the authentication option: whether you want the application to authenticate itself in the Microsoft IAM via a cryptographic certificate or a client secret.
Obtain your Azure Active Directory tenant ID (not to be confused with the Sharepoint Online tenant ID). Here's how to do in in the Azure AD; there's also a hacky way.
Now use the client ID (from step 2), the authentication option (step 4), and the AAD tenant ID (step 5) to authenticate and run your application:
using Microsoft.Identity.Client;
[..]
private static async Task<string> GetToken()
{
string applicationId = "client-id";
string tenantId = "aad-tenant-id";
bool isUsingClientSecret = <true or false>;
IConfidentialClientApplication app;
if (isUsingClientSecret)
{
string secret = "secret";
app = ConfidentialClientApplicationBuilder.Create(applicationId)
.WithClientSecret(secret)
.WithAuthority($"https://login.microsoftonline.com/{tenantId}")
.Build();
}
else
{
string certificateLocation = "certificate-file";
X509Certificate2 certificate = ReadCertificate(certificateLocation);
app = ConfidentialClientApplicationBuilder.Create(applicationId)
.WithCertificate(certificate)
.WithAuthority($"https://login.microsoftonline.com/{tenantId}")
.Build();
}
var scopes = new[] { "https://***.sharepoint.com/.default" };
var authenticationResult = await app.AcquireTokenForClient(scopes).ExecuteAsync();
return authenticationResult.AccessToken;
}
static async Task MainAsync(string[] args)
{
string site = "https://***.sharepoint.com/sites/CustomerServiceKB";
string token = await GetToken();
using (ClientContext context = new ClientContext(site))
{
context.ExecutingWebRequest += (s, e) =>
{
e.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + token;
};
Web web = context.Web;
context.Load(web);
context.ExecuteQuery();
}
}
static void Main(string[] args)
{
try
{
AsyncContext.Run(() => MainAsync(args));
}
catch (Exception ex)
{
Console.Error.WriteLine(ex);
throw;
}
}
I'm working on implementing integrating Azure AD login authentication to my web app. I have created an account in azure development portal and registered my app details.
my app URL -> https://my-sample-app/my.dashboard/
my redirect url is ->https://my-sample-app/my.dashboard/ws/aad/callback/
Note : ws that comes after my app url is the servlet adapter configured
my web app is a java app and i'm using ADAL java SDK
I have referred this article Authenticate to an Azure API App from Java and did the similar way
this is the code logic written under web path "aad/callback"
String appIdUri = System.getProperty("azure.app.id.uri", "https://login.microsoftonline.com/");
String authority = System.getProperty("azure.authority.url", "https://login.microsoftonline.com/my-sample-app.onmicrosoft.com");
String clientId = System.getProperty("azure.client.id", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
String clientSecret = System.getProperty("azure.client.secret", "xxxxxxxxxxxxxxxxxxxxxxxx");
AuthenticationContext context = null;
AuthenticationResult result = null;
ExecutorService service = null;
UserVO userVO = null;
try {
HttpsURLConnection conn = (HttpsURLConnection) new URL(appIdUri).openConnection();
service = Executors.newFixedThreadPool(1);
context = new AuthenticationContext(authority, false, service);
ClientCredential credential = new ClientCredential(clientId, clientSecret);
Future<AuthenticationResult> future = context.acquireToken(appIdUri, credential, null);
result = future.get();
HttpSession session = request.getSession();
LOGGER.info("session :{}",session);
String accessToken = null;
if (result == null) {
throw new ServiceUnavailableException("authentication result was null");
} else {
accessToken = result.getAccessToken();
}
String data = "{\"access_token\": \"" + accessToken + "\"}";
LOGGER.info("access_token :{}", data);
conn.setRequestMethod("POST");
conn.setDoOutput(true);
conn.addRequestProperty("Content-Length", data.length() + "");
new DataOutputStream(conn.getOutputStream()).writeBytes(data);
String authTokenResp = IOUtils.toString(conn.getInputStream());
Gson gson = new Gson();
Map<String, Object> map = gson.fromJson(authTokenResp, Map.class);
String authenticationToken = (String) map.get("authenticationToken");
System.out.println("Authentication Token: "+authenticationToken);
I'm able to see the access token value in the log statement but the authTokenResp output value that i received from authTokenResp = IOUtils.toString(conn.getInputStream()); looks like some html page (probably the login page response of portal.office.com ) doesn't has key authenticationToken in it.
I think I have made mistake by mentioning wrong URL for the appIdUri.
please can i someone tell me what URL should be given for appIdUri ? where can i find this URL value in azure portal ?
This sample is just a client credential flow to get access token.
please can i someone tell me what URL should be given for appIdUri ?
where can i find this URL value in azure portal ?
The first parameter of acquireToken method is the value of a resource which you want to access.It is the App ID URI of the target web API (secured resource). To find the App ID URI, in the Azure Portal, click Azure Active Directory, click Application registrations, open the application's Settings page, then click Properties. It may also be an external resource like https://graph.microsoft.com. This is required in one of either the authorization or token requests.
Is my-sample-app.onmicrosoft.com your tenant name?
String authority = System.getProperty("azure.authority.url", "https://login.microsoftonline.com/{your_tenant_name}");
If you want to integrate Azure AD login authentication to your web app, you should refer to this sample.
We are planning to implement Windows 10 UWP Application. We would like to authenticate user while accessing API Services hosted in Cloud.
Previously, we used the Microsoft.IdentityModel.Clients.ActiveDirectory NuGet package for authenticating in windows store 8.1. How do we authenticate user in Windows UWP Applications? I think AAD code for Windows Store and Windows Phone is different, how can we leverage AAD library for Windows 10 UWP applications. I have heard of Token Broker Authentication Architecture. Will this work for Azure Active Directory in addition to Facebook, etc.?
Please let me know if there is a workaround for AAD library to work in both Phone and Store (i.e. Universal App).
If you have an Native App that wants to access an API on Azure and authenticate with oAuth you need to use "OAuth 2.0 Authorization Code Flow" as describe on https://azure.microsoft.com/en-us/documentation/articles/active-directory-v2-protocols-oauth-code/.
This requires that you both your native app and api in the Azure Directory.
In https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-devquickstarts-windowsstore/ a sample is given of a UWP App that accesses the graph.microsoft.com API, but you can replace this by your own API.
Sander,
If this answers your question please tag is such so we can help others.
Let me explain the steps.
You can still use Active Directory Authentication Library
in the UWP Apps.
To do it you have to add NuGet package (I pasted the link above). Once you do it there are few steps to implement authentication in your app:
1) Store information needed for the authentication (for instance in the App.xaml.cs constructor):
var localSettings = ApplicationData.Current.LocalSettings;
localSettings.Values["ida:AADInstance"] = "https://login.windows.net/{0}";
localSettings.Values["ida:Tenant"] = "<<Name of your tenant here>>";
localSettings.Values["ida:ClientId"] = "<<Client ID Here>>";
localSettings.Values["ida:RedirectUri"] = "<<Redirect URI here>>";
localSettings.Values["ApiBaseAddress"] = "<<ID of Api Resource here>>";
localSettings.Values["ServiceAddress"] = "<<Address of your Api here>>";
Now write the code for authentication (this is helper class):
class ADContextHelper
{
ApplicationDataContainer _localSettings;
AuthenticationContext _authContext;
string _aadInstance;
string _tenant;
string _clientId;
Uri _redirectUri;
string _authority;
string _apiResourceId;
string _apiBaseAddress;
public ADContext()
{
_localSettings = ApplicationData.Current.LocalSettings;
configureSettings();
_authContext = new AuthenticationContext(_authority);
}
private void configureSettings()
{
_aadInstance = _localSettings.Values["ida:AADInstance"].ToString();
_tenant = _localSettings.Values["ida:Tenant"].ToString();
_clientId = _localSettings.Values["ida:ClientId"].ToString();
_redirectUri = new Uri(_localSettings.Values["ida:RedirectUri"].ToString());
_authority = String.Format(_aadInstance, _tenant);
_apiResourceId = _localSettings.Values["ApiResourceId"].ToString();
_apiBaseAddress = _localSettings.Values["ApiBaseAddress"].ToString();
}
public async Task<string> Authenticate()
{
AuthenticationResult authResult = await _authContext.AcquireTokenAsync(_apiResourceId, _clientId, _redirectUri);
//Here you retrieve the token:
var token = authResult.AccessToken;
return token;
}
}
At the end I also include code for logout - maybe you will want to include it:
public async Task<bool> Logout()
{
string requestUrl = "https://login.microsoftonline.com/" + _tenant + "/oauth2/logout?post_logout_redirect_uri=" + _redirectUri;
var client = new HttpClient();
var request = new HttpRequestMessage(HttpMethod.Get, requestUrl);
var response = await client.SendAsync(request);
}
I hope this will help you.
Using the ADAL library for getting a token for WAAD i would like to know how I can get more control over the login flow.
var ac = new AuthenticationContext("https://login.windows.net/" + ActiveDirectoryTenantId);
AuthenticationInfo = ac.AcquireToken(
resource: "https://management.core.windows.net/",
clientId: "1950a258-227b-4e31-a9cf-717495945fc2",
redirectUri: new Uri("urn:ietf:wg:oauth:2.0:oob"));
The user is prompted to login. For me it's via Live Id, for my customer's computer it's via an organizational account, and there is no way to switch between them. It seems to be controlled by how/what current sessions the computer might have running already logged into azure.
Can I do anything in the AcquireToken call to control this?
It would be best if I could trigger the normal flow when people log into Azure where they get to select if its a live id or a organizational login.
I have tried this:
ac.AcquireToken("https://management.core.windows.net/",
"1950a258-227b-4e31-a9cf-717495945fc2",
new Uri("urn:ietf:wg:oauth:2.0:oob"), PromptBehavior.Always,"wtrealm=urn:federation:MicrosoftOnline");
with no luck.
I found some magic tricks that seems to give some more control.
// ID for site to pass to enable EBD (email-based differentiation)
// This gets passed in the call to get the azure branding on the
// login window. Also adding popup flag to handle overly large login windows.
internal const string EnableEbdMagicCookie = "site_id=501358&display=popup";
private void ClearCookies()
{
NativeMethods.InternetSetOption(IntPtr.Zero, NativeMethods.INTERNET_OPTION_END_BROWSER_SESSION, IntPtr.Zero, 0);
}
private static class NativeMethods
{
internal const int INTERNET_OPTION_END_BROWSER_SESSION = 42;
[DllImport("wininet.dll", SetLastError = true)]
internal static extern bool InternetSetOption(IntPtr hInternet, int dwOption, IntPtr lpBuffer,
int lpdwBufferLength);
}
we have successfully implemented the active directory authentication using the process given at the url http://msdn.microsoft.com/en-us/library/windowsazure/dn151790.aspx . Here we are able to authenticate the user on the https://login.microsoftonline.com/ and return back to web site but we are not able to get access token after successful authentication. following code through which we are able to access the user name, surname etc after successful authentication but not the access token.
can you provide me the code through which we can get the access token after authentication.
public class HomeController : Controller
{
public ActionResult Index()
{
ClaimsPrincipal cp = ClaimsPrincipal.Current;
string fullname =
string.Format("{0} {1}", cp.FindFirst(ClaimTypes.GivenName).Value,
cp.FindFirst(ClaimTypes.Surname).Value);
ViewBag.Message = string.Format("Dear {0}, welcome to the Expense Note App",
fullname);
return View();
}
}
You can use this code to access the security token that was used:
ClaimsPrincipal cp = ClaimsPrincipal.Current;
ClaimsIdentity ci = cp.Identity as ClaimsIdentity;
BootstrapContext bc = ci.BootstrapContext as BootstrapContext;
SecurityToken securityToken = bc.SecurityToken;
You also need to set the saveBootstrapContext attribute in your config file:
<system.identityModel>
<identityConfiguration saveBootstrapContext="true">
...
</system.identityModel>