In a scenario like this: https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof
I want to authenticate to Azure AD in the back end on behalf of a client instead of a user. I couldn't find an appropriate example in the documentation that fits this case.
So what am I doing?
In the client:
var authContext = new AuthenticationContext(authorityUrl);
var result = authContext.AcquireTokenAsync(webServiceUri, new ClientCredential(nativeClientId, nativeClientSecret)).GetAwaiter().GetResult();
In the back end service:
var authContext = new AuthenticationContext(authorityUrl);
var result = authContext.AcquireTokenAsync(office365ResourceUri, new ClientAssertion(webClientId, result.AccessToken))
This throws the following exception:
AADSTS70002: Client assertion application identifier doesn't match 'client_id' parameter.
It only succeeds when I'm pointing the same service (refering to itself!) in the back end as from the client:
authContext.AcquireTokenAsync(webServiceUri, new ClientAssertion(nativeClientId, result.AccessToken))
But this doesn't make sense as the service has to go to an Office 365 API.
Anyone an idea?
The OAuth 2.0 On-Behalf-Of flow is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from Azure Active Directory (Azure AD), on behalf of the user.
In your scenario , you could use client credential flow to acquire token for the office 365 api in your service app , without any human interaction such as an interactive sign-on dialog .
Please click here for more details about Authentication Scenarios for Azure AD .
Related
I'm writing a commandline tool to manipulate assets in Azure Media Services using the v3 AMS API. It should authenticate using the logged on user. As the Windows AD and Azure AD are synchronised, it should not need to pop up a login dialog box.
This document:
https://learn.microsoft.com/en-us/azure/media-services/latest/access-api-howto?tabs=portal
states that it's possible to use either user or service principal authentication to connect to AMS.
In this document:
https://learn.microsoft.com/en-us/azure/media-services/latest/configure-connect-dotnet-howto
there's an example of how to do service principal authentication but I can't find anything about user authentication. The code in the sample looks something like this:
var clientCredential = new ClientCredential(config.AadClientId, config.AadSecret);
var credentials = await ApplicationTokenProvider.LoginSilentAsync(config.AadTenantId, clientCredential, ActiveDirectoryServiceSettings.Azure);
var amsClient = new AzureMediaServicesClient(config.ArmEndpoint, credentials)
Note that all constructors of AzureMediaServicesClient take a ServiceClientCredentials object, so how can I authenticate using UserCredentials?
Azure Media Services Explorer does user based authentication (and SP auth). https://aka.ms/amse
Code for the user based authentication :
https://github.com/Azure/Azure-Media-Services-Explorer/blob/master/AMSExplorer/Program.cs#L779-L843
I have a service that gets an access token from Azure AD. I have an API that I would like to accept that token as authorization.
My service code to call the API is
HttpClient client = new HttpClient()
{
BaseAddress = new Uri("https://localhost:44372/")
};
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, client.BaseAddress + "api/todolist");
request.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", accessToken);
HttpResponseMessage response = await client.SendAsync(request);
The response I get back is a 401 - Unauthorized.
I have a feeling that the issue is in the API ConfigureServices function; specifically (this was taken from an example, so I don't really know what it means yet):
services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
{
options.TokenValidationParameters.RoleClaimType = "roles";
});
I'm new to Azure and authentication in general so I don't know what options are available or appropriate. I also am not sure how to set up the applications in Azure to allow this. I have the application id of the service set up as an Authorized client application of the API; it is also listed int the knownClientApplications in the API manifest.
There are just so many knobs to turn, I have no idea where to go from here. If anyone can let me know some things to try, that would be outstanding.
Thanks
Here is a code sample on how to call a web API in an ASP.NET Core web app using Azure AD:
https://learn.microsoft.com/en-us/samples/azure-samples/active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore/calling-a-web-api-in-an-aspnet-core-web-application-using-azure-ad/
This sample contains a web API running on ASP.NET Core 2.0 protected by Azure AD. The web API is accessed by an ASP.NET Core 2.0 web application on behalf of the signed-in user. The ASP.NET Web application uses the OpenID Connect middleware and the Active Directory Authentication Library (ADAL.NET) to obtain a JWT bearer token for the signed-in user using the OAuth 2.0 protocol. The bearer token is passed to the web API, which validates the token and authorizes the user using the JWT bearer authentication middleware.
I am trying to create a nodejs api, that connects to to Azure Active directory using the ADAL plugin (https://github.com/AzureAD/azure-activedirectory-library-for-nodejs).
All works ok for normal users, but if a user has MFA (Multi-Factor Authentification) enabled, it fails and throws and error message.
I found this related to ADAL-MFA: https://github.com/AzureAD/azure-activedirectory-library-for-nodejs/issues/151 but it's not clear for me from his answer if it's possible or not, and how to implement MFA.
The plugin has very poor documentation and it's not clear for me how I can retrieve the error message and vars from it. It's says that the error var is a object but it's a string.
Here is my code from the endpoint which works for normal users:
var adal = require('adal-node');
var AuthenticationContext = adal.AuthenticationContext;
var authorityUrl = parameters.authorityHostUrl + '/' + parameters.tenant;
var resource = '00000003-0000-0000-c000-000000000000';
var context = new AuthenticationContext(authorityUrl, true, new adal.MemoryCache);
context.acquireTokenWithUsernamePassword(resource, parameters.username, parameters.password, parameters.clientId, function(err, token) {
if(err){
mysql_connection.end();
return callback(null, {
status: false,
error: err.stack,
log: logging.message,
test: 1
});
}
)};
So basically I need to use user credentials (e-mail and password) to connect to AAD api, but server to server (my nodeJS api to AAD api). And it needs to work with MFA.
(web app -> nodeJS API -> AAD API)
acquireTokenWithUsernamePassword worked perfectly for this, but it does not work with MFA, or I don't know to make the correct adjustments to make it work.
You are using Resource Owner Password Credentials Grant flow (ROPC), and hit one of the exact scenarios why I tell people not to use it. (except maybe for test automation)
You can't use ROPC with users that have MFA. Neither can you use it with users who are federated from on-prem AD or Microsoft personal accounts. Or with users whose password has expired and needs to be reset.
You need to switch your API to acquire the token using either On-behalf-of grant flow (exchanges the access token your API got for a new token, continuing the delegation) or client credentials flow (acquire token with app credentials alone, no user context).
On-behalf-of flow
I am using the following bits against my Azure AD to authenticate with ASP.NET Core.
https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/
https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore
I have the basic login/auth working after creating an Azure AD app. User can login/logout.
My question is given this, what's the best way when a user Auth's to log to a DB? I thought about making the redirect URL to an endpoint, saving, then just redirecting back to "Home" but is that ideal?
Also, is it possible to retrieve a bearer token via this approach? Or does this require another type of call or extending "scope"? So that for example I could retrieve the authenticated users Manager.
https://graph.microsoft.com/v1.0/me/manager
My question is given this, what's the best way when a user Auth's to log to a DB? I thought about making the redirect URL to an endpoint, saving, then just redirecting back to "Home" but is that ideal?
This way only able to log those who already sign-in your app successfully. It is not able to log those users who are attempt to sign-in your app but enter the wrong password.
Azure AD already provide lots of report to gain visibility into the integrity and security of your organization’s directory.( refer here)
And if you are using the Azure AD Premium, you can review the sign-in activities via the Azure new portal below:
And if you want to store the sign-in activity in your web app, you can write the custom code after the token is verified. Here is the code for your reference:
// Configure the OWIN pipeline to use OpenID Connect auth.
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
ClientId = Configuration["AzureAD:ClientId"],
Authority = String.Format(Configuration["AzureAd:AadInstance"], Configuration["AzureAd:Tenant"]),
ResponseType = OpenIdConnectResponseType.IdToken,
PostLogoutRedirectUri = Configuration["AzureAd:PostLogoutRedirectUri"],
Events = new OpenIdConnectEvents
{
OnRemoteFailure = OnAuthenticationFailed,
OnTokenValidated = context => {
//write the custom code to store users login-in
return Task.FromResult(0); }
},
});
Also, is it possible to retrieve a bearer token via this approach?
Yes. We can get the token after receive the authorization code. You can refer the code sample here to acquire the token from asp.net core app.
I have a web application that is secured by Azure AD. I would like to be able to allow some people to access this application. I have created an account in my directory for these users and I would like to log them in without doing a redirect to Azure AD.
Is there any way to get an Azure auth cookie and allow them to access my application without redirecting them to a login? I know the username / password and would like to be able to do the sign in behind the scenes.
You should be able to use the Resource Owner Credentials flow. Assuming you're using ADAL, you can leverage this sample app to retrieve a token.
Once you have the authentication result, you can use it to build an identity and pass that to the cookie authentication manager (assuming you're using the OWIN cookie authentication middleware).
var claims = new List<Claim>();
claims.Add(new Claim(ClaimTypes.GivenName, result.UserInfo.GivenName));
var id = new ClaimsIdentity(claims,
DefaultAuthenticationTypes.ApplicationCookie);
var ctx = Request.GetOwinContext();
var authenticationManager = ctx.Authentication;
authenticationManager.SignIn(id);
Source: http://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/