Azure AD metadata and userinfo does not support CORS - azure

I was working on a JS app which talks to Azure AD app using OIDC. Here is the flow of authentication and validation -
Redirect user to common login end point
Get access token, id_token etc. on callback url
Validate response with jwt keys retrieved from discovered url - https://login.microsoftonline.com/common/discovery/keys
Get user info from discovered userinfo url - https://login.microsoftonline.com/common/openid/userinfo
Store the information in local / session storage, depending upon settings.
The problem with Azure AD is, we can not complete step 3 and 4. Both the urls do not support CORS. We are not able to validate the tokens we get and can't retrieve the user information.
Is there any better way to get userinfo in Microsoft's implementation of OpenID for Azure AD?

You are correct, Azure AD does not support CORS for either the metadata URL or the keys URL.
The general guidance is to not validate the id_token since you should only be using those claims for display purposes and not to drive any core functionality.
For core functionality (aka API calls) you should use access_tokens which should be validated by your back end which does not need CORS enabled endpoints.
You'll see these principals in action in the Azure AD SPA sample where authContext.getCachedUser() in adal.js is used to obtain the read the user and its claims without any validation.
If you want more validated user info, the guidance is to call the Graph to obtain user info via the Microsoft Graph's /me endpoint. You can see this pattern in the Azure AD Xamarin Sample.
You can vote for the request in the Azure AD feedback forum: Add CORS support for discovery and json web key set endpoints.

I ran into the same problems a while ago and the solution to these problems was to double hop the JWKS and UserInfo calls via an API.
I also used the certified and widely respected OIDC Client library, which has features for SPA silent token renewal and id token validation.
Personally I like to keep my apps coded in an Open Standards manner as much as possible, rather than being locked into one vendor.
PS. If you think this type of solution would work for you, here is a GitHib Sample and some documentation.

Related

Azure DevOps API Authentication

I would like to use the Azure DevOps API to create a PAT for my user. But I'm unable to authenticate yet. In this document from Microsoft, they state that authentication is possible with a PAT, but it is not true. I'm getting a HTTP 203 with a Sign In page in response.
PS: I'm using Postman to test the API requests.
I think the security section of this REST API is misleading.
In fact, this REST API cannot be authenticated with PAT, as mentioned in another document:
To use the API, you must authenticate with an Azure AD token.
Unlike other Azure DevOps Services APIs, users must provide an Azure AD access token to use this API instead of a PAT token. Azure AD tokens are a safer authentication mechanism than using PATs. Given this API’s ability to create and revoke PATs, we want to ensure that such powerful functionality is given to allowed users only.
This document also explains how to use this REST API in detail, which you can refer to.
Yes it does work, you're just not setting it up right.
Look at the Basic Authentication of this document. You need to base 64 encode the username password like this: username:PAT. Spearate the two with the colon.

Role based authorization with Azure ADB2C having mobile app(Xamarin Forms IOS app) as a client

We have a scenario where in mobile app(Xamarin Forms IOS APP) logs into the Azure ADB2C and generate a JWT token if the user is a valid user(user is configured in Azure AD B2C). We have a requirement where in, we need to generate a token based on the role i.e. based on the role with which user logs in, we want to generate a token and that token we are trying to use it in subsequent Web API calls.
Articles which we found out on this particular scenario was having web application as a client where in some mechanism of secrets were explained. In the mobile app client scenario, its not possible to have a secrets.
Followed the below mentioned article, but couldn't get any concrete information also
https://codemilltech.com/adding-authentication-and-authorization-with-azure-ad-b2c/
Any pointers on this particular scenario would be very much helpful to us.
Thanks!
There is no out-of-the-box support for RBAC / Roles in Azure AD B2C. However there are a lot of samples in the official GitHub repository. For example the "Implementing Relying Party Role Based Access Control" by this method you can add the groups to JTW token and also prevent users from sign-in if they aren't members of one of predefined security groups.

Best way to create user login in mobile app with azure

I'm creating a Xamarin.forms mobile app with Azure. I have enabled Authentication/Authorization in Azure to protect the APIs in Backend.
What I need is that to ask user to login with Facebook or Google and get some information of the user such as name, email and... and then save this data in a table as user information. I like to ask user just once for login and get the data and I don't need to keep the token provided by Facebook for example and refresh it always (which I red refreshing is not supported by Facebook), but also need to keep the user logged in and has access securely to Backend APIs. I am new in this and completely confused of using Azure AD, facebook and...
What is the best way to do that? I have followed this tutorial and now am able to login with Facebook.
Maybe what you are looking for is Azure AD B2C (Business to Customer), which will provide facilities to allow your customers to create an account for your app, but also login with Facebook (see here) or Google (see here).
Since Azure AD B2C implements OAuth2, integrating it in a Xamarin.Forms app by means of Xamarin.Auth should be possible (see here). Once you have acquired the OAuth2 token, you can include the token in the headers of your HTTP requests in the Authorization header with the Bearer type (see here)
Authorization: Bearer <token>
On the server side you can then validate the token. I have not used Xamarin.Auth with Json Web Tokens (JWT), but maybe you'll be able to retrieve a JWT with Xamarin.Auth, which you'll be able to validate on yourself. Otherwise, if Xamarin.Auth is restricted to access tokens, you might have to contact the authentication server to verify the token. If the token is verified successfully, you can grant the user access, otherwise, answer them with a 401.

Single Sign on - Multiple application azure AD B2C

I am trying to have two applications(app1 and app2) in Azure
AD B2C, which is configured for Web api and another application that is configured for mobile app.
I need my mobile app to talk to app1, get the access token, using the app1's application-id and scope. Then use the access token got from app1 to communicate with app2. I enabled SSO in tenant level in the policies but it still says "Authorization denied" for the access token provided.
How can I reuse the access token got from one application to be used in another application.
We have been trying to get through this limitation (or function as designed for security) of B2C AD from weeks.
However, Microsoft does not support it.
We did not want to display MS login page to mobile user on mobile login screen (UX gets compromised). But MS says there is no way possible to avoid it. See response from MS on support ticket.
For more information: Azure AD B2C: Requesting access tokens
You will also benefit reading authentication scenarios supported. We are after something similar to this what they call "Daemon or Server Application to Web API".
In this diagram, Server Application = to mobile application in our case. However you will notice that in this scenario it is assumed that the user is already authenticated (via interactive flow).
We tried to act smart, thinking we can write a Auth web API which mobile will hit to obtain token and then pass this token to our business logic API (secured by B2C AD). We obtained access and refresh token somehow, however the test web app (mobile app) when pass this access token to our business logic API, it fails to validate the token. B2C AD comes fighting for it. Our analysis is not yet complete.
However, I am certain what we are trying to accomplish is not supported in B2C AD.
Hope this helps (I would actually advise you to look for other solution). I will be happy if someone can suggest a way to solve this obvious business problem.

Azure Api Service and Individual accounts

I've originally used Web API 2 with Individual Accounts so that users can create a new account by supplying a username/email and password which is stored in my DB.
I'm now looking to put this API into Azure API service and have looked at the documentation about authentication but this mostly talks about external authentication. Can we use Individual Accounts with Azure API or will I need to handle this myself within the actual API?
Also, with the third party authentication all the examples use a redirected website (FaceBook, Google) to get the user to log in. I want to call this from a mobile app so does it support extenal authentication using API calls or will I have to do that myself?
Thanks
The is no problem in using the security you originally used. The documentation you are looking at describes how to do claim based authentication, authentication with azure ad and internally secure your application with service principals. When using a mobile device, you can go with claims authentication. However you should first figure out what you really want to do.

Resources