How to implement Twitter Digits Authentication with Azure AD Auth for Asp.net WebApi - azure

I have an ASP.NET Web API and I want to authenticate my API using Twitter Digits Auth, and later pass that Digits token on to the Azure Active Directory Auth Service.
I have an idea about Twitter Digits Auth, but I'm confused about how I can pass the Digits token on to the Azure Active Directory Auth Service.
Please see this diagram of what I'm thinking of implementing.

Does "Azure Active Directory Auth Service" mean Azure App Service Authentication and Authorization? If I understand correctly, this scenario will not work.
Azure App Service Authentication and Authorization supports two kinds of authentication flow, client flow and server flow. The scenario you mentioned is the client flow, which acquires the token from the identity provider first and then exchanges it with Azure AD. However, in this scenario we need to use the token issued by the identity provider (Azure Active Directory, Facebook, Google, Microsoft Account, or Twitter) directly.
If I understand correctly, the Digits token is issued by Digits, which Twitter supports. This token is not supported by Azure App Service Authentication and Authorization. You need to check whether Twitter supports exchanging this token for a token issued by Twitter.
For more detail about the client flow, you can refer to this document.

Related

How to get JWT from Azure SSO Login

I am using Azure SSO Login to get authenticated to our own application.
Everything works fine except for the fact that I would like to have a JSON Web Token (JWT) which I could use to make some API calls to Microsoft Azure after login.
Azure SSO does not return JWT after login, is there any way to obtain it?
Mirko
Scenarios that you may refer to, to get an idea, in addition to #juunas's suggestion:
This Microsoft docs tutorial of a JavaScript single-page application (SPA) signs in users and calls Microsoft Graph by using the authorization code flow with PKCE. The SPA uses the Microsoft Authentication Library (MSAL) for JavaScript v2.0.
This scenario uses a JS frontend and a PHP backend with Azure AD, which might give an idea.
Its flow:
A user accesses front end
If the user is not authenticated, he will be redirected to Azure Active Directory (AAD) to login
AAD will redirect (on success) with an authorization token
We’ll inject this authorization token into the calls made to the backend (to prove your identity)
The backend API will validate the authorization token and verify it against the issuer (AAD)
Protect an API by using OAuth 2.0 with Azure Active Directory: this case registers two apps in Azure AD, a backend app and a front-end app, and uses the validate-jwt policy to validate the OAuth token.

Which application requires to enable Azure AD based authentication, Client APP or API?

I have two projects in a solution. One is a .NET Core 3.0 based Web API. The other is an Angular 9 SPA. I've been asked to set up Azure AD based authentication, so I enabled that in the API.
But I am seriously confused about where it actually needs to be enabled: the client app, the API, or both?
Since your client needs to call the API, it needs to authenticate to it.
And since the API requires AAD tokens, your client will need to acquire one.
So you need to implement Azure AD authentication in your client application and in the API.
The client's job is to authenticate the user with Azure AD and acquire an access token for the API.
It then adds that token as a header on each request:
Authorization: Bearer token-goes-here
The API then validates that token on each request.

How to get an Azure AD id_token over an Azure Mobile App?

I'm trying to get an id_token over Azure Mobile App, but I'm receiving a mobileServiceAuthenticationToken.
The mobileServiceAuthenticationToken is received by my iOS app with the following implementation: Integrate Azure AD into an iOS app
I need the id_token (with algorithm RS256) because my backend service (Java Spring Boot) needs to validate this token, which is not possible with the mobileServiceAuthenticationToken. The mobileServiceAuthenticationToken is based on the HS256 algorithm (which needs a client secret) and does not allow querying Azure AD for user information over the Microsoft Graph API.
Here is a link to the Microsoft reference for further information: Azure AD token reference
The id_token is not able to call the Microsoft Graph REST API. To call the Microsoft Graph REST API, we need to acquire the corresponding access_token, whose aud claim is https://graph.microsoft.com.
There are two kinds of flows for mobile authentication, client flow and server flow. Both of them should work in your scenario; however, the process is a little different.
Client flow:
For this flow, you can get the id_token and the access_token for Microsoft Graph from Azure Active Directory first using the ADAL SDK. Then you can exchange the id_token with EasyAuth for the authentication token and log in to your mobile app.
Server flow: You can configure the mobile app to acquire the access_token for Microsoft Graph. Then you can implement a proxy in the mobile back end. After that you only need to call the mobile back end for both your own service and Microsoft Graph.
Here are some helpful articles about this topic:
How to: Authenticate users with the Active Directory Authentication Library
App Service Auth and the Azure AD Graph API

Azure Mobile App Service / Xamarin iOS client / Okta Identity Provider example

Here's my current situation:
Xamarin iOS mobile app (using MobileServiceClient to login)
Azure Mobile/App Service (ASP.NET Web API) with Azure AD authentication
I would like to modify the authentication part of this process to be handled by Okta instead of Azure AD. How can I set up Okta, or any other third-party identity provider service similar to Okta, as the IdP for both my mobile app and the API web service? Azure claims that you can use any auth-capable third-party provider, but I don't see any way to integrate such a provider in the Azure portal.
I found this url to a tutorial for custom Authentication: https://adrianhall.github.io/develop-mobile-apps-with-csharp-and-azure/chapter2/custom/
From this post:
IdentityServer 4 as Identity Provider for Azure App Service
Is this really the only way to do it? I would really rather keep using the server flow through MobileServiceClient and configure Azure to use the third-party OAuth identity provider; does anyone have an example or additional information on how to do this?
Thank you for your help, maybe someone from the Azure team can enlighten us on this topic, I have not seen any documentation or examples of how to do it in their documentation so far.
Client:
Found a working library for OAuth2 and OpenID that worked for integrating with Okta:
https://github.com/openid/AppAuth-iOS
https://github.com/openid/AppAuth-iOS/tree/master/Examples
with a Xamarin wrapper:
https://github.com/xamarin/XamarinComponents/tree/master/XPlat/OpenId
Tested it with Okta for client auth with two-factor authentication and it works well. On to figuring out the App Service part.
After more research and trial and error, I've found the right combination that works for what I'm trying to do. Here's an outline of what it is:
Okta (identity provider)
set up a native application with an Implicit (Hybrid) grant on it
Mobile Client
use an OpenID Connect component for Xamarin.iOS, in my case https://github.com/openid/AppAuth-iOS
Server / Web Api
converted my ASP.NET Web API web service to an ASP.NET Core Web API web service so I can use the latest OWIN middleware to validate JWT bearer tokens submitted in the header of calls to the secured endpoints; here's an example of how to set that up with Okta: https://developer.okta.com/quickstart/#/ios/dotnet/aspnetcore
One thing to note that tripped me up along the way:
In the client, after successfully authenticating with Okta through an OpenID Connect component, you will receive user information which will include an id_token and an access_token. Although it might seem natural to send the access token with your API calls to the server, that's actually not the case: the access token is supposed to be used only to get userinfo and is not a validated token, because it gets regenerated regularly. The id token, on the other hand, contains the signature that the server needs to validate that the header and the payload of the token haven't been tampered with. This difference between the two tokens can be observed in the number of '.'-delimited parts contained within the token: the access token has only 2 '.'-delimited parts, header and payload; the id token has 3 such parts, header, payload and signature.
Read more about JWT tokens here: https://auth0.com/learn/json-web-tokens/
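The step that the Angular/.NET Core answer above summarises as "the API then validates that token on each request", and that the Okta outline above describes as validating JWT bearer tokens submitted in the header, is shown below as an added Python example; it is not code from any of these posts, from Microsoft, or from Okta. Azure AD and Okta sign tokens with RS256 and publish the signing keys in a JWKS document, where the key matching the token's "kid" header would be used; to keep this example runnable offline with only the standard library, it swaps in an HS256 shared secret (constructed) for the signature step. The issuer URL, the audience and the sample claims are constructed values, and the algorithm allow-list, issuer, audience and time-window checks are the same for an RS256 token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed configuration for this example (not real tenant or app values).
ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
AUDIENCE = "api://my-web-api"          # assumed App ID URI of the API registration
SECRET = b"constructed-hs256-demo-secret"   # stand-in for the JWKS/RSA key lookup
ALLOWED_ALGS = {"HS256"}               # explicit allow-list; "none" is never accepted


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, alg: str = "HS256") -> str:
    """Build a compact JWT (header.payload.signature) as an issuer would.
    Used here only to construct test input; an API never mints its own bearer tokens."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "." +
                     _b64url_encode(json.dumps(claims).encode()))
    if alg == "none":                       # unsigned token, for the rejection test
        return signing_input + "."
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_bearer(authorization_header: str, now: Optional[float] = None) -> dict:
    """Validate the Authorization header of an incoming API request.
    Returns the verified claims, or raises ValueError naming the first failed check."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("missing Bearer token")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a signed JWT (expected header.payload.signature)")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise ValueError("malformed token segments") from None
    # 1. Algorithm allow-list: trusting "alg" from the token is how "none" and
    #    key-confusion attacks get in. With RS256 this is also where "kid" selects the JWKS key.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # 2. Signature over the exact header.payload bytes, compared in constant time.
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # 3. Issuer and audience: a genuine token minted for some other API must be rejected.
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == AUDIENCE or (isinstance(aud, list) and AUDIENCE in aud)):
        raise ValueError("wrong audience")
    # 4. Time window with a small clock-skew allowance.
    skew = 60
    if "exp" not in claims or now > claims["exp"] + skew:
        raise ValueError("token expired")
    if now < claims.get("nbf", 0) - skew:
        raise ValueError("token not yet valid")
    return claims


def check_examples(now: float = 1_700_000_000) -> dict:
    """Run validate_bearer over a valid token and the common rejection cases;
    returns the subject for an accepted token or the rejection reason for each case."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "sub": "user-1", "exp": now + 600, "nbf": now - 10}

    def outcome(auth_header: str) -> str:
        try:
            return validate_bearer(auth_header, now)["sub"]
        except ValueError as err:
            return str(err)

    good = mint_token(base)
    head, _, sig = good.split(".")
    forged_payload = _b64url_encode(json.dumps({**base, "sub": "admin"}).encode())
    return {
        "valid": outcome("Bearer " + good),
        "no_scheme": outcome(good),
        "tampered_payload": outcome(f"Bearer {head}.{forged_payload}.{sig}"),
        "alg_none": outcome("Bearer " + mint_token(base, alg="none")),
        "wrong_audience": outcome("Bearer " + mint_token({**base, "aud": "api://other"})),
        "expired": outcome("Bearer " + mint_token({**base, "exp": now - 3600})),
    }


if __name__ == "__main__":
    for case, result in check_examples().items():
        print(f"{case:18} -> {result}")
```

The order of the checks matters: the algorithm is pinned before the signature is looked at, and the signature is verified before any claim is trusted, so issuer, audience and expiry are only ever read from a payload that has already proven to be the issuer's.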

Using saml tokens in Azure AAD oauth authentication

I have an application that authenticates users against Azure AD using OAuth, and I want to provide the ability to set up certain information associated with each user by his admin in Azure AD, so I can read it as part of the authentication process. I would also like to be able to use the claims functionality provided by Azure Active Directory so the admin can define custom mappings between user attributes in his AD and what I am going to read, as explained here.
Apparently those claims can only be read from a SAML token that would be the result of a SAML authentication, but since I am already authenticating using OAuth I would like to avoid having to do that. My question therefore is: can those SAML tokens, or the information contained in them, be obtained somehow, either as part of the OAuth authentication process or afterwards?
When you say "provided by ActiveDirectory", do you mean Azure AD, not on-premises AD?
There is no way currently to add claims to the token in Azure AD. They are "canned".
That link you refer to is for SaaS applications in Azure.
The way to get information out of Azure AD is via the Graph API.