I need to configure OpenID Connect using a Spring Security filter to authorize the consumption of my Rest API Web. I found a Google Login Example, but in my case I need it for Office365. I created my app in Azure and I have configured the corresponding properties. When I try to access my REST API it redirects me to the office login and when I enter the correct credentials this exception is thrown:
I don't know the cause for this particular exception, but generally there is a good tutorial at Microsoft Azure developer pages that explains how to use Spring Boot, Spring Security for authentication at Microsoft Azure Active Directory:
https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory
With this implemented you can login at your web application with a Microsoft account.
In section "Add an application registration for your Spring Boot app" at step 2 you can choose whether you (or your app) want to support accounts single tenant, multi tenant or even personal Microsoft accounts (Skype, Xbox, ...).
There are only three two differences (in 08/2020) between tutorial and my working test-application:
you've got to set both properties "oauth2AllowImplicitFlow" AND "oauth2AllowIdTokenImplicitFlow" to "true".
the property in application.properties seems to be "azure.activedirectory.active-directory-groups" instead of "azure.activedirectory.user-group.allowed-groups"
Related
I have a legacy B2C application that runs just fine. I decided to upgrade to the new 'experience' since the message said they're discontinuing the old legacy blade as of Nov-21. So I followed the instructions on this page:
AAD B2C specifics
When I start up the application, I get this message:
Switching back to the legacy application results in a working login screen.
• Since your Azure AD B2C application is a ‘PublicClientApplication’, it has the property of ‘UseCorporateNetwork’ which is a Boolean that enables the application to benefit from Integrated Windows Authentication and SSO as these are cross platform capabilities. Thus, set this property to ‘true’ in ‘package.appxmanifest’ by enabling the capabilities, viz., Enterprise Authentication, Private Networks(Client & Server) and Shared User certificate.
Also, as IWA is not enabled by default as applications requesting the above type of authentication require a higher level of verification to be accepted for social identities using MSAL .NET.
Kindly check the ‘RedirectURI’ of your new Azure AD B2C experience as it may get overridden by that in ‘UserDetailsClient\App.cs’. Hence, replace the ‘RedirectURI’ in your Azure AD B2C application by the one that is overridden in ‘UserDetailsClient\App.cs’ along with the msal://auth. Maybe, this should resolve your issue. For more details, kindly refer to the below Github link below: -
https://github.com/Azure-Samples/active-directory-b2c-xamarin-native/issues/28
To anyone running into a similar problem, I discovered two very interesting reasons for this problem:
In the legacy, you could share applications between your web API and your client. In the new workflow, you need one 'application' for your Web API, and a distinct 'application' for your clients.
This code seemed important to getting the new flow to work:
this.PublicClientApplication = PublicClientApplicationBuilder
.Create(this.ClientId)
.WithIosKeychainSecurityGroup(this.KeychainGroup)
.WithRedirectUri(this.RedirectUri)
.WithB2CAuthority($"https://{this.AuthorityHostName}/tfp/{this.Tenant}/{this.AuthorityPolicy}")
.Build();
The 'WithRedirectUri' got me past the original error posted above.
I have created an application within the Enterprise applications tab and I don't have an option to Setup Single Sign-On. How can I add the SAML Sigle Sign-On option to my custom application? thanks.
expected getting started options:
actual getting started options:
Also the Single sign-on tab under the Manage options shows me the message like this:
The message in the 3rd screenshot has told you about the reason.
Your SampleWebApp was created using the App registration experience. This kind of enterprise application doesn't support to configure SSO.
Only those created directly in Enterprise application experience can be configured SSO.
See the Prerequisites here.
In this document, you can learn how to add an app to your Azure AD tenant.
You can find this content:
Users in Azure Active Directory Azure
App Services for WebSite and Services
I am creating a Web Site that a Manager would authenticate with using an Azure Active Directory account. That website would offer up sales data on the staff they manage.
The service that returns the sales data for staff member A will be being called on behalf of the manager.
My question is what is the correct way to flow the "identity" of the logged in manager through the calls to the various services.
Do I simply protect the services with a System Level authentication at the level of the website and pass the manager's user identifier as a parameter in the request?
OR
Do I try and flow the oauth identity onward to the services so that they are called in the security context of the manager? If using this approach how would I do that?
In my opinion, if the your business doesn't have a high security requirement, the first option is great. But if you want higher security, you can use second option.
For second option, you need to register an application in your azure ad for your app service. Follow steps on this page. And register another application in AD to represent client app by following these steps. Then go to your client app and grant permissions to allow the client-app to call the backend-app. After that, the manager need to get access token before request the api in your app server to return sales data.
This Azure sample shows exactly what we want to acheive with an ASpNet Core Web Site calling own AspNet Core Service secured with our Active Directooy organisation
I am having some issues getting it to work but this sampple is what I was hoping for from asking this qeuestion. FWIW here is the seperate question covering the specific issue I am having implementing the sample, Why Http 401 when calling AspNet Core API secured with AAD. Our WebApp, Web API and AD Org
I'm new to the Microsoft Graph API and Azure. I'd like to seek advises to which Microsoft Graph API version I should go with and whether I should be using the "Web API on-behalf-of flow" for my scenario.
I'm building a web services which can store access tokens of multiple Office 365 users from different organisations. This web services can then create web hooks via the Microsoft Graph API to get notifications about calendar appointment changes in these users' accounts, in order to sync these changes to the corresponding appointments stored on our own server.
So it's a mass Office 365 calendar syncing web service in a nut shell.
I have gone through a lot of their GitHub sample projects and managed to create web hooks with the v1 graph subscription API and was able to interact with the calendar of my dev account, all in a sample APS.NET MVC project.
But I'm very confused about the following parts:
Because this web service does not directly provide a UI, so the login UI would be presented by a separate desktop (WPF) client, and I believe when this is done on the client side, I can forward the authenticated access token to my web service to create the web hooks? This sounds like the "Web API on-behalf-of flow" scenario Microsoft described here: https://learn.microsoft.com/en-au/azure/active-directory/develop/active-directory-v2-limitations.
Because this web service needs to create web hooks to multiple Office 365 accounts from different organisations. I'm not sure if this counts as the a multi-tenant scenario. If this is the case, it looks like I can only use the v1 API because the v2 API only allows the web service to receive tokens from an application that has the same application ID (also described in the page linked above).
Microsoft Graph and Azure AD developers could you please shed some light on this part for me? Microsoft isn't doing the best job when it comes to documenting these parts.
Because this web service does not directly provide a UI, so the login UI would be presented by a separate desktop (WPF) client, and I believe when this is done on the client side, I can forward the authenticated access token to my web service to create the web hooks? This sounds like the "Web API on-behalf-of flow" scenario Microsoft described here: https://learn.microsoft.com/en-au/azure/active-directory/develop/active-directory-v2-limitations.
Yes, the scenario is on-behalf-of flow and this flow is not supported for the v2.0 endpoint at present.
Because this web service needs to create web hooks to multiple Office 365 accounts from different organisations. I'm not sure if this counts as the a multi-tenant scenario. If this is the case, it looks like I can only use the v1 API because the v2 API only allows the web service to receive tokens from an application that has the same application ID (also described in the page linked above).
You can only use Azure AD V1 endpoint, because the V2.0 endpoint doesn't support on-behalf-of flow. And here are some steps for using V1 endpoint for your reference:
register 2 apps, one for the WPF(native app) and one for your web service(web app)
enable the multi-tenant for the app for web service
grant the relative Microsoft Graph permission to the web app
set the knownClientApplications for the web app using the clientId of the native app
grant the relative Microsoft Graph permission and web app to the native app
After that, when the users login-in in WPF first time in different tenant, the users can conesent the two apps at same time. And then the service principals of two apps will be register to users' tenant. After that the web service can use the on-behalf-of flow to get the access_token for Microsoft Graph based on the token from native app.
More detail about multi-tenant developing, please refer below:
How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern
And the code sample below also be helpful:
Calling a downstream web API from a web API using Azure AD
I know this question seems similar to other son here, but I have tried the answers posted Here: Securing WCF 4.5 service using Azure ACS 2.0
And Here: Federated authentication (single-sign-on) for a WCF REST/HTML-service on Azure
Ans neither seem to be relevant.
Here is what I have so far.
An azure cloud service with various worker roles, and a WCF web role with REST and SOAP Endpoints
An azure active directory account with a couple users
ACS namespace.
The WCF service will be used by a couple different companies but other than that closed off. We chose azure active directory to provide SSO for the wcf service and other apps.
Here is what I want to do:
Create users/passwords for each company using the WCF service in
Azure Active Directory.
Allow only companies with a valid username and password pair to obtain an access token
Have each company use their token to access the WCF methods.
I didn't think this would be that hard to accomplish, but all the tutorials out there seem to be for IIS hosted or self hosted services with a console application.
What I have done so far:
Added the WCF service as an integrated app in azure active directory
Created a new identity provider named testAAD in ACS and added the WS-Federation metadata from the integrated app to that provider
Added a relying party application that uses the newly created testAAD identity provider
Added a rule group with a pass-through rule that uses the testAAD Identity Provider and the default settings.
See option 1 here for more details.
I need to know if what I did was anywhere close to correct, and if it was, how do I get the WCFservice to start using those settings.
Other Info:
WIF 4.5
VS2012 Pro
C#
Any relevant tutorial links or general advice would be great. Thanks in advance.
Update:
Just to add more info, the WCF service is being posted to by a number of different websites. Each of our customers will collect data from their own web forms, and then either add a service reference using c# code, or post the data to a url via something like curl if they are using php. The Service has both rest and soap endpoints. So for example, they would send an XML or SOAP request to mynamespace.cloudapp.net/myservice.svc/servicemethod. I am either looking to have them send their username and password with that request and validate those credentials in the actual WCF Method, or have them request an authentication token, and then send that authentication token with their request.
Update 2
I think I found the missing piece. In order to use active directory as an identity provider, it looks like I need to set up an ADFS server. I had thought that the ADFS server was set up already with the azure active directory account, but apparently thats not the case? Is there any way to do this without an ADFS server?
The main question you haven't covered is how will these companies use that WCF service?. Via your web portal, or via rich client (such as WinForms / WPF)?
If it is rich client, you can take a look at this blog post? It shows you how to secure WCF service with token and access that service from a WPF application.
If you plan to only allow access to the WCF service via your web portal, then picture is a bit different. You can first protect your portal by Azure AD and get user's token. Then use that token to authenticate against the WCF.
But in a truly web scenario, the client that will make calls to the service is actually your web server. If this is the case, I will just protect my web portal with Azure AD. Then protect my WCF with a single access token. I can get that token from a Service Identity in my Azure AD Access Control. And provide this "Service Token" as part of each WCF call from my web server. For added audit (and compliance) I will also send the original user token, to keep track of who accessed what and when.