Here is my problem, I create a brand new AspNetCore WebApplication in VS2017 RC.
Since I want to use Azure AD B2C to authenticate, I add the required NuGet packages:
Microsoft.AspNetCore.Authentication.Cookies
Microsoft.AspNetCore.Authentication.OpenIdConnect
I then add all the code to configure authentication. In fact, I reproduced the app demoed in this Channel9 video: https://channel9.msdn.com/events/Ignite/Australia-2017/CLD336a
It works fine and I can authenticate as expected. Now I want to get an access_token in order to access my WebApi also secured using AAD-B2C. For this, I need to change the ResponseType to
ResponseType = OpenIdConnectResponseType.CodeIdToken
and handle the OnAuthorizationCodeReceived event. In order to do that, my understanding is that I have to add the Nuget Package Microsoft.IdentityModel.Clients.ActiveDirectory. But this library will not target the v2.0 endpoint that I need for AAD-B2C.
So I saw in another GitHub solution (https://github.com/dzimchuk/azure-ad-b2c-asp-net-core) that i could use the Microsoft.Experimental.IdentityModel.Clients.ActiveDirectory package.
Unfortunately, this package is not compatible with NETCoreApp,Version=v1.0 and I get this error message when trying to add it to my project:
One or more packages are incompatible with .NETCoreApp,Version=v1.0 (win-x64).
Package Microsoft.Experimental.IdentityModel.Clients.ActiveDirectory 4.0.209160138-alpha
is not compatible with netcoreapp1.0 (.NETCoreApp,Version=v1.0) / win-x86.
Package Microsoft.Experimental.IdentityModel.Clients.ActiveDirectory 4.0.209160138-alpha
What am I missing?
Azure AD B2C does not currently support access tokens to a resource other than "self". To get an access token for self, you just need to put your client/app id as the scope. You can post on User Voice to recommend this feature and check in on other user recommended features (this has been requested before).
In terms of your library confusion, you definitely want to stick with MSAL. The ADAL experimental branch is not recommended and not actively being developed.
Related
I would like to be able to use the authentication token that I get when logging into my webapp through msal. If I use the toolkit I am forced to log in again (mgt-login). How can I bypass the second login? Thanks.
It sounds like you are already using msal.js in your application, correct?
This feature is not yet available, but we added the capability to configure an new MsalProvider with an existing UserAgentApplication object from msal.js.
This capability was added recently by a community member and is available in the latest preview:
https://github.com/microsoftgraph/microsoft-graph-toolkit/releases/tag/v2.0.0-preview.1
You can find details on this new feature in the mgt preview docs here:
https://github.com/microsoftgraph/microsoft-graph-docs/blob/mgt/next/concepts/toolkit/providers/msal.md#pass-an-existing-useragentapplication-in-the-useragentapplication-property
I am able to generate SecurityToken but I am unable to pass it when creating channel.
In .NET Framework 4.8 I could do,
var proxy = factory.CreateChannelWithIssuedToken(securityToken);
But I am unable to find alternative in .Net Core, I looked at decompiled source,
I tried this by creating a poco "FederatedClientCredentialsParameters" but this didn't work either.
var proxy = factory.CreateChannel();
IClientChannel clientChannel = (IClientChannel) proxy;
clientChannel.GetProperty<ChannelParameterCollection>().Add(new FederatedClientCredentialsParameters()
{
IssuedSecurityToken = token
});
I have tried looking into setting factory.endpointbehavior but can't find an avenue where I can insert security token. Most answers seems to be around client credential for username and password but not related WS Trust based security token.
I ended up creating my custom credential, custom credential token manager & custom token provider.
Then before creating proxy, I configured my custom credential code.
factory.Endpoint.EndpointBehaviors.Clear();
factory.Endpoint.EndpointBehaviors.Add(new CustomCredentials()
This allowed my custom credential code to return token at run time and it finally worked!
For detailed implementation see post by Joe at the bottom of following thread,
How can I pass a username/password in the header to a SOAP WCF Service
At present, core's support for wcf is very limited. In order to use WCF in core, core provides the following packages to support WCF:
The functions provided by these packages are also very limited. Many WCF functions cannot be used in core. You can pass security tokens in the .net framework, but core does not support you to do so.
My suggestion is to use the .net framework, you can also consider using custom binding and custom credentials. For more information about core's support for WCF, please refer to this link:
https://github.com/dotnet/wcf/tree/master/src
Feel free to let me know if the problem persists.
I'm developing an application with Xamarin.Forms, where the application should run on Windows and Android for the first version.
It should the Graph API to access OneDrive/OneNote.
I already managed to retrieve the name of the logged-in user under UWP (Universal Windows Platform).
So I tried to deploy the same app to Android, where the calls are quite similar with the following extensions:
UIParent is necessary
AuthenticationAgentContinuationHelper.SetAuthenticationAgentContinuationEventArgs(requestCode, resultCode, data); call is necessary
The UIParent part already works, but the AuthenticationAgentContinuationHelper cannot be built into the app.
Here Visual Studio says:
Duplicate Java type found!
Mappings between managed types and Java types must be unique.
First Type:
'Microsoft.Identity.Client.Platforms.Android.SystemWebview.AuthenticationActivity, Microsoft.Identity.Client, Version=2.6.2.0, Culture=neutral, PublicKeyToken=0a613f4dd989e8ae';
Second Type:
'Microsoft.Identity.Core.UI.SystemWebview.AuthenticationActivity, Microsoft.IdentityModel.Clients.ActiveDirectory, Version=4.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'
The Xamarin application is started as new app using the ".NET Standard" code sharing strategy with blank template from Visual Studio. As I read this has superseded the "PCL" way, which cannot be selected in VS2017.
Do you have an idea how this could be resolved?
This error started because the MSAL repo was sharing code with ADAL while the team worked to bring feature parity to MSAL and a common cache. Then, MSAL was moved back to its original repo, but the Android and iOS namespaces were not updated, so there was a conflict if using both ADAL and MSAL in the same project.
This has been fixed in MSAL 2.7 for the iOS ViewController classes and ADAL 4.5 for the Android AuthenticationActivity classes.
Are you sure you need both Microsoft.Identity.Client (MSAL) and Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL) packages?
MSAL is used to authenticate against the AAD v2 endpoint, whereas ADAL is used to authenticate against the AAD v1 endpoint, so in theory you'd need either one or the other.
Maybe there are cases where you'd need both, but I was getting the same error and as I was using MSAL to authenticate I uninstalled the Microsoft.IdentityModel.Clients.ActiveDirectory nuget package and all was well.
I read these two articles 1.here and 2.here to find out what is best way to perform authentication against an Azure Mobile App when the API on the server is using Claims based custom authorization and the Xamarin client calling it is using the MobileServiceClient framework. I am unable to finalize which of the two examples in those links is the better way to go.
In the first link there doesn't seem to be any dependency on platform specific code like it has in the second link, which means I don't need to write any code in the Driod or IOS or Windows projects and can get away with doing everything in a class library itself.(Am I right here?)
Also, the first link seems to not require any provider like the second link does because I am invoking a direct service call to a Url. The second link on the other hand only seems to support Facebook, Twitter, MicrosoftAccount, Google and WindowsAzureActiveDirectory. The mandatory MobileServiceAuthenticationProvider parameter doesn't seem to provide for Custom Authentication against a sql server based User table. I am not sure about this part and cant find documentation that says otherwise.
If LoginAsync doesn't provide for Custom Authentication then its clear that I will need to follow the InvokeApiAsync route. If it does provide it then the question is: should I write platform specific(Droid/IOS/windows) code in each target project like in the second link or should I handle all the service calls in a class library as can be done in the example shown in the first link? In other words should I go with LoginAsync or InvokeApiAsync? Which of the two is the recommended way?
The first article shows off custom authentication, as you intimated. The second article shows off App Service Authentication, which has a known list. If you need to do a custom username/password, then go with the former. If you need to go with social auth or enterprise auth, then go with the latter.
My general recommendation is don't require the user to create yet another username unless you have to - which means social authentication for consumer apps and enterprise authentication via AAD for enterprise apps.
My other recommendation is to always use the client SDK for doing the authentication part. This allows you to follow the very latest practices from the provider (facebook, twitter, etc.) in respect to security, refresh tokens and other authentication requirements. Once you have the provider token, it's easy to swap it for an Azure Mobile token by using LoginAsync() with a token. See the Azure Documentation for information on this.
In all cases, you are going to need platform specific code - that means using the DependencyService (as in the second example) to execute your login code. I generally create a singleton class that wraps the MobileServiceClient in the PCL. Then create an ILoginProvider interface which has LoginAsync/LogoutAsync code in it to handle the platform dependency code. My singleton class then calls the DependencyService to get the code. You can find an example in my GitHub Repository that covers iOS, Android and UWP.
I need to connect servicestack to ADFS, as well as the usual social id providers. I know there are apps that could do this for me, authbridge, thinktecture, etc, but would really like to have everything within one app.
Is anybody working on adding a WIF authentication provider to servicestack?
ServiceStack hasn't added any specific support for WIF, but it looks like it maybe provided by a 3rd Party (Auth10) in their ServiceStack Auth NuGet package:
https://nuget.org/packages/Auth10.ServiceStack