How to get Azure easy auth JWT access_token - azure

I have an Azure App Service on which I have enabled Authentication/Authorization and configured AD as the authentication provider.
All /.auth routes exist on the service, and I can log in. After successful login I can call /.auth/me to get the access_token. The response looks like:
[
{
"access_token": "AQABAAAAAA...Gni4EiQgAA",
"expires_on": "2017-02-28T19:17:08.0000000Z",
"id_token": JWT TOKEN
...
}
]
I then use the access_token in an authorization bearer header to request data from the service.
"Authorization": "Bearer " + "AQABAAAAAA...Gni4EiQgAA"
My service returns the following error
IDX10708: 'System.IdentityModel.Tokens.JwtSecurityTokenHandler' cannot read this string: 'AQABAAAAAA...Gni4EiQgAA'.
The string needs to be in compact JSON format, which is of the form: '<Base64UrlEncodedHeader>.<Base64UrlEndcodedPayload>.<OPTIONAL, Base64UrlEncodedSignature>'.
According to this discussion the access_token is intended to be used as a Bearer token. I have also read here that the access_token is supposed to be base64 encoded but this does not appear to be the case.
Additionally, if I use the id_token as a Bearer token, then authentication works as expected (the id_token is in JWT format).
Edit
When I manually implement the Oauth flow as described here, I receive a proper JWT access_token.
GET
https://login.microsoftonline.com/common/oauth2/authorize?client_id=client_id&response_type=code&redirect_uri=redirect_uri
Followed by
POST
https://login.microsoftonline.com/common/oauth2/token
grant_type=authorization_code
client_id=client_id
code=CODE FROM ABOVE
redirect_uri=redirect_uri
resource=resource
client_secret=client_secret
RESPONSE
{
"access_token": JWT TOKEN,
"token_type": "Bearer",
...
}

According to your description, I enabled Authentication/Authorization and configured AD as the authentication provider to test this issue. As I know, when you enable Authentication/Authorization on the Azure Portal, the default response_type is id_token. You need to log into https://manage.windowsazure.com and update the App Service Auth Configuration as follows:
Note: If you do not specify the resource for additionalLoginParams, you would retrieve an access_token that is not in JSON Web Token (JWT) format.
I then use the access_token in an authorization bearer header to request data from the service.
For accessing your service, you could leverage the AppServiceAuthSession cookie or you could use Authorization: Bearer "{your-id-token}".
For more details, you could refer to this similar tutorial.

Related

Bypass Azure AD SAML

I have SAML set up on my AD and I have the private key and certificate PEMs along with the certificate and metadata, and I want to know if it's possible to bypass the login from the API. I'm developing a Node.JS API from which I want to make requests to the server behind the SAML login, but I need to bypass it with what I've got.
Maybe a way to generate a token from Azure's API (to use as bearer authorization) would work like how you do it with OAuth?
I'm not asking for any other solution (like whitelisting etc.), I just need it to be token/API based.
To bypass Azure AD, you may choose the On-Behalf-Of flow.
For single-page apps (SPAs), here we pass an access token to a middle-tier confidential client to perform OBO flows instead.
This will only work if the respective permissions (scope grants) are already granted when you try to get an access token using the on-behalf-of flow.
Here API A authenticates to the Microsoft identity platform token issuance endpoint and requests a token to access API B.
https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
client_id=xxx
&client_secret=saxx1s
&scope=https://graph.microsoft.com/user.read+offline_access
&requested_token_use=on_behalf_of
Here we need to expose the API, and here I am granting user.read
And the exposed API
The response has the access token and refresh token:
{
"token_type": "Bearer",
"scope": "https://graph.microsoft.com/user.read",
"expires_in": 3269,
"ext_expires_in": 0,
"access_token": "xx",
"refresh_token": "xxxx"
}
Please check Microsoft identity platform and OAuth2.0 On-Behalf-Of flow - Microsoft Entra | Microsoft Learn
Reference : how-to-use-azure-ad-access-token-to-bypass-microsoft-online-login

Not getting refresh token and id_token with Azure AD OAuth2.0 ROPC flow using username and password

I am using the ROPC flow with user details and client details to get an access token and refresh token. But I am only getting the access token, and this expires in 1 hour.
My frontend app has a sign-in window where we provide AD user creds; this makes a POST request and the FE gets a successful auth.
I have 2 questions:
Getting a CORS issue while making the user sign-in request from http://localhost:3000, with an access-control-allow-origin header error.
I would like to get a refresh token for continuous app login, OR do I set the lifetime of the access token to a day?
REQUEST:
// Line breaks and spaces are for legibility only. This is a public client, so no secret is required.
POST {tenant}/oauth2/v2.0/token
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=user.read%20openid%20profile%20offline_access
&username=MyUsername@myTenant.com
&password=SuperS3cret
&grant_type=password
RESPONSE:
{
"token_type": "Bearer",
"scope": "api://94849942785375897059789375379/FIles.Read",
"expires_in": 3598,
"ext_expires_in": 3598,
"access_token": "8YU4bMhafsfhaeoahehviyy8786w89ufo2ofj29h8gMWnB633NLWn7JQ"
}
You need to add offline_access and openid to the scope parameter when requesting the token; try adding them, and you will get the id token and refresh token.
Update:
Your application will need a back-end that will fetch the data and return it to the front-end. So try to call the token endpoint from the back-end.

Azure AD B2C Custom policy, how to put application scopes in access token

Here's the configuration for the Azure AD B2C: create two applications, web and api. Added two scopes, read and write, to the api application. Configured the web application to use the api application. Tested with the built-in user flows, e.g. sign up / sign in. Ran the flow for the web app, got the access token, and the scopes are in the token.
Now create a custom policy to use multiple tenants to authenticate the users with Azure AD. Created a custom sign-up/sign-in policy. Ran the policy and got the access token by specifying the api scopes for the access token; however, the returned token does not contain the scope claims. My question is how to configure the custom policy to have the api scopes in the access token?
When you run the custom policy, it will only return an ID token rather than access token.
So your scope claims won't be included in the ID token.
You should refer to Request an access token in Azure Active Directory B2C.
After you have Added a web API application to your Azure Active Directory B2C tenant, use authorization code flow to get the access token.
GET https://<tenant-name>.b2clogin.com/tfp/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize?
client_id=<application-ID>
&nonce=anyRandomValue
&redirect_uri=https://jwt.ms
&scope=https://<tenant-name>.onmicrosoft.com/api/read
&response_type=code
The response with the authorization code should be similar to this example:
https://jwt.ms/?code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMC...
After successfully receiving the authorization code, you can use it to request an access token:
POST <tenant-name>.onmicrosoft.com/oauth2/v2.0/token?p=<policy-name> HTTP/1.1
Host: <tenant-name>.b2clogin.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&client_id=<application-ID>
&scope=https://<tenant-name>.onmicrosoft.com/api/read
&code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMC...
&redirect_uri=https://jwt.ms
&client_secret=2hMG2-_:y12n10vwH...
The response:
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN...",
"token_type": "Bearer",
"not_before": 1549647431,
"expires_in": 3600,
"expires_on": 1549651031,
"resource": "f2a76e08-93f2-4350-833c-965c02483b11",
"profile_info": "eyJ2ZXIiOiIxLjAiLCJ0aWQiOiJjNjRhNGY3ZC0zMDkxLTRjNzMtYTcyMi1hM2YwNjk0Z..."
}
See details here.

Azure access token generation from Postman

I wanted to generate an Azure token from Postman for API authorization in my project. I am able to generate a token using the API request below, but I get the error message "Authorization denied for this request" when using the generated token in another API request.
Endpoint#
https://login.microsoftonline.com/:tenant_id/oauth2/token
Params#
tenant_id:As per id generation by azure.
Body# (Form-data)
grant_type:client_credentials
client_id:As per id generation by azure.
client_secret:As per id generation by azure.
resource:Required URL
Response#
{
"token_type": "Bearer",
"expires_in": "foo",
"ext_expires_in": "foo",
"expires_on": "foo",
"not_before": "foo",
"resource": "foo",
"access_token": "foo"
}
Since the above returned token is not accepted, I passed the username and password as well in the body of the request but ended up with the same results. Also, Azure did not consider my credentials even when they are wrong.
Could you please assist with what else I need to send in the response to get a valid token id?
The valid format for the client_credentials authentication flow is as below:
Azure Portal Credentials For App Id and Tenant Id:
Application Secret from Portal:
Token Endpoint Or URL:
https://login.microsoftonline.com/YourTenantName.onmicrosoft.com/oauth2/token
Request Param:
grant_type:client_credentials
client_id:b603c7be_Your_App_ID_e6921e61f925
client_secret:Vxf1Sl_Your_App_Secret_2XDSeZ8wL/Yp8ns4sc=
resource:https://graph.microsoft.com
PostMan Sample:
Token On Response:
Expose Your Own API:
When you want to authorize your own API you have to add it here, so that your token will contain this permission and this API can be accessed. Refer to these docs.
For more clarity you could refer to the official docs.
You should try adding "X-ZUMO-AUTH" header to your request when using the generated token.
GET https://<appname>.azurewebsites.net/api/products/1
X-ZUMO-AUTH: <authenticationToken_value>
https://learn.microsoft.com/en-us/azure/app-service/app-service-authentication-how-to

Wrong access_token from AAD with OAuth2 flow

I am implementing the OAuth 2.0 auth code authentication flow with a multi-tenant application.
Here is my authorize url:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=my_id&prompt=consent&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauthorize&response_type=code&scope=openid+offline_access&state=17
It goes fine and I receive the auth_code. Then I make a request with this auth_code to the token_url and receive a lot of information, like:
token_type
scope
id_token
access_token
refresh_token
expires_at
ext_expires_in
Seems fine to me, but when I make a request to the API with the access_token like:
https://management.azure.com/subscriptions/my_sub_id/locations?api-version=2016-06-01
with headers:
Content-Type:
- application/json
Authorization:
- Bearer EwBQA8l6BAAURSN/FHlDW5xN74t6GzbtsBBeBUYAAV1IHgHb4dOWblzfd/YsSuFicAMDYbua17QivnAT9/pIaeKAg3uKsK5VGqWLzjMOUQrCpd7R1RAM6RkzI0u8e4rpO7DISG7qLso5H5+U1jb+38/j1urcwlXMMxhy83ZXmdpkLXpZV+vcOV...
It responds with 401 error
body:
encoding: UTF-8
string: '{"error":{"code":"InvalidAuthenticationToken","message":"The access token is invalid."}}'
To be honest I think something is wrong with my access_token. It does not look like a JWT to me. The documentation says it looks like:
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCEV1Q..."
But my access_token looks like:
"access_token": "EwBYA8l6BAAURSN/FHlDW5xN74t6GzbtsBBeBUYAAZDe7JE/MPLoAi+Fr+1Xxq5eBe5N9l8Q+c4QjkY5PGEzRnBpPe7+v6h+PLdh1cceBQx+/JsB2QCrYSCt7x/zGsQAhwoY/"
Is it fine?
Here are my permissions for the application:
Permissions
The main issue you have here is that you have only asked for an access token for the scopes openid offline_access. The resulting access token will be for Microsoft Graph (https://graph.microsoft.com), not for the Azure REST API (https://management.azure.com).
To indicate you would like a token for a given API, the scope parameter in your authorization request should include the delegated permission you would like the app to have for the API. In the case of Azure REST API, there's only one delegated permission: user_impersonation. The identifier URI for the Azure REST API is https://management.azure.com, so the scope value you want to use is:
openid offline_access https://management.azure.com/user_impersonation
Two more important notes:
As you've discovered, you will not always be issued an access token as a JWT which you can decode and peek at. The format of the access token is an agreement between the service which issued the token (Azure AD or Microsoft Accounts, in this case) and the service for which the token was issued (Microsoft Graph, in this example).
You should not always include prompt=consent. prompt=consent should only be used if you have already tried signing in the user without it, and the user needs to be re-prompted for consent for a new permission.
If you simply include the required scopes in the scopes parameter, the Microsoft Identity platform will take care of figuring out if it needs to prompt for consent or not. If you always include prompt=consent, you will find that many organizations will be blocked from accessing your app, because they've disabled the ability for users to grant consent themselves (and this parameter specifically states that you require the user to be prompted again).
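Added example (not code from any of the posts above): a Python diagnostic for the two token-format problems on this page, the IDX10708 "cannot read this string" error raised by the opaque Easy Auth access_token in the first question and the Graph-audience token rejected by management.azure.com in the last one. It classifies a bearer token as compact JWS or opaque and, for a JWS, reads the unverified aud and exp claims; the sample tokens are constructed here, and make_sample_jwt, inspect_token and audience_matches are this example's own names.

```python
import base64
import json
import time

def _b64url_decode(segment: str) -> bytes:
    """Decode base64url, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_jwt(claims: dict) -> str:
    """Construct a compact-JWS-shaped token for demonstration only. The
    signature segment is a placeholder, so it would fail real validation."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "placeholder-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])

def inspect_token(token: str) -> dict:
    """Classify a bearer token as compact JWS (header.payload.signature,
    each base64url) or opaque. Decodes the JWS parts WITHOUT verifying
    the signature; this is a diagnostic, not an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"kind": "opaque"}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or a non-JSON segment
        return {"kind": "opaque"}
    return {"kind": "jws", "header": header, "claims": claims}

def audience_matches(token: str, expected_aud: str, now=None) -> bool:
    """True only if the token is a JWS, is unexpired and names expected_aud
    in 'aud'. A resource server must additionally verify signature and issuer."""
    info = inspect_token(token)
    if info["kind"] != "jws":
        return False
    claims = info["claims"]
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return False
    aud = claims.get("aud")
    return expected_aud in (aud if isinstance(aud, list) else [aud])

# Constructed samples: an opaque Easy Auth style string and a Graph-audience
# JWT whose exp (4102444800) is 2100-01-01, so it stays unexpired for the demo.
OPAQUE_TOKEN = "AQABAAAAAAexampleOpaqueTokenNotAJwt"
GRAPH_TOKEN = make_sample_jwt({"aud": "https://graph.microsoft.com", "scp": "User.Read", "exp": 4102444800})
```

Running inspect_token on OPAQUE_TOKEN reports "opaque", which is exactly what JwtSecurityTokenHandler complains about in IDX10708, while GRAPH_TOKEN decodes but fails audience_matches for https://management.azure.com.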