App Service with Google authentication - list users - azure

My website is deployed to Azure as a App Service. It has Google authentication set up using Azure's Google Authentication provider.
Is it possible to list users (at least name and email address) accessing my site via Google account?

You can get information about the users who log into your web app as they log in. However, App Service does not automatically store this information in a way where you can query all users. It's up to you to store the user information in a way in which you can query it later. If you're trying to figure out how to get the information for each user, see below.
One option is to use the x-ms-client-principal-name request header to get a display name for the logged in user. If you want more information, you can get the set of "claims" for the logged in user. There are a few ways to do this:
If you're using ASP.NET (full framework), you can use the ClaimsPrincipal.Current static property to get information about the current user. In particular, the Claims property will contain several different properties.
No matter what language/framework you're using, you can make an HTTP request to the /.auth/me endpoint of your web app to get information that is automatically captured by App Service about the logged in user. This is generally going to be the same information as #1. This HTTP call will need to be authenticated using the same mechanism that was used to access the site.
Google has a set of APIs you can call to get detailed information about a user. To access these APIs, you need an access token, which you can obtain from the x-ms-token-google-access-token HTTP request header.
In all cases, you need to make sure that you've enable the correct scopes when you configured your Google authentication in the portal. This ultimately controls what information is available to your application. When users log in for the first time, they will be asked to consent to granting your app access to this information. Once consented, you'll get access to the latest information every time they log in.

Related

Able to have interactive login for calls to API Management service?

We have a backend service that can return a json result (Elasticsearch result) or an interactive browser web page (Kibana) based on the route. This service is gated behind an API Management service. Our developers need to be able to access the web page (Kibana). We are currently using a client certificate and we have it set to require this in our API definition. When browsing to the path in the browser, the user is prompted for the cert and the connection is made.
I would like to get rid of having to manage the certificate and instead use AAD to allow only users in a specific group to be able to access. I understand how to do this when making an API call. Is it possible to also have an experience similar to the cert where if the user is not logged in, they are prompted to log in, and then if they are in the correct group, access would be allowed?
Thanks
I imagine you want to enforce authentication at APIM level and not in Kibana. For that you'll have to handle two flows:
Initial flow, when non authenticated user requests URL, you should of check for persistent auth, possible in Cookie header and if not found - redirect user to login.microsoft.com.
Returning flow, when Azure AD redirects user back to APIM with a token, you'll need to validate that token and add it to Set-Cookie header, better encrypted.
And finally when any call is made also check and validate the cookie to see if it has expired.

Scoped application request for Microsoft Graph, in NodeJS

Ive been researching the MS Graph API lately, and I'm running into a problem. My use case is that I want to read a certain mailbox's mail, and send mail for that mailbox. The mailbox is a non user related box, and is used as a service account for emails.
Ive found 2 possible flows for getting into that mailbox. The user authenticated flow, and the application (and admin consented) flow. For the application, I want to read the emails in the background in a NodeJS app, without user interaction.
When I look into the user consented flow, I find that to make it work the user HAS to log in atleast once, by hand, and consent to some stuff I want to do. I found this page, on how this works, and made it work in my NodeJS app. The problem is, when using this flow, I have to login BY HAND atleast once after starting my NodeJS app. Afterwards I can use the refresh token to refresh the access token, but I dont want to do the login by hand.
The second option, and most suitable option for my NodeJS app, is the application flow. I found this tutorial on how to do that, and I made it all work. I fetch a token, and that token grants me access to the box via the Graph API.
But using the application flow, I found that I have to have the roles (i.e.): "User.ReadAll, Mail.Read, Mail.Send". This gives my application rights to read and send mail FOR ALL users in the account.. Which is WAY too much overkill for my situation.
Now my question; Is there a way for me to use MS Graph, with the application authentication flow, but without having access to all users' mailboxes, only to my specific account I want to read?
Thanks in advance,
Caspar
While linking the documentation reference, I saw that I read over the most important footnote:
Important Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the application permissions of Mail.Read, Mail.ReadWrite, Mail.Send, MailboxSettings.Read, or MailboxSettings.ReadWrite.
So it is possible using the application access policies.

Azure AD login - how to allow user to change Azure account if cached account is wrong for my application

Basic scenario: Azure AD is used as just an authentication provider a web app, the identity retrieved from azure is matched by email to a local identity and a forms auth cookie is issued for api authorization against the app's webapi.
Problem: If a user has multiple azure accounts, they may be pre-authenticated when they come to my app. In this case, when the redirect back to my app occurs there may be no matching user and login cannot complete.
Desired Solution: If the cached azure account is invalid for my app, I would like to direct the user back to the microsoft login page with a chance to manually type in their credentials
How do I achieve this, and is there something wrong with this flow? It seems currently the only way for the user to get into my app is to go to azure and log out of the bad account. What other methods could achieve a better user experience? Should I use the auth token from azure and log the user out programatically and then back to azure for another go around? Can I hint for azure to prompt the user even if they are logged in already?
I discovered that I really wanted the prompt=select_account flag on the redirect to azure, but the library I was using made it difficult to determine how to set this. I am using the ms-adal-angular6 library, which is a wrapper for azure-activedirectory-library-for-js.
After digging through the code I found a config property that was not documented called extraQueryParameter which when I set to "prompt=select_account" got the behavior close enough to what is needed.
Ultimately the user must select their account every time, instead of just when the account is wrong. I could most likely get tricky with the error response and redirect back a second time with prompt=select_account to get the behavior I was looking for, although the library doesn't make it easy to change this on the fly either so I may stick with it always on.

How can I specify a security rule for firestore based on device Platform?

I have a database in firestore which is connected to a Android App, iOS App and a Website. Now for all these we need to sign in to access data.
My question is How can we specify a rule
for Android and iOS app, so that users should sign in to access data.
And another rule for Website, so that users who access website can decide whether to sign in or not but they can still access data.
Can anyone help me out?
There is nothing built in to Firebase Authentication or Cloud Firestore security rules to indicate what platform a request is coming from. To be honest, it sounds quite insecure: if a user doesn't have to sign in on your web app, what keeps all users from using that web app?
But if you really want to implement this functionality, the easiest way to do this, is to use anonymous authentication in the web app. With anonymous authentication, the user gets signed in without having to enter any credentials:
firebase.auth().signInAnonymously()
Now in your security rules, you can simply check for any authenticated user:
allow read, write: if request.auth.uid != null
This allows any authenticated user access to the data: from the web app this will be anonymous users, while from the native apps it'll be whatever sign in method you implemented there.
Once you add other sign-in methods to the web app, you can upgrade the user's anonymous account by linking the providers to a single user account.
Fair warning though that nothing stops users from creating their own app and running it against your project configuration. So they can create an Android/iOS app that also uses anonymous authentication. If you want to prevent that, things get quite a bit more complex...
Here's one way to do it:
In the web app, sign the user in with anonymous authentication. This means that the user doesn't need to enter credentials
In the web app, send a request to a Cloud Function you create.
In the Cloud Function, verify that the request is coming from your web app. I have no guidance here, since it's unrelated to Firebase.
If the request is coming from the web client, add a custom claim to the user account identifying the user as a web user.
admin.auth().setCustomUserClaims(uid, { isWebUser: true })
Once the client refreshes its token (this may take up to an hour, unless you force it to refresh), the custom claim will be present in all requests it makes. So you can from that moment on, check the claim in your Firestore security rules:
allow read, write: if request.auth.token.isWebUser == true;

Authenticate against Azure AD - ColdFusion Web Application

I'm developing a web application which will require users to login before they can use the app. I've looked into using the Azure Active Directory as the resource which I will authenticate against, however I'm having trouble understanding how to set things up.
I've logged into the Azure Portal and have created my Active Directory. I've also added my custom Web App to the Applications area, and provided the App Login URL and APP ID URI. Now I have been given my Client ID and Federation Metadata Document Url, but I have no idea where to go from here.
Could someone provide an example of how I take the username and password which they enter in my login form and submit that to Azure, receiving back a result which would indicate success or failure? Or is that not how it works?
Any help is greatly appreciated. I don't need any other information from the Active Directory other than confirmation that YES, the username and password matches and let them in.
The web application is coded in ColdFusion as per the client's request, and it is hosted on their server.
Thank you!!!
UPDATE
Using the directions found here https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx I have been able to successfully request an authorization code by logging in using an Active Directory account. After I log in, the system redirects me back to my web application, and has a long url code variable, along with a url session_state variable. My question now is, what do I do with this information from my web app?
Using the directions found here
https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx I have
been able to successfully request an authorization code by logging in
using an Active Directory account. After I log in, the system
redirects me back to my web application, and has a long url code
variable, along with a url session_state variable. My question now is,
what do I do with this information from my web app?
If you look at the picture in the link you mentioned, there are 6 steps.
What you have done so far is performed step 1 and 2. Now you would need to perform step 3 and 4 i.e. get an access token using the auth code you have received.
Please see the section titled Use the Authorization Code to Request an Access Token in the same link regarding how to do it.
As part of Step 4, you will get an access token back. It is essentially a JWT token. Not sure how you would do that in Cold Fusion, but you can simply decrypt/parse (for the lack of better words :)) this token to get information about the user.
Given that you only want to find out if the user is authenticated successfully, I believe if you have received the code you're good. You don't have to do anything more.

Resources