Scenario: I already have a registered multi-tenant web application that is compatible with Azure SSO. I'm now in the process of developing an iOS application that will support SSO authentication for the app as well.
Based on the example provided in https://azure.microsoft.com/en-us/resources/samples/active-directory-ios/ I created a Native application for the iOS app with delegated permissions from my WebApp (ref: https://stackoverflow.com/a/29810124).
This works for any user that exists within the AAD that the app was created. However, as soon as I want to SSO from a different domain that has previously authorized the WebApp I get an error:
Application with identifier 'CLIENT_ID_HERE' not found in directory DOMAIN_HERE.onmicrosoft.com
This implies that the native application is not multi-tenant? This seems a bit bizarre considering it should be possible for users outside of the domain to SSO to an application.
Right now, for my browser based SPA I'm simply able to manually call the common Azure login page to consent and get an authorization code for a user. I then send this code to a backend (the WebApp) that performs the OAuth handshake and gets a valid token. This does not require a client_secret from the application because the SPA isn't actually performing token retrieval.
So when I attempted to use the WebApp's client_id instead (similar to what https://stackoverflow.com/a/27033816 is suggesting) I was met with an error with the Azure AD iOS SDK requiring that I provided a client secret as well. It seems that the SDK is abstracting a fair amount of this and grabbing a token for you rather than performing a step when I can simply get an authorization code and send it to my WebApp.
TLDR: My requirements are very similar to the ones outlined in multiple-tenant, multiple-platform, multiple-services single sign-on using Azure Active directory where I have multiple clients (browser, iOS, Android) that all need to be able to use Azure SSO. I'm assuming the mobile apps should be able to use my existing WebApp to authenticate the users.
The question posed in the answer of the previous SO post somewhat explains my issue:
How can my mobile app access my multi-tenant web api on behalf of the user?
References
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-authentication-scenarios#native-application-to-web-api
https://github.com/Azure-Samples/active-directory-dotnet-webapi-multitenant-windows-store
At present the native app which register on the Azure portal doesn't support multi-tenant. You may consider using the V2.0 endpoint which also support the Microsoft accounts.
TLDR: My requirements are very similar to the ones outlined in multiple-tenant, multiple-platform, multiple-services single sign-on using Azure Active directory where I have multiple clients (browser, iOS, Android) that all need to be able to use Azure SSO. I'm assuming the mobile apps should be able to use my existing WebApp to authenticate the users.
Did you mean that have different font-end and the Multi-Tenant Web Application is the back-end? In this scenario, there is no need to register another native client application on the portal, you can refer here about add authentication for the iOS app.
So the majority of Microsoft's tutorials use their AAD SDK to generate OAuth access tokens whereas I needed to simply get an authorization_code to send up to a backend that's registered as an existing multi-tenant web application so it could properly generate a token using its own client_id.
This was done using the correct redirect_uri in the AD OAuth code documentation:
For native & mobile apps, you should use the default value of urn:ietf:wg:oauth:2.0:oob
Note that sending up urn:ietf:wg:oauth:2.0:oob will actually result in a schema error for the multi-tenant OAuth login page (https://login.windows.net/common/oauth2/authorize) so you must use https://login.microsoftonline.com/common/oauth2/nativeclient instead.
Related
I am trying to develop a serverless backend for my xamarin app. and for that I chose azure functions.
Now I already know that Azure Mobile Apps provide an SDK for this purpose with which we can easily enable Authentication with multiple ways which are following
1. Azure Active Directiry
2. Facebook
3. Google
4. Microsoft
5. Twitter
Now I want to allow login with atleast 2 of these in my app, but I am not using azure mobile app as backend, instead I am using azure functions. So how can I achieve the same result with serverless?
Thanks in advance.
AFAIK, when using Easy Auth (Authentication/Authorization in App Service), the user would be directed to {your-app-service-url}/.auth/login/{provider} for logging with Server-managed authentication. Users who interact with your web application through the web browser would have a cookie and they can remain authenticated as the browser your web application. For other clients (e.g. mobile client), a JWT would be contained in the x-zumo-auth header, and the Mobile Apps client SDK would handle it for you.
According to your scenario, you are trying to use user-based authentication with your function. I did some test, you could refer to them:
Firstly, I created a HttpTrigger function wrote in C#, then set the Authorization level to Anonymous.
return req.CreateResponse(HttpStatusCode.OK, req.Headers,JsonMediaTypeFormatter.DefaultMediaType);
Note: I just return all headers with the special headers specified by App Service Authentication / Authentication. Some example headers include:
X-MS-CLIENT-PRINCIPAL-NAME
X-MS-CLIENT-PRINCIPAL-ID
X-MS-TOKEN-MICROSOFTACCOUNT-ACCESS-TOKEN
X-MS-TOKEN-MICROSOFTACCOUNT-EXPIRES-ON
For more details, you could refer to App Service Token Store.
Then I go to Platform features and configure the Microsoft Authentication Provider under Authentication / Authorization. For mobile client, just use the Mobile Apps client SDK for logging and invoke the function endpoint as follows:
In summary, you could use the Mobile Apps client SDK for authentication with your function app. And you could configure the Authentication Providers as you wish, then for your mobile client you could set the related provider name when calling LoginAsync for logging. For your function, you could check the X-MS-CLIENT-PRINCIPAL-IDP header and retrieve the current user info and token for the specific provider.
Since Azure Functions are built on top of App Services, like Mobile Apps, you can still use Azure Active Directory authentication or the API keys for the Http triggered functions.
I am trying to have two applications(app1 and app2) in Azure
AD B2C, which is configured for Web api and another application that is configured for mobile app.
I need my mobile app to talk to app1, get the access token, using the app1's application-id and scope. Then use the access token got from app1 to communicate with app2. I enabled SSO in tenant level in the policies but it still says "Authorization denied" for the access token provided.
How can I reuse the access token got from one application to be used in another application.
We have been trying to get through this limitation (or function as designed for security) of B2C AD from weeks.
However, Microsoft does not support it.
We did not want to display MS login page to mobile user on mobile login screen (UX gets compromised). But MS says there is no way possible to avoid it. See response from MS on support ticket.
For more information: Azure AD B2C: Requesting access tokens
You will also benefit reading authentication scenarios supported. We are after something similar to this what they call "Daemon or Server Application to Web API".
In this diagram, Server Application = to mobile application in our case. However you will notice that in this scenario it is assumed that the user is already authenticated (via interactive flow).
We tried to act smart, thinking we can write a Auth web API which mobile will hit to obtain token and then pass this token to our business logic API (secured by B2C AD). We obtained access and refresh token somehow, however the test web app (mobile app) when pass this access token to our business logic API, it fails to validate the token. B2C AD comes fighting for it. Our analysis is not yet complete.
However, I am certain what we are trying to accomplish is not supported in B2C AD.
Hope this helps (I would actually advise you to look for other solution). I will be happy if someone can suggest a way to solve this obvious business problem.
Is it possible to set up a single "Native app" which can be used by users on different Azure accounts/directories so they can get data from their Office 365 Sharepoint Online?
We can get this working using a "Web app" because in the Azure portal where you set this up it has the "Multi-tenanted" option which can be set to Yes - the notes for this support this:
Designates whether users in external organizations are allowed to
grant your app access to data in their organization's directory. This
control affects only the ability to grant access. It does not affect
any access that has already been granted.
And some early testing suggests this does indeed work. However this implies using an Oauth secret which must be embedded in the app and the notes here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code
State (in relation to the app secret):
....It should not be used in a native app, because client_secrets
cannot be reliably stored on devices. It is required for web apps and
web APIs, which have the ability to store the client_secret securely
on the server side.
For native apps, the docs here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview
State:
Native client registrations are multi-tenant by default. You don’t
need to take any action to make a native client application
registration multi-tenant.
Which suggests they should work in the way we desire - however when we test this with OAuth flow from an account not in the same Azure AD where the native app was setup we get the following after authenticating:
AADSTS70001: Application with identifier 'XXXXXXXXXXXXXXXXXXXXXX' was not found in the directory YYYYYYYYYYYYYYYYYYYY
So it appears this does not work. At present the only way it seems to make this work is to create a Web app and embed the client ID and secret in the native application.
Has anybody had success with multi-tenant native apps or any ideas/feedback on what I am doing wrong or could try?
UPDATE I realised there were two things wrong here:
* You can actually click on the "Manifest" button in Azure and edit the raw JSON, updating the 'availableToOtherTenants' value to make it multi-tenant.
* I didn't have the scope=user_impersonation in the OAuth flow.
Now it seems we can create a native app which users in other orgs/tenants can authenticate with.
UPDATE 2 OK so it turns out our app now works for some users but at least one is getting:
AADSTS65005: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA. Resource value from request: https://XXX.YYYYYY.com. Resource app ID: ZZZZZZZZZZZ. List of valid resources from app registration: 00000002-0000-0000-c000-000000000000, 00000003-0000-0ff1-ce00-000000000000.\r\nTrace ID: KKKKKKKKKKKKKKKKK\r\nCorrelation ID: CCCCCCCCCCCCCCCCCCC
I can't see why it would work for one user but not another if both are in different tenant/Azure ADs to where the app is created.
If you were developing an native app which access the multi-tenant web API which also developed by you, you can set the add the clientId of native app to the manifest of web app's manifest with knownClientApplications property. So that when other tenant's users access the multi-tenant web API, it will also register the native app to their tenant.
Refer the code sample below which demonstrates a Windows Store application calling a multi-tenant web API that is secured using Azure AD:
active-directory-dotnet-webapi-multitenant-windows-store
I need to implement authentication for azure web api using azure active directory.
client app(which consumes webapi) may or may not be in azure. how i need to authenticate user, where i should generate token if my app is not in azure(if it is IOS app). authentication should work in all cases even if client app is in azure or not.
Please let me now the best procedure to implement authentication.
You need to define the client app in Azure AD as a native app in the case of a mobile app. Then you define the API there, and add your client permissions to access it. You can optionally customize the available permissions through the API app's manifest in Azure AD. Then when your mobile app opens, you would have to authenticate with Azure AD, and then request an access token for the API. That you can then use to authenticate requests.
I can't answer this question in too great detail because it is quite a large topic and how it is done also depends on your platform. There is a sample app that you can check which does exactly what you want. The whole list of examples for native apps can be found here.
App Service to use different authentication providers Azure Active Directory,Facebook,Google,Microsoft,Twitter.
We can set any type of Authentication/Authorization in the Azure Portal.More info about how to use authentication for API Apps in Azure App Service, please refer to document.
By default, App Service provides authentication but does not restrict authorized access to your site content and APIs. You must authorize users in your app code.
I've got an existing mobile app that is integrated with Azure's mobile services. The mobile services are currently connected to Azure Active Directory with MFA enabled. I'm attempting to build a separate PHP-based web application that uses this existing mobile service and authentication.
Authentication
The only active directory of users is the cloud-based AAD. There is no local version and no office 365. After doing a lot of research, it appears PHP can integrate using SAML. However, there are either no PHP samples Azure Active Directory Code Samples or they're tied to Office 365 azure-sdk-for-php-samples.
How can I authenticate my users against AAD via the web-app?
Authorization
Once a user has been authenticated, how can I ensure that user has the same access levels as the user via the mobile service?
One option would be to have your PHP app serve a page using the Mobile Services JavaScript SDK and have it perform the login.
You'll get the same token that you would in your mobile app. To your question on authorization, as long as you're making subsequent backend calls through the Mobile Service, you will get the exact same authorization rules as you have defined on that service.
The token will be client-bound, and you'll likely want to get it back to your server for making calls. The actual Mobile Services token is located in client.currentUser.authenticationToken, and you can set this as a cookie in the javascript code and then retrieve it on your PHP backend in a subsequent call.
Calls to the Mobile Service (via the REST API) from your PHP backend just need this token set in the X-ZUMO-AUTH header.
This approach should work for all providers, including AAD. MFA should not be a problem in this case.