Authenticate against Azure AD - ColdFusion Web Application - azure

I'm developing a web application which will require users to log in before they can use the app. I've looked into using the Azure Active Directory as the resource which I will authenticate against; however, I'm having trouble understanding how to set things up.
I've logged into the Azure Portal and have created my Active Directory. I've also added my custom Web App to the Applications area, and provided the App Login URL and APP ID URI. Now I have been given my Client ID and Federation Metadata Document Url, but I have no idea where to go from here.
Could someone provide an example of how I take the username and password which they enter in my login form and submit that to Azure, receiving back a result which would indicate success or failure? Or is that not how it works?
Any help is greatly appreciated. I don't need any other information from the Active Directory other than confirmation that YES, the username and password match and let them in.
The web application is coded in ColdFusion as per the client's request, and it is hosted on their server.
Thank you!!!
UPDATE
Using the directions found here https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx I have been able to successfully request an authorization code by logging in using an Active Directory account. After I log in, the system redirects me back to my web application with a long code variable in the URL, along with a session_state URL variable. My question now is, what do I do with this information from my web app?

If you look at the picture in the link you mentioned, there are 6 steps.
What you have done so far is performed steps 1 and 2. Now you would need to perform steps 3 and 4, i.e. get an access token using the auth code you have received.
Please see the section titled Use the Authorization Code to Request an Access Token in the same link regarding how to do it.
As part of Step 4, you will get an access token back. It is essentially a JWT token. Not sure how you would do that in ColdFusion, but you can simply decrypt/parse (for the lack of better words :)) this token to get information about the user.
Given that you only want to find out if the user is authenticated successfully, I believe if you have received the code you're good. You don't have to do anything more.
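Steps 3 and 4 worked through as an added example (JavaScript, not code from the question, the answer or ColdFusion itself): build the token request for the code from the callback URL, then check the id_token's claims before treating the user as signed in. TENANT_ID, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI and the sample token are placeholders and constructed values.

```javascript
// Added example, not code from the question or answer: steps 3 and 4 of the
// flow on the linked MSDN page (Azure AD v1 endpoints), done on the server.
// TENANT_ID, CLIENT_ID, CLIENT_SECRET and REDIRECT_URI are placeholders.
const AUTHORITY = "https://login.microsoftonline.com";

// Step 3: the POST that redeems the `code` from the callback URL for tokens.
// The returned object can be sent with any HTTP client (cfhttp in ColdFusion).
function buildTokenRequest({ tenantId, clientId, clientSecret, redirectUri, code, resource }) {
  const body = new URLSearchParams({
    grant_type: "authorization_code", client_id: clientId, client_secret: clientSecret,
    redirect_uri: redirectUri, code, resource,
  });
  return {
    url: `${AUTHORITY}/${tenantId}/oauth2/token`,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Step 4: the response carries access_token and id_token; the login decision rests
// on id_token. Decoding does not verify the signature; do that with a JWT library.
const fromB64Url = (s) => Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(fromB64Url(parts[1]));
}

// Receiving a code is not proof of login for this app: the token must come from
// our tenant, be issued for our client id, and be inside its validity window.
function checkIdTokenClaims(payload, { tenantId, clientId, now = Math.floor(Date.now() / 1000) }) {
  const problems = [];
  if (payload.tid !== tenantId) problems.push("tid mismatch");
  if (payload.iss !== `https://sts.windows.net/${tenantId}/`) problems.push("issuer mismatch");
  if (payload.aud !== clientId) problems.push("audience mismatch");
  if (typeof payload.exp !== "number" || payload.exp <= now) problems.push("expired");
  if (typeof payload.nbf === "number" && payload.nbf > now) problems.push("not yet valid");
  return { ok: problems.length === 0, problems, user: payload.upn || payload.unique_name || null };
}

// Constructed, unsigned sample id_token for a placeholder tenant and client (exp = demo's now + 1h).
const seg = (o) => Buffer.from(JSON.stringify(o)).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_ID_TOKEN = [
  seg({ typ: "JWT", alg: "RS256" }),
  seg({ tid: "TENANT_ID", iss: "https://sts.windows.net/TENANT_ID/", aud: "CLIENT_ID", exp: 1700003600, upn: "user@example.com" }),
  "signature-placeholder",
].join(".");
function demo() {
  return checkIdTokenClaims(decodeJwtPayload(SAMPLE_ID_TOKEN), { tenantId: "TENANT_ID", clientId: "CLIENT_ID", now: 1700000000 });
}
```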

Related

React app using msal-react, how to automatically authenticate user

I'm working on a react app where the pages can be used both by authenticated and anonymous users. The pages show more features for the authenticated users.
If a user previously has signed in and revisits the website, I want the user to be automatically authenticated, and am struggling to achieve this.
I'm using redirect methods because I don't believe popup is working well on phones (is that assumption correct?).
I have tried storing the homeAccountId in local storage and using that to get the account used and then calling login in the msal instance. I also set up an addEventCallback and listen for EventType.LOGIN_SUCCESS which I use to set some internal state about the logged in user.
I have tried using MsalAuthenticationTemplate but strangely this doesn't invoke a login. I have also tried to detect if this is a "first run" and then invoking the login, but that doesn't work all the time. Sometimes I get an SSO error indicating I should provide a login_hint or sid which is not possible because I use B2C.
If I don't do anything the user can click the login button and if the user has a valid cookie with B2C the user is logged in without providing credentials, which is a strange behavior for the user because my website indicates the user is not authenticated (and shows no logout button).
So I can't really get this to work and am wondering if somebody has a concept for achieving this?
Please check out the msal-react samples which all demonstrate the behavior you're looking for. The MsalAuthenticationTemplate would be the recommended way to do this and if you're still having issues getting this to work after reviewing the samples I would recommend opening an issue on our repo with code snippets so we can take a closer look at what's going on.
Also using localStorage, if you're not already, would help to maintain application state between browser sessions. sessionStorage is the default.
As for B2C not asking for credentials; server state is separate from client state. You can be signed in on the server without the application knowing about it. Until your application makes a request to the B2C server your application will show that a user is not signed in. If a session already exists on the server when you make a login request, the server may redirect you back to your application without asking for credentials again.

Azure AD login - how to allow user to change Azure account if cached account is wrong for my application

Basic scenario: Azure AD is used as just an authentication provider for a web app; the identity retrieved from Azure is matched by email to a local identity and a forms auth cookie is issued for API authorization against the app's Web API.
Problem: If a user has multiple azure accounts, they may be pre-authenticated when they come to my app. In this case, when the redirect back to my app occurs there may be no matching user and login cannot complete.
Desired Solution: If the cached azure account is invalid for my app, I would like to direct the user back to the microsoft login page with a chance to manually type in their credentials
How do I achieve this, and is there something wrong with this flow? It seems currently the only way for the user to get into my app is to go to Azure and log out of the bad account. What other methods could achieve a better user experience? Should I use the auth token from Azure and log the user out programmatically and then back to Azure for another go around? Can I hint for Azure to prompt the user even if they are logged in already?
I discovered that I really wanted the prompt=select_account flag on the redirect to azure, but the library I was using made it difficult to determine how to set this. I am using the ms-adal-angular6 library, which is a wrapper for azure-activedirectory-library-for-js.
After digging through the code I found a config property that was not documented called extraQueryParameter which when I set to "prompt=select_account" got the behavior close enough to what is needed.
Ultimately the user must select their account every time, instead of just when the account is wrong. I could most likely get tricky with the error response and redirect back a second time with prompt=select_account to get the behavior I was looking for, although the library doesn't make it easy to change this on the fly either so I may stick with it always on.

Accessing Third Party Apps After Creating A Session Via API Token

I've scoured the api docs, as well as StackOverflow, and I've yet to find the answer to my question. And it is possible I'm misunderstanding how the system works.
Here's the scenario our client wants:
User logs into our website
At which point we authenticate the user in our system, and One Login via the api.
After the user logs into our dashboard, they can click a link and be redirected to their third party analytics app due to the fact that I've created a new session with One Login.
Here are the steps I've completed.
I've successfully received an access token via --> https://developers.onelogin.com/api-docs/1/oauth20-tokens/generate-tokens
I've successfully used the access token to generate a session login token via --> https://developers.onelogin.com/api-docs/1/users/create-session-login-token
I've successfully used the session login token to create a new session.
I'm receiving the proper cookies from One Login after making the create new session request, and - at that point - if I enter the URL onelogin.com/login, I am taken directly to the dashboard.
At this point I know I'm properly authenticated with One Login. However, I'm not sure how to directly access a third party app from a link on our website.
Thanks.
Two ways:
If the app supports SP-initiated SAML, just navigate the user to the application and it'll do the whole SAML flow: the app redirects to OneLogin, OL authenticates the user (because you have a session) and redirects the SAML response to the app.
Use the launch endpoint - You can create a URL to an app by using this format: https://app.onelogin.com/launch/{app-id}. For example, you can provide a link to an app like this:
Time Reporting (link text; the link target is the app's launch URL)
Details on that endpoint can be found here: https://developers.onelogin.com/api-docs/1/embed-apps/get-apps-to-embed-for-a-user
Take note that you're probably going to want to use the optional flag that makes sure to redirect to your login page, not OL's if you've built a login facade.

App Service with Google authentication - list users

My website is deployed to Azure as an App Service. It has Google authentication set up using Azure's Google Authentication provider.
Is it possible to list users (at least name and email address) accessing my site via Google account?
You can get information about the users who log into your web app as they log in. However, App Service does not automatically store this information in a way where you can query all users. It's up to you to store the user information in a way in which you can query it later. If you're trying to figure out how to get the information for each user, see below.
One option is to use the x-ms-client-principal-name request header to get a display name for the logged in user. If you want more information, you can get the set of "claims" for the logged in user. There are a few ways to do this:
1. If you're using ASP.NET (full framework), you can use the ClaimsPrincipal.Current static property to get information about the current user. In particular, the Claims property will contain several different properties.
2. No matter what language/framework you're using, you can make an HTTP request to the /.auth/me endpoint of your web app to get information that is automatically captured by App Service about the logged in user. This is generally going to be the same information as #1. This HTTP call will need to be authenticated using the same mechanism that was used to access the site.
3. Google has a set of APIs you can call to get detailed information about a user. To access these APIs, you need an access token, which you can obtain from the x-ms-token-google-access-token HTTP request header.
In all cases, you need to make sure that you've enabled the correct scopes when you configured your Google authentication in the portal. This ultimately controls what information is available to your application. When users log in for the first time, they will be asked to consent to granting your app access to this information. Once consented, you'll get access to the latest information every time they log in.
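Option 2 above, carried through as an added example (not from the answer or App Service itself): parse a /.auth/me document into name, email and a stable id, and keep a queryable registry of who has logged in. SAMPLE_AUTH_ME is a constructed response, and the claim type names it uses are assumptions.

```javascript
// Added example, not from the answer above: a small user registry fed from the
// /.auth/me response described in option 2. The shape used here is App Service's:
// an array with one entry per provider, each holding provider_name, user_id and
// user_claims as {typ, val} pairs. SAMPLE_AUTH_ME is constructed, and the claim
// type names are assumptions; check them against your own /.auth/me output.
// The x-ms-* headers and /.auth/me are only trustworthy when requests reach the
// app through App Service's authentication front end, which sets them itself.
const EMAIL_CLAIMS = ["email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"];

function claim(entry, types) {
  const hit = (entry.user_claims || []).find((c) => types.includes(c.typ));
  return hit ? hit.val : null;
}

// Reduce one /.auth/me document to the fields the question asks for.
function principalFromAuthMe(doc) {
  const entry = Array.isArray(doc) ? doc.find((e) => e.provider_name === "google") : null;
  if (!entry || !entry.user_id) throw new Error("no Google identity in /.auth/me response");
  return {
    provider: entry.provider_name, id: entry.user_id,
    name: claim(entry, ["name"]) || entry.user_id,
    email: claim(entry, EMAIL_CLAIMS),
  };
}

// Key the registry by provider + id rather than by name or email, because only
// the id is stable; first_seen/last_seen give the "who accessed my site" list.
function recordLogin(registry, principal, at = new Date().toISOString()) {
  const key = `${principal.provider}:${principal.id}`;
  const prev = registry.get(key);
  const entry = { ...principal, first_seen: prev ? prev.first_seen : at, last_seen: at, logins: (prev ? prev.logins : 0) + 1 };
  registry.set(key, entry);
  return entry;
}

function listUsers(registry) {
  return [...registry.values()].map(({ name, email, logins, last_seen }) => ({ name, email, logins, last_seen }));
}

const SAMPLE_AUTH_ME = [{ // constructed sample response
  provider_name: "google", user_id: "user1@example.com",
  user_claims: [{ typ: "name", val: "Example User" }, { typ: "email", val: "user1@example.com" }],
}];
```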

how to get Azure Active Directory B2C working with Bot Framework?

So far I've not been able to get this working with the Bot Framework. I spent all day but only managed to get the .NET API example (https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet) working with AD B2C. I'm not sure where it grabs the bearer token that I want to pass to BotUserData...
I've tried following https://azure.microsoft.com/en-us/blog/bot-framework-made-better-with-azure/
but in reality the solution does not build successfully, and I've resorted to just taking code from there into my Bot Framework sample template. However, when it asks me to log in through MS and I do, I am not able to proceed, and it doesn't seem like that blog is using the AD B2C policies.
So how do you integrate AD B2C with the Bot Framework? Is it possible to call the /Account/SignIn URL from the Bot Framework to authenticate the user? Afterwards, how would you capture the token and pass it to BotUserData?
You might want to take a look at the Facebook Auth sample to get an idea of a potential flow for the auth scenario. For Azure AD, you need to do a similar flow.
Let's say your user sends a "Login" message to your bot. The bot should respond with an auth URL and ask the user to log in to the service using that URL. You can use the GetAuthorizationRequestURL method of ADAL for that.
Then you will have a Web API which will basically expose an endpoint that will be the reply URL of Azure AD. Once the user completes the login, a message will be posted to your Web API where you will be able to get the authorization code and perform the calls to get the access token. After that, you can just do the same they are doing in the Facebook sample Web API, which involves resuming the conversation with the bot and sending a message with the access token so it can be persisted in the PerUserInConversationData bag (check this line of code).
After that you have the access token available to perform any call that requires an access token.
Update
There are two new samples that you might want to take a look at since they are implementing the workflow being discussed.
GraphBot from the BotBuilder repo.
AuthBot from Mat Velloso
Hope this helps.
Follow this tutorial for bot side code development; I focus on configuration at the B2C and Azure level here:
OAuth Connection
Client id
This is taken from the Application ID field in your B2C app's properties. It's the equivalent of a Microsoft app ID taken from any other AAD app registration.
Client secret
This is generated using the steps in this tutorial.
Select Keys and then click Generate key.
Select Save to view the key. Make note of the App key value. You use the value as the application secret in your application's code.
Use AAD V2 configuration in oAuth settings in bot channel registration - new oauth connection settings.
Fill the above details by following the steps and values we got from them.
Authorization/Token/Refresh URL
For this one I used
https://login.microsoftonline.com/tfp/<tenant>/<policy>/oauth2/v2.0/authorize
for the Authorization URL and
https://login.microsoftonline.com/tfp/<tenant>/<policy>/oauth2/v2.0/token
for the Token and Refresh URLs.
For <tenant> I used the URL format (kyleorg.onmicrosoft.com) rather than the GUID format, but using the GUID also seems to work.
<policy> is the name of a user flow, like B2C_1_userflow. I created one with this tutorial.
Scopes
Using the scopes openid offline_access I am able to sign in successfully, but to my astonishment the token returned is empty.
Then I found this document which suggests using the client ID itself as a scope.
When I reuse the value from the Client id field in my Scopes field, a token is returned successfully and my bot is able to use the connection.
You can combine this with other scopes as needed, but for the sake of experimentation I highly recommend getting the simplest implementation to work first.
Let me know if these instructions work, and if they don't then we'll see if the difference lies in how we've set up our B2C apps.
As a bonus, I should mention that after you get a token you can paste it into https://jwt.ms/ to decode it and see if it recognized your B2C user correctly. Always refresh the page when pasting a new token to make sure it doesn't keep showing you the information from the last token.
I referred to this document.