ADALjs and Azure AD auth for Wep API project - azure

I have a client app and Web API app hosted on different domains and want to utilize ADAL.js in my client app to login in my Web API app, but still getting Unauthorized error.
In web api web.config I've specified my AAD details:
<add key="ida:AudienceUri" value="http://clientappurl/" />
<add key="ida:FederationMetadataLocation" value="https://login.windows.net/...3596365/federationmetadata/2007-06/federationmetadata.xml" />
<add key="ida:ClientId" value=".....388ffcc3" />
<add key="ida:ClientSecret" value="....gBsD7o=" />
<add key="ida:Tenant" value="........onmicrosoft.com" />
<add key="ida:TenantId" value="........96365" />
<add key="ida:Auth" value="https://login.windows.net/" />
<add key="ida:GraphUrl" value="https://graph.windows.net" />
And updated Startup.Auth.cs with following:
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Audience = "http://myclientapp",
Tenant = "developertenant.onmicrosoft.com",
AuthenticationType = "OAuth2Bearer",
});
On the client I've specified endpoints (my api url), tenant and clientId. ADALjs redirects user to microsoft login page and looks like after sucessfull login it writes some data to local storage. But API app still respondes with Unauthorized error.
Are there any tutorials on how properly configure wep api and client apps hosted on different domains to utilize AAD?
How can I read authorized user details like AAD user group from my Web API app?

Here is an example which shows how to read AAD group claims from a web app:
https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims
Once you have the tokens, you can then call a Web API, which is shown by this example:
https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect
There's a good list of AAD examples here:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/

Related

Azure App Service Can't Access SharePoint

We have a simple Azure App Service app and part of that app accesses a SharePoint doc library to upload files. This has worked for years but recently stopped working. We generated a new clientid and secret thinking that was the problem - still no luck. We have been working with Microsoft for 3 weeks on the problem and they have been useless - they don't even know what a doc library is most the time and all they do is "take screenshots and will get back."
I can get a token and use it to pull resources in Postman just fine.
The following is the code in web.config:
`<appSettings>
<add key="webpages:Version" value="3.0.0.0" />
<add key="webpages:Enabled" value="false" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
<add key="ida:ClientId" value="spclientid" />
<add key="ida:AADInstance" value="https://login.microsoftonline.com/" />
<add key="ida:ClientSecret" value="spclientsecret" />
<add key="ida:Domain" value="ourdomain.com" />
<add key="ida:TenantId" value="tenantid" />
<add key="ida:PostLogoutRedirectUri"
value="https://login.microsoftonline.com/common/oauth2/v2.0/logoutsession/" />
</appSettings>`
Errors:1
Error :2
Error: 3
At our rope's end with this one, any ideas?
Thanks in advance.
• You must use ‘AllowAppOnlyPolicy=true’ in your manifest file for the registered Azure AD sharepoint app to acquire token from the registered application in Azure AD on behalf of the service principal created through your ‘App Service’. Also, you can grant the required permissions for accessing the sharepoint online website through your ‘App service’ as shown below in the snapshot through the Azure AD app registration portal instead of the ‘App manifest’ file: -
Thus, when you are providing the correct permissions to the ‘Sharepoint’ portal through this ‘Service Principal’ in Azure AD for OAuth 2.0 as well as configuring the ‘Authentication’ token and protocols too correctly, the Azure App Service should be able to access the Sharepoint doc library to upload files.
• Finally, please once again check the correct value of the secret ID and its value that is being used to connect to the sharepoint website on behalf of the SP app in Azure AD. Also, do check the correct tenant ID, domain and AADInstance of the registered SP for your app service, the details of which you have mentioned in the ‘App settings.json’ file of the code.
For more details and clarification on this, kindly refer to the below links explaining the issues regarding the ‘Sharepoint’ token helper issues and CSOM platform issues regarding various browsers that are used to try to access the same: -
https://github.com/SharePoint/sp-dev-docs/issues/6955
https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient

debugging or error log for UseWindowsAzureActiveDirectoryBearerAuthentication in a azure web site?

I have an asp.net azure web api site, say myapi.azuresites.net, and my custom domain is myapi.mycompany.net.
In my web api, I use owin middleware to validate incoming token
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Tenant = Constants.AzureActiveDirectoryTenant,
TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = true,
// These values will be checked against what is received in the access token.
ValidAudiences = Constants.AzureActiveDirectoryValidAudiences
},
Provider = new OAuthBearerAuthenticationProviderEx()
});
I registered an app under azure AD and add some client secret in.
From postman, I can get an oauth2 token from Azure AD with the App id and the client secret.
I included this token in the header and sends to my azure web api.
My code uses owin middleware to validate the token
If I send the request to myapi.mycompany.net, the token validation works.
If I send the request to myapi.azuresites.net, the token validation fails.
I can't really figure out why the token validation fails when calling azure site directly. If I grab the azure site's web.config down to my local machine and it works there as well.
I suspected that my AD app didn't have the right redirect URLs, but verified that and can't see obvious issue.
So is there a way to log some information on why authentication fails? As it is a remote azure site, can I trap this failure as exception and throw some out?
Although not sure why my AD authentication works now, I did find a way to log owin failures for azure site.
Basically this will log owin information
<system.diagnostics>
<trace autoflush="true"/>
<sources>
<source name="Microsoft.Owin">
<listeners>
<add name="KatanaListener"/>
</listeners>
</source>
</sources>
<sharedListeners>
<add name="KatanaListener"
type="System.Diagnostics.TextWriterTraceListener"
initializeData="d:\home\logfiles\Katana.trace.log"
traceOutputOptions="ProcessId, DateTime"/>
</sharedListeners>
<switches>
<add name="Microsoft.Owin" value="Verbose"/>
</switches>
</system.diagnostics>

How to: Password Protect Azure App service

I have website that is Hosted in a Azure App Service. are there any options in azure so that I can put a password on the website. Ideally without changing the websites code.
Just a basic password or user name and password, doesn't need to be google or facebook login or AD login.
It is a .net based website and I have seen a few options to do this, but it means I have to change the code of the website in someway or another.
Surely with all that sophisticated cloud technology, I can go in to the portal and set a password at a server level? - Or is the only way to make some kind of change to the application?
It is possible to enable Basic Authentication for Azure Web Apps with some settings in the applicationHost.xdt. You can load some modules in this file on the start of your Web App.
Steps:
Navigate to your WebApp in the Azure Portal
In the left menu, search for the header Development Tools an select Advanced Tools (Kudu)
Use the Debug Console > CMD tool, to navigate to the WebApp directory: \home\site
Create a file named: applicationHost.xdt
Paste the following:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<location path="%XDT_SITENAME%" xdt:Locator="Match(path)">
<system.webServer>
<rewrite xdt:Transform="InsertIfMissing">
<allowedServerVariables xdt:Transform="InsertIfMissing">
<add name="RESPONSE_WWW_AUTHENTICATE" xdt:Locator="Match(name)" xdt:Transform="InsertIfMissing" />
</allowedServerVariables>
<rules xdt:Transform="InsertIfMissing">
<rule name="BasicAuthentication" stopProcessing="true" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)">
<match url=".*" />
<conditions>
<add input="{HTTP_AUTHORIZATION}" pattern="^Basic dXNlcjpwYXNzd29yZA==" ignoreCase="false" negate="true" />
</conditions>
<action type="CustomResponse" statusCode="401" statusReason="Unauthorized" statusDescription="Unauthorized" />
<serverVariables>
<set name="RESPONSE_WWW_AUTHENTICATE" value="Basic realm=Project" />
</serverVariables>
</rule>
</rules>
</rewrite>
</system.webServer>
</location>
</configuration>
Change the Basic Auth to your liking (default in example is: user:password)
Make sure the web.config rewrite rules don't contain <clear /> as this wil remove the effects from the applicationHost.xdt file
Save the file and Stop and Start your WebApp (a simple Restart will not suffice)
Notes:
Not sure if this works on Linux based WebApps..
You can add this step to you're deployment pipelines by using FTP
Update: I've noticed issues with applicationHost.xdt while using it on secondary Web App slots. Only the primary slot seems to work.
PS: Cross-post from my answer here.
You can use Authentication and authorization in Azure App Service.
Authentication/Authorization was previously known as Easy Auth.
Azure App Service provides built-in authentication and authorization support, so you can sign in users and access data by writing minimal or no code in your web app, RESTful API, and mobile back end, and also Azure Functions. This article describes how App Service helps simplify authentication and authorization for your app.
Source: Authentication and authorization in Azure App Service and Azure Functions.
EDIT:
The above is a solution to have a password protected App Service without changing any code whatsoever. At this point there is no alternative, as you can see in the open feedback issue Allow HTTP Basic authentication on basic apps
Hi everyone, we understand the demand for this feature, but we do not plan to support authentication at this level. We suggest using EasyAuth for this scenario.
https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
EDIT 2:
This method forces the user to use google or facebook, etc...
This is not true. You can also create a user in your Azure Active Directory and use that one with Easy Auth. The username would be something like username#<YOUR-TENANT>.onmicrosoft.com

Azure Authenticated Web Api Error only with POST calls

would you help me?
i've created a web api on azure and chose not to allow anonymous requests but to use azure active directory to authenticate the requests. the app beneath has "sign-in and read user profile" permissions set.
if the controller behind the web api accepts GET requests it works, while it gives me the error : "You do not have permission to view this directory or page."
before i call the web api i open a iframe on the page (sharepoint page) to implicitly get the token from the web api, which calls the basic GET action below:
[ActionName("Connect")]
[HttpGet]
public IHttpActionResult Connect()
{
return base.Content(HttpStatusCode.OK, "OK", new JsonMediaTypeFormatter(), "text/plain");
}
later on i call via jquery another action (POST)...
public IHttpActionResult PostPromote([FromBody] string request)
but at this point i receive the 403 (Forbidden) message.
the CORS for my webapi is set in the web.config file:
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="https://mytenant.sharepoint.com" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
<add name="Access-Control-Allow-Credentials" value="true"/>
</customHeaders>
</httpProtocol>
if i switch the method to GET it works, as well as (of course) if i permit anonymous requests.
thank you a lot, that's making me crazy.

Azure Active directory Sharepoint & Graph API

I am in a bit of confusion how to get a bearer token that will work for a sharepoint sites as well as the graph api.
We are using MFA (Multi factor authentication) so we get a text message when the user tries to login. This all works and we get a token back but the resource I am pointing to is https://srmukdev.sharepoint.com/, how can we use this token to access the https://graph.microsoft.com/ api.
At the moment it doesn't work. I can make separate login requests, but we dont want to do this as it's required to access both parts with the same token? is there a method that can translate one token to another? something that works at least?
You can see the current difference is the ResourceUrl
The sharepoint api details I use
<add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />
<add key="ida:Tenant" value="srmukdev.onmicrosoft.com" />
<add key="ida:ApplicationId" value="000000-0000-0000-0000-0000000" />
<add key="ida:RedirectUri" value="http://someuri/" />
<add key="ida.ResourceUrl" value="https://srmukdev.sharepoint.com/" />
The graph api details I use
<add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />
<add key="ida:Tenant" value="srmukdev.onmicrosoft.com" />
<add key="ida:ApplicationId" value="000000-0000-0000-0000-0000000" />
<add key="ida:RedirectUri" value="http://someuri/" />
<add key="ida.ResourceUrl" value="https://graph.microsoft.com/" />
Many thanks
Let's start by saying that you cannot get a token which will work for both the Microsoft Graph API and the SharePoint API directly. Tokens are created with specific audiences, and as a part of token validation by the Web API, they will check that the audience of the token matches their unique identifier.
I think one possible solution here is to realize that the Microsoft Graph token already gives you access to the SharePoint API. See the documentation here. You should be able to get a token for just the Microsoft Graph, and then use the Microsoft Graph specific endpoints to get data from your SharePoint. This is one of the problems the Microsoft Graph is trying to solve. A single endpoint and token to access all of your Microsoft data.
Another solution is to use the authorization code you receive to request two tokens to the two different endpoints. Depending on what libraries you are using, and the specific flow you are following, this may be harder than not to accomplish, but in general, the authorization code grant flow is used to sign in a user. After the user is redirected to the Microsoft Login Page, and then successfully signs in, your service receives an authorization code, which it then exchanges for an access token using the Token Endpoint. This authorization code can be used to get an access token for any resource the client has been configured to call, so you can call the token endpoint twice, with two different resource values, and get back two access tokens. I do this in one of my Python/Flask samples.
Finally, assuming you got back an access token and refresh token for a particular resource, you could then use the refresh token to get a token for a different resource the app has been authorized for.
The refresh token issued by Azure AD can be used to access multiple
resources. For example, if you have a client application that has
permission to call two web APIs, the refresh token can be used to get
an access token to the other web API as well.
See here for a look at how to do this.

Resources