Is it possible to request a security token on java or C# from AD FS using implicit grant flow ? It looks like that is only possible in JS (in a browser). Thank you in advance for your answers.
ADFS 3.0 only supports authorization code grant.
ADFS vNext (Server 2016) will support this.
Azure AD also supports this currently.
Related
Current State: I have a mobile application that signs users into Azure AD via OAuth using the PKCE flow. Once authenticated, the app uses a token to get various forms of data from some APIs.
As the application has evolved, the need to integrate SSO with another web application has come up (and there will be further service providers added as we move forward). It will act as a service provider and it supports IDP initiated authentication via SAML.
Question: once this service provider is configured under the AD tenant, is there a way to exchange or translate our OAuth token for something that can be passed on to the the SAML SP without having to re-authenticate? Am I even thinking about this in the right way? I'm mainly curious if we will need to re-implement authentication in the mobile app to support SAML (i.e. stand up some sort of web-based SAML service that can act as a proxy for the mobile application)? If that route is a necessity to accomplish our requirements, I'm assuming there's a way to still get a valid OAuth or equivalent token we can use to send to our APIs.
Apologies if this is a repeat question, but I couldn't find anything with similar specifics. Thanks in advance!
You can surely use the OAuth 2.0 OBO flow that allows an OAuth2-based application to access web service API endpoints that consume SAML tokens. You can read more here and it has some really good guidance on how to achieve the same:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#saml-assertions-obtained-with-an-oauth20-obo-flow
Make sure that you SAML request is well formulated per the details mentioned here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol
Can someone help to login to an application having Microsoft OAuth authentication using JMeter? I'm having trouble to identify the unique token that is being used in the login call. Is there a way to identify?
Which exactly OAuth?
As of now the following OAuth 2.0 and OpenID Connect protocols are implemented/supported:
OpenID Connect
OAuth 2.0 implicit grant flow
OAuth 2.0 auth code grant
OAuth 2.0 on-behalf-of flow
OAuth 2.0 client credentials grant
The instructions will differ depending on your application authentication flow and covering all of them with examples in a single answer.
The universal way would be using i.e. MSAL library from the JSR223 Test Elements using Groovy language in order to get the access token.
I've been asked to integrate a new web app with our B2C implementation and the requirement is to support the Grant Flow with PKCE.
Does B2C/IEF support this? Any pointers as to steps required?
I'm hopeful as I've found this reference in the AD docs, which references code_challenge and code_challenge_method parameters in the request to the /authorize endpoint.
Thanks
Mark
According to this developer announcement and this documentation issue, it is supported, although it isn't enabled for the implicit flow AFAIK.
it sounds like you are trying to create a web based application that can only use Auth code with PKCE per the new OAuth guidelines. Please refer to the following post in regards to the new OAuth rules and Microsoft's Auth process : https://developer.microsoft.com/en-us/identity/blogs/our-thoughts-on-implicit-grant-with-microsoft-identity/
Microsoft's suggestion is to utilize the Microsoft Libraries to do authentication, that is using either ADAL/MSAL.
As it's a B2C Application you will want to use MSAL. For more information on using MSAL please refer to : https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-b2c-overview
We have a vendor membership management solution to manage our members, Netforum Pro. They provide a Web API via Rest or Soap for external applications to authenticate.
We would like to use Moodle as Learning Management System for our members. However, Moodle has an authentication plugin for SAML.
Can we use OneLogin as a middle agent in this situation?
Thanks
Linh N.
OneLogin acts as Identity Provider and has toolkits that will help you authenticate requests when used by application providers. In your case it looks like Moodle has already the functionality that you would implement with the OL toolkit and that NetForum is the Identity Provider. So using OneLogin won't help much.
You should look into http://documentation.abila.com/netforum-enterprise/2017.1/Content/Admin/Security/SAML.htm
I wrote a little server in node.js and deployed it to Azure WebApp. I want to add service-to-service authentication using Azure AD OAuth (like this flow). I alredy did this in another WebApi sevice using Katana.
So, I found the official library for this, and it work great. The only problem is that the library use the ursa module, which is a native module. And, like explained here it is not easy to deploy a WebApp with native modules.
So, my question is - what is the best approach? How I could accomplish authentication using Azure AD OAuth?
Thanks,
Omer
Take a look at the Authentication / Authorization feature of Azure Web Apps. It allows you to do OAuth 2.0 service-to-service auth flows using Azure AD, no code changes necessary (also, it works with any stack, not just node.js).
More high-level info here: http://azure.microsoft.com/blog/2014/11/13/azure-websites-authentication-authorization/
The post is a bit dated and doesn't mention the recently added support for APIs, but if your client can acquire an OAuth token from Azure AD, you can send it to your node.js server as a bearer token in the Authorization header of your HTTP request and have the authorization just work.
Two things to be aware of if you go down this route:
Authentication / Authorization currently blocks ALL unauthenticated access to your node.js API. You won't be able to say that some APIs are protected and some are not.
The JWT token that you send to your node.js API must use the client_id GUID value as the value for the "aud" claim. Using the app URI (as shown in some Azure AD samples) will not work.
Give it a try and see if it works for you.