azure active directory & postman - azure

I have an Azure web API application which is secured by an Azure Active Directory tenant. Through Postman I am trying to obtain the OAuth2 access token using Postman's OAuth2 helper. The "Get Access Token" form requires four bits of info: the tenant auth endpoint, the tenant token endpoint, the client ID and the client secret of the associated tenant application. It also seems that the tenant application reply URL must include https://www.getpostman.com/oauth2/callback, which is where Postman is supposed to retrieve the token into the helper.
I can't get this to work. The "Get Access Token" button reports back an error, but it is very hard to decipher what the error is: the debug URL reveals nothing really.
Has anyone had any experience attempting to get an AAD OAuth access token with Postman's OAuth2 helper? If so, do you have any hints as to where I should look to debug what is going on?

The extension sadly lacks one critical field for Azure AD. AAD must know what resource you want the token for, since a token will not work for all APIs that your app has permissions for. The authorization code is actually retrieved successfully, but the request to the token endpoint fails with an error message about the missing resource identifier. So you can't use it with AAD; neither the authorization code nor the client credentials flow works.
Update: The Azure AD v2 endpoint allows you to use the scope parameter instead of resource, which Postman does support!

You can set the resource ID as a parameter to the Auth URL.
Auth URL: https://_______________?resource=https://_________

I am attempting the same authentication flow with the Postman app (vs. the extension). Watching Fiddler, it appears that the authorization grant is coming back, as I see a response from AAD of the form GET https://www.getpostman.com/oauth2/callback?code=AAABAAAAiL9Kn2Z27UubvWFPbm0gLTo3oWq....
I'm assuming the "code" is the authorization grant because if I attempt to use it as the access token it is unauthorized. Also, the Fiddler session responds with a 301 Moved Permanently to https://app.getpostman.com/oauth2/callback...
This is my experience with AAD and Postman. You should first validate that you successfully authenticated through AAD and Postman.

Adapted from this post:
1. Set up a dedicated 'postman-test' app registration in your AD tenant, with permission to access your target API. Ensure it has the Postman callback URL previously mentioned.
2. Fill in Postman's OAuth helper form with the following details:
Token Name – Any name to save the token.
Auth Url – https://login.microsoftonline.com/{tenant}/oauth2/authorize?resource={testing-appId-uri}
Access Token Url – https://login.microsoftonline.com/{tenant}/oauth2/token
Client ID – Client ID from the configure tab of the "postman-test" app.
Client Secret – Client secret copied from the configure tab of the "postman-test" app.
Grant Type – Authorization Code
Note:
{tenant} can be either the name of the Active Directory or the TenantId of the admin who created the Active Directory.
{testing-appId-uri} is the App ID URI of the application you are testing. It should include the http:// or https:// prefix and does not need escaping.
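The v1 authorization code exchange that the answers above describe, as an added example that is not part of the original posts: it builds the authorize URL with the resource parameter Postman's helper omits, pulls the code out of the callback redirect (failing closed on an error or a state mismatch), and assembles the token-endpoint request. The tenant, client ID, secret and App ID URI values are placeholders you supply.

```python
# Added example, not from the original post; all identifiers below are placeholders.
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORITY = "https://login.microsoftonline.com"
# Postman's OAuth2 helper callback, as named in the question above
REDIRECT_URI = "https://www.getpostman.com/oauth2/callback"


def build_authorize_url(tenant, client_id, resource, state, redirect_uri=REDIRECT_URI):
    """v1 authorize URL; 'resource' names the API the token is for, which AAD v1 requires."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "resource": resource,
        "state": state,  # random per-request value; checked again in parse_callback
    }
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect; fail closed on error or state mismatch."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        desc = query.get("error_description", [""])[0]
        raise ValueError(f"AAD returned {query['error'][0]}: {desc}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    return query["code"][0]


def build_token_request(tenant, client_id, client_secret, code, resource, redirect_uri=REDIRECT_URI):
    """URL and form body for the v1 token endpoint; 'resource' is sent again here."""
    url = f"{AUTHORITY}/{tenant}/oauth2/token"
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "resource": resource,
    }
    return url, body
```

POST the returned body as application/x-www-form-urlencoded to the returned URL; the same parameters are what Postman sends behind its form.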

Related

Incomplete bearer token when using authentication-managed-identity tag in azure api management

I've been trying to expose an API through azure API Management and I can't figure out what I'm doing wrong. Here's the situation:
My API is going to be called from an external application
They don't have an Azure Account in the same tenant
I want to enable external calls for my API by just using a subscription key (hence, why I'm using API Management), but also want to keep my actual API secured with Azure AD.
I have an API which is secured with Azure AD using OAuth2 and published into a Windows AppService
I have an App registration for that API, which i use to authenticate (it works from postman, for example)
[screenshot: app registration]
I have Managed Identities turned on and permissions set.
I have added the API in API management
I added the authentication-managed-identity inbound rule, used the API Id Uri of the app registration as the resource value for it.
[screenshot: API Management config]
When testing an endpoint from the APIM interface, I can successfully get a bearer token, but I get a 500 exception from the API which says: Neither scope or roles claim was found in the bearer token
[screenshot: bearer response]
Here is the decoded bearer token, it doesn't have a scp attribute
[screenshot: bearer token decoded]
I'm not sure where I can specify a scope. If I use the full scope uri (api://guid/access.api.management) it will fail when trying to get a bearer token (The resource principal named api://guid/access.api.management was not found in the tenant).
I've even tried adding the Owner role to the APIM Identity for the AppService.
Maybe I'm not using this correctly, I'm pretty new at using Azure cloud and API Management so any suggestions are welcome.
Thanks.
You have exposed an API protected by Azure AD, and currently you have an API application. Next, you need to create another application that represents the client, and then add the client application to the API application.
Next, go to the client application.
Under 'API permissions' click on 'Add permission', then click on the 'My APIs' tab.
Find your api application and select the appropriate scope.
Click 'Add permissions'.
Grant admin consent for your APIs.
Next, you need to use the auth code flow to obtain an access token, which requires you to log in as the user and obtain the authorization code, and then use the authorization code to redeem the access token.
1. Request an authorization code in the browser.
https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client app client id}
&response_type=code
&redirect_uri={redirect_uri}
&response_mode=query
&scope=api://{api app client id}/{scope name}
&state=12345
2. Redeem the token.
Parse the token:
I managed to get it working using the client credentials flow and storing the client secret in key vault.
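The check that produced the "Neither scope or roles claim was found in the bearer token" error, as an added example that is not from the original posts: it decodes the token payload and accepts it only if the audience matches and either an scp claim (delegated flows) or a roles claim (app-only flows such as client credentials or a managed identity) is present. The tokens it handles are constructed, unsigned samples; signature verification is a separate, mandatory step that this code does not perform.

```python
# Added example, not from the original post; sample tokens are constructed and unsigned.
import base64
import json
import time


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims):
    """Constructed, unsigned JWT-shaped string for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysignature"


def decode_claims(token):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_authorization(token, expected_aud, now=None):
    """Return ('scp', scopes) or ('roles', roles) if the token is acceptable, else raise.

    Signature verification against the tenant's signing keys is a separate,
    mandatory step (done by the API's JWT middleware) and is not performed here.
    """
    claims = decode_claims(token)
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if claims.get("aud") != expected_aud:
        raise PermissionError(f"audience {claims.get('aud')!r} is not {expected_aud!r}")
    if "scp" in claims:
        # delegated flows (authorization code, ROPC): space-separated scope names
        return "scp", claims["scp"].split()
    if "roles" in claims:
        # app-only flows (client credentials, managed identity): assigned app roles
        return "roles", list(claims["roles"])
    raise PermissionError("neither scp nor roles claim found; an app-only caller needs an app role assignment")
```

A token obtained with a managed identity or client credentials never carries scp; it carries roles only when the calling service principal has been assigned an app role on the API's app registration, which is why the decoded token in the question shows neither.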

Is the Azure Active Directory Access Token valid for ReAuthentication with a Custom WCF Policy?

I am retrieving an Azure AD access token using MSAL.js at the client and passing it as the Authorization header to a web API hosted in WCF API Management. But I get an error along with all the proper response data, as well as my username and email:
Cannot validate access token. IDX10501: Signature validation failed.
Key tried: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey
The API is a WCF service configured with a custom policy binding for OAuth with the metadataEndpoint, or even the v2 version https://login.microsoftonline.com/{tenantid}/.well-known/openid-configuration.
I guess the Azure AD Access token that I have is not meant for validating authentication again.
My guess is I might be missing permissions on the App registration, but I couldn't find an API permission for exactly authentication/authorization.
I believe with the new Azure AD, we cannot authenticate in the earlier manner by just passing a token and need to use the MSAL standard libraries.
Could someone shed some more light on this.
I used an ID Token and then it worked. You get 2 tokens when authenticated so the ID token seems to work.

Azure AD B2C for API with sign in and sign up with API (not HTML page)

OK, done. I could finally set up my AD B2C with my web API and with Postman. To do so I followed the instructions here.
Now, in Postman when I click "Get New Access Token" in the Authorization tab, the system redirects me to the HTML sign in/up page from Microsoft and I need to enter my credentials. I don't want that. I want to use a predefined login and password because I want to simulate the sign in/up using the API only: something where I use the body or header to send my credentials and get the token.
I think I should play with the Grant Type property. Is it correct?
---- EDIT 1 ----
I found this tutorial and I did this
But it is not working and I don't know what to put in Client Secret. Here is my Postman log
Also I wanted to show this in case this can be relevant:
Firstly, you must create a resource owner password credentials (ROPC) flow, which enables credentials to be POSTed from Postman to Azure AD B2C's token endpoint.
Also, you must register Postman as a native client application, so that it can use this ROPC flow.
Then, in Postman, you can enter the following settings:
Grant Type: Password Credentials
Access Token URL: https://{your-tenant-name}.b2clogin.com/{your-tenant-name}.onmicrosoft.com/{your-ropc-policy-name}/oauth2/v2.0/token
Client ID: Set to the client identifier for the Postman application
Client Secret: Set to an empty string
Scope: openid {your-postman-client-id} {any-api-published-scopes}
Client Authentication: Send client credentials in body

Need help setting up Azure AD B2C SSO with Knack

Knack has an option to set up custom Single Sign On options. There are a few items I am unclear on as to where to find on Azure AD B2C. According to their help article, I must provide the following information for OAuth 2.0:
Authorization URL: the URL that your user is redirected to obtain permissions when they click the SSO button.
Access Token URL: used to obtain a token to verify future requests to the authentication provider to act on your user’s behalf.
Profile URL (OAuth only) - the URL where information about a user’s account can be retrieved. The Profile URL will be sent a GET request authenticated by the user’s token, and will be expected to return a JSON object.
For Authorization URL, I have tried to supply the 'Sign-up or Sign-in' Policy endpoint as that takes you to the login page. I think this is right however I am unsure.
For Access Token URL, I have tried either the Authorization Endpoint or Token Endpoint, but I'm not sure if those are right.
"authorization_endpoint": "https://login.microsoftonline.com/zyxelcustomers.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1_zyxelcustomerssusi"
"token_endpoint": "https://login.microsoftonline.com/zyxelcustomers.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_zyxelcustomerssusi"
For Profile URL, I actually have no idea where I would find this on Azure AD B2C.
Single Sign On is new to me and I have gone through Azure AD documentation to try to help myself, but ultimately I am stuck.
Thanks in advance for your help and please let me know what other information I can provide.
Edit 9/26/2017:
This B2C documentation describes the purpose of Authorization URL and Access Token URL.
In short, Authorization URL is the endpoint to send the user to enter their credentials. If credentials are valid, an authorization code will be returned via URL to the designated Reply URL. The client app will then use the returned authorization code to request for an access token from the Access Token URL. If successful, the client can now attach the access token as a Bearer token in the Authorization header to authorize future API calls before the token expires.
Unfortunately, as of this time of writing, AADB2C does not support calling the Azure AD Graph or Microsoft Graph API for user profile information.
You should not need to provide a Profile URL since Azure AD B2C uses Open ID Connect, and not OAuth (similar protocols, but not identical). The Profile URL field is optional, so try configuring it without filling out the field.

How to Add users to Azure Active Directory with Graph API

I am trying to understand how Azure Active Directory Graph API works for adding users to the directory. According to this:
http://msdn.microsoft.com/en-us/library/azure/dn130117.aspx
I need to access the graph API URL and pass in something called a "bearer token" in the "Authorization" header so that it will allow me to add the user specified in the request's body. However, I have no idea where I can get one of these tokens. All my research points to the user having to be already authenticated to get a token, which kind of defeats the point, since I want to add the user so he can authenticate.
I have configured my app in the Azure Management Portal, and thought the bearer token was the "Client ID" that I get when I go to my added applications in the Directory. But when I pass this number to the Graph API, I get "Access Token Missing or malformed". I am testing this using the Fiddler Web Debugger app.
These 2 posts describe very thoroughly the steps to get the required token in 2 different scenarios:
Authorization Code Grant flow: http://msdn.microsoft.com/en-us/library/azure/dn645542.aspx
Client Credentials Grant flow: http://msdn.microsoft.com/en-us/library/azure/dn645543.aspx
If you want to use the Client Id and Client Key to authenticate your client to Azure Active Directory, then you should read the 2nd article. The first one is to authenticate an already existing user.
If you want to programmatically get the OAuth2 token, then you could use the AAD authentication libraries: http://msdn.microsoft.com/en-us/library/azure/dn151135.aspx