I have created an Azure AD native client application and have given it delegated permissions to the Azure Service Management API. Now, I'm able to invoke the Service Management API using my ID from a Windows Phone 8.1 app using the ADAL library. However, another user can't invoke operations on their subscription even though I add them as co-administrator in my directory. I get the token for the user, but when I try to make an API call, I get 'Invalid token:A security token exception occurred for the JWT token'. Is there a way to allow another user to access details about his subscriptions using ADAL authentication from an AD app hosted in someone else's AD? I have searched for any related information for quite some time and I'd gladly take any help.
Here is my interpretation of what you are doing.
You have a native app and it is connected to your tenant and it works fine for accessing service management APIs in your tenant/subscription.
You gave the app to a friend and they are trying to use it to access service management APIs in their tenant/subscription.
The suggestion above in the comment is on the right track, but you need to look at the steps for making your native application multi-tenant. This way, the AD service will know to look for the tenant of the authenticated user. Changing the URL to use 'common' instead of the tenant ID is one of the steps required. Here are a couple of posts to help with that transition.
http://www.cloudidentity.com/blog/2013/04/09/walkthrough-3-developing-multi-tenant-web-applications-with-windows-azure-ad/
This is a native client example of multi-tenant for a Windows Store app. I could not find one in the repo for a phone app. Hopefully, this gets you on the right track.
https://github.com/AzureADSamples/NativeClient-WebAPI-MultiTenant-WindowsStore
I am designing my first dev tool with the Azure SDK (JavaScript), and I am having a difficult time understanding how to authenticate users in production so the dev tool can access the user's Azure account. The tool is going to retrieve metrics from all of the user's Azure Functions in their tenant to display React component graphs based on those metrics over time. The app will be run locally with an npm run command.
My entry point for using Azure Identity in my app was this blog post (https://devblogs.microsoft.com/azure-sdk/authentication-and-the-azure-sdk/). I like the way the DefaultAzureCredential is working in development, using the tenant for whichever developer is running it by using the AzureCliCredential. I want a similar functionality for production, but for the browser instead of Azure Cli. In other words, if a user is already logged in to Azure Portal, it will get a credential for their tenant. How do I go about this?
One of the things I tried was opting into the Interactive Browser of the DefaultAzureCredential as described in that blog post. But even though I could see the browser method in the source (https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/src/credentials/defaultAzureCredential.browser.ts), I couldn't figure out how to opt into this when using the actual SDK. I couldn't find that method in the npm package of Azure Identity, and the documentation (https://learn.microsoft.com/en-us/javascript/api/#azure/identity/defaultazurecredentialoptions?view=azure-node-latest) didn't help me either. If this is the correct option for my use case, I would like to understand how to opt into it and use it.
Another thing I tried was implementing the InteractiveBrowserCredential. As long as I pass in a redirectUri with a port not already being used by my app, it does open another tab to tell me to log in to the Azure Portal if I am not already logged in. This is exactly the user experience I would want in my app. However, after logging in the credential didn't actually do anything. The credential returned actually has a client ID equal to the application ID (04b07795-8ddb-461a-bbee-02f9e1bf7b46) of Azure CLI (https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in) for some reason. This led me to look into the InteractiveBrowserCredential and find out that it is using the Authorization Code Flow (https://learn.microsoft.com/en-us/javascript/api/#azure/identity/interactivebrowsercredential?view=azure-node-latest). This flow doesn't seem right for my use case, since I have to register my app. I am not trying to grant users access to my app, but access to their own Azure account. Is InteractiveBrowserCredential what I should be using?
Next, I looked into all of the different authentication flows. None of them seem quite right for my use case though. The closest one I found was the client credentials flow (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow), since I am authenticating the user to their own Azure account and not my app. However, even this one doesn't seem quite right, because when I looked up how to implement that flow with Azure Identity (https://github.com/Azure/azure-sdk-for-js/blob/main/documentation/using-azure-identity.md#clientsecretcredential-and-clientcertificatecredential) I found out that I have to pass in the tenant ID. But the app won't know the user's tenant ID before they log in. Which flow is right for this use case?
It seems like there is a gap in my understanding. How can I use the Azure SDK to implement an authentication flow that authenticates the user to their own Azure tenant (not authenticates them to my app) through the browser?
Thank you ShwetaMathur for answering this question in Q & A. Posting the same here to help Stack Overflow community members.
For Azure AD users to access your application, your application also needs to be registered in Azure AD.
Once your application is registered, you can acquire the access token via different OAuth flows, which is needed to call various resources (users in your case) or protected APIs, depending on your scenario.
Azure Identity TokenCredential provides various flows to obtain an access token based on different scenarios.
InteractiveBrowserCredential is one way to launch the system default browser to interactively authenticate a user and obtain an access token.
Using the access token, you can retrieve the user's info or access any other resource in the Azure tenant. The InteractiveBrowserCredential uses the Authorization Code Flow to authenticate users for browser-based applications and to access resources further.
The client credentials flow is an OAuth flow commonly used for server-to-server interactions that usually run in the background, without immediate interaction with a user, and helps to acquire the token and call protected web APIs.
Complete reference
I have a .NET Core API and an Angular Node.js application that I have deployed to Azure as App Services. I have registered both. I was able to successfully set up both with authentication permissions, with permissions only for users within my Azure domain. When anyone attempts to access either the API or the application they must log in and authenticate through Microsoft.
What I need now is for my app to be able to call endpoints on my API. I want my app to have full permission so that I don't have to specify permissions on specific endpoints. I also want this to all be handled through Azure, not through specific token requests in my Angular code when calling the API. How can I accomplish this?
I have searched a lot of the documentation, but cannot find out how to accomplish this. I also walked through the option of setting up explicit permissions, but I can't get that to work either.
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis
The suggestions in the comments already cover the information you need.
I summarize it simply as below so that this post is easier to find, which can help more people.
To protect your API with Azure AD, you need to register two Azure AD apps, one is for client app and the other is for API app.
In the API app, you need to expose an API. By doing step 7 and step 8, you can expose the scope.
Then you need to configure the client app. With step 8 here, you can add the permission (scope) which is exposed by API app to the client app.
You can use MSAL to request the access token, which includes this permission (scope). You can verify it in your code. If the permission is what you expected, the client is allowed to access your API.
Newbie alert
I have successfully configured ADAL authentication using python code.
I have used the following code:
https://github.com/AzureAD/azure-activedirectory-library-for-python/blob/dev/sample/website_sample.py
So I am now able to log in to the app configured in my Azure account and retrieve the access token, refresh token, etc.
Next
I have an application that has user role based permitted actions.
Upon successful login in Azure, the App must check the user role and open the pages based on the user's role.
I used React JS and Python to build my app.
Now I am clueless as to how to integrate my user roles with the app.
Can anyone of you suggest any reading materials or solutions to this?
Thank you.
I have read about ADAL authentication but did not find the process for post-authentication.
https://github.com/AzureAD/azure-activedirectory-library-for-python/blob/dev/sample/website_sample.py
I want any architecture plan or sample code in Python/JS where the token from ADAL authentication is retrieved and used to log in to the application.
You can implement RBAC using Azure AD's Application Roles & Role Claims feature or using Azure AD Groups and Group Claims. You can add roles using the manifest in Azure AD and also in the app itself.
This is by far the best sample and guide for adding RBAC and using ADAL. I was able to get a working sample going quickly from this.
https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims
I have a React Native app, calling an Azure Api App authenticated with Azure Active Directory, where the associated app in App Registrations is of type Native.
I have tried using a Web app / API application type (multi tenant). I switched away from that though, because I thought I wouldn't have to provide a client_secret. That didn't work, but I prefer that way, since I can control which tenants have access to my api.
I currently get a code by displaying https://login.microsoftonline.com/common/oauth2/authorize... in a webview where the user signs in and consents. I then try to get an access_token from AAD - I haven't successfully gotten an access_token without storing the client_secret in the app.
Every user of the app is registered in an Azure Active Directory tenant on another account - the app is not public, so I manage users.
All the authentication flows I have looked at don't seem like they fit my criteria though. I'm obviously not the first with this problem in Azure, so I need someone to tell me where I'm going wrong. Thanks :)
I am trying to have two applications (app1 and app2) in Azure AD B2C: one is configured as a Web API and the other is configured for a mobile app.
I need my mobile app to talk to app1 and get the access token, using app1's application ID and scope, then use the access token obtained from app1 to communicate with app2. I enabled SSO at the tenant level in the policies, but it still says "Authorization denied" for the access token provided.
How can I reuse the access token obtained from one application in another application?
We have been trying to get through this limitation (or function as designed for security) of B2C AD for weeks.
However, Microsoft does not support it.
We did not want to display the MS login page to the mobile user on the mobile login screen (UX gets compromised). But MS says there is no way possible to avoid it. See the response from MS on the support ticket.
For more information: Azure AD B2C: Requesting access tokens
You will also benefit from reading the supported authentication scenarios. We are after something similar to what they call "Daemon or Server Application to Web API".
In this diagram, Server Application = mobile application in our case. However, you will notice that in this scenario it is assumed that the user is already authenticated (via an interactive flow).
We tried to act smart, thinking we could write an Auth web API which the mobile app would hit to obtain a token and then pass this token to our business logic API (secured by B2C AD). We obtained access and refresh tokens somehow; however, when the test web app (mobile app) passes this access token to our business logic API, it fails to validate the token. B2C AD comes fighting for it. Our analysis is not yet complete.
However, I am certain what we are trying to accomplish is not supported in B2C AD.
Hope this helps (I would actually advise you to look for other solution). I will be happy if someone can suggest a way to solve this obvious business problem.
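As an added example (not code from any of the posts above, nor from Microsoft's libraries), here are the claim checks an API runs on an Azure AD access token: the scope verification mentioned in the Web API answer, the `roles` claim from the RBAC answer, and the audience check that explains why a token issued for app1 is rejected by app2 in the B2C question. Node.js is assumed; audiences, tenant IDs, role names and tokens are constructed, and the signature is deliberately not verified here.

```javascript
// Added example, not code from any post above. Assumes Node.js (Buffer); audiences, tenant
// IDs, roles and tokens are constructed. The signature is NOT checked: a real API must first
// verify it against the tenant's signing keys (e.g. with the jose library) before trusting claims.

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Claim checks an API enforces before honouring a request:
//  - aud: token was issued for THIS API (a token for app1 is rejected by app2)
//  - tid: with the multi-tenant 'common' authority, only allow-listed tenants may call
//  - exp: token has not expired
//  - scp: the delegated scope the endpoint requires (roles are returned for RBAC below)
function validateAccessToken(token, opts) {
  const p = decodeJwtPayload(token);
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  if (p.aud !== opts.expectedAudience) return { ok: false, reason: 'audience mismatch' };
  if (!opts.allowedTenants.includes(p.tid)) return { ok: false, reason: 'tenant not allowed' };
  if (typeof p.exp !== 'number' || p.exp <= now) return { ok: false, reason: 'token expired' };
  const scopes = (p.scp || '').split(' ').filter(Boolean);
  if (opts.requiredScope && !scopes.includes(opts.requiredScope)) {
    return { ok: false, reason: 'missing scope' };
  }
  return { ok: true, scopes, roles: Array.isArray(p.roles) ? p.roles : [], tid: p.tid };
}

// RBAC: app roles declared in the app manifest arrive in the 'roles' claim; map them to pages.
const PAGES_BY_ROLE = { Admin: ['dashboard', 'settings', 'users'], Reader: ['dashboard'] };
function permittedPages(roles) {
  return [...new Set(roles.flatMap((r) => PAGES_BY_ROLE[r] || []))].sort();
}

// Constructed test token: header and signature are placeholders, only the payload is used.
function makeTestToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}
// e.g. validateAccessToken(tok, { expectedAudience: 'api://app1', allowedTenants: ['tenant-a'] })
```

A token minted for app1's audience fails the first check at app2 no matter how SSO is configured, which is the "Authorization denied" seen above.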