Cannot get complete signed in user AAD details through the azure graph api - node.js

I used the https://github.com/Wintellect/node-azure-oauth sample code to authenticate with OAuth2 against Azure Active Directory, and it is working fine for O365 users (any domain).
Then I added the https://github.com/fhellwig/azure-graphapi code to call the Azure Graph API to get user group data using the access token.
But it only shows my Active Directory data (the directory in which the application is registered), not the signed-in user's data.
I changed the multi-tenant and application permission configuration options, but without success, and I use my tenant (ex: abcedf#onmicrosoft.com) to call the Graph API.
How do I pull the signed-in user's details?

If you have an identifier for your user, then you can make the following REST call:
GET graph.windows.net/myorganization/users/#User_Identifier_Here#/memberOf?api-version=1.5
User identifiers can be the user's objectId or the user's user principal name. For example, if you had the user principal name of the user, the query would be:
GET graph.windows.net/myorganization/users/user@contoso.com/memberOf?api-version=1.5
This is included in the list of queries here:
https://msdn.microsoft.com/en-us/library/azure/jj126255.aspx

The tenant id should belong to the end user's tenant, not the publisher's tenant, with the bearer authorization header:
https://graph.windows.net/<tenant id>/table?api-version=1.5
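Added example (not code from the question or the linked samples): a Node.js helper that takes the user's tenant from the tid claim of their own access token, as the answer above requires, and builds the Azure AD Graph memberOf request from it. The GUIDs and the token are constructed for illustration; fetchMemberOf assumes a Node version with global fetch.

```javascript
// Added example, not code from the question or the linked samples: build the Azure AD
// Graph "memberOf" request for the signed-in user from claims in their own access token.
// The tenant segment must be the user's tenant (the token's "tid" claim), not the tenant
// in which the application is registered.
const GRAPH_BASE = "https://graph.windows.net";
const API_VERSION = "1.5";

// Decode a JWT payload without verifying the signature. This is acceptable here only
// because the token was issued to this app by Azure AD and Graph validates it again on
// receipt; never use an unverified payload to make an authorization decision.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

// URL for the signed-in user's group memberships. Prefers the immutable objectId (oid)
// over the UPN, which can be renamed.
function memberOfUrl(accessToken) {
  const claims = decodeJwtPayload(accessToken);
  if (!claims.tid) throw new Error("token has no tid claim");
  const userId = claims.oid || claims.upn;
  if (!userId) throw new Error("token has neither oid nor upn claim");
  return `${GRAPH_BASE}/${claims.tid}/users/${encodeURIComponent(userId)}` +
    `/memberOf?api-version=${API_VERSION}`;
}

// Perform the call with the bearer header (assumes Node 18+ global fetch).
async function fetchMemberOf(accessToken) {
  const res = await fetch(memberOfUrl(accessToken), {
    headers: { Authorization: `Bearer ${accessToken}`, Accept: "application/json" },
  });
  if (!res.ok) throw new Error(`Graph call failed with HTTP ${res.status}`);
  return (await res.json()).value; // array of directory objects (groups, roles)
}

// Constructed, unsigned sample token for illustration only (signature part is fake).
function sampleToken() {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc({
    tid: "00000000-0000-0000-0000-000000000001", // the USER's tenant, not the app's
    oid: "11111111-1111-1111-1111-111111111111",
    upn: "user@contoso.com",
  })}.sig`;
}
```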

Related

Azure Active Directory: how to get user's object id via auth code flow (MSAL)?

I have developed a web application (Python/Django) for my client, and he wants me to add SSO via Azure Active Directory that he set up. I also need to fetch user profile information (email, upn) and update it when it changes in AD.
I managed to get SSO working using MSAL with the auth code flow and am able to send requests to the Graph API on behalf of the user to get profile information (/me).
To get profile updates I created a subscription (webhook) to the /users resource using the app identity (client credentials grant flow).
The problem is that I can't understand how to correlate the users I get from subscriptions with the users I get from the auth code flow via MSAL. Notifications from subscriptions give me ids I can find on the Azure portal (GUID), but profile information requests on behalf of the user don't give me the same ids. There are ids, but these ids are different (something like c66b9ba73bcba166).
As juunas mentioned, the object id is typically oid or sub.
Example using jwt.ms to examine the ID token:
Also, if your app needs to distinguish between app-only access tokens and access tokens for users, you can use the idtyp optional claim.

How to get all Azure AD account list using token generated by user_impersonation scope on /common endpoint

The Azure AD authentication documentation defines a way to get a token using the /common endpoint, as below:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
I am able to get an access_token (using the /common endpoint), but now I am looking for an API or a way to get a tenant/account-wise token to access the subscriptions of the respective tenant.
I see Microsoft is doing it for Azure REST API testing. You can hit the "Try It" button, and after login you will have all the Azure AD accounts to which you belong and a token per tenant (you can review the /accesstoken endpoint in the browser console):
https://learn.microsoft.com/en-us/rest/api/resources/subscriptions/list#code-try-0
How can I achieve the same as in the screenshot below?
Note: I do not have the user's tenant list, by which I could get a tenant-wise access_token.
There's a REST API to get the list of tenants (Azure ADs) a user is part of. You can find details about this API here: https://learn.microsoft.com/en-us/rest/api/resources/tenants/list.
You can get the tenant-wise subscription list by passing the particular tenant id when getting the access token:
var accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(
    new[] { $"{ArmApiOperationService.ArmResource}user_impersonation" }, tenantid);
But the MS doc uses another method, a '.TokenAuthCookies' cookie header, when requesting from 'https://token.learn.microsoft.com/accesstokens'. We have to generate the token cookie when we sign in with OpenID. Did you find a way for that already?

How to show REST API error message in the B2C login form

I have multiple applications that use the same custom policy to authenticate users. In TrustFrameworkExtensions I defined two claims providers, one for local accounts and one for users of my company AD tenant (social account). I also have a claims provider to retrieve custom attributes and to check whether the user is enabled for the calling application; this claims provider is configured in the user journey as an orchestration step before the JWT token is created.
The API application returns claims with custom attributes if the user is enabled, and returns a response with HttpStatusCode.Conflict and an error message if not.
How can I show the error message in the login form before it goes back to the calling application?
PS: I have a custom UI login form
UPDATE
I found the right technical profile, "SelfAsserted-LocalAccountSignin", and now it works! But I have 2 more questions.
1. In my API application, in the input claims, extension properties are missing; I think it's because the user is not logged in yet. Is it possible to obtain all claims? If this isn't possible, I must read the data in my API with Graph by signInName.
2. My login form allows authentication as a local user and as a user of my company AD tenant (social account).
The ValidationTechnicalProfiles in "SelfAsserted-LocalAccountSignin" works with local users only; I tried to configure a ValidationTechnicalProfiles for the "SM-SocialLogin" TechnicalProfile, but it doesn't work.

Azure Active Directory Invitation Manager, register user in another tenant

What I am trying to do is to automate the process of adding a new user to an Azure Active Directory of a tenant (the tenant is supplied as a parameter).
For this, I understood that I must use Azure AD B2B collaboration. The official sample for automating this process is provided by Microsoft at this link:
https://github.com/Azure/active-directory-dotnet-graphapi-b2bportal-web
So, using the Invitation API (which is available here: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/invitation_post), I programmatically send an invitation mail to an email address that I want to register.
The problem is that the user who will be registered with that email will be registered within the tenant in which the application was configured.
For example, I am using tenant name X to configure my application in the Azure Active Directory portal. What I see is that I can only invite emails to register within my tenant named X.
What if I want to register an email within another tenant, one which I know beforehand?
Can the invitation API specify in which tenant I want to register an email, without having the application registered in that tenant?
Because if I can't, I would have to register the application in all the tenants, and then apply logic in the code to link the Client ID and Client Secret to the correct tenant.
If I have understood your question correctly, you need a multi-tenant app.
When you get an access token for Microsoft Graph API, it will always target a specific tenant.
In order to get an access token which targets another tenant, you must:
1. Make your app multi-tenant: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview
2. An admin from the other tenant must perform a sign-up, which asks them for consent to the permissions your app requires. This usually means a redirect to the login page with prompt=admin_consent in the query.
3. After they consent, a service principal will be created in their tenant, and they are redirected back to your app as usual.
4. Now you can get an access token targeting their tenant and use it to call the Graph API.

How do I know which users are accessing my API hosted in Azure AD OAuth 2.0 so they only access their private data?

I have developed a Web API, hosted in Azure, with OAuth 2.0 authorization grant through Azure AD. I have the token system working: I am able to request an authorization code, use that to request access/refresh tokens, and then request data from the API in general.
The next thing I am struggling with is how I allow user A to access Database A data and user B to access Database B data. We have different databases, and each user has their own private data. Both user A and B are using the same native "client" desktop application. So here is my thought process:
We could make user A its own "application" in Azure AD, and user B its own "application" in Azure AD. They would have different access tokens then. But how do I know in my Web API that user A is calling my API, or user B is calling my API, if Azure AD is the one doing the authorization? Is there a way to extract which particular user is calling the API from which token is used, or something, so I can pull data for only that user? All I have currently is the [Authorize] at the top of the ApiController for the different REST calls and then setting up the application in Azure AD, but that is just general authorization access to the API, not specific permission/authenticated access to private user data.
I assume that you are using OWIN/Katana with JWT support for authorization. If so, then you should find that if you get the ClaimsPrincipal.Current property there will be a ClaimsPrincipal object that represents the user that was authenticated. It will contain a set of claims that are returned from AzureAD. You can use those claims to retrieve an identifier for the user and map that to their associated database.
Take a look at the sample here:
https://github.com/AzureADSamples/WebAPI-OnBehalfOf-DotNet
In particular this file:
https://github.com/AzureADSamples/WebAPI-OnBehalfOf-DotNet/blob/master/TodoListService/Controllers/TodoListController.cs
line 80:
// A user's To Do list is keyed off of the NameIdentifier claim, which contains an immutable, unique identifier for the user.
Claim subject = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier);
After this code the subject.Value property will contain an identifier for the authenticated user.
This link contains some documentation on the set of claims that Azure AD will return:
http://msdn.microsoft.com/en-us/library/azure/dn151790.aspx
Search for "Azure AD issues a fixed set of claims for the authenticated users."
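Added example, not code from this answer or from the MSAL question earlier on the page: it takes the validated token claims (what ClaimsPrincipal.Current exposes in .NET, or what jwt.ms shows for an ID token) and selects the caller's database from the immutable tenant id and object id, which is also the key for correlating Graph subscription notifications with signed-in users, and it refuses app-only tokens via the idtyp optional claim. The database map, claim values and tenant ids are constructed.

```javascript
// Added example, not from either answer: choose a caller's data store from validated
// token claims. Keys on the immutable (tid, oid) pair, never on upn/email, which can
// change and then silently point at someone else's data. The same oid appears in Graph
// subscription notifications and on the portal, so it is the value to correlate on;
// "sub" is pairwise per application and does not match those GUIDs.

// Constructed mapping: "tenantId|objectId" -> database name.
const DATABASE_BY_USER = new Map([
  ["tenantA|aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "db_A"],
  ["tenantA|bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb", "db_B"],
]);

// Stable key for a user token, or null for app-only tokens (idtyp === "app", requires
// the optional claim to be configured) and for tokens lacking tid/oid.
function userKey(claims) {
  if (claims.idtyp === "app") return null;     // client-credentials token: no user
  if (!claims.tid || !claims.oid) return null; // not a user token we understand
  return `${claims.tid}|${claims.oid}`;
}

// Database for the caller, or null when the request must be refused (HTTP 403):
// app-only token, malformed claims, or a user with no provisioned database.
function databaseFor(claims) {
  const key = userKey(claims);
  if (key === null) return null;
  return DATABASE_BY_USER.get(key) ?? null;
}

// Constructed sample claims, as they would look after signature validation.
const USER_A_CLAIMS = {
  tid: "tenantA", oid: "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
  upn: "alice@contoso.com", idtyp: "user",
};
// Same user after a UPN rename: oid is unchanged, so the lookup still finds db_A.
const RENAMED_USER_A = { ...USER_A_CLAIMS, upn: "alice.smith@contoso.com" };
// Daemon token obtained with client credentials: no user behind it.
const APP_ONLY_CLAIMS = {
  tid: "tenantA", oid: "cccccccc-cccc-cccc-cccc-cccccccccccc",
  roles: ["User.Read.All"], idtyp: "app",
};
```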