I've got an existing mobile app that is integrated with Azure's mobile services. The mobile services are currently connected to Azure Active Directory with MFA enabled. I'm attempting to build a separate PHP-based web application that uses this existing mobile service and authentication.
Authentication
The only active directory of users is the cloud-based AAD. There is no local version and no office 365. After doing a lot of research, it appears PHP can integrate using SAML. However, there are either no PHP samples Azure Active Directory Code Samples or they're tied to Office 365 azure-sdk-for-php-samples.
How can I authenticate my users against AAD via the web-app?
Authorization
Once a user has been authenticated, how can I ensure that user has the same access levels as the user via the mobile service?
One option would be to have your PHP app serve a page using the Mobile Services JavaScript SDK and have it perform the login.
You'll get the same token that you would in your mobile app. To your question on authorization, as long as you're making subsequent backend calls through the Mobile Service, you will get the exact same authorization rules as you have defined on that service.
The token will be client-bound, and you'll likely want to get it back to your server for making calls. The actual Mobile Services token is located in client.currentUser.authenticationToken, and you can set this as a cookie in the javascript code and then retrieve it on your PHP backend in a subsequent call.
Calls to the Mobile Service (via the REST API) from your PHP backend just need this token set in the X-ZUMO-AUTH header.
This approach should work for all providers, including AAD. MFA should not be a problem in this case.
Related
I have a cordova application which I am authenticating using azure AD cordova plugin and it all works fine. But now I am integrating services published in another domain and I am unable to authenticate these services using the mobiletoken generated after authentication. Can someone guide me how to secure multiple domain APIs published as Azure web APIs and use token to access the secured APIs.
I have tried to modify the secured settings in azure portal of one of the APIs by including reply URLs for both the APIs
When I include the token in the header of the ajax requests going into 2nd domain endpoints, I just get "unauthorized" error.
It sounds like you're able to get an access token in a Cordova setting and you're having issues accessing multiple web apis after the user has logged in.
The authentication protocol I would suggest you utilize is the on-behalf of flow which is doocumented here : https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
Per the summary :
The OAuth 2.0 On-Behalf-Of flow (OBO) serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from the Microsoft identity platform, on behalf of the user.
This is to get a new access token with the right audience to gain access to web api 2.
My application is an Angular 2+ SPA, which uses Azure Active Directory and the back end API is implemented in Node JS. Currently, when an user tries to login, an Azure pop-up appears, User enter login/password which will get authenticated in AD, AD returns a bearer token which I use to authenticate Node JS API.
My requirement is, to use Integrated Windows Authentication (IWA). The Front End should use Windows authentication to get the bearer token from AD instead of asking user to enter login/password. How Can I do that? Whatever articles I see about this, all talk about IIS and .Net based application. Should I always use .NET based API to use Windows Authentication? Any hints would be greatly appreciated.
Just a note, the API is an enterprise application hosted in the cloud. All the users are internal company employees and are registered with AD.
Given you already have Azure AD sync setup, the following may be useful. AAD Connect allows you to seamlessly login with SSO:
https://learn.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso
Azure services doesn't support Windows Authentication, unless you setup a VM with IIS. I assume by your requirements "...Get the bearer token instead of asking user to enter login/password" mean single signon. That is, when a user is logged into the domain on their PC, they don't have to login again to your application.
There are a few ways to approach this depending on your AD configuration, but usually you have to configure ADFS for your organisation AD to allow your cloud app to authenticate you. If you are already logged in, it will simply redirect you and your app will receive the bearer token.
https://azure.microsoft.com/en-au/resources/videos/configuring-ad-fs-for-user-sign-in-with-azure-ad-connect/
Another option is to connect your organisation AD with Azure AD, using Azure AD sync. The following link helps with this. You would then configure your app to authenticate against Azure AD (as it currently does).
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad
AD configuration is not a simple configuration,
I am trying to develop a serverless backend for my xamarin app. and for that I chose azure functions.
Now I already know that Azure Mobile Apps provide an SDK for this purpose with which we can easily enable Authentication with multiple ways which are following
1. Azure Active Directiry
2. Facebook
3. Google
4. Microsoft
5. Twitter
Now I want to allow login with atleast 2 of these in my app, but I am not using azure mobile app as backend, instead I am using azure functions. So how can I achieve the same result with serverless?
Thanks in advance.
AFAIK, when using Easy Auth (Authentication/Authorization in App Service), the user would be directed to {your-app-service-url}/.auth/login/{provider} for logging with Server-managed authentication. Users who interact with your web application through the web browser would have a cookie and they can remain authenticated as the browser your web application. For other clients (e.g. mobile client), a JWT would be contained in the x-zumo-auth header, and the Mobile Apps client SDK would handle it for you.
According to your scenario, you are trying to use user-based authentication with your function. I did some test, you could refer to them:
Firstly, I created a HttpTrigger function wrote in C#, then set the Authorization level to Anonymous.
return req.CreateResponse(HttpStatusCode.OK, req.Headers,JsonMediaTypeFormatter.DefaultMediaType);
Note: I just return all headers with the special headers specified by App Service Authentication / Authentication. Some example headers include:
X-MS-CLIENT-PRINCIPAL-NAME
X-MS-CLIENT-PRINCIPAL-ID
X-MS-TOKEN-MICROSOFTACCOUNT-ACCESS-TOKEN
X-MS-TOKEN-MICROSOFTACCOUNT-EXPIRES-ON
For more details, you could refer to App Service Token Store.
Then I go to Platform features and configure the Microsoft Authentication Provider under Authentication / Authorization. For mobile client, just use the Mobile Apps client SDK for logging and invoke the function endpoint as follows:
In summary, you could use the Mobile Apps client SDK for authentication with your function app. And you could configure the Authentication Providers as you wish, then for your mobile client you could set the related provider name when calling LoginAsync for logging. For your function, you could check the X-MS-CLIENT-PRINCIPAL-IDP header and retrieve the current user info and token for the specific provider.
Since Azure Functions are built on top of App Services, like Mobile Apps, you can still use Azure Active Directory authentication or the API keys for the Http triggered functions.
I'm using Xamarin Forms and Windows Azure for SQL Database. In the last version of windows azure they give you an application key to avoid unauthorized access to the web services but now they remove the application key and now they are using authentication through Facebook, google, etc.
The question is I want to protect my web services but I don't want to use facebook or google authorization because I'm using my own login and password.
I want my web services unprotect
I want to protect my tables but I receive and error while reading the data
According to your screenshot, I assumed that you are using Easy tables with access permission. As I known, when you add a new table under Easy tables, it would automatically create the related Node.js back-end, you could go to App Service Editor (Preview) in the Development Tools section of your mobile app as follows:
For Node.js back-end custom authentication, you need to set auth congiguration for your server side, and build your custom login endpoint to validate the client and generate the JWT token for your client. Here is a similar issue, you could refer to here.
Additionally, you could build the C# back-end by yourself and deploy to the mobile app. For custom authentication, you could refer to adrian hall's book about Mobile Apps Custom authentication. For data access, you need to build table controller for each of your SQL table, you could refer to Implementing Table Controllers.
Note:
You must turn on Authentication / Authorization in your App Service. Set the Action to take when request is not authenticated to Allow Request (no action) and do not configure any of the supported authentication providers.
For client app, you could leverage Azure Mobile Client SDK for connecting with your azure mobile app backend. For more details, you could refer to this tutorial about working with managed client for Azure Mobile Apps.
Scenario: I already have a registered multi-tenant web application that is compatible with Azure SSO. I'm now in the process of developing an iOS application that will support SSO authentication for the app as well.
Based on the example provided in https://azure.microsoft.com/en-us/resources/samples/active-directory-ios/ I created a Native application for the iOS app with delegated permissions from my WebApp (ref: https://stackoverflow.com/a/29810124).
This works for any user that exists within the AAD that the app was created. However, as soon as I want to SSO from a different domain that has previously authorized the WebApp I get an error:
Application with identifier 'CLIENT_ID_HERE' not found in directory DOMAIN_HERE.onmicrosoft.com
This implies that the native application is not multi-tenant? This seems a bit bizarre considering it should be possible for users outside of the domain to SSO to an application.
Right now, for my browser based SPA I'm simply able to manually call the common Azure login page to consent and get an authorization code for a user. I then send this code to a backend (the WebApp) that performs the OAuth handshake and gets a valid token. This does not require a client_secret from the application because the SPA isn't actually performing token retrieval.
So when I attempted to use the WebApp's client_id instead (similar to what https://stackoverflow.com/a/27033816 is suggesting) I was met with an error with the Azure AD iOS SDK requiring that I provided a client secret as well. It seems that the SDK is abstracting a fair amount of this and grabbing a token for you rather than performing a step when I can simply get an authorization code and send it to my WebApp.
TLDR: My requirements are very similar to the ones outlined in multiple-tenant, multiple-platform, multiple-services single sign-on using Azure Active directory where I have multiple clients (browser, iOS, Android) that all need to be able to use Azure SSO. I'm assuming the mobile apps should be able to use my existing WebApp to authenticate the users.
The question posed in the answer of the previous SO post somewhat explains my issue:
How can my mobile app access my multi-tenant web api on behalf of the user?
References
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-authentication-scenarios#native-application-to-web-api
https://github.com/Azure-Samples/active-directory-dotnet-webapi-multitenant-windows-store
At present the native app which register on the Azure portal doesn't support multi-tenant. You may consider using the V2.0 endpoint which also support the Microsoft accounts.
TLDR: My requirements are very similar to the ones outlined in multiple-tenant, multiple-platform, multiple-services single sign-on using Azure Active directory where I have multiple clients (browser, iOS, Android) that all need to be able to use Azure SSO. I'm assuming the mobile apps should be able to use my existing WebApp to authenticate the users.
Did you mean that have different font-end and the Multi-Tenant Web Application is the back-end? In this scenario, there is no need to register another native client application on the portal, you can refer here about add authentication for the iOS app.
So the majority of Microsoft's tutorials use their AAD SDK to generate OAuth access tokens whereas I needed to simply get an authorization_code to send up to a backend that's registered as an existing multi-tenant web application so it could properly generate a token using its own client_id.
This was done using the correct redirect_uri in the AD OAuth code documentation:
For native & mobile apps, you should use the default value of urn:ietf:wg:oauth:2.0:oob
Note that sending up urn:ietf:wg:oauth:2.0:oob will actually result in a schema error for the multi-tenant OAuth login page (https://login.windows.net/common/oauth2/authorize) so you must use https://login.microsoftonline.com/common/oauth2/nativeclient instead.