I have a .Net Mobile Services back end (i.e. not the JavaScript one) which out of the box supports authentication with the common Identity Providers (facebook, twitter, etc) through the windows azure portal. However I would like users to be able to create their own username/password accounts as they can do with the ASP.NET Web Api implementation of ASP.NET Identity (using AccountController).
The question is if this is possible and if so what is the best way of achieving it?
My first thought was to just copy the appropriate classes (AccountController, Startup.Auth, ApplicationOAuthProvider, etc) from a template ASP.NET MVC Web Api project and add a reference to Microsoft.AspNet.Identity.EntityFramework and System.Web.MVC but I don't know what impact this would have. If it worked would I have just taken control of the Authentication logic with the portal "Identity" no longer having any effect?
The other option is to simply start with a Web Api project and add the Mobile Services functionality to that instead (Although I couldn't see how to create a Web Api project without MVC but that is a different question).
Thanks for any help.
UPDATE 11 April 2014
In the end we decided to manage our own username and passwords and generate a JWT token so that the client could use the standard IMobileServiceClient. To do this we used two resources. The first was from the joy of code:
http://www.thejoyofcode.com/Exploring_custom_identity_in_Mobile_Services_Day_12_.aspx
and the second was from content master:
http://www.contentmaster.com/azure/creating-a-jwt-token-to-access-windows-azure-mobile-services/
Although we made some small changes to the code as per this Mobile Services team blog post:
[Don't have enough reputation points to add a third link so just google "changes-in-the-azure-mobile-services-jwt-token"]
So here is the code if useful. (it might be better to write an implementation using JwtSecurityTokenHandler but this works for us)
public static string GetSecurityToken(TimeSpan periodBeforeExpires, string aud, string userId, string masterKey)
{
var now = DateTime.UtcNow;
var utc0 = new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc);
var payload = new
{
exp = (int)now.Add(periodBeforeExpires).Subtract(utc0).TotalSeconds,
iss = "urn:microsoft:windows-azure:zumo",
ver = 2,
aud = "urn:microsoft:windows-azure:zumo",
uid = userId
};
var keyBytes = Encoding.UTF8.GetBytes(masterKey + "JWTSig");
var segments = new List<string>();
//kid changed to a string
var header = new { alg = "HS256", typ = "JWT", kid = "0" };
byte[] headerBytes = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(header, Formatting.None));
byte[] payloadBytes = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(payload, Formatting.None));
segments.Add(Base64UrlEncode(headerBytes));
segments.Add(Base64UrlEncode(payloadBytes));
var stringToSign = string.Join(".", segments.ToArray());
var bytesToSign = Encoding.UTF8.GetBytes(stringToSign);
SHA256Managed hash = new SHA256Managed();
byte[] signingBytes = hash.ComputeHash(keyBytes);
var sha = new HMACSHA256(signingBytes);
byte[] signature = sha.ComputeHash(bytesToSign);
segments.Add(Base64UrlEncode(signature));
return string.Join(".", segments.ToArray());
}
// from JWT spec
private static string Base64UrlEncode(byte[] input)
{
var output = Convert.ToBase64String(input);
output = output.Split('=')[0]; // Remove any trailing '='s
output = output.Replace('+', '-'); // 62nd char of encoding
output = output.Replace('/', '_'); // 63rd char of encoding
return output;
}
This is possible but not quite as simple as we would like (we have a bug on improving it). In general it boils down to that you can inject things into the OWIN pipeline including auth providers.
If you are familiar with the OWIN pipeline and ASP.NET Identity Framework then here's roughly what you do:
1) Crate your own OWIN App Builder which sets up the OWIN pipeline for the .NET backend.
2) Register your App Builder with the Dependency Injection engine which will get called as part of the initialization.
Here is a gist of what it looks like (using the latest NuGets from nuget.org):
https://gist.github.com/HenrikFrystykNielsen/9835526
It won't automatically get hooked into the "login" controller we have a work item to enable this but I think it should work if you are careful.
Btw, you can find some good information from Filip W's blog: http://www.strathweb.com/2014/02/running-owin-pipeline-new-net-azure-mobile-services/
Hope this helps!
Henrik
Related
Using the preview package for Microsoft.Azure.Management.Monitor, I am trying to get metrics from Azure into a .NET Core application, but I am uncertain about what to input as "resourceUri".
var serviceCreds = await ApplicationTokenProvider.LoginSilentAsync(tenantId, clientId, secret);
var monitorClient = new MonitorManagementClient(serviceCreds);
monitorClient.SubscriptionId = subscriptionId;
var resourceUri = "";
var metrics = await monitorClient.Metrics.ListAsync(resourceUri: resourceUri, cancellationToken: CancellationToken.None);
What should I insert in the resourceUri variable, and where do I get this uri from in Azure? A lot of things are great about Azure, but not documentation 🤨
Good question.
The resourceUri is in this format(this example is for web app, and you should replace with your real subscriptionsId, resourceGroupsName etc.):
/subscriptions/4d7e91d4-e930-4bb5-a93d-163aa358e0dc/resourceGroups/Default-Web-westus/providers/microsoft.web/serverFarms/DefaultServerFarm
You can find this information in the source code, here.
And for different resources, the format has a little difference, I add another resourceUri for blob storage:
/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/xxx/blobServices/default/providers/Microsoft.Insights/metrics/ContainerCount
If you still have issues, please feel free to let me know.
We are planning to implement Windows 10 UWP Application. We would like to authenticate user while accessing API Services hosted in Cloud.
Previously, we used the Microsoft.IdentityModel.Clients.ActiveDirectory NuGet package for authenticating in windows store 8.1. How do we authenticate user in Windows UWP Applications? I think AAD code for Windows Store and Windows Phone is different, how can we leverage AAD library for Windows 10 UWP applications. I have heard of Token Broker Authentication Architecture. Will this work for Azure Active Directory in addition to Facebook, etc.?
Please let me know if there is a workaround for AAD library to work in both Phone and Store (i.e. Universal App).
If you have an Native App that wants to access an API on Azure and authenticate with oAuth you need to use "OAuth 2.0 Authorization Code Flow" as describe on https://azure.microsoft.com/en-us/documentation/articles/active-directory-v2-protocols-oauth-code/.
This requires that you both your native app and api in the Azure Directory.
In https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-devquickstarts-windowsstore/ a sample is given of a UWP App that accesses the graph.microsoft.com API, but you can replace this by your own API.
Sander,
If this answers your question please tag is such so we can help others.
Let me explain the steps.
You can still use Active Directory Authentication Library
in the UWP Apps.
To do it you have to add NuGet package (I pasted the link above). Once you do it there are few steps to implement authentication in your app:
1) Store information needed for the authentication (for instance in the App.xaml.cs constructor):
var localSettings = ApplicationData.Current.LocalSettings;
localSettings.Values["ida:AADInstance"] = "https://login.windows.net/{0}";
localSettings.Values["ida:Tenant"] = "<<Name of your tenant here>>";
localSettings.Values["ida:ClientId"] = "<<Client ID Here>>";
localSettings.Values["ida:RedirectUri"] = "<<Redirect URI here>>";
localSettings.Values["ApiBaseAddress"] = "<<ID of Api Resource here>>";
localSettings.Values["ServiceAddress"] = "<<Address of your Api here>>";
Now write the code for authentication (this is helper class):
class ADContextHelper
{
ApplicationDataContainer _localSettings;
AuthenticationContext _authContext;
string _aadInstance;
string _tenant;
string _clientId;
Uri _redirectUri;
string _authority;
string _apiResourceId;
string _apiBaseAddress;
public ADContext()
{
_localSettings = ApplicationData.Current.LocalSettings;
configureSettings();
_authContext = new AuthenticationContext(_authority);
}
private void configureSettings()
{
_aadInstance = _localSettings.Values["ida:AADInstance"].ToString();
_tenant = _localSettings.Values["ida:Tenant"].ToString();
_clientId = _localSettings.Values["ida:ClientId"].ToString();
_redirectUri = new Uri(_localSettings.Values["ida:RedirectUri"].ToString());
_authority = String.Format(_aadInstance, _tenant);
_apiResourceId = _localSettings.Values["ApiResourceId"].ToString();
_apiBaseAddress = _localSettings.Values["ApiBaseAddress"].ToString();
}
public async Task<string> Authenticate()
{
AuthenticationResult authResult = await _authContext.AcquireTokenAsync(_apiResourceId, _clientId, _redirectUri);
//Here you retrieve the token:
var token = authResult.AccessToken;
return token;
}
}
At the end I also include code for logout - maybe you will want to include it:
public async Task<bool> Logout()
{
string requestUrl = "https://login.microsoftonline.com/" + _tenant + "/oauth2/logout?post_logout_redirect_uri=" + _redirectUri;
var client = new HttpClient();
var request = new HttpRequestMessage(HttpMethod.Get, requestUrl);
var response = await client.SendAsync(request);
}
I hope this will help you.
I am trying to set up a C# console app that can send notifications/reminders to users via Skype for Business online from a generic AD account. I was excited to see the other day that according to this page, UCWA is now supported in Skype for Business online: https://msdn.microsoft.com/en-us/library/office/mt650889.aspx.
I've been trying to follow this tutorial to get this set up: https://msdn.microsoft.com/en-us/library/office/mt590891(v=office.16).aspx. So far I haven't really had much luck... I have my application set up in Azure AD but I get stuck at the "Requesting an access token using implicit grant flow" step of that article (not 100% certain I'm taking the correct actions before that either)... so far I have this:
string clientId = "xxxxxxxx"
string resourceUri = "https://webdir.online.lync.com";
string authorityUri = "https://login.windows.net/common/oauth2/authorize";
AuthenticationContext authContext = new AuthenticationContext(authorityUri);
UserCredential cred = new UserCredential("username", "password");
string token = authContext.AcquireToken(resourceUri, clientId, cred).AccessToken;
var poolReq = CreateRequest("https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root", "GET",token);
var poolResp = GetResponse(poolReq);
dynamic tmp = JsonConvert.DeserializeObject(poolResp);
string resourcePool = tmp._links.user.href;
Console.WriteLine(resourcePool);
var accessTokenReq = CreateRequest("https://login.windows.net/common/oauth2/authorize"
+ "?response_type=id_token"
+ "&client_id=" + clientId
+ "&redirect_uri=https://login.live.com/oauth20_desktop.srf"
+ "&state=" + Guid.NewGuid().ToString()
+ "&resource=" + new Uri(resourcePool).Host.ToString()
, "GET",token);
var accessTokenResp = GetResponse(accessTokenReq);
my GetResponse and CreateRequest methods:
public static string GetResponse(HttpWebRequest request)
{
string response = string.Empty;
using (HttpWebResponse httpResponse = request.GetResponse() as System.Net.HttpWebResponse)
{
//Get StreamReader that holds the response stream
using (StreamReader reader = new System.IO.StreamReader(httpResponse.GetResponseStream()))
{
response = reader.ReadToEnd();
}
}
return response;
}
public static HttpWebRequest CreateRequest(string uri, string method, string accessToken)
{
HttpWebRequest request = System.Net.WebRequest.Create(uri) as System.Net.HttpWebRequest;
request.KeepAlive = true;
request.Method = method;
request.ContentLength = 0;
request.ContentType = "application/json";
request.Headers.Add("Authorization", String.Format("Bearer {0}", accessToken));
return request;
}
accessTokenResp is an office online logon page, not the access token I need to move forward... so I'm stuck. I've tried quite a few variations of the above code.
I've been scouring the net for more examples but can't really find any, especially since UCWA support for Office 365 is so new. Does anyone have an example of how to do what I am trying to do or can point me to one? Everything I've found so far hasn't really even been close to what I'm trying. I can't use the Skype for Business client SDK unfortunately either as it doesn't meet all of my requirements.
I came to a working solution using ADAL (v3), with the help of steps outlined at
Authentication using Azure AD
Here the steps, which involve requesting multiple authentication tokens to AAD using ADAL
Register your application, as Native Application, in Azure AD.
Perform autodiscovery to find user's UCWA root resource URI.
This can be done by performing a GET request on
GET https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=yourdomain.onmicrosoft.com
Request an access token for the UCWA root resource returned in the autodiscovery response, using ADAL
For instance, your root resource will be at
https://webdir0e.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=yourdomain.onmicrosoft.com
you'll have to obtain a token from AAD for resource https://webdir0e.online.lync.com/
Perform a GET on the root resource with the bearer token obtained from ADAL
GET https://webdir0e.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=yourdomain.onmicrosoft.com
This will return, within the user resource, the URI for applications resource, where to create your UCWA application. This in my case is:
https://webpoolam30e08.infra.lync.com/ucwa/oauth/v1/applications
Residing then in another domain, thus different audience / resource, not included in the auth token previously obatained
Acquire a new token from AAD for the host resource where the home pool and applications resource are (https://webpoolam30e08.infra.lync.com in my case)
Create a new UCWA application by doing a POST on the applications URI, using the token obtained from ADAL
Voilá, your UCWA application is created. What I notice at the moment, is that just few resources are available, excluding me / presence. So users' presence can be retrieved, but self presence status can't be changed.
I've been able however to retrieve my personal note, and the following resources are available to me:
people
communication
meetings
Show me some code:
Function to perform the flow obtaining and switching auth tokens
public static async Task<UcwaApp> Create365UcwaApp(UcwaAppSettings appSettings, Func<string, Task<OAuthToken>> acquireTokenFunc)
{
var result = new UcwaApp();
result.Settings = appSettings;
var rootResource = await result.Discover365RootResourceAsync(appSettings.DomainName);
var userUri = new Uri(rootResource.Resource.GetLinkUri("user"), UriKind.Absolute);
//Acquire a token for the domain where user resource is
var token = await acquireTokenFunc(userUri.GetComponents(UriComponents.SchemeAndServer, UriFormat.SafeUnescaped));
//Set Authorization Header with new token
result.AuthToken = token;
var usersResult = await result.GetUserResource(userUri.ToString());
//
result.ApplicationsUrl = usersResult.Resource.GetLinkUri("applications");
var appsHostUri = new Uri(result.ApplicationsUrl, UriKind.Absolute).GetComponents(UriComponents.SchemeAndServer, UriFormat.SafeUnescaped);
//Acquire a token for the domain where applications resource is
token = await acquireTokenFunc(appsHostUri);
//Set Authorization Header with new token
result.AuthToken = token;
//
var appResult = await result.CreateApplicationAsync(result.ApplicationsUrl, appSettings.ApplicationId, appSettings.UserAgent, appSettings.Culture);
return result;
}
Usage code ato retrieve OAuth tokens using ADAL
var ucSettings = new UcwaAppSettings
{
UserAgent = "Test Console",
Culture = "en-us",
DomainName = "yourdomain.onmicrosoft.com",
ApplicationId = "your app client id"
};
var acquireTokenFunc = new Func<string, Task<OAuthToken>>(async (resourceUri) =>
{
var authContext = new AuthenticationContext("https://login.windows.net/" + ucSettings.DomainName);
var ar = await authContext.AcquireTokenAsync(resourceUri,
ucSettings.ApplicationId,
new UserCredential("myusername", "mypassword"));
return new OAuthToken(ar.AccessTokenType, ar.AccessToken, ar.ExpiresOn.Ticks);
});
var app = await UcwaApp.Create365UcwaApp(ucSettings, acquireTokenFunc);
It should be of course possible to avoid hard-coding username and password using ADAL, but this was easier for PoC and especially in case of Console Application as you asked
I've just blogged about this using a start-to-finish example, hopefully it will help you. I only go as far as signing in, but you can use it with another post I've done on sending IMs using Skype Web SDK here (see day 13 and 14) and combine the two, it should work fine.
-tom
Similar to Massimo's solution, I've created a Skype for Business Online C# based console app that demonstrates how to sign and use UCWA to create/list/delete meetings and change user presence. I haven't gotten around to extending it to send IM's, but you're certainly welcome to clone my repository and extend it to your needs. Just drop in your Azure AD tenant name and native app ID into the code.
I think they just turned this on today - I was doing something unrelated with the Skype Web SDK samples and had to create a new Azure AD app, and noticed that there are two new preview features for receiving conversation updates and changing user information.
Now everything in the Github samples works for Skype For Business Online.
how to Authenticate and Authorize Asp.Net Web application through QuickBooks.
I want to integrate QuickBooks Accounts System in ASP.NET web Application I have successfully make developer account on quickbooks and make an app and got consumer key, consumer Secret and App Token and all URL's
Know I need some asp.net web api code snipped to successfully authenticate and authorize my web user's and than show there accounting detail
Please help me i Google alot but have no success.
I'm Strange this form is 0% active related to quickbooks API's or etc, after alot of struggling i found an answer of above mention question,
Download Quickbooks IPP.NET SDK it will provide you different classes for CURD.
var appToken = "";
var consumerKey = "";
var consumerSecret = "";
// the above 3 fields you can get when create your app on quickbook go to My app----> select youre app--->goto KEYS
var accessToken = "";
var accessTokenSecret = "";
// this two tookens you will get from URL on the same above page
var realmId = "1400728630"; //1400728630
// this is youre company ID which can be used when you create youre //company on freshbook
var serviceType = IntuitServicesType.QBO;
var validator = new OAuthRequestValidator(accessToken, accessTokenSecret, consumerKey, consumerSecret);
var context = new ServiceContext(appToken,realmId, serviceType, validator);
var service = new DataService(context);
try
{
Customer customer = new Customer();
//Mandatory Fields
customer.GivenName = "Mary";
customer.Title = "Ms.";
customer.MiddleName = "Jayne";
customer.FamilyName = "Cooper";
service.AddAsync(customer);
//service.Add(entity);
}catch(Exception ex)
{
System.Console.WriteLine(ex);
}
need solution for website publishing form web application hosted in Azure.
I tried the following code, It create the domain but I was not able to upload the Published website.
private HttpResponseMessage CreateWebsite(CreateSiteViewModel site)
{
var cert = X509Certificate.CreateFromCertFile(Server.MapPath(site.CertPath));
string uri = string.Format("https://management.core.windows.net/{0}/services/WebSpaces/{1}/sites/", site.Subscription, site.WebSpaceName);
// A url which is looking for the right public key with
// the incomming https request
var req = (HttpWebRequest)WebRequest.Create(uri);
String dataToPost =string.Format(
#"<Site xmlns=""http://schemas.microsoft.com/windowsazure"" xmlns:i=""http://www.w3.org/2001/XMLSchema-instance"">
<HostNames xmlns:a=""http://schemas.microsoft.com/2003/10/Serialization/Arrays"">
<a:string>{0}.azurewebsites.net</a:string>
</HostNames>
<Name>{0}</Name>
<WebSpaceToCreate>
<GeoRegion>{1}</GeoRegion>
<Name>{2}</Name>
<Plan>VirtualDedicatedPlan</Plan>
</WebSpaceToCreate>
</Site>", site.SiteName, site.WebSpaceGeo, site.WebSpaceName);
req.Method = "POST"; // Post method
//You can also use ContentType = "text/xml";
// with the request
req.UserAgent = "Fiddler";
req.Headers.Add("x-ms-version", "2013-08-01");
req.ClientCertificates.Add(cert);
// Attaching the Certificate To the request
// when you browse manually you get a dialogue box asking
// that whether you want to browse over a secure connection.
// this line will suppress that message
//(pragramatically saying ok to that message).
string postData = dataToPost;
var encoding = new ASCIIEncoding();
byte[] byte1 = encoding.GetBytes(postData);
// Set the content length of the string being posted.
req.ContentLength = byte1.Length;
Stream newStream = req.GetRequestStream();
newStream.Write(byte1, 0, byte1.Length);
// Close the Stream object.
newStream.Close();
var rsp = (HttpWebResponse)req.GetResponse();
var reader = new StreamReader(rsp.GetResponseStream());
String retData = reader.ReadToEnd();
req.GetRequestStream().Close();
rsp.GetResponseStream().Close();
return new HttpResponseMessage
{
StatusCode = rsp.StatusCode,
Content = new StringContent(retData)
};
}
I am not entirely sure what you try to achieve here. But if I understand correctly you want to publish a website programmatic.
You cannot do this (publish a website programmatic) with Azure Management APIs. Azure management APIs are to manage Azure services and resources. The web site content itself is not in any way Azure Service, nor an Azure resource.
If you want to programmaticly publish a website to Azure Web Site, I would suggest taking deep read into How to deploy an Azure Web site.
Out from what is mentioned there, pretty easy to automate are
Web Deploy
Repositories using GIT
MSBuild
any other that you are familiar with ...