we have successfully implemented the active directory authentication using the process given at the url http://msdn.microsoft.com/en-us/library/windowsazure/dn151790.aspx . Here we are able to authenticate the user on the https://login.microsoftonline.com/ and return back to web site but we are not able to get access token after successful authentication. following code through which we are able to access the user name, surname etc after successful authentication but not the access token.
can you provide me the code through which we can get the access token after authentication.
public class HomeController : Controller
{
public ActionResult Index()
{
ClaimsPrincipal cp = ClaimsPrincipal.Current;
string fullname =
string.Format("{0} {1}", cp.FindFirst(ClaimTypes.GivenName).Value,
cp.FindFirst(ClaimTypes.Surname).Value);
ViewBag.Message = string.Format("Dear {0}, welcome to the Expense Note App",
fullname);
return View();
}
}
You can use this code to access the security token that was used:
ClaimsPrincipal cp = ClaimsPrincipal.Current;
ClaimsIdentity ci = cp.Identity as ClaimsIdentity;
BootstrapContext bc = ci.BootstrapContext as BootstrapContext;
SecurityToken securityToken = bc.SecurityToken;
You also need to set the saveBootstrapContext attribute in your config file:
<system.identityModel>
<identityConfiguration saveBootstrapContext="true">
...
</system.identityModel>
Related
We have two separeate dotnet core apis(API1 & API2) that are protected using azure ad b2c. Both these apis are registered on the b2c tenant and have their scopes exposed.
We have a client web applicaiton that is to access the above protected apis. This web app has been registered as a applicaiton in b2c tenant and has api permissions set for the above apis with proper scopes defined.
We use MSAL.net with a signinpolicy to sign the user in to the web app.
the authentication call requires scopes to mentioned. So we add API1's scope in the call.
(note : one scope of a single resource can be added in a auth call shown below)
public void ConfigureAuth(IAppBuilder app)
{
// Required for Azure webapps, as by default they force TLS 1.2 and this project attempts 1.0
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
// ASP.NET web host compatible cookie manager
CookieManager = new SystemWebChunkingCookieManager()
});
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
// Generate the metadata address using the tenant and policy information
MetadataAddress = String.Format(Globals.WellKnownMetadata, Globals.Tenant, Globals.DefaultPolicy),
// These are standard OpenID Connect parameters, with values pulled from web.config
ClientId = Globals.ClientId,
RedirectUri = Globals.RedirectUri,
PostLogoutRedirectUri = Globals.RedirectUri,
// Specify the callbacks for each type of notifications
Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = OnRedirectToIdentityProvider,
AuthorizationCodeReceived = OnAuthorizationCodeReceived,
AuthenticationFailed = OnAuthenticationFailed,
},
// Specify the claim type that specifies the Name property.
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
ValidateIssuer = false
},
// Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
Scope = $"openid profile offline_access {Globals.ReadTasksScope} {Globals.WriteTasksScope}",
// ASP.NET web host compatible cookie manager
CookieManager = new SystemWebCookieManager()
}
);
}
The OnAuthorizationCodeRecieved method in Startup.Auth.cs recieved the code recieved as a result of above auth call and uses it to get a access token based on the scopes provided and stores it in the cache. shown below
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
{
try
{
/*
The `MSALPerUserMemoryTokenCache` is created and hooked in the `UserTokenCache` used by `IConfidentialClientApplication`.
At this point, if you inspect `ClaimsPrinciple.Current` you will notice that the Identity is still unauthenticated and it has no claims,
but `MSALPerUserMemoryTokenCache` needs the claims to work properly. Because of this sync problem, we are using the constructor that
receives `ClaimsPrincipal` as argument and we are getting the claims from the object `AuthorizationCodeReceivedNotification context`.
This object contains the property `AuthenticationTicket.Identity`, which is a `ClaimsIdentity`, created from the token received from
Azure AD and has a full set of claims.
*/
IConfidentialClientApplication confidentialClient = MsalAppBuilder.BuildConfidentialClientApplication(new ClaimsPrincipal(notification.AuthenticationTicket.Identity));
// Upon successful sign in, get & cache a token using MSAL
AuthenticationResult result = await confidentialClient.AcquireTokenByAuthorizationCode(Globals.Scopes, notification.Code).ExecuteAsync();
}
catch (Exception ex)
{
throw new HttpResponseException(new HttpResponseMessage
{
StatusCode = HttpStatusCode.BadRequest,
ReasonPhrase = $"Unable to get authorization code {ex.Message}.".Replace("\n", "").Replace("\r", "")
});
}
}
This access token is then used in the TasksController to call AcquireTokenSilent which retrieves the access token from the cache, which is then used in the api call.
public async Task<ActionResult> Index()
{
try
{
// Retrieve the token with the specified scopes
var scope = new string[] { Globals.ReadTasksScope };
IConfidentialClientApplication cca = MsalAppBuilder.BuildConfidentialClientApplication();
var accounts = await cca.GetAccountsAsync();
AuthenticationResult result = await cca.AcquireTokenSilent(scope, accounts.FirstOrDefault()).ExecuteAsync();
HttpClient client = new HttpClient();
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, apiEndpoint);
// Add token to the Authorization header and make the request
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
HttpResponseMessage response = await client.SendAsync(request);
// Handle the response
switch (response.StatusCode)
{
case HttpStatusCode.OK:
String responseString = await response.Content.ReadAsStringAsync();
JArray tasks = JArray.Parse(responseString);
ViewBag.Tasks = tasks;
return View();
case HttpStatusCode.Unauthorized:
return ErrorAction("Please sign in again. " + response.ReasonPhrase);
default:
return ErrorAction("Error. Status code = " + response.StatusCode + ": " + response.ReasonPhrase);
}
}
catch (MsalUiRequiredException ex)
{
/*
If the tokens have expired or become invalid for any reason, ask the user to sign in again.
Another cause of this exception is when you restart the app using InMemory cache.
It will get wiped out while the user will be authenticated still because of their cookies, requiring the TokenCache to be initialized again
through the sign in flow.
*/
return new RedirectResult("/Account/SignUpSignIn?redirectUrl=/Tasks");
}
catch (Exception ex)
{
return ErrorAction("Error reading to do list: " + ex.Message);
}
}
The issue is the code recieved by the OnAuthorizationCodeRecieved method can only be used to get the access token for API1 since its scope was mentioned in auth call. When trying to get access token for API2 it returns null.
Question : How to configure the web app so that it is able to access multiple protected apis?
Please suggest.
The code can be found from the sample https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi
A single access token can only contain scopes for a single audience.
You have 2 options:
Combine both services into a single app registration and expose different scopes.
Request multiple tokens - one per service. If your SSO policy is configured correctly in B2C, this should happen silently unbeknownst to the user.
I recommend using option 1 if you own both services (which it sounds like you do). A few tips related to this option.
When declaring the scopes in the combined app registration, use the dot-syntax {LogicalService}.{Operation}. If you do this, the scopes will be grouped by logical service within the Azure portal.
Make sure you are validating scopes in your service. Validating only the audience is not good enough and would allow an attacker to make lateral movements with a token bound for another service.
I'm working on implementing integrating Azure AD login authentication to my web app. I have created an account in azure development portal and registered my app details.
my app URL -> https://my-sample-app/my.dashboard/
my redirect url is ->https://my-sample-app/my.dashboard/ws/aad/callback/
Note : ws that comes after my app url is the servlet adapter configured
my web app is a java app and i'm using ADAL java SDK
I have referred this article Authenticate to an Azure API App from Java and did the similar way
this is the code logic written under web path "aad/callback"
String appIdUri = System.getProperty("azure.app.id.uri", "https://login.microsoftonline.com/");
String authority = System.getProperty("azure.authority.url", "https://login.microsoftonline.com/my-sample-app.onmicrosoft.com");
String clientId = System.getProperty("azure.client.id", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
String clientSecret = System.getProperty("azure.client.secret", "xxxxxxxxxxxxxxxxxxxxxxxx");
AuthenticationContext context = null;
AuthenticationResult result = null;
ExecutorService service = null;
UserVO userVO = null;
try {
HttpsURLConnection conn = (HttpsURLConnection) new URL(appIdUri).openConnection();
service = Executors.newFixedThreadPool(1);
context = new AuthenticationContext(authority, false, service);
ClientCredential credential = new ClientCredential(clientId, clientSecret);
Future<AuthenticationResult> future = context.acquireToken(appIdUri, credential, null);
result = future.get();
HttpSession session = request.getSession();
LOGGER.info("session :{}",session);
String accessToken = null;
if (result == null) {
throw new ServiceUnavailableException("authentication result was null");
} else {
accessToken = result.getAccessToken();
}
String data = "{\"access_token\": \"" + accessToken + "\"}";
LOGGER.info("access_token :{}", data);
conn.setRequestMethod("POST");
conn.setDoOutput(true);
conn.addRequestProperty("Content-Length", data.length() + "");
new DataOutputStream(conn.getOutputStream()).writeBytes(data);
String authTokenResp = IOUtils.toString(conn.getInputStream());
Gson gson = new Gson();
Map<String, Object> map = gson.fromJson(authTokenResp, Map.class);
String authenticationToken = (String) map.get("authenticationToken");
System.out.println("Authentication Token: "+authenticationToken);
I'm able to see the access token value in the log statement but the authTokenResp output value that i received from authTokenResp = IOUtils.toString(conn.getInputStream()); looks like some html page (probably the login page response of portal.office.com ) doesn't has key authenticationToken in it.
I think I have made mistake by mentioning wrong URL for the appIdUri.
please can i someone tell me what URL should be given for appIdUri ? where can i find this URL value in azure portal ?
This sample is just a client credential flow to get access token.
please can i someone tell me what URL should be given for appIdUri ?
where can i find this URL value in azure portal ?
The first parameter of acquireToken method is the value of a resource which you want to access.It is the App ID URI of the target web API (secured resource). To find the App ID URI, in the Azure Portal, click Azure Active Directory, click Application registrations, open the application's Settings page, then click Properties. It may also be an external resource like https://graph.microsoft.com. This is required in one of either the authorization or token requests.
Is my-sample-app.onmicrosoft.com your tenant name?
String authority = System.getProperty("azure.authority.url", "https://login.microsoftonline.com/{your_tenant_name}");
If you want to integrate Azure AD login authentication to your web app, you should refer to this sample.
I'm pretty new to Azure AD Graph and the authentication process. I was able to incorporate a single-sign on using the Azure AD Graph client as found in this example using a .NET MVC application: https://github.com/Azure-Samples/active-directory-dotnet-graphapi-web
My dilemma is that even though I've authenticated my session, it's still requesting that I login again to perform the actions found in the controller below:
public ActionResult Test()
{
if (Request.QueryString["reauth"] == "True")
{
//Send an OpenID Connect sign -in request to get a new set of tokens.
// If the user still has a valid session with Azure AD, they will not be prompted for their credentials.
// The OpenID Connect middleware will return to this controller after the sign-in response has been handled.
HttpContext.GetOwinContext()
.Authentication.Challenge(OpenIdConnectAuthenticationDefaults.AuthenticationType);
}
// Access the Azure Active Directory Graph Client
ActiveDirectoryClient client = AuthenticationHelper.GetActiveDirectoryClient();
// Obtain the current user's AD objectId
string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
// Query and obtain the current user object from the Azure AD Graph Client
User user = (User)client.Users.
Where(u => u.ObjectId
.Equals(userObjectID, StringComparison.CurrentCultureIgnoreCase)).
ExecuteSingleAsync().
Result;
// Get the employee Id from Azure AD (via a directory extension)
IReadOnlyDictionary<string, object> extendedProperty = user.GetExtendedProperties();
object extendedProp = extendedProperty["extension_ExtensionId_employeeID"];
// Hash the employee Id
var empId = PasswordHash.ArgonHashString(extendedProp.ToString(), PasswordHash.StrengthArgon.Moderate);
// Send to the view for testing only
ViewBag.EmployeeName = user.DisplayName;
ViewBag.EmployeeEmail = user.Mail;
ViewBag.EmployeeId = empId;
return View();
}
The error I get is a:
Server Error in '/' Application
Authorization Required
With the following lines of code in the yellow box:
Line 22: if (token == null || token.IsEmpty())
Line 23: {
Line 24: throw new Exception("Authorization Required.");
Line 25: }
Line 26: return token;
Since I'm fairly new to the authentication piece, I need a little guidance on how-to obtain the current session token so I don't get this error.
I'm using the Azure AD Graph because I'm obtaining a specific directory extension in Azure that I wasn't able to obtain through Microsoft Graph (for right now and based on my current deadline).
Any advice will be helpful.
If the token is null , user needs to re-authorize . As shown in code sample , you could use try catch statement to handle the exception :
try
{
}
catch (Exception e)
{
//
// The user needs to re-authorize. Show them a message to that effect.
//
ViewBag.ErrorMessage = "AuthorizationRequired";
return View(userList);
}
Show message to user(for example , Index.cshtml in Users view folder) :
#if (ViewBag.ErrorMessage == "AuthorizationRequired")
{
<p>You have to sign-in to see Users. Click #Html.ActionLink("here", "Index", "Users", new { reauth = true }, null) to sign-in.</p>
}
If you want to directly send an OpenID Connect sign-in request to get a new set of tokens instead show error message to user , you can use :
catch (Exception e)
{
....
HttpContext.GetOwinContext()
.Authentication.Challenge(new AuthenticationProperties {RedirectUri = "/"},
OpenIdConnectAuthenticationDefaults.AuthenticationType);
.....
}
If the user still has a valid session with Azure AD, they will not be prompted for their credentials.The OpenID Connect middleware will return to current controller after the sign-in response has been handled.
I've successfully implemented MSAL JS for Azure AD B2C.
The next step is to let the user edit their profile. I've created a new policy for Edit Profile.
But how to redirect the user there? There are only login methods / acquire token methods.
I've tried to set the authority to a different policy. It then does redirect to the right page, but then it starts complaining about errors in scopes, and it messes up the token locally.
editProfile() {
this.userAgentApp.authority = this.policyEditProfile;
this.userAgentApp.loginRedirect();
}
The ASP.NET code examples explicitly have an option to set the editProfile Policy ID: https://learn.microsoft.com/en-gb/azure/active-directory-b2c/active-directory-b2c-devquickstarts-web-dotnet-susi#update-code-to-use-your-tenant-and-policies
Feels like this is missing from MSAL.JS and I have to manually craft the URL, is that correct?
Yes, this is correct. You will need to use a different authority which URL is composed of the tenant and the policy name, as shown here:
private static string Tenant = "yourTenant.onmicrosoft.com";
public static string PolicySignUpSignIn = "b2c_1_susi";
public static string PolicyEditProfile = "b2c_1_edit_profile";
private static string BaseAuthority = "https://login.microsoftonline.com/tfp/{tenant}/{policy}/oauth2/v2.0/authorize";
public static string Authority = BaseAuthority.Replace("{tenant}", Tenant).Replace("{policy}", PolicySignUpSignIn);
public static string AuthorityEditProfile = BaseAuthority.Replace("{tenant}", Tenant).Replace("{policy}", PolicyEditProfile);
BTW, that sample, although for .NET Desktop shows how to use the edit profile and password reset policies: active-directory-b2c-dotnet-desktop , see in particular the EditProfileButton_Click method, the factor of acquiring the token (interactively) will trigger the dialog to edit the profile:
AuthenticationResult authResult = await App.PublicClientApp.AcquireTokenAsync(App.ApiScopes, GetUserByPolicy(App.PublicClientApp.Users, App.PolicyEditProfile), UIBehavior.SelectAccount, string.Empty, null, App.AuthorityEditProfile);
I'm trying to implement OAuth using OWIN for a Web API v2 endpoint on my local intranet. The API is hosted in IIS using built-in Windows Authentication. In short, this is what I want to happen.
When I ask for my Token at /token
Pull the WindowsPrincipal out of the OWIN context
Use the SID from the WindowsPrincipal to look up some roles for this
user in a SQL table.
Create a new ClaimsIdentity that stores the username and roles
Turn that into a Json Web Token (JWT) that I sent bak
When I request a resource from my API using my token
Convert the JWT Bearer token back to the ClaimsIdentity
Use that ClaimsIdentity for authorizing requests to the resource by
role
This way I don't have to do a database lookup for user roles on each
request. It's just baked into the JWT.
I think I'm setting everything up correctly. My Startup.Configuration method looks like this.
public void Configuration(IAppBuilder app)
{
// token generation
// This is what drives the action when a client connects to the /token route
app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
{
// for demo purposes
AllowInsecureHttp = true,
TokenEndpointPath = new PathString("/token"),
AccessTokenExpireTimeSpan = TimeSpan.FromHours(8),
AccessTokenFormat = GetMyJwtTokenFormat(),
Provider = new MyAuthorizationServerProvider()
});
//// token consumption
app.UseOAuthBearerAuthentication(
new OAuthBearerAuthenticationOptions()
{
Realm = "http://www.ccl.org",
Provider = new OAuthBearerAuthenticationProvider(),
AccessTokenFormat = GetMyJwtTokenFormat()
}
);
app.UseWebApi(WebApiConfig.Register());
}
MyAuthorizationServerProvider looks like this...
public class MyAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
// Since I'm hosting in IIS with Windows Auth enabled
// I'm expecting my WindowsPrincipal to be here, but it's null :(
var windowsPrincipal = context.OwinContext.Request.User.Identity;
// windowsPrincipal is null here. Why?
// Call SQL to get roles for this user
// create the identity with the roles
var id = new ClaimsIdentity(stuff, more stuff);
context.Validated(id);
}
}
My problem is that context.Request.User is null here. I can't get to my WindowsPrincipal. If I create some other dummy middleware, I can get to the WindowsPrincipal without issue. Why is it null in this context? Am I doing something wrong?
Swap the order of UseOAuthAuthorizationServer and UseOAuthBearerAuthentication. UseOAuthBearerAuthentication calls UseStageMarker(PipelineStage.Authenticate); to make it (and everything before it) run earlier in the ASP.NET pipeline. User is null when you run during the Authenticate stage.