Unable to get Azure AD Groups to appear in user claims - asp.net-mvc

I've read every article and post on this subject, to no avail.
I have an MVC app in azure. I wanted to connect to Azure AD, and get the Groups for a user.
To do this, firstly I altered the Program.cs
// Azure AD
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
Also this:
builder.Services.AddControllersWithViews(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
Once I did this, it asked me to authenticate when I ran it. I logged in, and it worked. On my MVC page I added #User.Claims.SingleOrDefault(_ => _.Type == "name")?.Value; and it works great.
Next, I wanted to see what groups the user is in.
I followed every guide I could find, but nothing seemed to work. In the user's claims, there is no 'groups' entry or anything suggesting overage (I assume it would appear in claims?).
Now I don't know if I am missing some configuration from my appsettings file? I say this because my appsettings ONLY has this:
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft.AspNetCore": "Warning"
}
},
"AllowedHosts": "*",
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"ClientId": "a guid",
"TenantId": "another guid"
},
It's unclear. After adding the above, I went into Azure and I did various tasks:
My web app : Token configuration > Add groups claim
My web app : API permissions > GroupMember.Read.All (Granted)
My web app : Manifest > change to "groupMembershipClaims": "All"
I also did the same thing in Enterprise applications > MyApp | Single sign-on, I don't know what that is but it was in one of the many posts I read.
What could I possibly be missing that is preventing the groups from appearing?

Here's the answer, I hope this saves future people some insane levels of pain.
For whatever reason, your claims are cached. I've been working on trying to fix this for like, 2 days. So it caches for a long time.
Since the application is single-sign on, and resists most attempts to force it to sign out, this is the issue. Once I signed it out, it updated my claims.
So if you're having issues, REMEMBER TO SIGN OUT AND BACK IN!
Here's how:
Azure > Go to Azure Active Directory > App Registrations
Click your application, click Authentication
In the Front-channel logout URL, enter the value: https://localhost:[YOURPORTHERE]/signout-oidc assuming it's dev and you're using a port number.
Hit SAVE.
Now launch your website, and then browse to that URL. It will sign you out. Next time you hit it it will prompt you to log in again, and then all of your information will be updated.

Related

Auth0 React JS Quickstart Not Requesting all scopes

I am currently using the react JS quick start available at the following link.
https://github.com/auth0-samples/auth0-react-samples/tree/master/Sample-01
About a year ago, I was able to repurpose it. That old app is still working fine, able to authenticate, authorize and also make calls to a custom API.
On the old app, I am getting all the scopes.
“scope”: “openid profile email read:profiledetails read:seeallquotes read:sitestats read:testperm1 read:testperm2”
Now, I have made a fresh copy of the react app using the quick start option, from the same auth dashboard as the old app. Updating the config file to match the old app config files. I get the following scopes
“scope”: “openid profile email”
Why am I not getting all the scopes as per the user login? Same user, on the old app, gets all the scopes. I believe, the new react app is not asking for all the scopes when it asks for token. But, I have updated all the scopes I need in the auth config.
Both apps - old and new - have the exact same auth file, and are linked to the same auth0 server, same custom api, same everything. I am also using the same user account for testing on both the apps.
{
“domain”: “removedonpurpose.us.auth0.com”,
“clientId”: “removedonpurpose”,
“audience”: “removedonpurpose”,
“scope”: “read:current_user update:current_user_metadata read:capquotes read:penquotes read:profiledetails read:seeallquotes read:sitestats read:testperm1 read:testperm2”
}
Why is this happening?
What else should be included in the react app to make it ask for all the scopes?
This question is related to the original question I posted on the Auth0 forums. Linking it here. https://community.auth0.com/t/scope-not-included-in-token-call/65173
Right after I posted this I discovered that the latest version of the react quick start makes some changes.
especially the following.
// Please see https://auth0.github.io/auth0-react/interfaces/auth0provideroptions.html
// for a full list of the available properties on the provider
// const config = getConfig();
// const providerConfig = {
// domain: config.domain,
// clientId: config.clientId,
// ...(config.audience ? { audience: config.audience } : null),
// redirectUri: window.location.origin,
// onRedirectCallback,
// };
I missed this part. in the old app, the configuration was done differently. It looked something like this.
<Auth0Provider
domain={config.domain}
clientId={config.clientId}
audience={config.audience}
redirectUri={window.location.origin}
onRedirectCallback={onRedirectCallback}
scope={config.scope}
>
<App />
</Auth0Provider>,
with the settings read directly from JSON.
Anyway, I went back to the old way for now. The quick start tutorial still shows the old options which threw me off as I was using the tutorial as reference and did not discover that they made changes.
Not blaming the tutorial. I should have investigated in the beginning.

Teams notifications are not received when using Graph's sendActivityNotification

I've created a Teams app using the Teams App Visual Studio template, and configured it with a single personal tab. I've set set up ngrok so that this can be debugged locally. I've sideloaded the app, and all looks fine - Teams can load the tab, and it displays as it should.
I'm now trying to send an activity notification to this tab. Graph accepts the post activity just fine - I'm returned a 204 - but the activity is never delivered to my Teams client.
My test teams user and the Azure AD app are configured in the same tenant. The Azure AD app has the TeamsActivity.Send permission.
All URLs in my manifest are configured with the ngrok endpoint. I have a valid activityType defined, and my webApplicationInfo section is configured with the AAD App ID and redirect URI as outlined here. I've also added TeamsActivity.Send to the applicationPermissions section of webApplicationInfo
I'm posting the following json to Graph:
{
'topic': {
'source': 'entityUrl',
'value': 'https://graph.microsoft.com/beta/users/<my user id>/teamwork/installedApps/<my app id>'
},
'activityType': 'testActivity',
'previewText': {
'content': 'Something happened'
},
'templateParameters': [
{
'name': 'teammember',
'value': 'Bobby muffin'
}
]
}
This all ties up correctly with the manifest, and as I mentioned, Graph accepts the POST just fine. I've also tried adding the "recipient" section to the json, but get the same result.
I have no idea why I'm not seeing notifications. After I post the notification, I don't see any traffic to ngrok (although I'm not sure whether the notification would come in that way, or via the Teams client).
It feels like I'm missing some config somewhere.
My bad... while I was testing this, I was trying to send a notification to myself, which is explicitly not supported - https://learn.microsoft.com/en-us/graph/teams-send-activityfeednotifications#faqs

We can't do account linking using iOS's Google assistant app

I want to realize account linking to Google account with Google Home.
On realizing this, our app's flow of account linking follow to
this page.
It page shows this.
...so we send back a message saying they need to visit our website to authorize us to access their Google services. We may require them to switch to a mobile device to do this part and even include a link to the login page.
At this part, we use GoogleHome's rich response to send authentication link to user's mobile device.
For example,
payload: {
google: {
expectUserResponse: true,
richResponse: {
items: [
{
simpleResponse: {
textToSpeech: "textToSpeech"
}
},
{
basicCard: {
title: "Title",
formattedText: "formattedText",
buttons: [
{
title: "ButtonTitle",
openUrlAction: {
url: "https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&scope=https//www.googleapis.com/auth/calendar.readonly&response_type=code&client_id=xxx.apps.googleusercontent.com&redirect_uri=https//project.com"
}
}
],
}
}
]
}
}
}
We can do account linking using Android OS, but iOS can't do that due to 403 error.
We've investigated the cause, it needs to use a specific browser to see google authentication page.
How can I do account linking to avoid such problem?
Or could you tell me another way to do account linking to Google account.
Please excuse my poor English. Thank you.
As per Actions on Google policy, your account linking should be owned or controlled by you. It seems like your account linking is trying to use Google OAuth directly.
You could use Google Sign-in directly, which provides a better UX, although that flow will not give you the ability to request any scopes like calendar. You would need to handle users who don't have authorized scopes until they grant the scopes to your service in another matter such as visiting your website in a web browser.

Resetting a User's Password with Microsoft Graph

I also would like reset a user password using Microsoft Graph from a windows service using admin permissions. Using PATCH request to the user's profile
seemed promising but the required Directory.AccessAsUser.All permission is not on the list at apps.dev.microsoft.com so I get a "Insufficient privileges to complete the operation." error.
I had promised to replace PowerShell cmdlets with Microsoft Graph in our application and this small but essential feature now becomes a blocker.
Is there a plan to add this permission to the list?
Is there any way I can assign this permission? perhaps by editing the manifest? If so does anyone know the correct info
"resourceAppId": "????",
"resourceAccess": [
{
"id": "????",
"type": "Scope"
,
What's with the office portal Azure Directory Admin, app registration (preview)? I can see the app I registered at apps.dev.microsoft.com. Is it now an alternative to apps.dev? I like the interface better and the built-in admin consent button.
There is no application permission (yet) that allows you to reset a user's password using Microsoft Graph.
Is there a plan to add this permission to the list?
Yes, but that's about all there is to share, at the moment.
Is there any way I can assign this permission?
The only way to achieve this today (2019-01-17) is to assign the "Company Administrator" role to the ServicePrincipal object for your app — a very risky move (which is not recommended), as it will give your app full admin permissions.
What's with the office portal Azure Directory Admin, app registration (preview)? [...] Is it now an alternative to apps.dev?
Yes, though it's still in preview and it's possible some things might not work (as with all things in preview).

Creating Admin Accounts for Domains Created from Reseller API

I am trying to automate the entire process of creating a google apps account through my company's reseller account with google, without any human having to manually enable anything.
Here's a quick scenario of what I am doing.
Create Customer (Domain) with Reseller API
Create Subscription with Reseller API
Create Admin Account for the Sold Domain
I am having trouble automating step 3.
There are 2 different APIs that can accomplish this tast, Provisioning (depricated) and Directory.
I have already successfully created user accounts with the Directory API, but this step requires you to enable API access for that domain, and that can only be done manually by a human - So thats a break in automation flow, and wont work for what I am trying to accomplish.
I was instructed by google tech support to use the Provisioning API, wich is deprecated, because it supposedly allows you to create an admin user without the need to enable the API access manually per domain. When I attempt to do this, I face this error:
Uncaught exception 'Zend_Gdata_App_HttpException' with message 'Expected response code 200, got 403 <HTML> <HEAD> <TITLE>You are not authorized to perform operations on the domain mydomain.com</TITLE>
Here's the code im attempting to run:
// .....
$customerid = "somedomain.com";
$client = Zend_Gdata_ClientLogin::getHttpClient("mylogin#foo.com", "mypassword",Zend_Gdata_Gapps::AUTH_SERVICE_NAME);
$gdata = new Zend_Gdata_Gapps($client, $customerid);
$gdata->createUser('Admin', 'Firstname', 'Lastname', 'somerandompassword', TRUE);
//......
When I consulted google tech support, they told me I needed to enable the provisioning api following the same instruction I posted earlier (enable api access per domain). I have done this on both my reseller domain, and the customer domain Im trying to provision on (just to test, becasue the entire point is to be able to make an admin account WITHOUT enabling it on the customer domain.) - But it still returns this error.
Here's my settings -- as you can see, its enabled.
In google's docs, under "Enabling the Provisioning API", it has some instructions, but they appear to be out of date and dont really reflect sections available in the current google apps admin panel.
Im at a loss. Am I missing something obvious, or is it just not possible to do at this time?
Just for reference, I have found a few other people asking a similar question, but with less detail:
Google Reseller Customer Admin User Creation Admin SDK How
How to create the domain administrator of a Google Apps domain purchased via the reseller API
EDIT: Added image showing settings, and code sample.
try to delete "TRUE" parameter in createUser , it's works for me.
$customerid = "sampledomain.com";
$client = Zend_Gdata_ClientLogin::getHttpClient($email, $password, Zend_Gdata_Gapps::AUTH_SERVICE_NAME);
$gdata = new Zend_Gdata_Gapps($client, $customerid);
var_dump($gdata->createUser('trial', 'Firstname', 'Lastname', 'somerandompassword'));
in Google app console
domain settings ->user settings
check the box "enable API access"
in Google app console --> advanced tools --> Manage third party OAuth Client access
Add the scope :
https://apps-apis.google.com/a/feeds/user

Resources