I have an app registered in Azure, and it needs to be able to communicate with dozens of different apps in my organization (those apps are also registered in Azure).
The problem is that I do not know the client_id and scope for these apps in advance.
Is it possible to retrieve this information using Graph API knowing only DNS name of the target app?
You can call list applications endpoint
GET /applications
appId property represents client id that is assigned to an application by Azure AD.
requiredResourceAccess property has resourceAccess property which represents collection of scopes.
resourceAccess has id property which is the unique identifier of an app role or delegated permission exposed by the resource application.
Unfortunately resourceAccess doesn't expose any information about the name of the permission.
All Graph API permissions and their IDs can be found here
Resources:
resourceAccess
Related
I've got following setup:
IdentityServer4 using asp.net core identity
Accounts app - where user can edit his account data and users can register
Portal - where users can login and select an organization to which they're connected (same as in azure devops)
API that is used by portal
Does anyone have experience setting up something similar ? My question would be how to authorize the calls at API level to make sure he is only editing entities that belong to his organization.
Thanks !
One way could be to use a tenant claim within each bearer token, so that when a user changes an organization on the portal (in case one user has access to several orgs), you perform relogin to the chosen tenant, or just request a new access token with a chosen tenant_id inside.
You can use this and this answers for the reference on how to pass a custom parameter (such as tenant id) with your request to Identityserver.
I'm trying to configure Active Directory to work in the following use case.
I have 1 API exposed in Azure API Management. I want this API to be called only by authorized apps.
I have created one AD App Registration representing this API and associated an App URI ID.
I have also created one AD App Registration representing my client app.
In POSTMAN, I use an OAuth2 client credentials grant type to get a token and it works. I have a token containing the right audience (= the application App URI ID of my API).
What is very weird is that I didn't do anything regarding permissions between the 2 AD apps. I thought that I need to authorize the client app to use the API app thanks to "API Permissions / Configured Permissions" but it sounds like it is not needed.
But it is not what I'm looking for because I want only authorized apps to be able to get a token with the right audience value.
Am I missing something in the configuration?
By default audience often means 'all APIs using an Authorization Server'. Some - but not all - vendors allow it to be customised in a more fine grained way.
Another option that is sometimes useful is to use custom scopes as high level privileges:
UI 1 includes scope=Orders
UI 2 includes scope=Reports
API 1 requires scope=Orders
If UI 2 calls API 1 you can deny access because it is missing a required scope
This can be a more flexible mechanism than audience, while achieving the same goals
It may not make sense if you are showing these details on consent screens to end users though ..
I found how to proceed, here are the steps:
In the Backend application, we need to set the User assignment required to true
We then need to update manually the manifest of the Backend app to create "app roles". We can create multiple roles to act as "scopes"
Then we need to set API Permissions in the AD Client App to authorize several app roles of the BackEnd App.
Thanks to this configuration, when the client App requests a token, it will obtain it if roles are authorized and the token will contain the list of roles if the "role" claim of the token.
Detail of the configuration is explained in the section of the post: https://github.com/Azure-Samples/active-directory-dotnet-daemon#ensure-that-tokens-azure-ad-issues-tokens-for-your-web-api-only-to-allowed-clients
CompanyA is integrating with CompanyB where CompanyA's users will be buying devices of CompanyB.
CompanyA wants to show user's device(CompanyB) details on their app by calling
CompanyB's API on each user login.
CompanyA user is authenticated on CompanyA IAM.
CompanyA has to call register device when user tries to add an device first time.
Help me to identify the flow which i can use to query particular loggedin user's device only.
Do i need to create duplicate user account on CompanyB's IAM?
If i use client credential flow for API to API call, access token given by CompanyB is only provides access for API calls but it does not tell that on behalf of correct user only call is invoked.
Assume that CompanyA uses IdentityServer or any other provider as IAM and CompanyB uses Azure AD B2C.
Any other approach?
Please see below diagram,
You should be able to do this by making the Company B API multi-tenant in their Azure AD.
There are other options surely, this is just the first one that came to my mind.
Overview of the multi-tenant pattern
You would have to do admin consent on it to get the API's service principal in your Azure AD tenant.
The Company B API can give you an endpoint for doing this, redirecting you with the proper parameters to the authorization endpoint. How to send a sign-in request
After doing this, you should be able to then require permissions on the API from Company A API in your tenant (configured in Azure AD).
Configure a client application to access web APIs
After doing those things, your API should be able to use On-Behalf-Of grant flow to get an access token for Company B API.
Using Azure AD On-Behalf-Of flow in an ASP.NET Core 2.0 API
Company B API must be configured to accept access tokens from another issuer than their Azure AD of course.
In general multi-tenant scenarios, the issuer validation is commonly turned off.
If Company B wishes to have control over this, currently they will have to explicitly list the valid issuers.
Issuer values look like this: https://sts.windows.net/31537af4-6d77-4bb9-a681-d2394888ea26/, the GUID is your Azure AD tenant id.
The Company B API can extract the tenant id and user object id from the access token, and authorize the user to resources based on them.
I was looking at the AWS side and looks like they have something that could meet the requirements
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html
Was wondering if something like this exists in Azure.
we have an existing "private/internal" API (non MS/Azure) that we would like to protect with oAuth2 provided by Azure AD, so, that the user's access to the API could be maintained by the Azure AD administrators.
It seems like the way to do this is to configure the API as a web application in the Azure AD. Then, users can get the authorization token from the Azure oAuth2 server and send it to the api (e.g. from a single page web app).
The API is expected to validate the scope, as per my understanding, received in the token and make a decision regarding the access.
But I can't figure out how to configure the API access scope in the Azure AD against a user. I.e. how to link a particular user and the API scope in Azure AD?
Can someone pls advise?
Thank you.
When you configure the app, you can enable "User assignment required" (in the Enterprise application Properties in the Azure Portal), and then configure which users or groups should have access.
Alternatively, if you need more granularity, you can use the Role based access, where you define roles in the application manifest (https://learn.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles), and then assign users to the different roles.
The [Authorize] attributes on the API controllers or on actions in them can then be configured with the required roles to access them, like so:
[Authorize(Roles = "Admin, Writer, Approver")] (any of the three named roles have access).
There is a sample which demonstrates this.
One of my iOS apps contacts one of my services using Google Cloud Endpoints and I would like to restrict access to that service to instances of the app.
I've followed instructions about adding authorization and have created an iOS client ID that is tied to my app's bundle id and app store id. I've now difficulties understanding this part of the instructions:
If your iOS app is making calls to an Endpoint that requires
authentication, you must Add a Sign-in Dialog to your iOS client.
I do not want my users to log in but instead I want my app to present its credentials to the service for authentication without user interaction. I thought since the client ID is (presumably cryptographically) tied to the client ID and bundle ID only the app is (somehow) able to do so and that the client ID would effectively serve like a service account.
Is this type of app (not user) authentication scenario supported by Google Cloud Endpoints (for iOS clients) or do I have to roll my own app authentication by passing some secret in the application-level protocol? Here are some earlier related (unanswered) questions for Android clients.
I have concluded for now that Google Cloud Endpoints allows authentication only based on Google account credentials. What I need is a credential for the entire app (not its users) akin to a service account or an API key.
I have used service accounts for server-to-server communication. It does not seem possible to create service accounts for an app (as opposed to a GAE application).
GTLService has a property APIKey. However, if my client sets it to a public access key (iOS key) that I created for my GAE application in Google Developer Console the server returns error Access Not Configured. Please use Google Developers Console to activate the API for your project but there is no (obvious) way for configuring non-Google APIs such as my service API.
So until further notice I will add an API key to my application-level API requests and check it in each #ApiMethod.