Can an AzureAD joined/hybrid device authenticate with Microsoft identity platform? I would like the device to retrieve the JWT access token, not a user account.
Related
I have asp.net core web api which is talking to MS Garaph Api.I have Implemented ROPC using service account to talk to onedrive. I have created the MS graph Api app in MS Portal 2 years back using the same service account. The the portal is obsolete now and the App is moved to Azure Portal. But i can get the Bearer token using ROPC and consuming Graph api and its working good.
Now i tried to mimic the same, i have created a new app in azure portal with same credentials and similar Metadata.The service account user type is member in azure Portal. I am getting the following error for the new App
"error": "invalid_grant",
"error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID
any ideas would be appreciated.
Thanks in advance
Subbiah K
First, you need to be the administrator of the tenant (if you are not a tenant administrator, you cannot give the administrator permission), you can set up user roles according to here process.
Then follow this process to grant administrator consent to the app:
1.Log in to https://portal.azure.com as a tenant administrator.
2.Open the registration of your application in the following location.
3.Go to settings and then the required permissions.
4.Press the grant permission button.
In the Azure portal, I registered the application for testing and used User.Read permission to demonstrate:
Then use the ROPC flow in postman to get the access token:
User Story: Given an ADB2C User, with Global Administrator role and an oid of 01234567-901a-bcde-f012-3456789abcde (not a real oid), I want to be able to log in as that user and retrieve the user profile from "https://graph.microsoft.com/beta/me" or "https://graph.microsoft.com/beta/users/01234567-901a-bcde-f012-3456789abcde". Both are listed in the documentation as valid endpoints for B2C.
It's not working:
In an app registration with only Microsoft Graph permission scopes assigned, I used postman to request a bearer token for access to MS Graph. There is one Web redirect URI (https://oauth.pstmn.io/v1/callback), one client secret, and implicit grant is on for both access and id tokens.
The scopes requested are: openid offline_access https://graph.microsoft.com/Directory.AccessAsUser.All
Again, the B2C user account has the Global Administrator role.
The Implicit flow returns the error message
AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.
The Authorization Code flow, when the app secret is included, lacks an access bearer token. There is an ID token and a refresh token, but no access token. That's with and without PKCE, whether or not I send the authorization to an external browser.
The app in my tenant has a user flow, B2C_1_postman, which is basically default. It works just fine with postman, other test apps, and the "Run User Flow" function in the B2C management blade.
The auth endpoint is:
https://{Tenant}.b2clogin.com/{Tenant}.onmicrosoft.com/B2C_1_postman/oauth2/v2.0/authorize
The token endpoint is:
https://{Tenant}.b2clogin.com/{Tenant}onmicrosoft.com/B2C_1_postman/oauth2/v2.0/token
I've duplicated this behavior with a couple of desktop demos from Microsoft's github repository, and now with Postman. The app, called "postman", is in the ADB2C tenant. I granted it the app API scopes of:
Directory.AccessAsUser.All
Directory.Read.All
Directory.ReadWrite.All
Directory.email
Directory.offline_access
Directory.profile
This procedure mirrors what the desktop demo at https://github.com/Azure-Samples/active-directory-b2c-dotnet-desktop sets up, with the single exception being that instead of a NodeJS sample app, I want my desktop app to use MS Graph. (This app registration works just fine if I add the endpoints for the sample app. But specifying the MS Graph scopes always returns an empty access ID.)
How can I get this to work?
Managing users through Graph API still seems to require usage of application permissions.
So instead of adding delegated permissions to the app in B2C, you need to add application permissions, where you call the Graph API as the app, not on behalf of the user.
The instructions in the docs explain the app registration in detail: https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started
You need to give this app application permissions to Graph API, not delegated permissions.
Then use those app credentials purely to call Graph API.
And you need to use the underlying Azure AD's token endpoint instead of your B2C policy token endpoint.
Since your app is a desktop app (a public client app), you'll need to do the Graph API interactions in a back-end service to which you can authenticate with a B2C token acquired on behalf of the user.
Mass confusion here.
You can definitely do what you are looking to do, except that this is all Azure AD functionality, not Azure AD B2C. So you are not looking to invoke any B2C user flow etc. B2C auths cannot get access to Microsoft APIs, only your own APIs.
AAD tenant - contains only AAD endpoints. It is a single token issuer
B2C tenant - contains both AAD and B2C token endpoints. There are two token issuers respectively
A B2C tenant contains:
AAD endpoint: login.microsoftonline.com THIS IS NOT BEING DEPRECATED
AAD B2C endpoint: tenantName.b2clogin.com+ B2C policyId parameter
Based on the authentication request, the request is routed to the two different token issuers.
The next key point:
AAD endpoints allow you to obtain tokens to your applications protected by an AAD Application Registration.
AAD endpoints allow you to obtain tokens to Microsoft APIs, since they are also protected by AAD on our side. Such as MS Graph API.
AAD endpoints allow client_credentials
B2C endpoints allow you to obtain tokens to your applications only protected by an AAD B2C Application Registration.
B2C endpoints do not allow client_credentials
You cannot use tenantName.b2clogin.com to obtain a token for MS Graph API, based on the above rule set.
This means a users B2C authentication cannot be used to authorize to AAD protected apps, or Microsoft APIs. (Eventhough the new App Reg experience allows assigning the permissions to MS Graph for B2C Application Registrations- we are looking to fix that).
When you use login.microsoftonline.com and don't provide any policy id parameters against a B2C tenant, you hit the AAD endpoints of the B2C tenant, again it works. You can get tokens to Microsoft Graph API for example, using the users context.
When you use tenantName.b2clogin.com and provide any policy id parameters against a B2C tenant, you hit the AAD B2C endpoints of the B2C tenant, now it will not work as you expected it to. Hopefully the above clarifies why. And since there is no deprecation of the AAD endpoint, you don't need to be using this domain name for this type of call.
The summary is, treat your scenario as a pure Azure AD scenario, as per this sample. You create an Application Registration for Accounts in this organizational directory only. when prompted for the type.
Context:
AD domain, AAD Connect, Office365 tenant
ADFS deployed, federation between AD and AAD
SAP GW on premise, with SAML and OAuth configured
SAP GW does not support integration with AAD (only SAML SSO, and it's required to use it's own OAuth server)
Scope:
I'm trying to build an application in SharePoint online where the authenticated user can:
fetch data from the SAP gateway (oh behalf of the user)
fetch data from Microsoft Graph
Design (So far):
The user access Office 365 and authenticate with ADFS
With ADAL/MSAL I'm able to acquire an OAUTH token from AAD and get data from Graph (supported by the registration of an Enterprise application in AAD with permission for Graph)
Issue:
The OAuth token generated by AAD is not validated by SAP OAuth Server onprem if I try to access the onprem SAP API.
What should I do?
Should I get another SAML assertion directly from ADFS to get another OAuth token for SAP OAuth Server to access the onpremise SAP API? If so, how can I get a SAML assertion (to call the SAP OAuth server) from ADFS without passing to adfs user credential (like in this example: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-saml-bearer-assertion) and by using information available in the user session (already authenticated with AAD)?
Is there a way to configure ADFS to accept SAML assertions / JWT tokens originating from AAD?
Should I do something else?
Any idea on how could I support this scenario?
Thank you
How to sign up a user to AWSCognitoIdentityUserPool and get the JWT tokens back?
I got Facebook token from facebook registration. Then how can I register user in the User pool with based on that token?
I need to get JWT tokens in responce after that to use them in my own backend.
Struggling with it a week already..
Recognize authentication is a two step process. First, your app must authenticate with Facebook to receive a JWT, it seems that you have done this successfully. Second, this JWT is exchanged for IAM credentials that will be used for API calls.
Authentication Flow:
App authenticates with Identity provider using the SDK for that identity provider. In response, the Identity provider sends a JWT that will be cached by the app.
App uses cached JWT to authenticate with AWS. If the Identity provider is configured in AWS, in response, AWS sends IAM credentials with the permissions granted to that identity provider.
IAM credentials are used to make calls to other AWS resources specified in the Policy
This documentation goes into more detail for these steps in regarding Facebook.
The AWS Amplify Library has support for iOS. I would recommend using this library to handle Authentication against Facebook Federated Identities.
You do not necessarily need a user pool managed in Cognito, as the user pool function is managed by Facebook.
I have an app that supports saml based sso and oauth based access to cloud storage providers such as google drive, dropbox, and microsoft onedrive. I have an account setup that uses OneLogin as an identity provider, and my app and onedrive acting as service providers. the app requires users to authenticate with their cloud storage provider, so I redirect the user from the app to onedrive during this auth step. since they are using onelogin sso, they are redirected from onedrive to onelogin, they login to onelogin, and are redirected back to onedrive. Here they resume the oauth flow and agree to grant the app certain permissions and send back a code. I use this code to ping onedrive's /token route to exchange it for an access_token and a refresh_token. however we are not receiving the refresh_token, thus requiring the user to frequently have to reauthenticate with onedrive.
does anyone have any insight as to why we are not receiving a refresh_token? I have reached out to onelogin and microsoft as well (no progress/response yet).
I have toyed around with settings in MS azure and onelogin but haven't solved the issue yet.
other details:
in microsoft azure, users are federated using ws-federation
so far, this issue only occurs with users who are using onedrive and an sso provider
i am using the v1 onedrive api
the auth response includes the access_token and other properties, just not the refresh_token
here is a link detailing the oauth flow for onedrive, indicating that i can expect a refresh_token from the https://login.microsoftonline.com/common/oauth2/token route: https://learn.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/aad-oauth (in fact this refresh_token is necessary to finish the flow)
here is another SO post that seems to be having a similar issue, but with godaddy: Refresh token not returned for Office365 accounts purchased through GoDaddy (i have tried messing with the StsRefreshTokensValidFrom attribute but to no avail)
to be clear, the flow is:
from app, attempt to oauth auth with onedrive
get redirected to onelogin
login to onelogin
get redirected to onedrive
grant permission for 3rd party app access
get redirected back to app with access code
exchange code for oauth tokens
fail to receive refresh_token
thanks!
To get a refresh_token, you need to set up the Refresh Token (timeout) field in the Token Timeout Settings of the SSO tab in the Application configured in your OneLogin Administration portal.