How to add user groups to ID token in Okta? - oauth-2.0

When using the authorization code flow, is there any way to receive user's groups in their ID token?
I've tried adding a "Groups claim filter" with "Matches regex" as .*, but it doesn't help.

Navigate to Security > API > Authorization Servers, and click on the default server. Click the Claims tab and Add Claim. Name it groups, and include it in the ID Token. Set the value type to Groups and set the filter to be a Regex of .*. Click Create.

Related

Project Online Authenticate OData Feed using Azure AD and Postman

I have recently spent a substantial amount of time determining how to authenticate an OData feed from Project Online using Azure AD and Postman. There are many posts in different forums about this, but I wasn't able to find a single post that gave a complete working example. Following is the method that I have used.
ASSIGN PERMISSIONS IN PROJECT ONLINE
Open Server Settings / Manage Groups.
Choose the group that you want to allow to access the OData feed and ensure it has Access Project Server Reporting Service (under General in Global Permissions) ticked.
CONFIGURE AZURE AD
Register a new app in Azure.
Define the Redirect Uri. (For postman, use https://oauth.pstmn.io/v1/callback)
Define a client secret
CONFIGURE POSTMAN
Create a new request and define a GET query along the lines of the following: https://[Your Domain].sharepoint.com/sites/pwa/_api/ProjectData/Projects
This requests a list of projects.
Under Params, add a new key accept = application/json if you want JSON output; the default is XML.
Under Authorization Tab, choose the following:
Type = OAuth 2.0
Access Token = Available Tokens
Header Prefix = Bearer
Token Name = [Any Name you want]
Grant Type = Authorization Code
Callback URL = [tick Authorize Using Browser. This will then default to https://oauth.pstmn.io/v1/callback]
Auth URL = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Access Token URL = https://login.microsoftonline.com/common/oauth2/v2.0/token
Client ID = [From Azure AD]
Client Secret = [From Azure AD]
Scope = https://[Your Tenant Name].sharepoint.com/ProjectWebAppReporting.Read
State = [Anything you want]
Client Authentication = Send client credentials in body.
If you enter all of this correctly and then press Get New Access Token, you should see a browser open, enter your credentials and then a token should return to Postman as shown in screenshots below. Press Use Token.
Note, if you are interested to see what the token contains, you can decode it at https://jwt.io/
At this point, press Send, run your query and confirm that the Body contains odata output.
EDIT NOTE:
I have made multiple adjustments to this answer as I identified and resolved multiple roadblocks that I encountered. It turned out to be quite simple in the end, but the key concept that was needed to get this right was that the Scope parameter needed to be targeted to the PWA site, i.e. https://[your tenant name].sharepoint.com.au/user.read

Is it possible to overload the 'state' parameter in botbuilder-dialog OAuthPrompt flow?

I am using the botbuilder-dialog OAuthPrompt class in my Teams app to create a sign-in flow for my custom OAuth service.
(see https://learn.microsoft.com/en-us/javascript/api/botbuilder-dialogs/oauthprompt?view=botbuilder-ts-latest)
As part of this flow we create the dialog:
    this.addDialog(
      new dialogs.OAuthPrompt(OAUTH_PROMPT, {
        connectionName,
        text: 'Please sign in so I can show you your profile.',
        title: 'Sign in',
        timeout: 300000,
      }),
    )
We have defined a Generic OAuth 2 service in Azure OAuth connection settings. And this works fine.
The PATH that is sent to my service is:
/oauth/authorize?client_id=<redacted>&response_type=code&redirect_uri=https%3a%2f%2ftoken.botframework.com%2f.auth%2fweb%2fredirect&scope=read+write&state=89c54fc705a649fe8a2be3feacbbe89e
The state param in the query string here is likely a randomly generated GUID. I need to override this state for my application, however, as I have a need to receive the tenant_id of the Teams server and I'd like to include this in the state param.
Does anyone know of a way to do this?
Teams opens the start page in an iframe in a pop-up window. The start page generates random state data, saves it for future validation, and redirects to the identity provider's /authorize endpoint, such as https://login.microsoftonline.com//oauth2/authorize for Azure AD. Replace with your own tenant id that is context.tid. Similar to other application auth flows in Teams, the start page must be on a domain that is in its validDomains list, and on the same domain as the post sign in redirect page.

Want to allow only single domain (@example.com) email for sign-up in Firebase not working

I have written one rule on Firebase to restrict sign-up from other domains, but it's not working, and because of that anyone is able to sign up with any domain.
My Rule On Firebase:
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      // Firestore rule strings have no endsWith(); match the domain with a regex.
      allow read, write: if request.auth.token.email.matches('.*@example[.]com$');
      // allow rules are additive: an unconditional create would admit any signed-in user.
      allow create: if request.auth.uid != null
                    && request.auth.token.email.matches('.*@example[.]com$');
    }
  }
}
Maybe some issues in my rule or I am missing something.
Help me correct the above rule to restrict sign-up from other domains.
So basically, as I stated in the comments, your rule is fine. It's just that the token needs to be a custom JWT auth token with the email property set.
Take a look at the following answer to get a picture of what I am talking about:
Firebase rule auth.token.email is not working: "Simulated write denied"
Also, since you will be using a custom token, you will need a server-side script which generates this token for the email that you want. Once you have this custom token with the email property set, you sign in using this token in your app and your rule will work.

How to send Active Directory Group SID in SAML response from OKTA?

Is it possible to send AD Group SID in SAML response? If yes, how can that be achieved so that we can process that SID value in our SP?
However, we were able to send the AD User SID in the SAML response after profile-mapping appuser.objectSid to user.manager (as we didn't find user.objectSid) and adding it to the attribute statements.
Is there any other/better way to obtain the AD User SID in the SAML response, or is the above the only way to do it?
So - you have 2 questions here:
1) Group SID. Okta does have Group SID but it isn't exposed as part of SAML config. You can send name(s) of groups that the user is a member of as part of the group attribute statement configurable in the SAML configuration of the app wizard (https://support.okta.com/help/articles/Knowledge_Article/Using-the-App-Integration-Wizard#Config_SAMLSettings)
2) For user SID, it's a 2-part setup. First, you want to add a custom attribute to the Okta user profile. That will allow you to then map the appuser.objectSid from AD to this custom attribute, rather than overloading some existing Okta attribute that doesn't make sense. Then in the app wizard SAML config, you can add a new attribute to your SAML assertion and associate that with the newly added custom attribute.
Both the group and user attribute statement config is done here (app wizard SAML config screenshot).
Hope this helps.

Discover owner of Twitter app via consumer_key and consumer_secret

I have inherited a legacy web application that contains API credentials for a Twitter application.
I have the consumer_key and the consumer_secret.
How do I determine the actual account owner of the application?
Is there a way to regenerate the API credentials without knowing the actual account information (i.e. username/password)?
Perhaps you can get some additional information if you have an Access Token for the app, even if it has expired.
When you create a new app in https://apps.twitter.com you get:
Consumer Key (API Key)
Consumer Secret (API Secret)
If you want to use it, you have to create an Access Token, and the result will be two values:
Access Token
Access Token Secret
The page for the app under https://apps.twitter.com will show you the fields "Owner" and "Owner ID" for the app.
If you have an Access Token value (you should have one if you are using the app), you'll find something like:
'access_token' => '12345678-XxxXXxxXxxXxX1XXXXxx2xXXxXxXXX3xXXxxxxxXX'
The part at the beginning of that value, just before the hyphen (that is, 12345678 in this example), will be the Owner ID of the user that created the Access Token (you'll have to use your actual value instead of the example's 12345678).
If you go to
https://tweeterid.com/
and enter the Owner ID extracted from the Access Token field (which will be the same as the app's; for example: 20749410), you'll obtain the Owner (@finkd = Mark Zuckerberg in this case).
If you are lucky and the user that created the Access Token is the same one that created the app, you'll have the answer to your question. If they aren't the same person, at least you have a minor clue to keep investigating.
Email api@twitter.com. They should be able to reach out to the original developer.