SSO integration using FastAPI with OAuth2 & Azure AD - oauth-2.0

I have a requirement to integrate azure SSO to the WebApp. My WebApp is built in FastAPI. Currently I implemented it by referring https://pypi.org/project/fastapi_msal/. It's working and giving me logged in user information which I need. But the usecase which i need is little different from this, This link implemented as user should enter clientID & Client Secret. But in my case on button click or on page load user should directly login it should not prompt to add clientID & Secret.
How i can achieve this? I am not getting any proper document WRT FastAPI

For the scope that you can get are identified in the app registration api Permission and NOT "delegated permissions" client credentials flow cannot get delegated permissions flow.
Once you give an application permission, you have to click grant for tenant. If you don't it won't be able to use it. This option specifies the client secret for the confidential client app. This secret (app password) is provided by the application registration portal or provided to Azure AD during app registration with PowerShell AzureAD, PowerShell AzureRM, or Azure CLI.
Read more here for more information on client secret.

Related

Azure JWT in PowerAutomate for Execution user

I am setting up a PowerAutomate flow which will be called from a PowerApp. I would like fetch a JWT token from Azure AD in Power Automate and use that token to authenticate call a REST API, return back the result to PowerApps.
However, I would the JWT token be generated for the user which executes the flow and I dont want to hard-code user credentials in the flow. There would be multiple users executing the flow and each user would have different permissions in my App ( to which the REST call is made) so I want the authentication to the app be done as a named user rather than a service account/generic account
Thank you #lona Varga for your valuable suggestion. Posting your suggestion as an answer to help other community members.
To authenticate your application as a named user, please try the
following:
Create both backend and client application registrations in Azure portal.
After configuring these, create a custom connector by updating your security setting as below:
Authentication type: OAuth 2.0
Identity Provider: Azure Active Directory
Client ID: Client ID for Client App Registration
Client Secret: Client Secret for Client App Registration
Resource URL: Client ID fot Backend App Registration.
Update the redirect url by removing the existing value and add this newly created one, this is same for all connectors and it is :
https://global.consent.azure-apim.net/redirect
For more in detail, please refer below link:
Solved: Re: custom connector secure using Azure Active Dir... - Power Platform Community (microsoft.com)

How can i add google OAuth2 to authenticate an angular node application which uses wso2 identity manager as authentication provider?

We are currently working on an Angular node application which uses WSO2 Api Manager and Identity Server . The current mode of login is done through emails which gets saved as WSO2 Carbon users . We need to allow users to login using their google or facebook accounts using OAuth2. I have implemented the code for fetching access token,refresh token on login through google on click of a button from my app . But How can i link it to save this user as a user in our application's identity server . I found the below link which helps in the process: https://docs.wso2.com/display/IS570/Logging+in+to+an+Application+Using+Google#50629d9a6ddf4769ae2d8953c5a25645 .
Can anyone suggest me whether this one would help ?
I would like to know how the google account user details will be saved as a user in our identity manager ?
Is it possible ? If possible, what all data will i get from google ?
I assume that you have already done the configurations for the communication between your application and the WSO2 Identity Server according to the description in the question.
From the description, I'm not certain that you have done the configurations to federate the login to Google. Follow the below steps if you already haven't done so.
Generate OAuth client ID from the google developer console.
Configure a federated authenticator in WSO2 IS with google authenticator using the generated client id and secret values.
Add newly created IDP as an option to the first step of your application.
More information can be found in here. From Google, you can get email and default profile attributes of the user. Reference.
Follow the same steps for Facebook login as well. More information available here.
Now the federated login is configured. Now you need to enable JIT provisioning for the configured Identity Providers above to save the user in the Identity Server when the user is logged in with those social login options. More information available in here. You have a few modes to create the user in the Identity Server.

Authenticate and Show an Azure AD secured Web App View from an Third Party App

Background
I have a MVC 5 Web App and hosted in Azure App Service as Web App and secured with Azure AD; Anybody with valid AD credentials can authenticate themselves and view all HTML Content in the Web App;
Objective
I need to give just one of these MVC-View to outside individuals to view. For such we have already created an User in Azure AD which we will be sharing the details with the outside world. Hence, the thrid party will need to write some code to authenticate to our Azure AD and view this HTML content non interactively (Which means without allowing the third party app to prompt to enter user credentials from Azure AD).
What I have thought about
Assume that I am the third Party, I am going to authenticate to Azure AD from a Console/WinForms/HTML
Page and get myself a token; Then I will be using the token, to open
up a Browser to view this page.
Challenges I see
Session Expiration
Session Validity
Putting everything intto a Picture
Please show me some guidence to accomplish the objective.
Hence, the thrid party will need to write some code to authenticate to our Azure AD and view this HTML content non interactively (Which means without allowing the third party app to prompt to enter user credentials from Azure AD).
Per my understanding, you could leverage the OAuth 2.0 Client Credentials Grant Flow by using the client_id and client_secret.
Also, you could use OAuth 2 Resource Owner Password Credentials grant. Note: The resource owner password grant doesn't provide consent and doesn't support MFA either. Detailed tutorial, you could follow here.
Based on the authentication implementation part in your Web App, you could follow the approaches below to implement your scenario:
For using App Service Authentication / Authorization
You do not need to modify any code in your Web App project.
For using Microsoft.Owin.Security.OpenIdConnect middleware
You could use Microsoft.Owin.Security.ActiveDirectory package in your Web App for supporting AAD bearer token authentication, and this middleware need to be configured before the other authentication middlewares as follows:
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Audience = "{the-AAD-clientId}",
Tenant = "{TenantId}"
});
//app.UseCookieAuthentication
//app.UseOpenIdConnectAuthentication
For the client (the third Party), they could leverage the above two flows (Client Credentials Grant Flow ,Resource Owner Password Credentials Grant Flow) to retrieve the access token without user interaction. Then they could access the specific view page by using the token as follows:
Get https://{your-app-name}.azurewebsites.net/home/index
Header Authorization:Bearer {the-AAD-accessToken-or-IdToken}
For retrieving the token, you could follow this tutorial for using User Password Credential flow. For Client Credential, you could just construct the ClientCredential instance when invoking AcquireTokenAsync for getting the token.
Additionally, you could create a new AAD application for this scenario or just use the AAD application for your current Web App. Moreover, there may exists risks when exposing the username & password or clientId & ClientSecret to the third Party, I would recommend you expose a new endpoint for generating the token in your Web App backend and return the token to the third party for security consideration.

Registering application in Azure portal using 'POST /applications' Graph endpoint

I am trying come up with a bash script to register an application in Azure AD using the /beta/applications endpoint from Microsoft Graph.
To call /applications, I would need to get an access token.
Is it possible to get an access token for Microsoft Graph using just email address/password (Without a client-id)? I am looking for something like "Resource Owner Password Credentials Grant Flow" mentioned in OAUTH2 spec.
Any other alternative I can look into. I want to write a simple script that would manage application registration and any updates to the application in future.
Yes, there are several means of running a script against the Microsoft Graph API without a user present:
AD supports the resource owner credential grant that you described in your question. This flow doesn't support some new auth features like multifactor auth and you'll have to be very careful about securely storing your credentials.
The other option is to use V2 auth client credential flow. In this case, the tenant admin consents to the application on behalf of the tenant. Afterwards, the application can run without a user present. One benefit of this flow as opposed to the V1 resource owner credential grant is that you pass a client credential which can be revoked and re-generated if needed (rather than dealing with raw user credentials).

Oauth resource owner password credentials grant type with WSO2 API manager when sso is setup with identity server

I am trying a POC with WSO2 API manager and Identity server. The application users are registered to the user store on the identity server. An API is exposed on the API manager that will be used by the application. The goal is to authenticate the users accessing the application using the oauth resource owner password credentials. The user credentials are in the user store on the identity server.I created a new tenant for this.
I configured SSO for the API manager by using this documentation. so that the users are authenticated against the identity server user store.
Tried to generate a token to access the API exposed on the API manager. I was able to retrieve the token client credentials grant type but not for the resource owner password grant type.
Appreciate any help here.
I do not think, you need SSO here. SSO is needed with APIM and WSO2IS, if users need to login to the API store/publisher/APIM management console. I hope you are talking about end users.. Then end users are may not need to login to the APIM. They just need to login your custom applications and application would call the APIs in the APIM.
But, say user need to login to custom applications using SSO, then you can configure SSO between WSO2IS and custom applications. Please refer here. Once user login to the application, application can exchange a end user's SAML2 Assertion with access token by using APIM. Then application can access the APIs in APIM using access token behalf of the user. You can refer this for more details
Also, if you are just trying to use OAuth just for authentication, You may need to use openid-connect. (just to login to custom application)

Resources