if I have a service account set up and am initializing the app in a firebase function with the service account credentials to do some database maintenance work, how can I restrict the rules in the database so that only the service account is able to access that path in the database, how can I go about it?
The only available options in the auth object appear to be token, uid, and provider.
The only fields available in the service account json file are:
{
"type": "service_account",
"project_id":
"private_key_id":
"private_key":
"client_email":
"client_id":
"auth_uri":
"token_uri"
"auth_provider_x509_cert_url"
"client_x509_cert_url"
}
Service accounts always bypass all security rules. It's not possible to write any security rules that limit the permissions of a backend SDK initialized with a service account.
Related
We are not able to generate a token for an app which is at the same time offering an API and acts as a client for another app. We want to use the client credentials workflow in OAuth.
The app ApiAndClient has client credentials and the permission to use the api of app ApiApp.
We granted the ApiAndClient app admin consent to use the api of ApiApp.
We configured a redirect URI in ApiApp.
When we want to issue a token for ApiAndClient, the following error message comes up:
{
"error": "invalid_request",
"error_description": "AADSTS501461: AcceptMappedClaims is only supported for a token audience matching the application GUID or an audience within the tenant's verified domains. Either change the resource identifier, or use an application-specific signing key.\r\nTrace ID: XXXXX\r\nCorrelation ID: XXXXXXXXX\r\nTimestamp: 2020-09-04 07:40:31Z",
"error_codes": [
501461
],
"timestamp": "2020-09-04 07:40:31Z",
"trace_id": "XXXXXX",
"correlation_id": "XXXXXX"
}
We compared the settings of both ApiAndClient and ApiApp to other apps, where the token works.
There is one difference in the ApiApp, it has"acceptMappedClaims" set to true, other api app have set to null. If we set that to null, the error message changes:
"AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.\r\nTrace ID: xxxxxx\r\nCorrelation ID: xxxxxxx\r\nTimestamp: 2020-09-04 08:15:26Z",
Setting it to false does not change anything.
We have the suspicion, that the client app which acts also as a api might be the problem.
Keep acceptMappedClaims as true.
Now that ApiAndClient is also used as an API app, you should click on Expose an API and Set the Application ID URI, which will be treated as the tenant's verified domain.
There was a completely different problem which I was able to fix with some AD expert.
We use custom claims in our AD. Therefore, the application scope must start with a verified domain (https://companyname.com/).
Otherwise the token was not generated. Now that I changed it, the token can be generated.
I am using Client application (Client credentials grant) with defined permissions Application.ReadWrite.All and User.ReadWrite.All (both are included in Bearer token) to change accountEnabled to false for a user, like here:
{
"accountEnabled": false,
"city": "C234",
"country": "AFG",
"displayName": "Steve Rogers",
"givenName": "Steve",
"jobTitle": "Azure",
"mailNickname": "steve",
"postalCode": "Z345",
"streetAddress": "S123",
"surname": "Rogers",
"userPrincipalName": "steve#***.onmicrosoft.com",
"id": "aec...278",
"mobilePhone": null
}
But all requests ends with 403
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "e7a...e42",
"date": "2019-04-10T08:21:12"
}
}
}
Documentation doesn't contain any restrictions or requirements of additional permissions. Is it a bug in Graph API?
Thank you guys, I was able to find a root cause - you can't disable a user in Admin role. I was unlucky and select several users and all of them were in Admin role.
https://learn.microsoft.com/en-us/graph/permissions-reference#remarks-2
On my side, it works. The following is my process:
Use the client credential to get bearer token:
To parse the bearer token:
2. Use this bearer token to call ms graph api:
Check the disabled user in the azure portal:
No Its mandatory to grant permission for accessing this API on azure portal.
Make sure you have set required permissions access on portal of your calling API. Also user must not have any directory role in portal.
If you are admin in your AAD, You could grant permission for
users in organization by click Grant permission button.
Then you could use your code (client credential flow to get the
token) and query users information . If you check the claims in
access token issued by azure ad , you could find Directory.Read.All
permission in roles claim
In given reference same thread answered there You could refer here .
Note For Client Credentials code example you could check here
If you still have any query feel free to ask in comment. Thank you.
I have app A ( Java API backend) as authentication server based on username and password. After successful login, the authentication server returns below JSON response:
{"access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiYWNjb3VudC1yZXNvdXJjZSJdLCJ1c2VyX25hbWUiOiJzZWNvbmRfbGV2ZWxfbWFuYWdlckBjb21wYW55LmNvbSIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSJdLCJleHAiOjE1MzMwMTk1ODksImF1dGhvcml0aWVzIjpbIlNFQ09ORF9MRVZFTF9NQU5BR0VSIl0sImp0aSI6ImZiYWJjZDM3LTc3OTEtNGU5YS1hNDg3LTU1YjI5ZDJhMDZhMiIsImNsaWVudF9pZCI6ImNybS1mcm9udGVuZCJ9.CdIe1xtDJhgk5px3uIfAS9cvabMNox9Pa7KUEc5qka4","token_type":"bearer","refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiYWNjb3VudC1yZXNvdXJjZSJdLCJ1c2VyX25hbWUiOiJzZWNvbmRfbGV2ZWxfbWFuYWdlckBjb21wYW55LmNvbSIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSJdLCJhdGkiOiJmYmFiY2QzNy03NzkxLTRlOWEtYTQ4Ny01NWIyOWQyYTA2YTIiLCJleHAiOjE1MzM2MjA3ODksImF1dGhvcml0aWVzIjpbIlNFQ09ORF9MRVZFTF9NQU5BR0VSIl0sImp0aSI6IjM5OTAwNDZjLThmOWMtNDMzNi1hOTlmLTFiMjIzZjAyMjcwNyIsImNsaWVudF9pZCI6ImNybS1mcm9udGVuZCJ9.V8cn5x7OefgJUwF68abxHCF8cB0axZf1edRGGnd4wkY","expires_in":3599,"scope":"read
write","jti":"fbabcd37-7791-4e9a-a487-55b29d2a06a2"}
The login form is in VueJS frontend app B. After successful login, the user is authorized to access protected resources (lets say view Bar objects, perform CRUD operations on Bar objects). The backend API for these Bar objects is another app C which is NodeJS app. So app A and app C backends running on separate servers and ports.
How can I protect (ie. allow only successfully logged in user) to accesss and manipulate Bar objects using above access_token and jti and expiration?
One way is to check for expiration time before allowing access to protected resources each time protected resource URL endpoints are touched. But is this correct approach and hack proof?
You can read the authentication header from the incoming message and base64 decode the first half of the JWT to get your user details and the expiry. I've done that using jwt.io and you get
{
"aud": [
"account-resource"
],
"user_name": "second_level_manager#company.com",
"scope": [
"read",
"write"
],
"exp": 1533019589,
"authorities": [
"SECOND_LEVEL_MANAGER"
],
"jti": "fbabcd37-7791-4e9a-a487-55b29d2a06a2",
"client_id": "crm-frontend"
}
But to trust that this hasn't been tampered with you need to check the signature. I normally use passport with node https://www.npmjs.com/package/passport-jwt
You probably defined the 256 bit secret when you encoded the JWT to begin with
Checking the signature makes sure the the base64 encoded part which is not securely encoded has not been altered.
I'm creating a web app in MVC c# where you can login using your AD account and read secrets. The problem is that there are lots of Key Vaults - each with specific permissions. I've managed to do this with one particular vault and list the secrets in the vault using the vault URL using an AD login.
I would like to be able to list the vaults that the user has access too. I understand this is very easy to do in Powershell but I cannot find out how to do this in C#.
Is there a way to do this? Thanks!
As far as I know, there is no such REST we can get all the key vaults across the different subscription at present.
As a workaround, we need to list Key Vault under all the subscriptions and resource group. And check the accessPolicies to see whether the Key Vault is accessible.
For example an accessPolicie likes below, we can check whether users' object match the objectId in accessPolicie.
{
"tenantId": "",
"objectId": "",
"permissions": {
"keys": [],
"secrets": [
"Get"
],
"certificates": []
}
},
To list Key Vault under all the subscriptions and resource group you can refer the REST below:
GET: https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.KeyVault/vaults?api-version=2015-06-01
authorization: bearer {access_token}
And if you have any idea or feedback about Azure, you can submit them from here.
I'm developing an OpenID connect/JWT auth provider and part of the module is to allow the client to get a token and use it only with a specific IP address (if the client requests so).
I was thinking to make use of the scopes (i.e. to basically prefix them with the IP address and use an internal function to encode/decode it like 127.0.0.1:::getEmail) but if there is any standard I would definitely like to use it rather than to butcher the scopes.
Is there any other field that I can use to store this information? (e.g. azp).
Nothing prevent you from creating a new claim set in your JWT.
When the JWT is issued by your provider and if the client requested it, one (or more) IP address(es) could be added into your JWT payload.
Then, the resource server will take this claim into account.
Example:
{
"exp": 123456789
"iss": "Provider"
"aud": "Resource Server"
"sub": "My Client"
"ips": ["127.0.0.1","192.168.0.0/24"]
}