I'm working on OData/webAPI service implementation. PowerBI desktop app will be used to retrieve info from the service using odata feed datasource.
Service in protected by Azure B2C auth. Accessing odata endpoints using browser works fine - after signing in access is granted. But when I'm trying to connect to the feed using powerbi desktop by performing signin attempt, it reports that token source is not trusted.
picture related: sign in error
Also, in case of single-tenant Azure AD auth (not B2C) usage, authentication in PowerBI worked though.
So, is there a possibility to make PowerBI work with Azure AD B2C (to make it trust the token source)?
No, Azure AD B2C does not issue tokens which Microsoft first party services recognize. AAD B2C is used to protect you own services which you supply to your own customers.
If you would like your customers to have self service sign up, and access Power Bi resource, then have your front end web app talk to a backend API. Protect the front end and backend with AAD B2C. That backend API should use client_credentials to authenticate via AAD endpoints to access Power Bi data on behalf of the user.
Related
I have an application (Blazor WebAssembly in my case but I believe this scenario applies to other application types as well) that uses the excellent (and convenient) Azure B2C login services to allow my users to register and log in using either a local account or some social accounts. In particular, I am supporting logging in with a Microsoft account. Once a user is logged in using his Microsoft account I want to give the user the option to save content on OneDrive without the user having to provide credentials again to access the Microsoft Graph API.
In the returned claims after logging in using Azure B2C API I see that there is a idp claim (that's how I can determine if the user is logged in using a Microsoft account) and there is also a idp_access_token claim but it is not a valid JWT to use against the Microsoft Graph unfortunately.
What is the nature of the idp_access_token? How can I use it to access the Microsoft Graph and request additional scopes?
Azure AD B2C receives an access token (idp_access_token) from the identity provider. Azure AD B2C uses that token to retrieve information about the user. See details here.
No matter whether idp_access_token claim is a valid JWT, it cannot be used to access Microsoft Graph or other additional scopes. As the document has stated, it is for retrieving information about the user. Usually the embedded IdP access token is used to call the services that the IdP hosts. But Microsoft Graph data is hosted in Azure AD, not Microsoft Account side.
Currently, if you want to call Microsoft Graph API for B2C tenant, you have to follow Azure AD Authentication protocols. For example, OAuth 2.0 authorization code flow.
If you want to call you own API protected by B2C, you should choose Azure B2C Authentication protocols. For example, OAuth 2.0 authorization code flow in Azure Active Directory B2C.
I have a WebAPI (A) hosted on Azure protected by Azure B2C (B) which is being called by a mobile app (C) - this is all working correctly.
I now want to allow third parties to access my API via API Management on the same platform but I am getting extremely confused with authentication and "audiences".
The API Management developer portal has been configured as per the Azure documentation so that when the developer makes test calls on the portal it prompts for authentication using the B2C domain (B). To do this it uses an application registered against the B2C domain.
However when I want to implement the API from a third party system (D) I need to allow the system to impersonate a user when calling my API (A) so that operations happen in the context of an authenticated user on the domain (B).
I know B2C does not yet support "On Behalf Of" as a valid flow so I use hellojs to obtain an access token on the client which I pass to the third party system API via a custom head which it then appends as an Authorization header to it's call to the API.
The API Management product expects a "subscription key" to identify the products the third party implementation can use.
Does this mean with regards to the authentication part that every third party system using my API would use the same oAuth "audience" id and therefore the same Active Directory app?
It makes more sense to me that each third party implementation would have a different app on Azure Ad but that would mean my Web API would need to recognise a huge number of audience ids and redirect uris?
Finally, how do i "hide" the Web API endpoints from public use - surely use of the audience id would allow people to circumvent the API Management product?
Apologies if I have mixed any terminology up.
1) Does this mean with regards to the authentication part that every
third party system using my API would use the same oAuth "audience" id
and therefore the same Active Directory app?
They will use the same resource/scope id (i.e. audience) e.g. https://yourwebapiAppIDURI/Read but they would all have their own application IDs.
2) It makes more sense to me that each third party implementation
would have a different app on Azure Ad but that would mean my Web API
would need to recognise a huge number of audience ids and redirect
uris?
Yes they should register their applications as clients to your B2C Auth server.
The 3rd party apps should be setup in the AAD portal to have delegated access to your web API (. "Access yourwebAPIname"). If your web API exposes any scopes access to those can be delegated too.
Now when they start the token request by redirecting the user to your Auth Server, they should provide their client id and a resource/scope value of your web APIs App ID URL e.g. https://yourwebapiAppIDURI/Read.
That should result in a token with:
aud value of the Application ID associated with https://yourwebapiAppIDURI/
scp value of Read
OK, so B2C doesnt use consent:
Azure AD B2C does not ask your client application users for their consent. Instead, all consent is provided by the admin, based on the permissions configured between the applications described above. If a permission grant for an application is revoked, all users who were previously able to acquire that permission will no longer be able to do so.
I have an Asp.Net Core 2.0 Web API running as a web app in Azure. My API is consumed by client applications which are windows service running on servers at various client sites. So, this is a "Daemon or Server Application to Web API" communications flow as described in Authentication Scenarios for Azure AD
I register the client application at each site as a separate unique app in Azure AD, obtain the ClientId and AppKey and send it to the respective site for their devs to use in their service to request a JTW access token from Azure AD to use in the authorization header when making an http request to my API.
This is all working just fine.
The question I have is this; is there any way, in this scenario, that I can identify which site is making the request? From what I understand, it doesn't seem like I can add custom claims to an OAuth2.0 access token, like can be added to an OIDC ID token.
If you register the apps yourself then you know all the client ids for each different site so your API could use the appid in the JWT access token (which is the client id) and cross reference it against a list of sites. Here is an example of a JWT token obtained using the client credentials grant type:
According to this documentation, the on-behalf-of flow is not supported in B2C:
Web API chains (On-Behalf-Of) is not supported by Azure AD B2C.
Many architectures include a web API that needs to call another downstream web API, both secured by Azure AD B2C. This scenario is common in native clients that have a web API back end, which in turn calls a Microsoft online service such as the Azure AD Graph API.
This chained web API scenario can be supported by using the OAuth 2.0 JWT Bearer Credential grant, otherwise known as the On-Behalf-Of flow. However, the On-Behalf-Of flow is not currently implemented in Azure AD B2C.
Can't I just pull out the JWT from the first Web API request and pass it along to the next Web API? I know technically, I can, but is there a reason I wouldn't want to?
This approach would only work if both Web API's are configured for the same B2C App. Maybe that is the difference. Is the documentation referring to 2 separate B2C apps maybe?
Reference: Access the JWT bearer token when using the JWT middleware in ASP.NET Core
The OAuth 2.0 On-Behalf-Of flow is related to a first resource, "https://resourceserver1", receiving an access token from a client; then exchanging this access token for another access token for access by the delegated identity to a second resource, "https://resourceserver2" without any user interaction; and then sending that access token to the second resource.
This Azure AD documentation explains the On-Behalf-Of flow.
Given this, two different applications are necessary for two different resources, which in turn can require two different scopes.
You can vote for this feature at B2C Support for on-behalf-of flow.
Right now, I have a native azure app that my iOS app uses ADAL to authenticate to with no issues. I've added a Web API in azure and it's being managed by the Azure API Management resource. I have this API using an oAuth server that uses Azure AD for authentication (all created within the Azure API Management).
The issue I'm having is the oAuth token I'm receiving from my iOS App is not being accepted by my Web API. They are both using oAuth to the same Azure Active Directory. I tried changing in my iOS app, to use the Web API app client ID instead of the native app client ID. The issue then becomes during authentication, it needs a "client_secret" in the request. Looking at the ADAL iOS library, I'm not seeing a method to get a token that passes in a client secret as a parameter.
Scroll down to the Keys section, you will see the key as the client secret. They are used for calling the web api.
These two methods of authenticating the applications are referred to as interactive (user signs in) and non-interactive (app provides its own credentials). In the non-interactive mode, you must assign the service principal to a role with the correct permission. About the AAD authentication's more information, you could refer to: https://azure.microsoft.com/en-gb/documentation/articles/resource-group-create-service-principal-portal/