For an app I am working on, I would like to call the Microsoft Graph API but with the token provided by Okta, even after a login through Microsoft IdP, this is not possible.
Does anyone know if it is possible (and if it is the correct approach) to retrieve the original token generated by an IdP and use it to call some IdP API?
Something like this: https://auth0.com/docs/connections/calling-an-external-idp-api
If anyone else needs it, I have found an Okta API that allows you to get the original token generated by IdP.
https://developer.okta.com/docs/reference/api/idps/#social-authentication-token-operation
With that I am now able to correctly call the Microsoft Graph APIs.
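Added illustration of the flow the answer describes (not Okta's or Microsoft's own code): a backend asks Okta's social-authentication token operation for the token the external IdP minted, then sends that token to Microsoft Graph as a Bearer token. The org URL, IdP id, user id and Okta API token are placeholders, and the response shape follows the linked Okta reference.

```python
import json
import urllib.request

# Okta social-authentication token operation (see the linked reference):
#   GET /api/v1/idps/{idpId}/users/{userId}/credentials/tokens
# authorised with an Okta API token using the SSWS scheme. Values are placeholders.
OKTA_ORG = "https://example.okta.com"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

def idp_tokens_request(org_url, idp_id, user_id, okta_api_token):
    """Build the request that asks Okta for the tokens minted by the external IdP."""
    url = f"{org_url}/api/v1/idps/{idp_id}/users/{user_id}/credentials/tokens"
    headers = {"Accept": "application/json", "Authorization": f"SSWS {okta_api_token}"}
    return urllib.request.Request(url, headers=headers, method="GET")

def pick_idp_access_token(tokens):
    """Return the IdP access token from Okta's response, or None if there is none.

    Okta returns a list of token objects; only the entry whose tokenType is the
    OAuth access-token URN can be presented to Microsoft Graph (a refresh token cannot).
    """
    for entry in tokens:
        if entry.get("tokenType") == ACCESS_TOKEN_TYPE and entry.get("token"):
            return entry["token"]
    return None

def graph_request(idp_access_token, path="/v1.0/me"):
    """Build the Microsoft Graph call that carries the IdP-issued token as a Bearer token."""
    headers = {"Accept": "application/json", "Authorization": f"Bearer {idp_access_token}"}
    return urllib.request.Request("https://graph.microsoft.com" + path, headers=headers)

def fetch_json(req):
    """Send a prepared request and decode the JSON body."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

# Constructed sample of the Okta response shape (all values made up for this example).
SAMPLE_OKTA_RESPONSE = [
    {"tokenType": "urn:ietf:params:oauth:token-type:refresh_token", "token": "rt-placeholder"},
    {"tokenType": ACCESS_TOKEN_TYPE, "token": "at-placeholder", "tokenAuthScheme": "Bearer",
     "expiresAt": "2030-01-01T00:00:00.000Z"},
]

if __name__ == "__main__":
    # Live use: tokens = fetch_json(idp_tokens_request(OKTA_ORG, "<idp-id>", "<user-id>", "<api-token>"))
    token = pick_idp_access_token(SAMPLE_OKTA_RESPONSE)
    print(graph_request(token).get_header("Authorization"))
```

The Okta API token is an org-level credential, so this lookup belongs in a backend service rather than in the browser app, and the returned IdP token only carries the scopes configured on the Okta identity provider.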
Related
I have a Rest API that is used by different clients:
Browser, when using swagger
Postman, when calling API
Curl
Other HttpClients, jvm, Python and such.
I want all clients to get authenticated with Azure AD. So each of them has to have an email, authenticate itself in front of Azure AD and then pass some token to my Rest API, on the backend I will validate the token. I really don't understand which flow to use. The one that is closest to my scenario seems to be Credentials Flow but I still don't understand how it fits in.
This picture is what I am trying to achieve:
The OAuth 2.0 On-Behalf-Of flow (OBO) serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from the Microsoft identity platform, on behalf of the user.
Based on your scenario it is recommended to use On-Behalf-Of flow (OBO).
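Added example of the On-Behalf-Of exchange the answer recommends (illustration only, not Microsoft's or the asker's code): the middle-tier API takes the access token a client presented to it and trades it at the v2.0 token endpoint for a token scoped to the downstream API. Tenant, client id, client secret and the sample responses are placeholders.

```python
import json
import urllib.parse
import urllib.request

# OBO exchange against the Microsoft identity platform v2.0 token endpoint.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def obo_form(client_id, client_secret, incoming_access_token, downstream_scopes):
    """Form fields for the OBO request: the caller's token becomes the assertion and
    the scopes name the downstream API (for example Microsoft Graph) we want to call.
    The middle tier must already have validated the incoming token (signature,
    issuer, audience = this API) before it is forwarded as an assertion."""
    return {
        "grant_type": OBO_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": incoming_access_token,
        "scope": " ".join(downstream_scopes),
        "requested_token_use": "on_behalf_of",
    }

def obo_request(tenant, form):
    """Wrap the form in a POST to the tenant's token endpoint."""
    body = urllib.parse.urlencode(form).encode()
    return urllib.request.Request(
        TOKEN_ENDPOINT.format(tenant=tenant), data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(raw):
    """Return (access_token, expires_in) or raise with the server's error code."""
    data = json.loads(raw)
    if "error" in data:
        # interaction_required / invalid_grant mean the user has to consent or
        # sign in again at the front end; the middle tier cannot repair that itself.
        raise RuntimeError(f"OBO failed: {data['error']}: {data.get('error_description', '')}")
    return data["access_token"], int(data.get("expires_in", 0))

def exchange(tenant, client_id, client_secret, incoming_token, scopes):
    """Perform the live exchange (needs network and real credentials)."""
    req = obo_request(tenant, obo_form(client_id, client_secret, incoming_token, scopes))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read())

# Constructed sample responses so the parser can be exercised offline.
SAMPLE_OK = '{"token_type":"Bearer","expires_in":3599,"access_token":"graph-token-placeholder"}'
SAMPLE_ERR = '{"error":"invalid_grant","error_description":"placeholder description"}'
```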
I'm having difficulties finding documentation for auth0 and microsoft graph integration. My end goal is to have a SPA that can login with a microsoft profile to auth0 (connected to azure ad). Then I want my app to get a token for microsoft graph and do some api calls.
As I've understood it so far, auth0 does not allow you to get the access token to different identity providers in a front end application, but rather that they should use a proxy to get this token. My flow therefore is:
I login with a SPA auth0 app (using a microsoft identity)
This is then used to authenticate to a backend server using a api registration in auth0
The backend has its separate machine-to-machine app in auth0
Backend api uses this separate app to get access token to auth0 management api
Current user is fetched (based on the logged in user from front end app login) from management api,
Here I find an access token under the azure identity (if I do the same in the front end, the access tokens are omitted)
Token does not work to call graph, I am unsure of where to send it next.
I am aware that the above is probably completely wrong, that's why I am here :)
My questions are:
1) Is it even possible to get an access token for microsoft graph starting from a login to auth0 in the way I want it to. If not, can it be done from a backend?
2) Does anyone have a link that discusses this, ideally with some code samples.
To answer your first question:
1) Is it even possible to get an access token for microsoft graph starting from a login to auth0 in the way I want it to. If not, can it be done from a backend?
I have had the chance to authenticate apps using the microsoft identity library called MSAL whose documentation is found here. It gives a pretty detailed way to authenticate directly from your SPA.
I have also used the microsoft javascript sdk as it comes inbuilt with token caching and refreshing so that I do not need to build that for myself.
In relation to this,
Does anyone have a link that discusses this, ideally with some code samples.
You can find the samples well described in the samples section of the SDK
I hope this helps.
I have really hard time trying to understand mostly how should I implement my authorization flow. I think I have the authentication flow mostly correctly implemented using the technologies I've listed in the title. Here's what I want to achieve:
Basically I have a mobile app built using React-Native and I have made a restful API for this mobile app to use. I am currently at the point that I have implemented authentication using ADFS 4.0. My mobile app directly uses the ADFS endpoints to authenticate the user and I am able to receive the id_token and access token correctly from there. But here comes the part that I have no clue what to do next. Before I used openID, I had my own authentication and just an OAuth2 flow in my Spring REST Api and every time I made a request from the mobile app to the API, I provided the access token in the headers, and used it to verify from the authorization server that the user is indeed authenticated and also received some crucial information about the user to use in my API. But now since I use OpenID-Connect and ADFS 4.0 for the authentication, I have the crucial information I need in my API in the id_token. The question is, what exactly should I send to my API now from the mobile app, the id_token, access token or both? Given the access token to the userinfo endpoint at the ADFS returns the subject of the owner of the token. Like is there any way I could receive the users info using the subject or what exactly should I do. I've tried to research this subject a lot, but I am still very confused.
Send the access token to the API in the Bearer header. In the API, validate the token and, if required, do user info lookup. A Spring example of mine here if it helps.
Happy to answer any follow-on questions.
I have created a new asp.net core 2 web application. I'm using individual user accounts and added my Microsoft account for external authentication. All of this works like expected.
Now I want to use Microsoft Graph to read my .live profile and eventually read my mailbox and things like that.
I created an authentication provider and I'm able to get an access token back but when I try to use the access token, I'm getting an Authorization_IdentityNotFound error although my clientId and secret are correctly entered.
I think it's caused by the fact that I'm not using the proper parameters to request the access token. I think I'm missing the authorization response code that is normally returned when I sign into my .live account.
Does anyone know how to retrieve that response code or has a working example in asp.net core 2? The only sample I can find is in .net core 1.1 and things have changed rather drastically since then.
You're confusing a few different systems here.
In order to access Microsoft Graph API you'll need to pass an Access Token in the authorization header of your call. This is used to both provide Microsoft Graph with your identification as well as where your data is stored (your tenant).
The actual Access Token isn't issued by Microsoft Graph, it is issued by your tenant. For work/school accounts this is the Azure Active Directory tenant where your account lives. For personal accounts this is the Outlook.com tenant.
Prior to receiving an Access Token, you first retrieve an Authorization Code. This is returned to the redirect_url you passed to login.microsoftonline.com after you've entered your credentials. Your app then takes this Authorization Code and exchanges it for an Access Token that you'll use to call Microsoft Graph.
If you're looking for an authentication library to handle this process, you should use MSAL.NET. You can find instructions for using this library in the microsoft-authentication-library-for-dotnet repository on GitHub.
Once you have a token, you can either call Microsoft Graph directly or you can leverage the Microsoft Graph Client Library for .NET.
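The three steps the answer lays out (send the user to login.microsoftonline.com, receive the Authorization Code at the redirect URL, exchange it server-side for an Access Token), as an added illustration that is neither MSAL.NET nor the asker's app. Tenant "common" covers both work/school and personal accounts; client id, secret and redirect URI are placeholders, and `state` is the per-login random value the callback is checked against.

```python
import secrets
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"

def authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """Step 1: the URL the browser is sent to. `state` is random per login and is
    stored in the user's session so the callback can be tied back to this request."""
    params = {
        "client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
        "response_mode": "query", "scope": " ".join(scopes), "state": state,
    }
    return AUTHORITY.format(tenant=tenant) + "/authorize?" + urllib.parse.urlencode(params)

def code_from_redirect(redirect_request_url, expected_state):
    """Step 2: parse the redirect back to our redirect_uri and return the Authorization
    Code. A state mismatch (login CSRF or a stale callback) and an IdP error both reject."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_request_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this login")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    return q["code"][0]

def token_request(tenant, client_id, client_secret, redirect_uri, code, scopes):
    """Step 3: the server-side POST that exchanges the code (plus the client secret,
    which never reaches the browser) for the Access Token used against Microsoft Graph."""
    form = {
        "client_id": client_id, "client_secret": client_secret,
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": redirect_uri, "scope": " ".join(scopes),
    }
    return urllib.request.Request(
        AUTHORITY.format(tenant=tenant) + "/token",
        data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(authorize_url("common", "<client-id>", "https://localhost:5001/signin-microsoft",
                        ["User.Read", "offline_access"], state))
```

The redirect_uri in step 3 must be byte-for-byte the one used in step 1 and registered for the app, otherwise the token endpoint rejects the exchange.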
So I've got OpenID+OAuth hybrid working with DotNetOpenAuth when connecting to google. It gives me back an authorized token so I need to exchange it for an access token.
I seem to be coming in about midway through a normal OAuth workflow in DotNetOpenAuth. I also seem to be missing some things that DotNetOpenAuth wants like the token secret and verifier. However according to the graph here I shouldn't need them.
Any ideas how to easily swap the auth token for an access token with DotNetOpenAuth?
Since you're talking about the OpenID+OAuth hybrid I expect you're writing a web app (as opposed to an installed app). DotNetOpenAuth should only be asking you for a verifier code if you're using the DesktopConsumer class, which is inappropriate for you. Use the WebConsumer class instead and the verifier will be taken care of for you. Swapping the request token for an access token will be automatic as you call the simple methods on WebConsumer, I hope.
As for the token secret, all token secrets are managed by your implementation of ITokenManager, which will save and retrieve token secrets on demand within your database.