We are working on web application which interacts with Microsoft Graph/OneDrive using REST APIs.
We are using Authorization code flow to obtain access token.
This flow presents Microsoft login page & consent page which we are looking to automate. As this UI is tend to change we could not leverage Selenium or similar framework.
Could you please help/suggest framework/technology to automate such flow?
Do not use Authorization code flow. Use client credentials grant flow.
More here.
Related
I have a Rest API that is used by different clients:
Browser, when using swagger
Postman, when calling API
Curl
Other HttpClients, jvm, Python and such.
I want all clients to get authenticated with Azure AD. So each of them has to have an email, authenticate itself in front of Azure AD and then pass some token to my Rest API, on the backend I will validate the token. I really don't understand which flow to use. The one that is closest to my scenario seems to be Credentials Flow but I still don't understand how it fits in.
This picture is what I am trying to achieve:
The OAuth 2.0 On-Behalf-Of flow (OBO) serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from the Microsoft identity platform, on behalf of the user.
Based on your scenario it is recommended to use On-Behalf-Of flow (OBO).
I'm having difficulties finding documentation for auth0 and microsoft graph integration. My end goal is to have a SPA that can login with a microsoft profile to auth0 (connected to azure ad). Then I want my app to get a token for microsoft graph and do some api calls.
As I've understood it so far, auth0 does not allow you to get the access token to different identity providers in a front end application, but rather that they should use a proxy to get this token. My flow therefore is:
I login with a SPA auth0 app (using a microsoft identity)
This is then used to authenticate to a backend server using a api registration in auth0
The backend has its seperate machine-to-machine app in auth0
Backend api uses this seperate app to get access token to auth0 management api
Current user is fetched (based on the logged in user from front end app login) from management api,
Here i find an access token under the azure identity (if I do the same in the front end, the access tokens are omitted)
Token does not work to call graph, I am unsure of where to send it next.
I am aware that the above is probably completely wrong, that's why I am here :)
My questions are:
1) Is it even possible to get an access token for microsoft graph starting from a login to auth0 in the way I want it to. If not, can it be done from a backend?
2) Does anyone have a link that discusses this, ideally with some code samples.
To answer your first question:
1) Is it even possible to get an access token for microsoft graph starting from a login to auth0 in the way I want it to. If not, can it be done from a backend?
I have had the chance to authenticate apps using the microsoft identity library called MSAl whose documentation is found here. It gives a pretty detailed way to authenticate directly from your SPA.
I have also used the microsoft javascript sdk as it comes inbuilt with token caching and refreshing so that I do not need to build that for myself.
In relation to this,
Does anyone have a link that discusses this, ideally with some code samples.
You can find the samples well described in the samples section of the SDK
I hope this helps.
I'm trying to use KeyCloak as identity provider service for 3rd party applications support. The idea is to register the client application in KeyCloak, trusted clients will not require this authorization approval, but there should be "untrusted" client flow, e.g. display user authorization interface as specified in OAuth 2.0 specification.
From what I see in the docs, they have pretty good fine-grained authorization mechanisms which can be used for that on the backend. However I don't see any way to provide authorization screen for /authorize endpoint as shown above.
Maybe this can be custom created SPI or something else which can be used for implementing this to move further. Any ideas of how this can be implemented in KeyCloak? Are there any built-in features which can be reused or custom way implementation?
In Keycloak you can turn on the Consent Required switch per client (see client settings in admin console).
After successful authentication this will bring up a confirmation page similar to your example.
We want to secure our api using OAuth.
Our server exposes functionalities through APIs. Separate UI applications consume these APIs.
Users use these UI application to access their resources. Since there are only two systems (client and server) involved,
we would like to have 2 legged authorization flow instead of 3legged with redirections. Also we would like have
separate UI (client) application verification once and use this verification code to perform user login and get access token.
Currently we are evaluating spring security framework. Most of spring security tutorials/article talks about 3-legged oAuth with bearer token approach.
I’m not sure if it supports request singing and above mentioned required process. Is there any other open source framework we can use?
I am developing web application which consists of a Silverlight application and a REST API. An optional use case is that the customer may also want to integrate with Salesforce. By "integrate" I mean utilize SSO with Salesforce when logging into my application as well as access data via Salesforce's REST API. The current hurdle I can't seem to get over is that SSO uses WS-Federation while Salesforce's REST API uses OAuth 2.0. What is the best way to being these two authentication mechanisms together?
My knee-jerk reaction was for my Federation Provider STS to acquire an OAuth access token from Salesforce and add it as a claim to the security token received from Salesforce's Identity Provider STS, but I think this might require me to write a custom STS. I'd rather not do that. Is there a better way?
This question is old but comes up often, so ...
There is now information on how to do this here
Configuring-SSO-to-SharePoint
This approach uses WS-Fed.