I use authentication with Azure AD B2C.
var Claims = User.Claims;
var ClientIdClaim = Claims.SingleOrDefault(c => c.Type == ClaimTypes.NameIdentifier);
gives me the Object-ID back. But I need also the user name. How I can access the username (marked yellow)?
You need to check if the claim is returned to the application. Go to azure portal->your user flow policy->Application claims
Also, you can test your policy using the "Run Now" link from the Azure portal(just like #Jas Suri suggested).
You will be redirected to https://jwt.ms/.
Related
I'm trying to access Azure Table Storage using the TableClient class, but I want to authenticate using AzureAD credentials via the browser popup.
I have tried 2 approaches and are sure I have things configured correctly in Azure, but I just keep getting
This request is not authorized to perform this operation using this
permission.
Here is test code 1 using MSAL
let app = PublicClientApplicationBuilder.Create("---registered app ID---")
.WithAuthority(AzureCloudInstance.AzurePublic, "---tennant id----" )
.WithDefaultRedirectUri()
.Build()
let! ar = app.AcquireTokenInteractive(["https://storage.azure.com/user_impersonation"]).ExecuteAsync()
let tokenCredential = { new TokenCredential() with
member x.GetTokenAsync(_,_) = task {return AccessToken(ar.AccessToken, ar.ExpiresOn)} |> ValueTask<AccessToken>
member x.GetToken(_,_) = AccessToken(ar.AccessToken, ar.ExpiresOn)}
let tc = new TableClient(Uri("https://--endpoint---.table.core.windows.net/"), "--Table--", tokenCredential)
and test 2 using Azure.Identity
let io = new InteractiveBrowserCredentialOptions(ClientId = "---registered app ID---", RedirectUri = Uri("https://login.microsoftonline.com/common/oauth2/nativeclient"))
let tc = new TableClient(Uri("https://--endpoint---.table.core.windows.net/"), "--Table--", new InteractiveBrowserCredential(io))
I have the app registered in Azure & I have added api permissions for Azure Storage, with Admin consent. My account is a Service Administrator for the tennant so I have full access to the storage account. I have scoured all the docs but just cant see what I'm missing.
To access table data using your Azure AD credentials, your user account should be assigned either Storage Table Data Contributor or Storage Table Data Reader role.
Please assign one of these roles to your user account and re-acquire the token. You should not get the error you are getting then.
I'm using this code
var app = ConfidentialClientApplicationBuilder.Create(AzureAdApplicationId)
.WithTenantId("organizations")
.WithRedirectUri(AzureAdRedirectUrl)
.WithClientSecret(AzureAdSecretKey)
.Build();
azureAdScopes = new List<string>() { "email" };
var signInRequest = app.GetAuthorizationRequestUrl(azureAdScopes);
var uri = await signInRequest.ExecuteAsync();
which produces the url
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?scope=email+openid+profile+offline_access&...
All I need is the user's username and I don't need offline access to the user's account. How can I remove them from the scope?
You could request the url without offline_access, but Azure AD v2.0 OAuth2 Account Consent Page automatically lists "Access your data anytime" even though offline_access is not specified in scope. This is an issue related.
The Note shows in the document:
At this time, the offline_access ("Maintain access to data you have
given it access to") and user.read ("Sign you in and read your
profile") permissions are automatically included in the initial
consent to an application.
I want to build a web application. Clients can use the web application to read their google Adwrods accounts information( campagins or budgets ).
First, I use oath2 get client's refresh_token and access_token.
Using the refresh_token, I can get all adwords id under the client by (https://github.com/googleads/google-ads-ruby)
client = Google::Ads::GoogleAds::GoogleAdsClient.new do |config|
config.client_id = "client_id"
config.client_secret = "client_secret"
config.refresh_token = "refresh_token"
config.login_customer_id = "XXX-XXX-XXXX"
config.developer_token = "XXXXXXXXXXXXXXXX"
end
accessible_customers = client.service.customer.list_accessible_customers().resource_names
When I want to get client Adword account information,
resource_name = client.path.customer("XXXXXXXX")
customer = client.service.customer.get_customer(resource_name: resource_name)
I get "GRPC::Unauthenticated: 16:Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential", but the config file can't let me set access_token.
So, where can i set client's access_token, or which step i missed?
The error is telling you that client has not been set up correctly. It could be a bunch of issues from Google account to wrong information. I would check and make sure all the info you are passing in Google::Ads::GoogleAds::GoogleAdsClient.new is correct.
Also, you only need to pass 'login_customer_id' for manager accounts only, it doesn't sound like you are a manager account.
From https://github.com/googleads/google-ads-ruby/blob/master/google_ads_config.rb
# Required for manager accounts only: Specify the login customer ID used to
# authenticate API calls. This will be the customer ID of the authenticated
# manager account. If you need to use different values for this field, then
# make sure fetch a new copy of the service after each time you change the
# value.
# c.login_customer_id = 'INSERT_LOGIN_CUSTOMER_ID_HERE'
Users sign up/login via Azure AD B2C using Identity provider Local Account-Email.
I can see users signed up (with their password) for the tenant:
When I run example "Manage User Accounts with Graph API" to check for local identity passwordProfiles they show null. My assumption is this property is automatically populated when a user creates the password same as other User resources.
Can someone give me some guidance what I'm missing?
public static async Task GetUserByIssuerAssignedID(AppSettings config, GraphServiceClient graphClient)
{
Console.Write("Enter user sign-in name (username or email address): ");
string userName = Console.ReadLine();
Console.WriteLine($"Looking for user with sign-in name '{userName}'...");
try
{
// Get user by sign-in name
var result = await graphClient.Users
.Request()
.Filter($"identities/any(c:c/issuerAssignedId eq '{userName}' and c/issuer eq '{config.TenantId}')")
.Select(e => new
{
e.PasswordProfile,
e.DisplayName,
e.Id,
e.Identities
})
.GetAsync();
if (result != null)
{
Console.WriteLine(JsonConvert.SerializeObject(result));
}
Thank you for your help
It is an expected result.
Azure AD B2C doesn't require the local identity users to change password next sign in. As the document says:
The property must set to .forceChangePasswordNextSignIn false.
Set forceChangePasswordNextSignIn as true is meaningless. In this case, passwordProfile won't be visible through GET method of Microsoft Graph API.
You can quickly verify it in Microsoft Graph Explorer.
For example, if you create a user with "forceChangePasswordNextSignIn": true in an Azure AD tenant, you will get passwordProfile in the result.
If you create a user with "forceChangePasswordNextSignIn": true in an Azure AD B2C tenant, you can get "passwordProfile" in the result but the password is null.
"passwordProfile": {
"password": null,
"forceChangePasswordNextSignIn": true,
"forceChangePasswordNextSignInWithMfa": false
}
We can never get user password using Microsoft Graph API or any other official API. Azure AD won't store password. So you can't get it.
I am trying to make AAD to provide group information. I have changed manifest file of my Web App:
"groupMembershipClaims": "SecurityGroup"
I would expect my Identity to contain membership information, but it dosent. I have tried following:
ClaimsIdentity claimsId = ClaimsPrincipal.Current.Identity as ClaimsIdentity;
var rr = claimsId2.FindFirst("groups");
var rr2 = claimsId2.Claims.ToList();
But both are empty. Do you need to do more than changing the manifest file?
As we figured out in the comments, it required a sign out and sign in to refresh the claims from Azure AD.