Can I define custom scope(s) and have them returned when using the client credential flow in Azure AD?
In my experiment, I configured 2 Azure AD applications, one for a Web API and one for a client (Web API Client A). I added a scope to the Web API but when requesting the access token via the client credential flow, the scope wasn’t returned. 🤔
Also, it only allowed me to request an access token when using .default for a scope, i.e. api://web-api-client-credential-flow/.default.
I ran across this Azure Feedback item: V2.0 Client Credentials Implement Scopes so it appears scopes aren't supported in Azure AD under the client credential flow?
What’s the point in giving my Web API Client A application permissions for that scope if they are not returned? How could the Web API know if the daemon application has that scope to perform the necessary action?
It would seem I would have to use application permissions?
Yes, you have to use application permissions.
Scopes, aka delegated permissions, only apply when a user is involved in the login process.
They allow you to act on behalf of a user.
Application permissions are sort of roles given to the application itself.
They only apply when doing client credentials authentication, where no user is involved.
You can define application permissions on the app via the Manifest in the app registration.
These can then be assigned to the client application.
When getting the token, you must use .default because you cannot change your app permissions dynamically.
You always get what has been granted already.
In the token the permissions will be in a roles claim.
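The client side of what the answer above describes, as an added example that is not code from the question or the answer: a client-credentials request to the v2.0 token endpoint that refuses anything but a `<resource>/.default` scope, and a helper that reads the application permissions back out of the `roles` claim (and refuses a token that carries `scp`, i.e. a delegated one). TENANT_ID, CLIENT_ID, CLIENT_SECRET, the resource URI `api://web-api-client-credential-flow` and the role name `Orders.Read.All` are placeholders; the token produced by `make_unsigned_token()` is constructed locally for the offline demonstration and is not issued or signed by Azure AD.

```python
"""Client credentials grant against the Azure AD v2.0 token endpoint, plus
reading the application permissions (app roles) back out of the token.

Added example; not code from the original question or answers. TENANT_ID,
CLIENT_ID, CLIENT_SECRET and the resource URI api://web-api-client-credential-flow
are placeholders, and the token used by make_unsigned_token() is constructed
locally (not issued or signed by Azure AD) so the module runs offline.
"""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_token_request(tenant_id, client_id, client_secret, scope):
    """Return (url, urlencoded_body) for grant_type=client_credentials.

    The v2.0 endpoint only accepts the static `<resource>/.default` scope for
    this grant: the app receives every application permission already granted
    to it and cannot ask for a dynamic subset. A non-.default scope is rejected
    here so the mistake surfaces before the endpoint answers with an error.
    """
    if not scope.endswith("/.default"):
        raise ValueError(f"client credentials requires <resource>/.default, got {scope!r}")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    return TOKEN_ENDPOINT.format(tenant=tenant_id), body


def _post_form(url, body):
    """Default transport: POST the form body and parse the JSON reply."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def get_app_only_token(tenant_id, client_id, client_secret, scope, post=_post_form):
    """Acquire an app-only access token. `post` is injectable for offline tests."""
    url, body = build_token_request(tenant_id, client_id, client_secret, scope)
    reply = post(url, body)
    if "access_token" not in reply:
        raise RuntimeError(f"token request failed: {reply.get('error_description', reply)}")
    return reply["access_token"]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(access_token):
    """Decode the JWS payload WITHOUT verifying the signature.

    Fine for inspecting what Azure AD put in the token during development; an
    API must validate signature, iss, aud and exp before trusting any claim.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def app_roles(claims):
    """Application permissions come back in `roles`, never in `scp`.

    A delegated token carries `scp` instead; its presence means a user-involved
    flow was used, not client credentials, so refuse to treat it as app-only.
    """
    if "scp" in claims:
        raise ValueError("delegated token: permissions are in scp, not roles")
    return set(claims.get("roles", []))


def make_unsigned_token(claims):
    """Constructed test token: real header/payload layout, placeholder signature."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(claims).encode()),
        "placeholder-signature",
    ])


if __name__ == "__main__":
    # Offline demonstration with a fake transport standing in for Azure AD.
    fake_reply = {"token_type": "Bearer", "access_token": make_unsigned_token({
        "aud": "api://web-api-client-credential-flow",
        "appid": "11111111-2222-3333-4444-555555555555",   # placeholder client id
        "roles": ["Orders.Read.All"],
    })}
    token = get_app_only_token("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET",
                               "api://web-api-client-credential-flow/.default",
                               post=lambda url, body: fake_reply)
    print("app roles in token:", app_roles(decode_claims(token)))
```

Against a real tenant, drop the `post=` argument so the default transport talks to `login.microsoftonline.com`; the `roles` you get back are exactly the application permissions an admin has granted to the client app, which is why a dynamic scope in the request buys nothing.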
Can I define custom scope(s) and have them returned when using the client credential flow in Azure AD?
No, but you can define application permission(s) via the manifest (definitely not as nice as the UI for delegated scopes) and have them returned via the client credential flow:
Then you can provide the client app permission:
Now when requesting a token with a scope of api://web-api-client-credential-flow/.default the "scopes" are returned in the roles claim. Sample JWT
Yes, you need to use api://web-api-client-credential-flow/.default for client credential flow.
And the application permissions will be returned in roles instead of scopes.
Related
I am reading the documents for Microsoft Identity Platform to implement an API and protect it by using Microsoft Identity Platform, and I somewhat understand the OAuth code grant flow and the client credential flow (for daemon apps).
Now when I am reading the documents they keep mentioning authorization 'on behalf of user' and 'on behalf of itself'. So my question is: is "on behalf of user" the same as the code grant flow? Similarly, is the client credential flow "on behalf of itself"?
If not, then what is the difference between 'on behalf of user' and the code grant flow?
I really want to understand, as it is keeping me in confusion.
Thanks
Azure AD supports the following OAuth flows/grants:
Implicit
Authorization code (with/without PKCE)
On-behalf-of
Client credentials
Device code
Resource owner password credentials
Refresh token
Link to docs: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
In most of these, the application will get an access token that allows it to perform requests on behalf of the signed in user.
The access token contains both information of the app that requested token but also the signed in user's information.
This allows the target API to check both the application's access (scopes aka delegated permissions) and the user's access (roles/other form of access control).
The "on-behalf-of" flow might be a bit confusing here, but it has a specific purpose: exchange an access token obtained with one of the other flows (except client credentials) for a new access token.
It is used in scenarios where a client app uses e.g. authorization code flow to call API A, and API A wants to then call API B on behalf of that same user.
Client credentials flow is the only different one; when using it an application only provides its own credentials and a user is not involved.
Thus the access token only contains application information, and the application will perform requests as itself.
The target API will usually only check the roles in the token (application permissions, app roles with allowed member type application), though it can also check the id of the calling app if it has a list of allowed applications stored somewhere.
Would it be possible for a background service to use the identity of a specific shared mailbox user in conjunction with the delegated access permissions without actually requiring an end user to authenticate?
How would this be achieved in Office365 Exchange services with OAuth 2.0?
Regards
Would it be possible for a background service to use the identity of a specific shared mailbox user in conjunction with the delegated access permissions without actually requiring an end user to authenticate?
If you use the client credentials flow https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow your service is then getting an access token using an SSL certificate or client secret. It can then impersonate (so it is not delegated access) any mailbox in your tenant and send as that user.
If you're on Office365 then you may want to look at the Graph API instead, which allows you to have a much tighter set of permissions (e.g. you could for instance just grant your app/service SendAs rights) when compared to EWS, which only allows full mailbox access.
I am building an app which authenticates via Microsoft and needs various permissions, predominantly Delegated permissions. I use the v2 auth endpoints to do incremental authentication, only asking for additional scopes when the user needs them.
This has worked well for the many delegated permissions I have so far. In many cases I need admin approval for these permissions, but I have a flow for that which works well.
One of the scopes I have used as a delegated permission is "User.Read.All", I now need the same scope on the application permission level. But I am struggling to work out if there is a way to do incremental authentication for application permissions. The docs say to use the generic endpoint where you don't specify scopes, but this then asks for all the scopes I have on my application registration rather than just passing in the scopes as a param.
It has nothing to do with the endpoint and the scopes you specified. Since you use Delegated permissions in your original job, I consider you use the auth code flow or username/password flow. If we use the auth code flow or username/password flow, we can't get application permissions when we do authentication, although you have assigned the application permissions to your registered app. If you want to get application permissions when doing authentication, you need to use the client credential flow instead.
It is not possible to do this, unfortunately; the consent flow allows either a dynamic set of delegated scopes to be submitted or /.default, which acts like the v1 endpoints and requests all scopes for that client. See these docs
I am trying come up with a bash script to register an application in Azure AD using the /beta/applications endpoint from Microsoft Graph.
To call /applications, I would need to get an access token.
Is it possible to get an access token for Microsoft Graph using just email address/password (Without a client-id)? I am looking for something like "Resource Owner Password Credentials Grant Flow" mentioned in OAUTH2 spec.
Any other alternative I can look into. I want to write a simple script that would manage application registration and any updates to the application in future.
Yes, there are several means of running a script against the Microsoft Graph API without a user present:
AD supports the resource owner credential grant that you described in your question. This flow doesn't support some new auth features like multifactor auth and you'll have to be very careful about securely storing your credentials.
The other option is to use V2 auth client credential flow. In this case, the tenant admin consents to the application on behalf of the tenant. Afterwards, the application can run without a user present. One benefit of this flow as opposed to the V1 resource owner credential grant is that you pass a client credential which can be revoked and re-generated if needed (rather than dealing with raw user credentials).
When using Azure AD client credentials flow, should the oauth2 endpoint (of azure ad) produce a bearer token if the client application has NOT been granted permission to access the requested resource? I was certain it used to error in this case, but I'm now seeing different behavior (a valid bearer token is now provided even if the client application does NOT have permission to the resource application).
We have always allowed tokens to be issued between two services when using the client credential flow. This scenario is basically S2S between Daemon Services.
The important thing to note here is that the built in authorization model for AAD takes advantage of SCP and ROLE claims, which appear in the token and can help your API understand what permissions it has been granted by the user.
However, we want to also allow you, in this situation, to use your own authorization layer. For example, you could simply white-list the App ID of the client application to allow it to make S2S calls to your API, without the presence of any ROLE claims in the token. The token issuance behavior here enables this scenario.
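The API-side counterpart of two answers on this page, as an added example that is not code from either: the answer listing the flows (a delegated token carries the app's consented scopes in `scp` plus the user's identity, an app-only token carries only the app's `roles`), and the last answer (a client-credentials token is issued even when no application permission was granted, so the API must either require a role or keep its own allow list of client app ids). It assumes a validation library has already checked the signature, `iss`, `aud` and `exp`; the claim names (`scp`, `roles`, `oid`, `sub`, `azp`, `appid`, `idtyp`) are the ones Azure AD issues, while the permission names, app ids and sample claim sets are constructed for the demonstration.

```python
"""Authorization decision for a protected API from the claims of a validated
Azure AD v2.0 access token: delegated (scp + user) versus app-only (roles, no
user), with an app-id allow list for the case where a client-credentials token
was issued without any roles claim at all.

Added example; not code from either answer. It assumes a validation library has
already checked signature, iss, aud and exp. Claim names (scp, roles, oid, sub,
azp, appid, idtyp) are the ones Azure AD issues; the permission names, app ids
and sample claim sets below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    kind: str      # "delegated", "app-only" or "denied"
    reason: str


def caller_app_id(claims):
    """v2.0 tokens name the calling app in azp; v1.0 tokens use appid."""
    return claims.get("azp") or claims.get("appid")


def is_app_only(claims):
    """Client-credentials tokens have no scp claim and no signed-in user.

    Azure AD's optional idtyp claim says "app" outright when configured; without
    it, the absence of scp is the signal, since a delegated access token carries
    the consented scopes in scp.
    """
    if claims.get("idtyp") == "app":
        return True
    return "scp" not in claims


def authorize(claims, *, required_scope, required_app_role,
              required_user_role=None, allowed_app_ids=frozenset()):
    """Return a Decision for one request.

    App-only: the app must hold required_app_role in `roles`, or be on an
    explicit allow list (the token may legitimately carry no roles at all).
    Delegated: the app must have been granted required_scope in `scp`, the token
    must identify a user, and optionally that user must hold required_user_role
    in `roles` (a user app-role assignment), the user-side check the flows
    answer mentions.
    """
    app_id = caller_app_id(claims)
    if is_app_only(claims):
        roles = set(claims.get("roles", []))
        if required_app_role in roles:
            return Decision(True, "app-only", f"{app_id} holds app role {required_app_role}")
        if app_id in allowed_app_ids:
            return Decision(True, "app-only", f"{app_id} is on the allow list (no roles claim)")
        return Decision(False, "denied", f"{app_id} lacks app role {required_app_role}")

    scopes = set(claims.get("scp", "").split())
    if required_scope not in scopes:
        return Decision(False, "denied", f"scope {required_scope} not consented")
    user = claims.get("oid") or claims.get("sub")
    if not user:
        return Decision(False, "denied", "delegated token without a user identity")
    if required_user_role and required_user_role not in set(claims.get("roles", [])):
        return Decision(False, "denied", f"user {user} lacks role {required_user_role}")
    return Decision(True, "delegated", f"{app_id} acting for user {user}")


# Constructed sample claim sets, reduced to the claims that matter here.
DELEGATED = {"azp": "client-a", "oid": "user-42",
             "scp": "Orders.Read openid profile", "roles": ["Orders.Approver"]}
APP_ONLY = {"azp": "daemon-b", "roles": ["Orders.Read.All"]}
APP_ONLY_NO_ROLES = {"azp": "daemon-c"}   # issued although nothing was granted

if __name__ == "__main__":
    for name, claims in [("delegated", DELEGATED), ("app-only", APP_ONLY),
                         ("app-only, no roles", APP_ONLY_NO_ROLES)]:
        d = authorize(claims, required_scope="Orders.Read",
                      required_app_role="Orders.Read.All",
                      allowed_app_ids=frozenset({"daemon-c"}))
        print(f"{name:>20}: allowed={d.allowed} kind={d.kind} ({d.reason})")
```

The order of checks is deliberate: an app-only token is never let through on the strength of a delegated scope, and a delegated token never satisfies an application-permission requirement, so a daemon that was granted nothing gets in only if the API itself chose to allow-list its app id.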