I have set up a new B2C Tenant in Azure and I'm using oauth2_proxy (more specific: docker-oauth2_proxy) to authenticate against it.
There was a need to configure custom login URLs, but the login process itself is working:
- name: OAUTH2_PROXY_LOGIN_URL
value: https://login.microsoftonline.com/tfp/<my-tenant-name>.onmicrosoft.com/b2c_1_policy/oauth2/v2.0/authorize
- name: OAUTH2_PROXY_REDEEM_URL
value: https://login.microsoftonline.com/tfp/<my-tenant-name>.onmicrosoft.com/b2c_1_policy/oauth2/v2.0/token
However, I get an error after I'm redirected back to https://my-app.example.com:
oauthproxy.go:527: error redeeming code missing email
I tried to have a look at the token that I get back, but could not decode it via https://jwt.ms.
As I don't know what exactly is contained in there, I am reluctant to post it here, but it does start with eyJraWQi..., which can be base-64-decoded to {"kid":"cpimcore_09252015","ver":"1.0","zip":"Deflate","ser":"1.0"}
The full format of the reply is:
/oauth2/callback?state=a0d367fd2d7337b8fbae8d72052022c7%3a%2f&code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMCIsInppcCI6IkRlZmxhdGUiLCJzZXIiOiIxLjAifQ..[base64*16].[base64*568].[base64*22]
where [base64*n] indicates a string of n characters that look like base 64 encoded data.
Any ideas on how to decode that token?
You can't decode the authorization code that is issued to /oauth2/callback because it is encrypted.
oauth2_proxy's Azure AD provider expects a mail or otherMails claim to be issued. Azure AD issues this but Azure AD B2C doesn't issue it. Azure AD B2C issues the emails claim.
You might have to modify this Azure AD provider to match the emails claim.
No idea if this is still relevant to you, Azure AD B2C essentially uses standard OpenID Connect, however with the addition that you need to supply a policy as additional parameter.
We also had the need to use Azure AD B2C with oauth2_proxy, so we modified the oauth2_proxy generic oidc provider so it can take a B2C policy as additional config option.
If you want, give it a try: https://github.com/karrieretutor/oauth2_proxy#microsoft-azure-ad-b2c
If you're building from source, be aware that you also need to use our forked 'go-oidc' package (on which oauth2_proxy relies, but has part of the issuer URL hardcoded, so we had to change this, too, for including the B2C policy). Take a look at the Dockerfile, this can properly build it.
Related
I am setting up the DocuSign rest connector in power apps. I have other API's that working well this same way.
I want to get this setup to sweep completed files on a scheduled.
I started by going through this tutorial and tried the same setup. But when I try to test the connector I don't get prompted for credentials. We use SSO - so the window comes up and goes away without an error message.
https://www.docusign.com.au/blog/get-the-flow-sending-docusign-envelopes-microsoft-power-automate
I then tried to create a connection in in power automate Data/Connections and get an error message after entering my dev credentials. The clientid (integration key) and the secret match.
OAuth2 authorization flow failed for service 'Generic Oauth 2'. OAuth 2 sign in failed to exchange code for access token. Client ID and secret sent in form body.. Response status code=NotFound. Response body: { "statusCode": 404, "message": "Resource not found" } Client ID and secret sent in Basic authorization header.. Response status code=NotFound. Response body: { "statusCode": 404, "message": "Resource not found" }
The setup looks correct. It seems like a reference problem = like the production account and the developer account are not in sync or something. I have the same email address for both production and developer accounts and we use SSO - maybe its trying to reference production and not the developer account when its logging in? Just guessing.
I have a ticket with them, but they have note been able to help so far and they are on AEST time and I won't be able to get a response back from them for another couple of days :(
(I tried using the DocuSign Git repo API to create the connection as well - same problem)
Anyone have problems like this or know a solution? Anything else I can look at. This seems all straight forward -standard OAuth setup.
Using this setup like in the article for the demo (dev) account.
DEMO:
IKey: Integration Key [captured earlier]
Secret Key: Secret Key [captured earlier]
Authorization URL (DEMO): https://account-d.docusign.com/oauth/auth
Token URL (DEMO): https://account-d.docusign.com/oauth/token
Refresh URL (DEMO): https://account-d.docusign.com/oauth/token
Scope: signature extended
This will connect to a single DocuSign user (like a "service account"). It will not prompt each user for their credentials. You will need 1 generic user setup within your DocuSign account, without SSO (you can setup an exception user in DocuSign admin. This is best practice when setting up SSO as a fallback in case SSO fails to login as well).
The envelope will be sent from that generic user, not the actual user. This is common practice with some "system level" integrations.
Also, are you connecting a DocuSign "demo" or production account?
I ask because there's two connectors for power automate - "DocuSign" (for production) and "Docusign Demo" (for demo). I would recommend doing it all in demo first, as the "client id" (aka "integration key") needs to go through a go-live process to be promoted from demo to prod (see the link in the guide).
I need to create an organizational feed to host nuget packages shared among projects on our Azure DevOps environment.
After several unsuccesful attempts and research, I discovered that the only way to create an organizational feed is, by design from Microsoft mouth, the Azure DevOps API.
Source for the claim : This question on VS dev community
and The MS docs on project-scoped feeds
Basically, I just need to be able to perform a POST here :
https://feeds.dev.azure.com/{organization}/_apis/packaging/feeds?api-version=5.1-preview.1
with the body :
{
"name": "{myfeedname}",
"hideDeletedPackageVersions": true,
"upstreamEnabled": true
}
And of course, a Bearer token to authenticate myself. That's the point where I'm confused.
What is the simplest way to obtain one ? I'm logged in through my company Microsoft AD account on my computer browser on Azure DevOps. I don't see any Bearer token that I can "steal" to use in PostMan in my browser dev tools.
The API docs described some relevant info, but I'm confused on how to use it in Postman :
Security oauth2
Type: oauth2
Flow: accessCode
Authorization URL: https://app.vssps.visualstudio.com/oauth2/authorize&response_type=Assertion
Token URL: https://app.vssps.visualstudio.com/oauth2/token?client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
Scopes Name Description
vso.packaging_write Grants the ability to
create and read feeds and packages.
Here is the interface in Postman for OAuth2:
Ican see how the info in the docs relates to the fields 1 - 2 - 3 - 4, but then, what callback url should I use ? What credentials ? my Microsoft email + password from AD ?
I tried this, and all I seem to get is this from Postman :
{"$id":"1","innerException":null,"message":"A potentially dangerous Request.Path value was detected from the client (&).","typeName":"System.Web.HttpException, System.Web","typeKey":"HttpException","errorCode":0,"eventId":0}
TLDR
How do I properly proceed to get a token with Postman, or other tool to manually execute my one-time request to Azure DevOps REST API ?
notes :
Following info here : Unable to get Authorization code for Devops using Postman oAuth2.0
, leading here : https://github.com/Microsoft/azure-devops-auth-samples/tree/master/OAuthWebSample , I understand that I have to register and run a whole web application. Am I understanding this correctly ? I there a simpler way ?
I understand that I have to register and run a whole web application. Am I understanding this correctly ? I there a simpler way ?
Yes, you are right. You have to register whole web application.
As the interface in Postman for OAuth2, we need provide the CallbackUrl, ClientID, ClientSecret and so on. Then, we check the document Requesting an OAuth 2.0 token, we could to know the Callback URL is:
The client application callback URL redirected to after auth, and that
should be registered with the API provider.
So, we have to register an OAuth client app in Azure DevOps (https://app.vsaex.visualstudio.com/app/register), then we could get the following information, like:
You could check the document Authorize access to VSTS REST APIs with OAuth 2.0 for some more details.
AFAIK, there is currently no simpler way to get a bearer token to send requests to the Azure DevOps API.
Hope this helps.
I have a functions app in azure that both a machine (client credential flow) and humans (authorization code flow) need to be able to authorize/authenticate against.
Initially I was using easy-auth, Azures out-of-the-box solution for securing functions apps. However according to this https://stackoverflow.com/a/57357226/7411328 it's not possible to use the client credentials flow with easy auth. Although I don't understand why this is. Why is it not possbile to use the same authority for two different flows with a single app registration?
Making the assumption (perhaps incorrectly) that the above is true and I have to implement JWT validation on my own.
Is there any reliable way to tell whether an API is being called by a machine or by a human?
Should I still do it with two seperate app registrations?
My understanding of these technologies might inadequate to properly ask the question, please let me know if I can do anything to clarify the question.
As far as I know, you can use client credentials flow to call an Azure function that protected by easy-auth(AAD as auth provider).Generally ,you can try the steps below :
Register an Azure AD App
Getting an access token from Azure AD by request below :
URL:
POST https://login.microsoftonline.com/<your tenant ID/name>/oauth2/token
Header:
Content-Type: application/x-www-form-urlencoded
Body:
client_id=<your new resistered app ID>&
client_secret=<your new resistered app secret>&
resource=<your Azure function app ID which configed at easy-auth>&
grant_type=client_credentials
Result:
Use this access token to call Azure function :
If you are using Azure AD b2c , pls provide me with more detailed infos , and I'll do some research for you .
I have a Rails 6 application and I want to use Azure Active Directory as an authentication system (with open id connect, saml2 and ldap).
The authentication is done.
Now I am trying to display user information like names or email addresses. I also want to be able to export all users of a directory.
I have tried to set a configuration up like so:
In my Rails app, in the admin panel, an admin can configure Azure AD for my application
in the config, the admin copies and pastes the configuration link provided by Azure AD (a JSON response)
Then, copies and pastes the app client_id
Then, the tenant_id (directory id)
Here is a piece of code that I expected to work:
def update_oidc
identity_provider = IdentityProvider.find_by(provider_type: 'open_id_connect', id: params[:id])
client_id = params[:client_id].strip
metadata_url = params[:metadata_url].strip
tenant_id = params[:tenant_id].strip
metadata = HTTParty.get(metadata_url).parsed_response
identity_provider.update(config: {
metadata: metadata,
metadata_url: metadata_url,
client_id: client_id,
tenant_id: tenant_id,
})
if tenant_id
directory_access_url = "https://graph.windows.net/#{tenant_id}/users?api-version=1.6"
result = HTTParty.get(directory_access_url).parsed_response
identity_provider.directories.find_or_create_by(tenant_id: tenant_id).update(
business_phones: result["business_phones"],
display_name: result["display_name"],
given_name: result["given_name"],
job_title: result["job_title"],
email: result["user_principal_name"],
mobile_phone: result["mobile_phone"],
office_location: result["office_location"],
surname: result["surname"]
)
end
redirect_to identity_provider
end
As the tenant_id is the directory id, i thought that we might be able to access user info this way (and following the Microsoft Docs). The thing is, it doesn't work because even though I'm connected to my Azure AD directory in my app, when I run result = HTTParty.get(directory_access_url).parsed_response, i have an authentication error telling me the token has expired or that i need to be connected.
I don't want to use PowerShell or anything like this. I want to be able to access directories data through my app.
Can someone tell me what i'm doing wrong or come up with an idea ?
Thanks
Just according to your code, I think you want to get the collection of users via the Azure AD Graph REST API Get users using jnunemaker/httparty library.
However, it seems to be missing the required header Authorization with its value like Bearer eyJ0eX ... FWSXfwtQ as the section Authentication and authorization of the offical document Operations overview | Graph API concepts said. Meanwhile, you have done the authentication with OpenID Connect, but Azure AD Graph API requires the access token as Authorization value from OAuth2 as the content below said.
The Graph API performs authorization based on OAuth 2.0 permission scopes present in the token. For more information about the permission scopes that the Graph API exposes, see Graph API Permission Scopes.
In order for your app to authenticate with Azure AD and call the Graph API, you must add it to your tenant and configure it to require permissions (OAuth 2.0 permission scopes) for Windows Azure Active Directory. For information about adding and configuring an app, see Integrating Applications with Azure Active Directory.
Azure AD uses the OAuth 2.0 authentication protocol. You can learn more about OAuth 2.0 in Azure AD, including supported flows and access tokens in OAuth 2.0 in Azure AD.
So I'm afraid you have to get the access token manually via OAuth2 for Azure AD again for using Graph API, or just simply refer to the sample code samples/authorization_code_example/web_app.rb using the adal library of GitHub repo AzureAD/azure-activedirectory-library-for-ruby for Ruby.
I have an application registered in Azure AD which uses certificates. I am trying to write a script which would add a new certificate to the application. This can be used to add a new certificate when the existing certificate is going to expire.
I am trying to use AddKey function of Azure AD Graph API. The request body of this api as a parameter 'proof' which is a JWT assertion signed by the existing certificate of the application. The doc says the "aud" claim in JWT should be set to "AAD Graph SPN". Here what is meant by "AAD Graph SPN"?
I tried with a JWT where "aud" was set to "00000002-0000-0000-c000-000000000000". But I am getting the following error,
{
"odata.error": {
"code":"Authorization_RequestDenied",
"message":{
"lang":"en",
"value":"Insufficient privileges to complete the operation."
}
}
}
Any thoughts on this?
I am getting the access token to call the Azure AD Graph API via "Resource Owner Credentials Grant" flow . To get the access token i am using the client_id "1950a258-227b-4e31-a9cf-717495945fc2" (The Well Known Client ID for Azure PowerShell")
My script (For deployment purpose) does something like below,
i) Get the access token as described above and registers a new application in Azure AD with a initial certificate.
ii) When the initial certificate is about to expire it should add a new certificate to the created application.
According to the documentation, you must use a self-signed JWT token to access that API:
As part of the request validation for this service action, a proof of
possession of an existing key is verified before the action can be
performed. The proof is represented by a self-signed JWT token. The
requesting application needs to generate a self-signed JWT token with
the following requirements...
The "Resource Owner Credentials Grant" won't work here in this situation. Instead, use the "Client Credentials Grant":
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service
The application you want to update should be the Client ID used to get this access token.
The other option is to update the application directly using an PATCH request on the Application Object:
https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/entity-and-complex-type-reference#application-entity
Using this method, you should be able to update using the method you described above (user credentials and an external Client ID)
Let me know if this helps.