Call secure Azure API from Azure Scheduler - oauth

I have developed an Azure API which is secure with "log in with azure active directory" configured in ExpressMode.
In Azure management portal, under application, choosing the registered app
in configure section I copied , Client ID and generated key
Now I need to call this API , from azure scheduler, I configured Authentication setting under job Action setting to use "Active Directory OAuth" and I entered the related value for Tenant, ClientId , Secret and for Audience I left the default value which is : https://management.core.windows.net/
but when I try to run the job will be failed
Unauthorized' Response Headers:...
body : You do not have permission to view this directory or page.
I was wondering which part I have missed to configure?
Thanks!

after some more research, finally found answer, Thanks to the
"Unauthorized" when invoking an API App from Azure Scheduler with Azure AD OAuth authentication
Browse to AzureResource Explorer
Select your API app , under config select authsettings node
Edit "allowedAudiences" like below
"allowedAudiences": [
"https://xxxx.azurewebsites.net",
"https://management.core.windows.net/"
],

Related

DocuSign Power Apps Custom Connector not working

I am setting up the DocuSign rest connector in power apps. I have other API's that working well this same way.
I want to get this setup to sweep completed files on a scheduled.
I started by going through this tutorial and tried the same setup. But when I try to test the connector I don't get prompted for credentials. We use SSO - so the window comes up and goes away without an error message.
https://www.docusign.com.au/blog/get-the-flow-sending-docusign-envelopes-microsoft-power-automate
I then tried to create a connection in in power automate Data/Connections and get an error message after entering my dev credentials. The clientid (integration key) and the secret match.
OAuth2 authorization flow failed for service 'Generic Oauth 2'. OAuth 2 sign in failed to exchange code for access token. Client ID and secret sent in form body.. Response status code=NotFound. Response body: { "statusCode": 404, "message": "Resource not found" } Client ID and secret sent in Basic authorization header.. Response status code=NotFound. Response body: { "statusCode": 404, "message": "Resource not found" }
The setup looks correct. It seems like a reference problem = like the production account and the developer account are not in sync or something. I have the same email address for both production and developer accounts and we use SSO - maybe its trying to reference production and not the developer account when its logging in? Just guessing.
I have a ticket with them, but they have note been able to help so far and they are on AEST time and I won't be able to get a response back from them for another couple of days :(
(I tried using the DocuSign Git repo API to create the connection as well - same problem)
Anyone have problems like this or know a solution? Anything else I can look at. This seems all straight forward -standard OAuth setup.
Using this setup like in the article for the demo (dev) account.
DEMO:
IKey: Integration Key [captured earlier]
Secret Key: Secret Key [captured earlier]
Authorization URL (DEMO): https://account-d.docusign.com/oauth/auth
Token URL (DEMO): https://account-d.docusign.com/oauth/token
Refresh URL (DEMO): https://account-d.docusign.com/oauth/token
Scope: signature extended
This will connect to a single DocuSign user (like a "service account"). It will not prompt each user for their credentials. You will need 1 generic user setup within your DocuSign account, without SSO (you can setup an exception user in DocuSign admin. This is best practice when setting up SSO as a fallback in case SSO fails to login as well).
The envelope will be sent from that generic user, not the actual user. This is common practice with some "system level" integrations.
Also, are you connecting a DocuSign "demo" or production account?
I ask because there's two connectors for power automate - "DocuSign" (for production) and "Docusign Demo" (for demo). I would recommend doing it all in demo first, as the "client id" (aka "integration key") needs to go through a go-live process to be promoted from demo to prod (see the link in the guide).

Newly deployed cloud run app inaccessible, despite having requisite permissions (403)

Following this quickstart guide (Python version), I was able to quickly create and deploy a Python Flask app to a project owned by my organization. However, toward the end the guide instructs "Visit your deployed container by opening the service URL in a web browser", and but this is the step I can't get to work.
Curiously, in the logs
(https://console.cloud.google.com/logs/) the 'textPayload' data element for the request is "The request was not authenticated. Either...", which seems unusual, as I'd expect an unauthenticated request to return 401, not 403. In any case, it does not list my org email address in the request, suggesting my identity for some reason isn't being supplied. Any way to fix this so I can access the URL using a user with appropriate permissions?
Note: I can access the URL by manually running "curl -H 'Authorization: Bearer <my token>'"
Cloud Run URLs aren't directly accessible if the service only allows authenticated invocations because passing the URL on your browser will not generate the credential for you. You will have to pass auth credentials on your request and the easiest way to invoke the service is to use a tool like curl which is exactly what you noted.
You have two options to authenticate your end users which are the following:
Integrate Google Sign-In.
Implement Identity Platform or Firebase Authentication.
In either of the above choices, you need a public web or mobile app that handles the sign-in flow and then makes authenticated API calls to a Cloud Run (fully managed) service.
For more information on authenticating end users, check out the official documentation.
To complement what Mr. Donnald Cucharo said, you can also use Identity Aware Proxy (IAP) to expose your application in a secure way.

Get Azure AD directory users in a Rails app

I have a Rails 6 application and I want to use Azure Active Directory as an authentication system (with open id connect, saml2 and ldap).
The authentication is done.
Now I am trying to display user information like names or email addresses. I also want to be able to export all users of a directory.
I have tried to set a configuration up like so:
In my Rails app, in the admin panel, an admin can configure Azure AD for my application
in the config, the admin copies and pastes the configuration link provided by Azure AD (a JSON response)
Then, copies and pastes the app client_id
Then, the tenant_id (directory id)
Here is a piece of code that I expected to work:
def update_oidc
identity_provider = IdentityProvider.find_by(provider_type: 'open_id_connect', id: params[:id])
client_id = params[:client_id].strip
metadata_url = params[:metadata_url].strip
tenant_id = params[:tenant_id].strip
metadata = HTTParty.get(metadata_url).parsed_response
identity_provider.update(config: {
metadata: metadata,
metadata_url: metadata_url,
client_id: client_id,
tenant_id: tenant_id,
})
if tenant_id
directory_access_url = "https://graph.windows.net/#{tenant_id}/users?api-version=1.6"
result = HTTParty.get(directory_access_url).parsed_response
identity_provider.directories.find_or_create_by(tenant_id: tenant_id).update(
business_phones: result["business_phones"],
display_name: result["display_name"],
given_name: result["given_name"],
job_title: result["job_title"],
email: result["user_principal_name"],
mobile_phone: result["mobile_phone"],
office_location: result["office_location"],
surname: result["surname"]
)
end
redirect_to identity_provider
end
As the tenant_id is the directory id, i thought that we might be able to access user info this way (and following the Microsoft Docs). The thing is, it doesn't work because even though I'm connected to my Azure AD directory in my app, when I run result = HTTParty.get(directory_access_url).parsed_response, i have an authentication error telling me the token has expired or that i need to be connected.
I don't want to use PowerShell or anything like this. I want to be able to access directories data through my app.
Can someone tell me what i'm doing wrong or come up with an idea ?
Thanks
Just according to your code, I think you want to get the collection of users via the Azure AD Graph REST API Get users using jnunemaker/httparty library.
However, it seems to be missing the required header Authorization with its value like Bearer eyJ0eX ... FWSXfwtQ as the section Authentication and authorization of the offical document Operations overview | Graph API concepts said. Meanwhile, you have done the authentication with OpenID Connect, but Azure AD Graph API requires the access token as Authorization value from OAuth2 as the content below said.
The Graph API performs authorization based on OAuth 2.0 permission scopes present in the token. For more information about the permission scopes that the Graph API exposes, see Graph API Permission Scopes.
In order for your app to authenticate with Azure AD and call the Graph API, you must add it to your tenant and configure it to require permissions (OAuth 2.0 permission scopes) for Windows Azure Active Directory. For information about adding and configuring an app, see Integrating Applications with Azure Active Directory.
Azure AD uses the OAuth 2.0 authentication protocol. You can learn more about OAuth 2.0 in Azure AD, including supported flows and access tokens in OAuth 2.0 in Azure AD.
So I'm afraid you have to get the access token manually via OAuth2 for Azure AD again for using Graph API, or just simply refer to the sample code samples/authorization_code_example/web_app.rb using the adal library of GitHub repo AzureAD/azure-activedirectory-library-for-ruby for Ruby.

"Unauthorized" when invoking an API App from Azure Scheduler with Azure AD OAuth authentication

I have an API App which I have secured with Azure Active Directory authentication. Actions of this API App I want to invoke with Azure Scheduler. I entered tenant id, client id & secret into the Scheduler action.
When I schedule or run the job I get:
Http Action - Response from host 'xxxx.azurewebsites.net': 'Unauthorized'
Diagnostic application log gives me:
JWT validation failed: IDX10214: Audience validation failed. Audiences:
'https://management.core.windows.net/'. Did not match:
validationParameters.ValidAudience: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' or
validationParameters.ValidAudiences: 'https://xxxx.azurewebsites.net'.
After some digging I found this somehow related entry.
So I really got into the Resource Explorer, down to the authsettings node of my API App and added the missing audience entry:
"allowedAudiences": [
"https://xxxx.azurewebsites.net",
"https://management.core.windows.net/"
],
Problem solved.

Thinktecture Identity Server - setup external identity providers

I'm following Brock's tutorial on OAuth2 identity providers: OAuth2 in Thinktecture IdentityServer : OAuth2 identity providers and I'm having problems trying to setup each provider details. I'm trying to use google and facebook.
Google: What I've done is. I've created new project, within which I've gone to APIs & auth > Credentials > Create New Client ID and then chose "Web Application" option. On "Client ID for web application" panel in "Javascript Origins" section I have pasted base URL of my IdSrv (https://somename). I have copied Client ID and Client secret and pasted both into appropriate sections in IdSrv identity provider shown in tutorial. When I run the application I get the invalid_request error from Google saying Invalid parameter value for redirect_uri: Non-public domains not allowed: https://somename/idsrv/issue/hrd/oauth2callback
In case of Facebook, I've created new App, and was trying to set "Site URL" in basic settings to https://somename, but got an alert saying "must be a URL with a valid domain." which I believe is essentially the same as what the Google error message is saying
My question is: How can I deploy a test version of my IdSrv then? I just want a quick and simple environment for testing purposes for now. Am running the IdSrv in my local IIS, was following Dominick installation tutorial video Thinktecture IdentityServer v2 Tutorial: Installation
When we setup IdentityServer for local testing we configure it to run under IIS with a custom host name and then setup a entry in the local hosts file. To google this should appear as a public URL.
An easier approach is to use one of the localhost DNS services that exist.
For example, whatever.vcap.me resolves to 127.0.0.1 as does production.vcap.me, staging.vcap.me and development.vcap.me.

Resources