I am struggling to find if I can authenticate my users with Azure AD using ADAL in a MVC Web Application directly.
I have the application setup and working. When a user hits a page requiring authorization it redirects to MS to login, then redirects back just fine. I need to host the login form.
Is this supported? I find a lot of misleading information and no definitive documentation or examples.
Thanks in advance.
Related
The Problem
I am going to develop a web application using MVC .NET6. The requirement is that I need to use Asp.net core identity to authenticate users in the local database and from Azure Active Directory at the same time. The authorization part is simple: no policy, role, or claim is required at the moment. I only need to use the [Authorize] attribute once authentication has succeeded.
The UI login page would have a username/password and a login button to authenticate the user from the database. There will be another button like Azure Sign In for authentication from Azure that redirects to the Microsoft page for credentials.
I've tried to find sample code or similar examples but couldn't find any.
Please help me to achieve this.
Thanks.
I am building a sample ASP.NET 5 (vNext) web application to act on behalf PowerBI users through Power BI API.
I followed all the steps here to register my application and I have the ClientId.
The app was added to my Azure Active Directory realavaloro.onmicrosoft.com
My web application is able to redirect the user to the authority https://login.windows.net/common/oauth2/authorize/ passing as query parameters the response_type, clientId, resource and redirect_uri:
"response_type": "code"
"resourceUri": "https://analysis.windows.net/powerbi/api",
"clientId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"redirectUri": "http://localhost:59136/"
The browser is properly redirected to the Microsoft page and the user enters his Power BI credentials. If authenticated, it is redirected to the redirect_uri with the code + session_state.
The problem is that I don't fully understand this mechanism.. :)
If I use my PowerBI test account credentials (diego@realavaloro.onmicrosoft.com) the authentication is successful and the browser is redirected properly with code + session_state.
But if I try to authenticate with other PowerBI credentials, for example joe@companyb.com, it fails to authenticate with the Bad Request message:
AADSTS70001: Application with identifier 408c866f-ad71-4354-b9fd-c954cae84dd7 was not found in the directory companyb.com
I thought any user with an account in PowerBI would be able to, through our web application, use his PowerBI account through the API, provided our web application has permission.
But it seems that if we want that to happen with this approach every user would need their own Azure Active Directory to authenticate against.
Is there anything I am missing here?
Is there any option to allow our application to act on behalf of ANY Power BI user?
Thank you!
PS: I built my test web application following guidelines at https://github.com/PowerBI/getting-started-web-app-asp.net
I will answer myself. The reason my web application couldn't authenticate external users with their Power BI credentials was (duh!) because I had not configured my web application in Azure AD as multi-tenant.
Thanks to this great presentation https://channel9.msdn.com/Events/Ignite/2015/BRK3551 I found some good answers including the meaning of multi-tenant :)
I still have to investigate the Azure libraries to manage all these Authentication headers for me and get my head around OAuth2 but at least I can say now that the authentication works for external users.
Context
I'm building a web application deployed to Azure Webapps where users need to sign in. To accomplish this, I'm leveraging Azure AD with OAuth 2.0 Authorization Code Grant. Since I'm using Nancy (with the ASP.NET host) instead of MVC, I can't follow the official Azure AD MVC examples where all the OAuth handling seems to happen magically in the background.
Redirecting to the OAuth endpoint is straight-forward, and the user is also correctly redirected back to my application with an authorization code.
Problem
Now I need to retrieve the user ID in order to match it to the user database in my application. I'm using ADAL for this, because this is basically step D & E of the authorization code grant flow, from what I understand.
Now what puzzles me is that this use case is not supported by Azure AD, stating that
The client '[ClientId]' and resource '[ResourceId]' identify the same application.
Also, as indicated by this answer, "ADAL is not meant to achieve web sign-on in a web application."
I've been able to work around this problem by creating two applications in Azure AD, as suggested by this blog, but it feels like I misunderstood something. This could very well be the case, as I am new to OAuth and Azure AD.
So my question is, what is the correct way to authenticate a user from a non-MVC web application using Azure AD?
The OWIN middleware should work with non-ASP.NET as well. See for example http://unlustrously55.rssing.com/browser.php?indx=24287735&item=13 - in your case you will have to use the OpenID Connect one or the WS-Federation one.
Is this purely for users inside your organisation/tenant? It sounds like it.
Why don't you use an App Registration in Azure AD and grant it permissions to access the users profile? You should then be able to retrieve a user's UPN from the token. Please see here:
https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service
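The two threads above (the Power BI question answered by switching the app registration to multi-tenant, and the Nancy question about pulling the user ID out of the authorization code flow) both come down to the same client-side steps: send the authorization request to the common endpoint, accept only a callback bound to your own session, and then read the identity claims from the id_token while checking which tenant issued it. The following Python is an added illustration written for this page, not code from any of the posters, ADAL, or Microsoft. The client id, tenant ids, user names and the id_token itself are constructed placeholders; the token is unsigned, and `check_claims` assumes the caller has already verified the signature against the tenant's published signing keys, which is deliberately not implemented here.

```python
import base64
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# v1 Azure AD authorize endpoint from the question. "common" lets a user from any
# tenant sign in, which only succeeds once the app registration is multi-tenant.
AUTHORIZE_ENDPOINT = "https://login.windows.net/common/oauth2/authorize"


def new_state() -> str:
    """Unguessable per-request value stored in the session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, resource: str, redirect_uri: str, state: str) -> str:
    """Authorization request with the same parameters as the question, plus 'state'."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "resource": resource,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code from the redirect back to redirect_uri.

    The callback is rejected unless 'state' equals the value saved for this
    session, so a forged or replayed callback cannot log a victim into an
    attacker-chosen account. AAD reports failures as error/error_description.
    """
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        desc = qs.get("error_description", [""])[0]
        raise ValueError(f"authorization failed: {qs['error'][0]} {desc}".strip())
    state = qs.get("state", [""])[0]
    if not state or not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback is not bound to this session")
    return qs["code"][0]


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_demo_id_token(claims: dict) -> str:
    """Constructed, UNSIGNED JWT for this demo only; the signature segment is a dummy."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysignature"


def id_token_claims(token: str) -> dict:
    """Decode the payload segment of a JWT (no signature check performed here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict, client_id: str, allowed_tenants=None, now=None) -> dict:
    """Validate a signature-verified v1 id_token's claims and return the user identity.

    allowed_tenants=None accepts any tenant (the multi-tenant case from the
    thread); pass a set of tenant ids to restrict sign-in to known directories.
    """
    now = time.time() if now is None else now
    if claims.get("aud") != client_id:
        raise ValueError("aud mismatch: token was not issued for this application")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    tid = claims.get("tid")
    # v1 tokens carry the issuing tenant both in 'tid' and in the issuer URL.
    if not tid or claims.get("iss") != f"https://sts.windows.net/{tid}/":
        raise ValueError("issuer does not match tenant id")
    if allowed_tenants is not None and tid not in allowed_tenants:
        raise ValueError(f"tenant {tid} is not allowed to sign in")
    # 'oid' is the stable per-tenant user id to key your own user table on.
    return {"tid": tid, "oid": claims.get("oid"), "upn": claims.get("upn")}


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("client-id-placeholder",
                              "https://analysis.windows.net/powerbi/api",
                              "http://localhost:59136/", state))
    code = parse_callback(f"http://localhost:59136/?code=CODE&state={state}", state)
    demo = make_demo_id_token({"aud": "client-id-placeholder", "tid": "tenant-a",
                               "iss": "https://sts.windows.net/tenant-a/",
                               "oid": "user-1", "upn": "diego@example.onmicrosoft.com",
                               "exp": int(time.time()) + 600})
    print(code, check_claims(id_token_claims(demo), "client-id-placeholder"))
```

Keying your user table on `oid` (together with `tid`) rather than on `upn` avoids breakage when a user is renamed, and rejecting any tenant not in an allowlist is how an app that was made multi-tenant for the Power BI case still keeps unknown directories out.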
I am spiking a solution with Thinktecture IdentityServer V3. The setup of the project is an Asp.net MVC 5 site which uses forms authentication to authenticate the user; we also have a number of web api sites which are hosted separately.
I would like to use IdentityServer to SSO into the web api sites. This is an internal solution and I would like to somehow programmatically log in to the identity server instead of being shown the login screen.
Is this possible?
Many thanks
Check this link.
https://github.com/IdentityServer/IdentityServer3/issues/831
You can sign in as resource owner, but SSO won't be possible.
We can always customize the login page provided on IdentityServer.
I have a SharePoint 2007 portal configured to authenticate against a STS (ADFS 2.0) using the FormsSignIn (Forms Authentication on the ADFS). Is there any way to have a few pages living in the SharePoint portal that allow anonymous access? I've tried checking the "Enable Anonymous Access" in the SharePoint Central Admin, and I've tried adding location sections in the web.config, but both of these still redirect to the ADFS login page.
I have re-branded the ADFS login site so it looks less generic and more like our SharePoint login page. Should I just move those anonymous access pages out of SharePoint and into the ADFS site?
ADFS is new to me and I'm not sure what the best practices are for customizing the login process.
Thanks,
After a couple of days without an answer, I re-posted this question on SharePoint.SE. After re-enabling allow anonymous access, I was able to get to these pages. Although, I am getting an internal error 500 for all stylesheets that are in the /Style Library/ library, so I'm not sure if I'm that much better off.