Suppose that I have a web application and a mobile app which consume both API A and API B, which the API is use to access the database to get information. So, in this case the client ID is the web application/mobile app or the API?
ClientID ClientName
1 API A
2 API B
ClientID ClientName
1 Mobile App
2 Web App
You should assign client IDs to the mobile app and the web app. So,
ClientID ClientName
1 Mobile App
2 Web App
Related
What is the usage of client secret in Azure AD B2C? The Microsoft doc only said
If your application exchanges a code for a token, you need to create
an application secret..
Will the azure ad b2c encrypt the token by the client secret, or if a native app requests a token need to send the client secret to the azure ad b2c endpoint?
And, does the client secret can be used to make only my trust native app can get the jwt then to visit my server, third part untrust app can't get the token from the b2c to visit my server?
and what is the usage of application id uri?
thanks.
It has nothing to do with whether you are using Azure AD or Azure AD B2C.
client_secret is required for web apps rather than native apps because client_secrets can't be reliably stored on devices.
It's required for web apps and web APIs, which have the ability to store the client_secret securely on the server side.
The official document: Add a native client application to your Azure Active Directory B2C tenant also doesn't mention that you need to add a client secret.
What you have seen in Microsoft doc is for web apps.
and what is the usage of application id uri?
Application ID URI is the unique URI that is used to identify your API. When requesting an access token for this API, the whole URI should be added as the prefix for each scope.
If you have a web API protected and use another client app to access this API, you can enter the identifier used for your web API. See details here.
I have an Asp.Net Core 2.0 Web API running as a web app in Azure. My API is consumed by client applications which are windows service running on servers at various client sites. So, this is a "Daemon or Server Application to Web API" communications flow as described in Authentication Scenarios for Azure AD
I register the client application at each site as a separate unique app in Azure AD, obtain the ClientId and AppKey and send it to the respective site for their devs to use in their service to request a JTW access token from Azure AD to use in the authorization header when making an http request to my API.
This is all working just fine.
The question I have is this; is there any way, in this scenario, that I can identify which site is making the request? From what I understand, it doesn't seem like I can add custom claims to an OAuth2.0 access token, like can be added to an OIDC ID token.
If you register the apps yourself then you know all the client ids for each different site so your API could use the appid in the JWT access token (which is the client id) and cross reference it against a list of sites. Here is an example of a JWT token obtained using the client credentials grant type:
I'm working with a company that is using the Google Apps free subscription. This company has a web site. They want to let users who have Google Apps accounts in their domain to authenticate into the web site via OAuth.
My question is, where do I find the ClientId and ClientSecret needed to do OAuth?
Thank you!
OAuth 2.0 for Client-side Web Applications will allow you to authenticate users using Oauth2. This will allow the users to grant your application access to their private data.
You will need to go to Google Developer console and create credentials on this page Credentials
Open the Credentials page in the API Console.
Click Create credentials > OAuth client ID.
Complete the form. Set the application type to Web application. Applications that use JavaScript to make authorized Google API requests must specify authorized JavaScript origins. The origins identify the domains from which your application can send API requests.
I have an ASP.NET MVC web application that wants to send email messages to different users. The goal is to have a re-usable API in my MVC app that can send single/bulk emails from different views.
My idea is to create a custom Web API that my MVC application can call to send emails using Office 365 API. Now assume that we have 2 projects:
MVC Web App -> This contains a page with UI fields like To, From, Body, Send Button etc.
MVC Web API -> This contains references to Office 365 library and endpoints to send emails
Will this scenario work to send emails as I do not want the users to be redirected to their individual sign in page and enter their office 365 credentials. I was wondering if I could call some office 365 API endpoint and pass them an email address like xyz#office365.com and it would send me an auth token which I could use to send the emails.
Correct me if I am wrong or anyone has a better idea?
-------UPDATE ON 17th May 2017 -------
Sorry Nan Yu for replying late. I was a bit occupied with other priorities so did not get a chance to look into more details on your code samples. I appreciate your suggestions but at this point I have other priorities to work on. I don't know how will I be able to authenticate against the AD as we have a different sort of architecture. Imagine we have 5 companies who use our web application. All 5 companies have their own Office 365 accounts and AD. We use our SQL database to authenticate them before giving access to our web application like most web applications will do but we cannot authenticate them against their AD as they are not part of our AD network.
If you want user to authentication in Azure AD in MVC app(user login with their credentials) , then in mvc app calls a web API and then the web API calls O365 rest apis after obtaining a token to act On Behalf Of the original user. You could use the OAuth 2.0 On-Behalf-Of flow . For more information about how the protocols work , you could refer to this document and this code sample .
If you want to call Office 365 library in web api using its app identity (instead of a user's identity) to get access token , without any human interaction such as an interactive sign-on dialog , you could try OAuth 2.0 client credentials . Please refer to this document and you could related code samples in here(Server or Daemon Application to Web API section).
Update :
You could 1) use asp.net identity and enable azure ad External login , then in web api you could send mail On Behalf Of the original user by using OAuth 2.0 On-Behalf-Of flow .
2) Acquire token With client credentials flow in web api :
POST https://login.microsoftonline.com/<tenant>/oauth2/token
Content-Type: application/x-www-form-urlencoded
client_id=<clientid>&resource=https://graph.microsoft.com/&client_secret=
<client secret>&grant_type=client_credentials
Then using the access token(app identity) you could send mail by :
POST https://graph.microsoft.com/v1.0/users/<userPrincipalName>/sendMail
Content-type: application/json
Authorization : Bearer token
{
"message": {
"subject": "Meet for lunch?",
"body": {
"contentType": "Text",
"content": "The new cafeteria is open."
},
"toRecipients": [
{
"emailAddress": {
"address": "ny#chencl.onmicrosoft.com"
}
}
],
},
"saveToSentItems": "true"
}
You could pass userPrincipalName from MVC . And you should grant Send mail as any user application permission of microsoft graph for you web api in azure portal.
We have 1 google app with 2 separate sets of credentials.
One for a web app, the other for an iOS app.
We're trying to have users authenticate on mobile and send the "code" parameter to our api where we turn that into an access_token and refresh_token(for use with background processing). The issue that we're getting is "unauthorized_client".
We've been following the portion for "enable server-side api access for your app" https://developers.google.com/+/mobile/ios/sign-in
The api is using the same credentials as the iOS app for these type of exchanges.