I have a desktop app which uses ADAL for authentication, this app make requests to an API on the API Management azure service. After migrating the code to use MSAL, the API Management returns 401 saying that my token is invalid. The only difference that I see spying the requests is that ADAL makes a request to this endpoint /tenantID/oauth2/token and MSAL /tenantID/oauth2/v2.0/token.
In my API Management I have this policy:
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid. AAD" require-expiration-time="false">
<openid-config url="https://login.microsoftonline.com/tenantID/.well-known/openid-configuration" />
</validate-jwt>
I tried to change the well known url to v2.0 endpoint but get the same error. How can I validate the token using MSAL?
From the Note in the doc, when changing the well known url to v2.0, you may need to use common instead of tenantID.
<openid-config url="https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration" />
Also, make sure you have done the step 10 in this link correctly:
If you use v2 endpoints, use the scope you created for the backend-app
in the Default scope field. Also, make sure to set the value for
the accessTokenAcceptedVersion property to 2 in your
application manifest.
Related
I'm trying to call a Web API secured by Azure B2C. I'm using .NET 5. I'm also using Azure B2C to secure my WebApp.
In my WebApp startup.cs I have:
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAdB2C"))
.EnableTokenAcquisitionToCallDownstreamApi()
.AddDownstreamWebApi("API", Configuration.GetSection("AzureB2API"))
.AddInMemoryTokenCaches();
I'm using ITokenAcquisition to get the access token. I tried IDownstreamWebApi, but that didn't work.
string accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(Scopes);
The problem I'm having is that, the version of the access token I'm receiving is version 1. However, the Web API is expecting version 2.
I tried to change the version to 1 in the manifest of the Azure B2C WebAPI (accessTokenAcceptedVersion) but it will not accept the change.
Any advice will be greatly appreciated.
The startup.cs of the Web API is:
services.AddMicrosoftIdentityWebApiAuthentication(Configuration, "AzureAd");
Please check if below can be a work around.
AddInMemoryTokenCaches adds an in memory token cache provider, which will cache the Access Tokens acquired for the downstream Web API.
services.AddMicrosoftIdentityWebAppAuthentication(Configuration,
"AzureAdB2C")
.EnableTokenAcquisitionToCallDownstreamApi(new string[] { Configuration["TodoList:TodoListScope"] })
.AddInMemoryTokenCaches();
services.AddInMemoryTokenCaches();
So,you may clear the cache after changing the accepted version so that app doesn’t take the previous version which is cached and used till it got expired.
reference1
As you mentioned the Web API is expecting version 2, I think you may have to change the accessTokenAcceptedVersion to 2 in the manifest of the Azure B2C WebAPP that calls the web api in the portal.
"accessTokenAcceptedVersion": 2,
Note
If the value of Supported account types is Accounts in any
organizational directory and personal Microsoft accounts (e.g.
Skype, Xbox, Outlook.com), the accepted token version must be v2.0.
Otherwise, the accepted token version can be v1.0
If the value is 2, the web API accepts v2.0 tokens.
If the value is null, the web API accepts v1.0 tokens.
Other points:
Also do check for the scope and permissions Protected web API app registration
/ The ASP.NET core templates are currently using Azure AD v1.0, and
compute // the authority (as {Instance}/{TenantID}). We want to use
the Microsoft Identity Platform v2.0 endpoint
options.Authority =
options.Authority + "/v2.0/";
Also see this
I have an api project configured with oauth for authentication. since the application uses load balancer to manage multiple requests, let's assume (server-1 ad server-2).
first request with valid credentials => server 1 (here token was generated)
second request with token included in header => server 2
now second request getting "Authorization Denied". How to handle this scenario?
Guess you are looking for something like vouch-proxy.
Here some useful links:
Article: https://medium.com/lasso/use-nginx-and-lasso-to-add-google-authentication-to-any-application-d3a8a7f073dd
Project: https://github.com/vouch/vouch-proxy
Following the procedures outlined in the SDK docs.
Using .NET's WebRequest to make the API call. StatusCode "Forbidden" being returned along with additional message "Invalid issuer format".
What I'm not sure about is how I'm supposed to generate the token for the call. The instructions in the section I linked to simply say:
REST API calls must be authenticated using a custom HTTP header — X-OPENTOK-AUTH — along with a JSON web token. Create the JWT token with the following claims.
This led me to believe I was to use the JWT library of my choice to create the token. So I did. I used .NET's System.IdentityModel.Tokens.Jwt.
In the .NET section of the site, though, this appears:
You can generate a token either by calling an OpenTokSDK.OpenTok instance's GenerateToken... method, or by calling a OpenTokSDK.Session instance's GenerateToken... method after creating it.
Was that what I was supposed to do? Is that what's wrong?
I can include my code but no point if I've taken the wrong approach altogether.
TokBox Developer Evangelist here.
There are two token concepts within the OpenTok API. One of the tokens is used to authenticate an OpenTok Session and the other is a JWT token used to authenticate each HTTP request you make from the server side.
It looks like the token that you're trying to create is used to interact with the OpenTok REST API. Each request you make to the OpenTok REST API has to have a JWT token which is signed by your API Key and API Secret. The signing would look something like this:
var payload = new Dictionary<string, object>
{
{ "iss", "12321312" }, // apiKey
{ "ist", "project" },
{ "iat", now }, // current time
{ "exp", expiry } // current time + 300 seconds
};
You can use the GenerateJWT method in the OpenTok .NET SDK as reference. Alternatively, you can use the OpenTok .NET SDK to make the StartBroadcast request which would handle the JWT token creation for you.
Lastly, to authenticate an OpenTok Session you have to use one of the OpenTok Server SDKs. Please note that tokens used to authenticate OpenTok Sessions are not created by any library.
I am trying to create the Web Performance tests for an app that is using Identity Server 3. I can't figure out how to simulate login and get token.
For example, I am using myapp.com and identity server is hosted on identity.com. All my endpoints in myapp.com/api are secured and require Bearer token.
identity.com can provide me token in exchange for a username and password. identity.com will redirect me to a myapp.com/tokenRedirect?token=***. How can I catch the token and use it as an Authorization header for API requests?
There are some solutions for JMeter but could not find any for VS 2017 tests.
Redirections are handled automatically, by default, in a test recorded by Visual Studio and hence the redirection response containing the token is not accessible. Setting the FollowRedirects property of the request to False allows the response containing the redirection to be accessed by the usual extraction rules and/or plugins etc. One of them can be used to find the token value and save it to a context parameter (CP). Having turned off the automatic redirection handling, a new request should be added (use the Insert request command, do not use Add dependent request) and it should have the request that the redirection wants. Hence its url should be of the form myapp.com/tokenRedirect?token={{TheCPWithTheToken}}.
In later requests the CP with the token can be added via the Add header command, or an existing header field can be modified to use the CP.
I am coding against the Microsoft Graph API and I am trying to proof out the ability to generate an OAuth Token. I am using Postman and have my application hosted on Azure Active Directory. I am running into an issue in Postman when trying to pass in the correct Scopes - I am trying to pass in User.read however, Postman is not generating a Token.
My Settings:
Auth URL: https://login.windows.net/{my_tenent}/oauth2/authorize
Access URL: https://login.windows.net/{my_tenent}/oauth2/token
Scope: User.readAll
Are these the correct values to be passing in to generate an OAuth Token?
It sounds like you're mixing a bit of v1 and v2 endpoints here. I've written up a Microsoft v2 Endpoint Primer that might help you out here.
The URI for authentication with v2 should be https://login.microsoftonline.com/common/oauth2/v2.0/ rather than https://login.windows.net/{my_tenent}/oauth2/authorize.
When requesting scopes with Graph, be sure and use the full URI and not just the scope name itself. For example, user.read should be requested as https://graph.microsoft.com/user.read. Multiple scopes are space delimited so requesting user.read and mail.read would be formatted as "https://graph.microsoft.com/mail.read https://graph.microsoft.com/user.read.
If you would prefer to use the v1 Endpoint, you do not request scopes as part of the OAUTH workflow. With v1, scopes are defined in Azure Active Directory when you register the Application.
If you're not sure which to use, take a look at Deciding between the Azure AD and Azure AD v2.0 endpoints. In general, I tend to recommend v2 as it will eventually replace the legacy v1 implementation. There are however some older APIs (EWS, SfB, etc) that only support v1 at the moment so there are cases where your choice is made for you.
Did you make sure to set up your application to request permissions to the Microsoft Graph?
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications
The "permissions to other applications" section. You must statically select the scopes you want your application to call Microsoft Graph with, unless you are using the V2 endpoint which supports dynamic consent.
Let me know if this helps!
I fought with this same issue for nearly a day before finally figuring it out. These are the settings that work for me:
Token Name: [anything you want]
Auth Url: https://login.windows.net/common/oauth2/authorize?resource=https://graph.microsoft.com
Access Token URL: https://login.windows.net/common/oauth2/token?resource=https://outlook.office365.com/ (although, I don't think the refresh works)
Client ID: [your app's client id]
Client Secret: [your app's client secret]
Scope: I have a bunch of scopes in here, but they seem to be ignored. Scopes should be set in the app console
Grant Type: Authorization Code
Check "Request access token locally"
If everything works, you should get the login screen when you click "Request Token"