I've been working on a multi-app project for a few months now using Azure App Service for my database and AAD B2C for authentication. There are three applications in this project: an admin WPF app, a client web app, and an employee WPF app. All three applications use client-managed authentication with my B2C tenant by getting a token from B2C and using that token to log in to the App Service database. Everything has been working fine until, seemingly overnight, I am no longer able to authenticate with the App Service. I have no problem displaying the B2C login screen and getting an access token as a result of the authentication, but when I package the token in a JObject and call the 'mobileServiceClient.LoginAsync()' function, all I get back is a 403 "forbidden" error.
First I tried seeing if all three projects were affected, which they are. I then tried rolling back to my last commit. Still the same thing. I then tried re-cloning to see if there was any little quirk, with still the same results. Because I know my Azure resources have not hit their limits, I then tried making a completely separate WPF project and I made a table on the App Service that allows anonymous access. After setting "Action to take when request is not authenticated" to "Allow anonymous access" on the App Service, I was able to read and write to the anonymous table without issue. I then tried to have this new project authenticate the same way the others have been, only to get the same 403 error. After checking all of this I can say I'm almost completely sure that there is no issue with the client applications and the issue has to be on the server side.

The most confusing part for me is that, aside from adding a new table to the database, I haven't changed a single thing server side. I've checked out both the B2C tenant and the authentication settings on the App Service, but nothing seems to be different than before I was experiencing this problem. Investigating a little bit more in the App Service, I tried to find some JS code that handles authentication to see if I could find any useful information using the console output. I did not find any code, but I did find out the console outputs PID[31680] Information Sending response: 403.76 Forbidden whenever a client tries to authenticate.
Additional information that might help is that my request header timestamp is correct. I know from research that Azure only allows a 15 minute variance for incoming requests from its time.
Any help or suggestions for solving this issue would be greatly appreciated! Thanks!
I've been working on this problem for a week now and I've got no further, and was hoping someone had encountered this before. The documentation around this is frustratingly sparse and glosses over the particular issues I'm having trouble with.
So I have a bot I wish to integrate into a Teams application, but before that I wanted to test it in the emulator and ensure it works in Azure's Test in Web Chat feature. The Web App Bot is hosted on Azure, as is the App Bot Service, which is what I deploy to. When I test it in Web Chat, there is an error in my browser's console, and in the Channel there is a listed issue stating "There was an error sending this message to your bot: HTTP status code Unauthorized"
What I assume is happening is that my Web App Bot is sending a malformed request to my web app service. But I don't understand why.
So, looking around here and other places, it looks like the cookie cutter answers for this are a combination of check your AppId and AppPassword are correct, make sure your endpoint is correct, make sure the admin has consented, test it in the emulator, update your bot framework nugets, make sure you subscribed your bot correctly, delete and resubscribe your bot etc etc, naturally all of these I've done.
I'm sure the Id and Password, endpoint, and consent are all correct, as I can connect to the bot fine in the emulator.
What I'm not clear on is the consent process. I think I've consented to everything I need to, but it might be worth double checking.
I've also tried remote debugging to see if it hits my code, and it does, but the postAsync() controller just throws out the request
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Bot.Builder;
    using Microsoft.Bot.Builder.Integration.AspNet.Core;

    // Adapter (IBotFrameworkHttpAdapter) and Bot (IBot) are injected through the controller's constructor.
    [HttpPost, HttpGet]
    public async Task PostAsync()
    {
        // Delegate the processing of the HTTP POST to the adapter.
        // The adapter authenticates the request and then invokes the bot.
        await Adapter.ProcessAsync(Request, Response, Bot);
    }
Is there anything I need to configure, or any thing I can look into here? Azure can be a confusing place so it would be nice to have some advice from someone more knowledgeable.
So that's my question. Why am I not authorised to test this in Test Web Chat on Azure? And why do I get the same errors when I include the bot ID in my teams manifest?
Make sure these things:
When you connect your Bot just mention the URL of the Bot Channel.
The Unauthorized message comes when you have (unintentionally) mentioned MicrosoftAppId and MicrosoftAppPassword in your appSettings.json. Make sure you don't mention them. Pass an empty string.
If you have created your Bot in Azure Portal you will get the MicrosoftAppId (in Overview section) and MicrosoftAppPassword (in Keys or may be Security on left side of the Azure Portal Bot pane). Use these credentials when you Connect to a BOT and also in your appSettings.json
Note: Step-3 only applies if you have created a Web bot in Azure Portal. Ignore otherwise.
You can also visit this link: https://stackoverflow.com/a/49377915/6029001
For those who stumble onto this thread, the answer was that I just had to delete my app service and deploy it again.
I originally created the service manually, and then used continuous deployment to deploy onto it, but I found that just deleting the app service, and having visual studio create the service for me, the bot suddenly began authorizing.
As far as I know, no configuration was different, so it must've been something to do with setup. Marking as solved.
I have an account that is successfully connected to Azure and an App which is registered in Active Directory. I also added all permissions as instructed, so I published the app. Now I can log in to this app with my Azure credentials online.
I also tested Postman with success adding all credentials and headers as per instructions here (learn.microsoft.com/.../setup-postman-environment) and I got response from CRM as expected, so this is working good.
As I am new to C# and Azure services I have some questions about next steps:
1. Do I need to obtain a token in order to make CRM queries (GET, POST, DELETE...) towards "accounts" and "contacts"? Or is logging into the app enough?
2. How can I make a Controller to make all REST requests from #1? Can you give me some example?
First of all, excuse my bad English.
I'm a newbie in OAuth2 and I'm trying to set up an authorization server with JWT tokens.
The server is running in a Owin self-hosted environment.
At this moment I've set up the token generation and it seems to work properly; I've also set up the refresh token provider and it seems to work (but it's just a minimal implementation). I didn't change the RefreshTokenFormat in the OAuthAuthorizationServerOptions, leaving it at the default (I don't know what the default format is), so the access token is clearly a JWT token and the refresh token is something else.
All of this seems to work correctly, but I will need to run this authorization server in a microservices environment, so the authorization server service might be moved at any moment from one machine to another, so it needs to be stateless, or at least to save the needed information on a shared storage (DB) or replicated local storage (I'm on Service Fabric) or some kind of distributed cache.
Testing, I noticed that if I generate a refresh token on a machine and then I try to use this refresh token on another instance of the authorization server (on another machine) to get a new access token, it fails with a generic invalid_grant error. My guess is that the auth server just keeps some token-related information in memory, but I don't know exactly what and how.
I also would like someone to point me in the right direction to solve this issue.
Thank you very much.
I solved the situation using a JWT token also for the refresh token.
This way the authentication server seems to be completely stateless.
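The following is an added example, not the original poster's OWIN code or the Bot Framework's, that models two things discussed on this page: the stateless refresh-token design from the answer just above (a refresh token that is itself a signed JWT, verifiable on any instance that holds the same signing key, with the token type pinned so an access token cannot be replayed as a refresh grant), and, as a simplified model of the "Unauthorized" bot thread further up, the audience check that fails when the app id a service is configured with does not match the one a token was issued for. The key, app id, timestamps, class and function names (AuthServerInstance, mint_token, verify_token, grant_outcome) are all constructed for this illustration; it is stdlib only and runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample values; a real deployment loads the key from a shared secret store.
SHARED_KEY = b"shared-signing-key-loaded-from-a-key-vault-in-real-life"
APP_ID = "11111111-2222-3333-4444-555555555555"  # the audience every instance is configured with


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, *, sub: str, aud: str, typ: str, ttl: int, now: Optional[float] = None) -> str:
    """Mint an HS256 JWT. `typ` is what separates an access token from a refresh token."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "aud": aud, "typ": typ, "iat": int(now), "exp": int(now) + ttl}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(key: bytes, token: str, *, aud: str, typ: str, now: Optional[float] = None) -> dict:
    """Return the claims, or raise ValueError('invalid_grant: <reason>') for the generic error a client sees."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("invalid_grant: malformed token")
    h, c, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm server-side; never let the token choose (rejects alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("invalid_grant: unsupported alg")
    expected = hmac.new(key, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("invalid_grant: bad signature")
    claims = json.loads(_b64url_decode(c))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("invalid_grant: expired")
    if claims.get("aud") != aud:
        raise ValueError("invalid_grant: audience mismatch")
    if claims.get("typ") != typ:
        raise ValueError("invalid_grant: wrong token type")
    return claims


class AuthServerInstance:
    """One authorization-server instance. All it needs is the shared key and its app id; no in-memory token table."""

    ACCESS_TTL = 600
    REFRESH_TTL = 30 * 24 * 3600

    def __init__(self, key: bytes, app_id: str):
        self.key = key
        self.app_id = app_id

    def issue(self, sub: str, now: Optional[float] = None) -> Tuple[str, str]:
        access = mint_token(self.key, sub=sub, aud=self.app_id, typ="access", ttl=self.ACCESS_TTL, now=now)
        refresh = mint_token(self.key, sub=sub, aud=self.app_id, typ="refresh", ttl=self.REFRESH_TTL, now=now)
        return access, refresh

    def refresh(self, refresh_token: str, now: Optional[float] = None) -> str:
        """Exchange a refresh token for a new access token; works on any instance holding the same key."""
        claims = verify_token(self.key, refresh_token, aud=self.app_id, typ="refresh", now=now)
        return mint_token(self.key, sub=claims["sub"], aud=self.app_id, typ="access", ttl=self.ACCESS_TTL, now=now)


def grant_outcome(instance: AuthServerInstance, refresh_token: str, now: Optional[float] = None) -> str:
    """'ok' if the instance accepts the refresh grant, otherwise the invalid_grant reason."""
    try:
        instance.refresh(refresh_token, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock so the run is deterministic
    node_a = AuthServerInstance(SHARED_KEY, APP_ID)
    node_b = AuthServerInstance(SHARED_KEY, APP_ID)            # second machine, same shared key
    node_c = AuthServerInstance(b"machine-local-key", APP_ID)  # what a machine-bound key looks like
    other_app = AuthServerInstance(SHARED_KEY, "99999999-0000-0000-0000-000000000000")
    access, refresh = node_a.issue("alice", now=t0)
    print("B accepts A's refresh token:", grant_outcome(node_b, refresh, now=t0 + 60))
    print("C (key not shared):", grant_outcome(node_c, refresh, now=t0 + 60))
    print("wrong app id configured:", grant_outcome(other_app, refresh, now=t0 + 60))
    print("access token used as refresh:", grant_outcome(node_b, access, now=t0 + 60))
    print("expired:", grant_outcome(node_b, refresh, now=t0 + AuthServerInstance.REFRESH_TTL + 1))
```

Two caveats a practitioner would want alongside this design: a fully stateless refresh token cannot be revoked individually before it expires, so if you need logout or compromise response you still need a small shared store (a deny list keyed on a jti claim, or a per-user "not before" timestamp) consulted in refresh(); and the signing key must be the same on every instance, which means loading it from a shared secret store rather than relying on anything machine-local.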
Here's a bit of a back story, feel free to skip to the problem below.
We have a handful of web applications exposed to the outside world (as opposed to ONLY on our internal business network) and these applications are using HTML5 for the offline capabilities. We also had IIS configured for Windows Authentication ONLY (no outside parties use our applications), thus we were issuing the challenge directly against our AD. With a recent update to Chrome for iOS, it broke the NTLM authentication (instead of prompting for user credentials, it just displayed a 401 unauthorized exception page), so we started looking at alternative solutions.
We figured we could leverage our current external ADFS/O365 access thus the user experience would be the same across all external facing applications (not just web apps).
We ended up adding OWIN to our WebForms app to use ADFS authentication and it works from a perspective of you can see the redirect to our external login page and then back to the web app. However, there is an additional problem. To get this to work, we had to DISABLE Windows Authentication in IIS and ENABLE Anonymous Authentication. Also, in the Web.Config in <system.web> we added <authorization><deny users="?" /></authorization>
PROBLEM
Since our applications are using HTML5 and are available offline, we are also using Web API to handle the push of data from the client device to the central system. When we moved to our "SSO type" solution, the POST methods in Web API started crashing. Turns out the line HttpContext.Current.User.Identity.Name stopped working.
How can I get the current authenticated [signed in] user when the user returns to the network and syncs their data? I'm not even sure what the best approach is here; I've tried a few different suggestions from SO and Google, but none seem to work. How does one get the current user in Web API with OWIN using Federated Services?
I followed this Microsoft Azure Mobile Service Authentication Tutorial, to try to add a server authentication function for my Windows Store C# app. However, after completing every step, when I run my app, it showed that the application cannot connect to the service.
I found this useful blog talking about troubleshooting Azure Authentication issues in Azure Mobile Services. To troubleshoot, I typed the link myServiceUrl/login/aad into the Firefox web browser, but I received the error response:
Authorization has been denied for this request.
I also followed the same tutorial to test with Google login. It turns out to work properly. And when I type the link myServiceUrl/login/google, the web browser directed me to the Google login page, unlike the Unauthorized error message when I type in myServiceUrl/login/aad.
Although Google login works fine, it is desired for us to use Azure Active Directory authentication. Could anyone tell us what could possibly be wrong? Any troubleshooting suggestions are also appreciated. Thank you.
The "Application cannot connect to the service" error comes from whenever the Web Authentication Broker in Windows receives an error response from the resource it is trying to reach. There are a couple of issues that can cause this, and I'll try and address the most common ones.
I noticed the tutorial you linked to is for the .NET backend. If you are using the Mobile Services .NET backend, there is an extra step required to configure the AAD server flow, and it's a common cause of the issue being described. In the tutorial, it's under the title "Configure your .NET mobile service for AAD login." On the backend project, you will need to install the Mobile Services .NET Backend Security Extension NuGet package. Then, in WebApiConfig.cs, you will need to include
options.LoginProviders.Remove(typeof(AzureActiveDirectoryLoginProvider));
options.LoginProviders.Add(typeof(AzureActiveDirectoryExtendedLoginProvider));
This allows the runtime to use the server flow in addition to the client flow (leveraging the Active Directory Authentication Library) which was first released with the .NET backend.
Pending that, or in the case of the Node runtime, the next thing to do is check the AAD configuration. In the AAD portal, make sure that your application registration uses your mobile service's /login/aad endpoint for the resource URI. It must match exactly the value provided in the Mobile Services portal. This should also be one of the redirect URIs if you are using the Node backend. For .NET, you would use the /signin-aad endpoint for the redirect URI instead.
You should also check that you have copied the Client ID from the AAD registration and pasted it into the Mobile Services portal's Identity Tab. For completeness, the "Allowed Tenants" field should also be filled out, but I don't believe it is the cause of this issue.
Lastly, if your AAD tenant is federated with ADFS, then there is a wide range of issues that could lead to this. The biggest case comes from the WAB needing to be configured for Enterprise Authentication. This typically only causes problems when the device is domain joined / on the corporate network. That behavior is a known bug for the Mobile Services Windows Store SDK, but there is a workaround available. Glad to provide that if needed.