I am using ADAL in order to log in to my app which is being made in Xamarin.Forms against Azure AD. That is all working fine, however I now want to be able to register a new user and to do this need an access token to pass to the constructor of one of my methods.
However, as the user hasn't yet been registered, I need to be able to get an access token from Azure AD without actually supplying any user credentials. I have been told that in a normal web app, I'd be able to send the client id and app key so that Azure AD would know who I was and then send me back an access token but I can't figure out how to implement this in a cross-platform Xamarin app.
If anyone has come across this before, your help would be greatly appreciated.
Thanks.
Use of an app key in a native application is not recommended, regardless sof the dev stack you use to implement it. The reason is that generally devices should not be trusted with secrets. Furthermore, secret distribution is complicated (you can't embed it in the app code).
As a result, ADAL for Xamarin (and all the other flavors of ADAL meant to be used in native apps) does not expose any method for acquiring tokens with an app key.
From a antive app you really need to bootstrap secure communication with a user identity. Once you have that, you can do all sorts of interesting things on the server side (e.g. you API can, given that is running on the server, obtain tokens as an app).
HTH
V.
Related
I have a web app (rest API) on azure, and I have a B2C setup that is securing it, requiring you to be signed in to access the API. This is good, as i wanted the API to be restricted to members. Basically, the entire web app requires authentication, and will prompt you for a sign in.
Heres the problem - my app has users (who have accounts) and clients (who do not have accounts). These clients might receive an email about a new appointment being set up with one of the users - this email should have one or more links/buttons (ie, a button to Confirm appointment, one to Decline, and one to request a reschdeule) and upon clicking this link I would like to update a field in my database via the rest api, so the USER knows the CLIENT's response. The trouble is, since the client wont have an account, I have no idea how I can give them a link they would be allowed to go to, and have the update happen.
I have tried to do a bunch of research - ive looked into AD external identities with a one time passcode - but i cant seem to find any info on how i would actually get this to work for my purposes.
Does anyone know how I might implement this in azure? Is there a way to call to azure form c# to generate a one time authentication that i can encode into a URL or something?
Any thoughts would be greatly appreciated.
Thanks!
You could do an anonymous authentication by using a magic link. The users account won’t even need to live in the directory. The link can be short lived, and potentially one time use. We call it id_token_hint or a magic link.
Sample here
https://github.com/azure-ad-b2c/samples/tree/master/policies/invite
And reference here
https://learn.microsoft.com/en-us/azure/active-directory-b2c/id-token-hint
I'm working on a small application to connect to Microsoft Azure, list all databases belonging to a certain resource group, and export all said databases. I'm using the Microsoft.WindowsAzure.Management.Sql library for this.
Following this guide, I've managed to set up an app registration in AD for my application and assign it the Owner role (for testing), authenticate with Azure and get an access token.
However, when I try to use that token to perform any operations on the database (such as listing all databases, using IServerOperations.List), I get the following exception:
ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.
The tenant ID, subscription ID, client ID and client secret are all correct, and changing any of them results in a different exception, already at the authentication stage.
How can I fix this? If the correct answer is "switch to Microsoft.Azure.Management.Sql" I'm perfectly fine with that, but if possible I'd at least like to understand why this is happening.
HIf the correct answer is "switch to Microsoft.Azure.Management.Sql" I'm perfectly fine with that, but if possible I'd at least like to understand why this is happening.
Microsoft.WindowsAzure.Management.Sql implements the ASM API(Azure old API).
The reason you're getting this error is because you're trying to authenticate/authorize an Azure Resource Manager (ASM) API with application permission.
But Service Management API is a delegated permission and not an application permission.
For more detail information about how to authenticate for ASM and ARM Rest API, please refer to another SO thread.
How can I fix this?
Microsoft.Azure.Management.Sql implements the ARM API. As you mentioned that you could use the Microsoft.Azure.Management.Sql to instand of Microsoft.WindowsAzure.Management.Sql
or you could use X509 Certificate based authorization to authorize your ASM API requests.
For more information about how to authenticate using a management certificate, you could refer to this tutorial.
Note: It is recommanded that to use Microsoft.Azure.Management.Sql to instead of Microsoft.WindowsAzure.Management.Sql
We have a client that currently use a ERP-system to store all their clients. This is a closed source ERP so they can not change the authentication flow. Right now they have an authentication API that various other APIs use but development is slow. They are now facing a challenge in that they need to bring more systems in and given the current structure this takes time since their APIs are tightly coupled with the rest of the systems. They absolutely wan't to avoid other departments from creating applications with their own authentication simply because they cannot keep their pace up.
They wan't to keep SSO for all their customer systems but have better control which users are allowed to do what.
I have been reading about Azure Active Directory B2C and it seems really great. We use Azure Active Directory (AAD) authentication for our internal applications and it works flawlessly most of the time.
Here comes the two part question:
Is it possible to use Azure AD B2C and still keep users in the ERP? For example if we can connect Azure AD B2C to send a request to a service that responds with user data if that user exists given that the credentials are correct.
Extension of question 1. The current ERP-systems gives the user an access token and refresh token. Is it still possible to use Azure Active Directory B2C in this case? Basically add our own Identity Provider that will refresh the access token when needed. Is this a feasible thing to do and are there any guides in creating this? Perhaps IdentityServer4 could be used or can it be simplified? http://openid.net/developers/certified/#OPLibs https://github.com/IdentityServer/IdentityServer4
Given these words on their website I think it should work:
Support all platforms and open standards
https://azure.microsoft.com/en-us/services/active-directory-b2c/
Yes, it is possible. As Miroslav mentions, you should use custom policies. This requires a ramp up on custom policies which can have a steep learning curve, but essentially you would take the starterpack (see getting started) and you would modify the userjourney to not write to the B2C directory (basically remove this step). Instead, you would do a call out to wherever the users are. This call out can either be an OIDC identity provider or a REST API, which are specified using technical profiles.
I am trying to enable cross app SSO into our Xamarin apps so that if a user has installed and signed in to one of the apps, he is automatically logged in to other apps of my organization. The following document claims to achieve the requirement
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-sso-android. We are following the non broker assisted login flow.
I have carefully fulfilled the three conditions stated below-
The apps are using the same android:sharedUserId in the manifest file.
The native client used for them is the same. Only the redirect url is different for the apps.
All of them are signed using the same keystore.
But still the functionality is not yet achieved. When i installed and logged in to one app, the second app is still prompting for credentials when i try to acquire the access token using the below line
authResult = await authContext.AcquireTokenAsync(resource, clientId, new Uri(returnUri), new PlatformParameters((Activity)Forms.Context));
Kindly help me know if there is something that i can do to achieve that.
Due to restrictions in Xamarin.Forms, SSO without a broker (Microsoft Authenticator or Company portal) does not work with current version of ADAL.
We have a work item to update the documentation.
This is a Xamarin.Forms issue. In order for SSO to work across apps without broker, you need to enable the "Ignore Security" flag, which is not recommended. This requires the app name to be hardcoded and "ignore security".
For example: Application.Context.CreatePackageContext(“com.companyname.ReproApp1”, PackageContextFlags.IgnoreSecurity).GetSharedPreferences(..)…
For the time being, it's recommended to use broker for SSO. You can use Authenticator for both iOS and Android.
It would be great if somebody could help me with strategic input, how to achieve my goal:
I wrote a C# Desktop Application (WPF)
I have a Google App Engine Project, which delivers Data for an Android App
Now my Desktop Application needs to pass some Data to my App Engine Application. Therefore, the Application must authenticate as Owner of the App Engine Application. As, all other Google Methods are deprecated, I have to go heading OAUTH2 to let my Desktop App authenticate itself as owner.
Therefore I have to register a project at Google Apis Console.
BUT:
I dont need any Service(s) of the listed Google APIS (Maps, ...), because to authenticate as Owner, its absolutely enough to sign in to a Google Account (GmailAccount, Google Account, whatever). This lets my App Engine App recognize me as Owner.
I would appreciate advice about:
Should I register a project without Service just to Sign In via OAUTH2?
(Is this possible?)
Sign in to another Service (means, taking the easiest way, just to be able to authenticate as Owner) seems not to be very "clean" sollution. Is this right, or should I go this way?
.. I also read about Service Accounts, but dont want to use this, because I want to be able to manipulate my app also via my "Human"-Account via any Webbrowser.
Thanks for any advice!
You can provide Google OAuth sign in without using any of Google's other services. Your OAuth client would just have an empty scope. You should be able to get the basic user info and email (so you can figure out who is who by something other than full name) without enabling any services as well.
You will still need a way to flag that you are you in your app (probably just hardcode your email in your app, then check it against who authenticates with OAuth would be the easiest)