I followed this Microsoft Azure Mobile Service Authentication Tutorial, to try to add a server authentication function for my Windows Store C# app. However, after completing every step, when I run my app, it showed that the application cannot connect to the service.
I found this useful blog tallking about troubleshooting Azure Authentication issues in Azure Mobile Service. To troubleshoot, I type the link in the firefox web browser: myServiceUrl/login/aad, but I receive the error response:
Authorization has been denied for this request.
I also followed the same tutorial to test with Google Log in. It turns out to work properly. And when I type the link: myServiceUrl/login/google, the web browser directed me to the google log in page, unlike the Unauthorization error message when I type in myServiceUrl/login/aad.
Although google log in works out fine, but it is desired for us to use Azure Active Directory authentication. Could anyone tell us what could possibly be wrong? Any troubleshooting suggestions are also appreciated. Thank you.
The "Application cannot connect to the service" error comes from whenever the Web Authentication Broker in Windows receives an error response from the resource it is trying to reach. There are a couple of issues that can cause this, and I'll try and address the most common ones.
I noticed the tutorial you linked to is for the .NET backend. If you are using the Mobile Services .NET backend, there is an extra step required to configure the AAD server flow, and it's a common cause of the issue being described. In the tutorial, it's under the title "Configure your .NET mobile service for AAD login." On the backend project, you will need to install the Mobile Services .NET Backend Security Extension NuGet package. Then, in WebApiConfig.cs, you will need to include
options.LoginProviders.Remove(typeof(AzureActiveDirectoryLoginProvider));
options.LoginProviders.Add(typeof(AzureActiveDirectoryExtendedLoginProvider));
This allows the runtime to use the server flow in addition to the client flow (leveraging the Active Directory Authentication Library) which was first released with the .NET backend.
Pending that, or in the case of the Node runtime, the next thing to do is check the AAD configuration. In the AAD portal, make sure that your application registration uses your mobile service's /login/aad endpoint for the resource URI. It must match exactly the value provided in the Mobile Services portal. This should also be one of the redirect URIs if you are using the Node backend. For .NET, you would use the /signin-aad endpoint for the redirect URI instead.
You should also check that you have copied the Client ID from the AAD registration and pasted it into the Mobile Services portal's Identity Tab. For completeness, the "Allowed Tenants" field should also be filled out, but I don't believe it is the cause of this issue.
Lastly, if your AAD tenant is federated with ADFS, then there is a wide range of issues that could lead to this. The biggest case comes from the WAB needing to be configured for Enterprise Authentication. This typically only causes problems when the device is domain joined / on the corporate network. That behavior is a known bug for the Mobile Services Windows Store SDK, but there is a workaround available. Glad to provide that if needed.
Related
I'm trying to get service-to-service authentication working in Azure AD. I have it working when the two services (webapps) are running locally against an Azure AD app registration. But when the webapps are running in Azure (against the same Azure AD app registration), it doesn't work.
I've created two Azure App Service webapps (which are ASP.NET Core Web API projects) - one acting as the client and the other the server. The bit that breaks is the client webapp, where it requests an access token from AzureAD. It only breaks when requested a token with a custom scope. This same 'custom scope' token request works fine from a local webapp though.
In Azure, I've created an 'App Registration', and given it a custom scope called 'bob'...
In the client ASP.NET Core webapi app, I've added the Azure.Identity nuget package, and am getting a token like this...
var tokenRequestContext = new TokenRequestContext(new[] {scope});
token = await new DefaultAzureCredential().GetTokenAsync(tokenRequestContext, cancellationToken);
(where the scope variable matches the name from the screenshot above)
Locally, this works fine and returns a token.
In Azure, I get this exception:
Azure.Identity.AuthenticationFailedException: DefaultAzureCredential failed to retrieve a token from the included credentials.
- ClientSecretCredential authentication failed: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope api://<guid>/bob is not valid.
(I've removed the GUID from that snippet)
When running this locally and in Azure, I'm setting the AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID environment variables to the same value. I don't understand why it would work differently locally than in Azure, given these environment variables are the same.
Note that my intention is to use a Managed Service Identity instead of setting those environment variables. But for the time being, by using those environment variables both locally and in Azure - both should be using the same "ClientSecretCredential" authentication - so I'd expect the same results.
There are 2 parts of the answer:
Azure.Identity is currently meant to be ONLY for the native Azure Services SDK using new Azure.* client libraries. In your case, you are trying to use it for your custom web app auth with custom scope which is not officially supported or documented. For regular auth flow (like in this case Client Credential Grant for example) You should be still using MSAL, OR for easier integration with asp.net core apps, Microsoft Identity Web.
NOTE: Specifically for Client Credential Flow, it only allows .default scope. There is an open UserVoice and another thread for workaround.
Now coming to your problem of why it's is not working in Azure.Identity DefaultAzureCredential (regardless of the fact it's not officially supported). I suspect at your deployed Web App, it's probably one or more context missing (IDENTITY_ENDPOINT or AZURE_AUTHORITY_HOST would be my wild guess looking at code). But no idea unless we do little trial and error (again, I would only want to do it for experimental purpose, not in a real production application due to lack of official support). The DefaultAzureCredential attempts to authenticate via the following mechanisms in order. In your local machine, it might be able to get the required context from one of mechanisms down in the chain (like VS or CLI) whereas in the deployed app, those are simply non-existent.
While explicitly stated - you can use the .default claim as hinted at here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#the-default-scope.
This will let you generate an access token for your API but it will not have any other scopes for you to verify.
I've been working on a multi-app project for a few months now using Azure App Service for my database and ADD B2C for authentication. There are three applications in this project: an admin WPF app, a client web app, and an employee WPF app. All three applications use client managed authentication with my B2C tenant by getting a token from B2C and using that token to login to the App Service database. Everything has been working fine until seemingly overnight I am no longer able to authenticate with the app service. I have no problem displaying the B2C login screen and getting an access token as a result of the authentication, but when I package the token in a JObject and call the 'mobileServiceClient.LoginAsync()' function, all I get back is a 403 "forbidden" error.
First I tried seeing if all three projects were affected, which they are. I then tried rolling back to my last commit. Still the same thing. I then tried re-cloning to see if there was any little quirk with still the same results. Because I know my Azure resources have not hit their limits, I then tried making a completely separate WPF project and I made a table on the app service that allows anonymous access. After setting "Action to take when request is not authenticated" to "Allow anonymous access" on the app service, I was able to read and write to the anonymous table without issue. I then tried to have this new project authenticate the same way the others have been only to get the same 403 error. After checking all of this I can say I'm almost completely sure that there is no issue with the client applications and the issue has to be on the server side.The most confusing part for me is that aside from adding a new table to the database, I haven't changed a single thing server side. I've checked out both the B2C tenant and the authentication settings on the app service but nothing seems to be different than before I was experiencing this problem. Investigating a little bit more in the app service, I tried to find some JS code that handles authentication to see if I could find any useful information using the console output. I did not find any code, but I did find out the console outputs PID[31680] Information Sending response: 403.76 Forbidden whenever a client tries to authenticate.
Additional information that might help is that my request header timestamp is correct. I know from research that Azure only allows a 15 minute variance for incoming requests from its time.
Any help or suggestions for solving this issue would be greatly appreciated! Thanks!
Let's say I have an installed app, a console app for example, not a web app, that I want to interact with the QBO API - I want to perform calls to QBO from my console app (but not from a web application). So I must authenticate from the console app, make a call and output in the console.
All QBO SDKs seem to ask for a callback URL or a redirect URL, i.e. a page on my server, that will perform the required leg of the OAuth 2.0 authentication. As my installed app is not a webserver, I don't have a place to host this logic. Yes, I can host a webserver to handle this logic, but I don't want to do it, this is a waste of resources for my use case (why leave an auth server on standby?). I just want to authenticate without a webserver with QBO API. Is this possible? Have I messed up my understanding of the API or of OAuth? I am at a total loss. In none of the sample code I can find a suitable example despite this being the use case that I have. (I am working with .NET / C#)
It appears that at the moment the QuickBooks Developer platform will not accommodate this (non web End-Point).
As per Intuit:
These URIs handle responses from the OAuth 2.0 server and are called
after the user authorizes the connection. URIs in this list are the
only ones to which the authorization response can be sent from the
OAuth 2.0 server. You must define at least one URI specifically for
your application's auth endpoint before you can use OAuth 2.0.
Additionally they add in a note:
Mobile- or desktop-based apps that implement OAuth 2.0 must provide a
separate SaaS layer for the Redirect URI to handle responses from the
OAuth 2.0 server.
I realize this is not what you had hoped for. Please understand, however, understand that the end-point must be a URL so as to securely return the authentication token.
I'm new to azure, and I'm trying to setup a single page website(web api 2). How can I limit access to my services so only my website can use it?
I know that I can use app services to setup my web applications/services but as far as i understand it will be open to everyone.
I also read about APIs, but Api management service seems very expensive and advanced for such a simple task. Is there any options? Am I in the wrong track?
Update
Ok, I saw the link for filtering based on IP. But as I've mentioned that single page application also is hosted on Azure. There is no static IP. If that is the way, I still need to know how you will find out about the IPRange.
App Service to use different authentication providers Azure Active Directory,Facebook,Google,Microsoft,Twitter.
We can set any type of Authentication/Authorization in the Azure Portal.More info about how to use authentication for API Apps in Azure App Service, please refer to document.
Here's a bit of a back story, feel free to skip to the problem below.
We have a handful of web applications exposed to the outside world (as opposed to ONLY on our internal business network) and these applications are using HTML5 for the offline capabilities. We also had IIS configured for Windows Authentication ONLY (no outside parties use our applications), thus we were issuing the challenge directly against our AD. With a recent update to Chrome for iOS, it broke the NTLM authentication (instead of prompting for use credentials, it just displayed a 401 unauthorized exception page) so we started looking at alternative solutions.
We figured we could leverage our current external ADFS/O365 access thus the user experience would be the same across all external facing applications (not just web apps).
We ended up adding OWIN to our WebForms app to use ADFS authentication and it works from a perspective of you can see the redirect to our external login page and then back to the web app. However, there is an additional problem. To get this to work, we had to DISABLE Windows Authentication in IIS and ENABLE Anonymous Authentication. Also, in the Web.Config in <system.web> we added <authorization><deny users="?" /></authorization>
PROBLEM
Since our applications are using HTML5 and are available offline, we are also using Web API to handle the push of data from the client device to the central system. When we moved to our "SSO type" solution, the POST methods in Web API started crashing. Turns out the line HttpContext.Current.User.Identity.Name stopped working.
How can I get the current authenticated [signed in] user when the user returns to the network and sync's their data? I'm not even sure what the best approach is here, I've tried a few different suggestions from SO and Google, but none seem to work. How does one get the current user in Web API with Owin using Federated Services?