I am trying to create a cross-platform app that allows a user to login to Azure Management Portal using his Live ID and manage his services. I know that the REST API can be used to access the Management portal.
But I am not sure how to implement the authentication part of it. I have gathered that to authenticate, the user has to upload an X.509 certificate for every request (if it is done by REST) or he has to give info like subscription ID, domain name, etc., and also create a new application in the Active Directory of the Management portal using the ADAL library.
But the user isn't expected to do this. Is there any way to access the Management portal using ONLY the Live ID and password the user provides? Another dilemma I have is whether authentication can be implemented in a portable class library. The required classes for X.509 certificates are not accessible in a PCL. So, does authentication need to be implemented for every platform separately?
I'm not really sure what to call this but basically I have a service app that just serves up an API while occasionally calling external APIs in the background to keep the data updated. Aside from authenticating to the external APIs there is no other authentication on this app.
Then, I have a front end app that uses the API of the service app to get data and display it to the user, and optionally modify some of the data. This app is setup to authenticate against Azure AD and has app roles setup to restrict access to various sections.
How would I secure the service app API so only calls from the front end app are served, and everything else gets rejected with 401?
You can protect the API by using OAuth with Azure AD. The below overview can help you out with your scenario:
Register an application in Azure AD to represent the API. Reference.
Basically in this step, you will be making sure only the application (your app) who has permission can access the API.
Register another application in Azure AD to represent a client application. Reference.
In this step, you are creating another application representing your app so that trust can be created between API and your app.
Grant permission in Azure AD. Reference.
In this step, you are giving permission to your app to access your API.
Make use of Client Credential flow to authenticate your app to your API. Reference.
In this step, you will be configuring your app with the information of Azure AD application of the API. Using that information, you will be retrieving access token and you need to pass this access token to your API.
I am creating a web application that will authenticate users based on their azure ad / office 365 accounts. To log into their computers they use their ad / office 365 account and they will have access to the web app without signing in based on their AD access.
I have tried to follow tutorials to set up this type of authentication using spring and angular:
https://learn.microsoft.com/en-us/java/azure/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory?view=azure-java-stable
Almost all of these guides or docs require setting up the app on the azure ad site, which produces a client id, key, and tenant id for the web application, which can be used with spring security to authenticate users.
I do not have access / permission to create an app registration, but I still need to get the AD userId of the user attempting to access my web application.
There is an existing web application created using asp.net core and angular which accomplishes what I am trying to achieve in java spring. I have tried to understand how it authenticates users but I am still stumped.
In the .net core project a controller makes a call to HttpContextAccessor.HttpContext.Request.Header to grab the userId of the user logged into their office 365 / ad account. This call is made in a controller class.
I cannot post more of the c# code so it will probably be hard to help me understand how it works in asp.net, but if there is any way to achieve what I described above in Java Spring I would love to know.
There is no way to achieve this without registering your application in these users' AAD tenant. That's part of establishing trust between your app and the authority (AAD) which does the work of authenticating users. By registering your app ID and reply URL(s) you tell AAD that it's OK for it to send you the user's info.
I am trying to develop a concept to support multiple authentication methods in an ASP.NET core server environment which should support both Windows (WPF) clients as well as Web clients (Angular). Users should be able to login using three methods:
using username & password, which is checked against database of valid logins
using Windows authentication (i.e. the currently logged in user). This may require user PC and server to be on the same network/domain
using selected external authentication providers, such as Google
Users should have individual rights (claims), which either derive from their individual profile or group membership (e.g. in case of AD).
I am still at the concept phase, trying to figure out the basics here, so no code has been written yet.
My thinking is as follows:
users logging in using username & password receive a token (JWT) of some sort which then authorizes them to access protected/restricted calls.
users logging in using their Windows identity would basically receive the same token
users logging in via external auth providers would receive the external token from the provider and use that to log in and also receive a token from the server
regardless of 1-3, users end up with a server-issued token that gives them access to restricted features
Is that a common/correct approach for mixed authentication? If so, how would this be implemented on the ASP.NET core server side?
Ok, I have this scenario.
I have one WEB API which will provide functionality to an intranet application, the idea is this application WILL not be visible to the outside world, so it won't have a login page.
However, the web api will also be consumed by mobile apps outside the organization, so the webapi WILL be exposed via a public url.
How can I make the authentication/authorization here to support both scenarios?
1. Internal users will be able to consume the web api via the angular backend app without an explicit login page.
2. External users via the mobile app will consume the web api with their active directory account.
I found this:
https://stormpath.com/blog/token-authentication-asp-net-core
where I could easily replace the GetIdentity method to go to Active Directory and check if a user exists with that user and password, but on the intranet, I won't have that info.
ideas please?
The best way to handle such a scenario is to use HMAC Authentication as discussed here. This will allow easier access to the public endpoint without requiring some kind of a login from the mobile clients, while at the same time enabling you to know which mobile is accessing your endpoint. This is the same workflow as implemented in external auth services like login with Google and Facebook, where you are given an API key and an API secret.
You can find the source code of the example using ASP.NET here.
I am trialling Azure B2C Customer Preview and have configured a new application, set up policies etc. and I now want to write some integration tests that use a non-interactive flow to connect and interact with my protected WebApi services.
However, I have just read the following quote:
Daemons/Server Side Apps
Apps that contain long running processes or that operate without the presence of a user also need a way to access secured resources, such as Web APIs. These apps can authenticate and get tokens using the app's identity (rather than a user's delegated identity) using the OAuth 2.0 client credentials flow.
This flow is not currently supported by Azure AD B2C - which is to say that apps can only get tokens after an interactive user flow has occurred. The client credentials flow will be added in the near future.
from this link which suggests that what I am trying to do is not yet possible. Can anyone from the Azure team tell me whether this information is up to date, and better yet a rough timescale for delivery on this feature?