I have a Cognito user pool, an app set up and a resource server set up. We do not want to use the hosted UI to log in and I am trying from the back end to authorize with Oauth 2.0 with a user name and password and send the token back to the front end to use with api gateway calls. I am using c# and the provided SDK does not allow for the right scope, so I am trying the manual oauth2 method of logging in, but nothing I have tried is working.
Edit:
I have gotten a bit further today trying to use postman, however, I am getting the error: unsupported_grant_type with the following setup:
As of now, this is not supported without hosted UI. Basically, you can not expect AdminInitiateAuth to include custom scopes in the access_token.
This is not a limitation in .NET SDK. This is a limitation in Cognito itself.
As per this answer, someone can argue that this the intended behaviour.
Signing in via initiate Auth or admin initiate Auth is not via the Oauth endpoints so the Oauth custom scopes will not be included in the token.
Also this issue has been mentioned in different other SDKs/Libs like: android sdk, Amplify JS as well. Several issues are mentioned in this comment.
Maybe you could try to use id_token along with Lambda Authorizers as a workaround.
Related
I have an older webapp that has implict flow I need to continue to support. I tried to use Microsoft.Identity.Web 1.9.0.0 but it does not allow me to use id_token it requires only access token in the authorization header I get the error message below :
[10:09:31.861 -04:00] [ERR] [] [] An unhandled exception has occurred
while executing the request. System.UnauthorizedAccessException:
IDW10201: Neither scope or roles claim was found in the bearer token.
at
Microsoft.Identity.Web.MicrosoftIdentityWebApiAuthenticationBuilderExtensions.<>c__DisplayClass3_1.<b__1>d.MoveNext()
Is there a setting to allow it? I couldn't see one in JwtBearerOptions or MicrosoftIdentityOptions.
It does work when I use Microsoft.AspNetCore.Authentication 3.1.0.0 library, but I wanted to have newest library possible. Any recommendations would be great.
Edit: More details
Our company is under major tech shift. he have built alot of stuff in .net core and web components (Polymer) for front end but . We decided to switch to Azure AD B2C. We have no problems switching our .net core and existing polyymer UI's to authorization code flow.
We have alot of assets in .net web forms. Those Web Forms are large projects that are using forms Authentication membership. We don't have the resources to switch all the UI's to Web Components and .net core at one shot. The plan is switch the identity to Azure AD B2C and release it to production. When there is a change request or new feature request we would build the new pages only in HTML and Web Components (Polymer) and have a .net core api to handle those api requests. The problem is that the Web Coponents doesn't have access to the access token.
The solution I found was when the Web Forms gets a responds from B2C I conect OpenIdConnectAuthenticationNotifications to SecurityTokenReceived which reads the IdToken and I put it in a cookie with an expiry in (30 seconds) and return it to the browser. I have javascript code that reads to see if the cookie exists and takes it and stores it in the Session Storage and deletes the cookie. Also on load the browser checks if the user is signed in if not it deletes the Session Stored id_token.
This works as expected, but the problem is it is using the id_token and not using the authorization code flow. So When accessing any other api I can't request a token from B2C for the other API. Also I can't get a refresh token (plan is to set it to 8hrs to expire which is good enough). I have looked at if it's possible to make it work with code flow. i have looked at how it works in MVC but it I haven't made it work,
This is the project I used to switch to B2C https://github.com/AzureADQuickStarts/B2C-WebApp-OpenIdConnect-DotNet
After deciding to give up on this. Working on a different project I had to run a cross this issue. Decided to do another search and found this post
https://github.com/AzureAD/microsoft-identity-web/wiki/web-apis#to-support-acl-based-authorization
through this Stack overflow Q/A
IDW10201: Neither scope or roles claim was found in the bearer token
this is what is needed to use the latest Microsoft.Identity.Web Package. To sum it up in the you need to set the Azure options variable AllowWebApiToBeAuthorizedByACL = true
The error message expects scope or roles in the bearer token. Please follow this document for implicit flow versus authorization code flow concept.
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
I'm building an application in WPF that is client side and will only depend on external API.
To this point I could use open API which I build in RestSharp and everything worked well. But from last week this API uses CAS authentication, so to use them I need to be authenticated. API I want to call is in external server. They have two API's and my assumption is that if I will log in on their site using CAS then I will be able to use this auth for my API calls for second API.
I'm new to SSO, CAS and security overall, so this was my first thought: I will build WebBrowser control, get returned TGC cookie and use ticket from it to use in requests I will be making. But this failed, setting cookie still got me and 401 error and from what I understand from CAS auth for now, TGC is a go to for checking if I'm an authenticated user in current session?
My next thought was to use some CAS c# library. Unfortunately all of advices / libraries focus on creating CAS in .NET projects. Is there some library which will provide a way to log in to CAS auth and then allow me to make API calls?
I hope this makes sense and I didn't messed up things completely. I'm new to secutity and I will be grateful for any help or guidance how to approach this problem. Things I have: API specification (endpoints paths) and username and password to log in to the system.
I've seen a million different answers and none of them work.
Can someone please give me a link that works for:
I have a web api, I've registered it on Azure. I have Azure Active Directory configured.
I have a tenantId, a clientId, a client Secret, and every other variable I should need.
I can log a user into my system through AD via an MVC controller, how can I do the same with web api?
I basically need to generate the AD token so I can continue to use the API outside of my MVC controllers.
It must be the same token, because I need to access microsoft graph from the client side of the API.
HELP!
It’s up to the client to get a token and pass it to your API. You don’t specify what the client is (I.e. web, iOS, Android) but since you’re using Azure AD you could just use the appropriate ADAL library provided by Microsoft to do this.
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries
I can log a user into my system through AD via an MVC controller, how
can I do the same with web api?
If you are interested in server-to-server interactions without direct interaction from the user side, you may have a look at OAuth 2.0 Client Credentials Grant Flow for AZAD.
The attached article contains simple examples of implementation. I think for your case, example with a daemon/console app (just replace it w/ Web API) is what you need. Download the example, replace configurations (Instance, TenantId, ClientId, and ClientSecret) in appsettings.json w/ yours, and try to play around with it.
I am new to .NET core and while I have .NET experience, I have never built authentication, in the past I've always worked on project not started by me. I am just trying to learn and find good resources and I would greatly appreciate if anyone knows tutorial or if it can explain how to solve this.
When using external logins, I followed those instructions here. This all works well if I create simple web api project and run, I get a web page where I can login, authenticate, works perfect. But this is not my end goal, I am building Web APIs not a Web Application. In my case let's say I have iOS and Android apps and my external login is done on the app itself, how would I pass token to Web APIs? I want to use [Authorize] method in Web APIs to make sure that no un-authorized access is made agains APIs and in addition to that I would like to use roles.
I am assuming token information is passed in header. But what is the header name for token? Can external authentication be used with roles or that is only possible if I store username/password? Can you point me to some good tutorial or anywhere I can learn more because all google search returns back to same like I have mentioned above and it is not very descriptive.
In general , your web api will work like a identity provider , it will issue and validate the JWT tokens :
http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
You can also implement authorization with the help of your external login provider .If you have SDK or own code in your client app to help do authentication , for authorization part , you can also register your web api in the same identity provider . For example , you are using the google authentication external login in your client app , you will should register your client app and web api on google's application registration page , then you could use OpenID Connect hybrid Flow to authentication user and get access token for accessing web api . Each identity provider provides how to implement authentication/authorization with lots of documents.
You can have an endpoint that allows anonymous access and takes the token and verifies it. Then it can send back a JWT that contains claims/roles that you want to enforce on the specific user. Every time the client accesses a secure endpoint, it can send your JWT in the header which gets verified before the specific method in your API controller is called. You can look into OAuth flows if you want to integrate social logins.
For example, Google has this documentation for OAuth-
https://developers.google.com/identity/sign-in/web/backend-auth
My app used to be able to log into Tumblr, but late last year they changed their api to use OAuth. I am having a hell of a time trying to log in to Tumblr programmatically from a client-side app. I am using this app as a guide. Everything seems all right, but I keep getting Missing or invalid request token from Tumblr.
My question is this: is there an actual working example of logging in to Tumblr via OAuth in C#?
Temboo simplifies the OAuth process for Tumblr by breaking it down into two calls:
InitializeOAuth - returns a Tumblr authorization URL that you can show to your users and have them grant your application access to their Tumblr account.
FinalizeOAuth - returns the access tokens your app needs for authenticated access to Tumblr accounts.
You can experiment with Temboo's Tumblr OAuth support in your browser from the link below, and then generate the source code you need to use this behavior in your app with the Temboo SDK. If your language isn't supported (Temboo does not currently have a C# SDK), you can generate REST API cURL commands.
https://www.temboo.com/library/Library/Tumblr/OAuth/
(Full disclosure: I work at Temboo, so let me know if you have any questions!)