As a design requirement, I need to:
Create a ReactJS application where users will single sign-on using MSAL.
Once authenticated, the application will access several HTTP Azure Functions endpoints that will be developed in C# and whose access authorization must be based on application roles.
I'm still in my infancy with MSAL and would like to know where I can find a tutorial that helps me with all this.
I understand that I somehow need to:
Authenticate the user and acquire an access token.
Having this token, somehow forward it to the endpoints.
On the endpoints, read the forwarded token and check whether the user is authorized or not.
Thank you very much
Related
I am trying to create a full stack app (with React.js on the frontend and an ASP.NET Core Web API on the backend). The login process needs to be done using Active Directory, as users are employees within a single organization. The frontend must get a token (using an MSAL library) and then send it to the backend, where it has to decode it and, based on it, recognize the user, register every session in the database, and let users perform actions set by their roles. Those roles need to be assigned in the database.
Does anyone know how to do that? Even an example project like that would help me immensely, because everything I have found so far is very basic.
For implementing the authentication in ASP.NET Core, follow this doc here.
Authorization in Azure AD can also be done with Application Roles. Application Roles in Azure AD are by no means mutually exclusive. They can be used in tandem to provide even finer-grained access control.
In your React app (client) you can get the token, then access the Web API with the token. You can then take a look at this source code. The only difference will be that you will call your own Web API instead of Microsoft Graph.
For controlling the authentication session, read more here.
I am currently building an API alongside our external app developers. I have read that the Authorization Code Flow with PKCE is definitely what we need for this setup; however, I am looking for some more detailed advice.
Our existing API uses the implicit flow, and the app sends credentials + secret etc. to the /Token endpoint in the API, which then looks up the passed-in data and compares it with our users table. If that passes, an Access Token is returned to the app.
With this new flow I have the following questions:
Do I have to use the Okta Portal/Dashboard and set up the API there?
Do all app users have to be stored in the Okta dashboard? We usually manage our own users table, where we add users from a custom tool. However, I am presuming that when using Okta our custom tool would need to call an Okta API endpoint, register the user from there, and then get and store the user's Okta ID in our own table. Does anyone have an example of how I do this from a C# WPF application?
Do I then need to request the Redirect URLs from the app developer and set them up as a Native App in the Okta dashboard? I'm presuming I need to give them some set values to hold on their end to allow them to call Okta at authorization.
OpenID? Do I need this, and if so, how and where does this get implemented?
I have read through so many tutorials but just haven't quite found the exact fit yet.
Many thanks
You will need to access the Okta admin console to register a client application. Once done, you can use the Okta OIDC APIs: https://developer.okta.com/docs/reference/api/oidc/.
You can use the Okta SDKs to simplify the development process. Ex: https://github.com/okta/okta-oidc-ios
If Okta is going to be the authorization server, users and their credentials will need to exist in Okta.
When you create a native app in the Okta admin console, you will need to provide the redirect URIs that will be whitelisted.
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. When you create a native application in Okta, it will be an OIDC application.
I've seen a million different answers and none of them work.
Can someone please give me a link that works for:
I have a web api, I've registered it on Azure. I have Azure Active Directory configured.
I have a tenantId, a clientId, a client Secret, and every other variable I should need.
I can log a user into my system through AD via an MVC controller, how can I do the same with web api?
I basically need to generate the AD token so I can continue to use the API outside of my MVC controllers.
It must be the same token, because I need to access microsoft graph from the client side of the API.
HELP!
It's up to the client to get a token and pass it to your API. You don't specify what the client is (i.e. web, iOS, Android), but since you're using Azure AD you could just use the appropriate ADAL library provided by Microsoft to do this.
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries
"I can log a user into my system through AD via an MVC controller, how can I do the same with web api?"
If you are interested in server-to-server interactions without direct interaction from the user side, you may have a look at the OAuth 2.0 Client Credentials Grant Flow for Azure AD.
The attached article contains simple examples of implementation. I think for your case, the example with a daemon/console app (just replace it with a Web API) is what you need. Download the example, replace the configuration values (Instance, TenantId, ClientId, and ClientSecret) in appsettings.json with yours, and try to play around with it.
I am new to .NET Core, and while I have .NET experience, I have never built authentication; in the past I've always worked on projects not started by me. I am just trying to learn and find good resources, and I would greatly appreciate it if anyone knows a tutorial or can explain how to solve this.
When using external logins, I followed the instructions here. This all works well if I create a simple Web API project and run it: I get a web page where I can log in and authenticate, and it works perfectly. But this is not my end goal; I am building Web APIs, not a Web Application. In my case, let's say I have iOS and Android apps and my external login is done on the app itself. How would I pass the token to the Web APIs? I want to use the [Authorize] attribute in the Web APIs to make sure that no unauthorized access is made against the APIs, and in addition to that I would like to use roles.
I am assuming the token information is passed in a header. But what is the header name for the token? Can external authentication be used with roles, or is that only possible if I store username/password? Can you point me to a good tutorial or anywhere I can learn more? Every Google search returns the same thing I mentioned above, and it is not very descriptive.
In general, your Web API will work like an identity provider; it will issue and validate the JWT tokens:
http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
You can also implement authorization with the help of your external login provider. If you have an SDK or your own code in your client app to do authentication, then for the authorization part you can also register your Web API in the same identity provider. For example, if you are using Google authentication as the external login in your client app, you should register your client app and Web API on Google's application registration page; then you could use the OpenID Connect hybrid flow to authenticate the user and get an access token for accessing the Web API. Each identity provider documents how to implement authentication/authorization in detail.
You can have an endpoint that allows anonymous access and takes the token and verifies it. Then it can send back a JWT that contains claims/roles that you want to enforce on the specific user. Every time the client accesses a secure endpoint, it can send your JWT in the header which gets verified before the specific method in your API controller is called. You can look into OAuth flows if you want to integrate social logins.
For example, Google has this documentation for OAuth:
https://developers.google.com/identity/sign-in/web/backend-auth
I've implemented authentication based on the OpenID Connect sample found here. In development environment I'd like to add user impersonation which also works with on behalf of authentication. I want downstream APIs like the Graph API or other services like Azure Analysis Services to use the impersonated user too.
Where can I read up on how to implement this? Is this even possible?
Where can I read up on how to implement this? Is this even possible?
It is possible to implement this using OAuth 2.0 On-Behalf-Of (OBO) flow.
Detailed documentation from Microsoft is available here:
Service to service calls using delegated user identity in the On-Behalf-Of flow
The OAuth 2.0 On-Behalf-Of (OBO) flow serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from Azure Active Directory (Azure AD), on behalf of the user.
Your current sample that you've already implemented has taken care of the green part in picture above. Following the instructions in shared link for OBO you need to implement the remaining part. "Web API B" will be the downstream API like Graph API or others that you will call using delegated user identity from the first Web API (i.e. Web API A in your already implemented sample).
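The two Azure AD token requests the answers on this page point at, as an added example that is not code from either answer or from Microsoft's samples: the client credentials request suggested for the "use the API outside my MVC controllers" question, and the On-Behalf-Of request Web API A sends to obtain a token for Web API B. Both are shown as the form bodies the v2.0 token endpoint accepts, together with the one check a middle tier must do before forwarding a user's token: confirm the token was issued to this API. Tenant, client id and secret are placeholders; the sample incoming token is constructed and unsigned, standing in for the bearer token the middleware has already validated; the `fetch` helper shows how a body is sent but is never called here.

```javascript
// Added example: Azure AD v2.0 token requests for client credentials and OBO.
// TENANT_ID, API_CLIENT_ID and API_CLIENT_SECRET are assumed placeholders.
const TENANT_ID = 'contoso.onmicrosoft.com';                      // assumed
const API_CLIENT_ID = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee';      // assumed: this API's registration
const API_CLIENT_SECRET = process.env.API_CLIENT_SECRET || 'placeholder-secret'; // load from a secret store
const TOKEN_ENDPOINT = `https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token`;

// App-only (no user): a daemon, or a Web API acting as itself. The scope is the
// downstream resource's /.default scope; roles come from application permissions.
function buildClientCredentialsRequest(resourceAppIdUri) {
  return new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: API_CLIENT_ID,
    client_secret: API_CLIENT_SECRET,
    scope: `${resourceAppIdUri}/.default`,
  });
}

// Read (not verify) the payload of the incoming JWT. The API's bearer
// middleware verified signature, issuer and expiry before this point.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// On-Behalf-Of: Web API A trades the user's token for one addressed to Web API B
// (Graph, Analysis Services, ...). Forward only tokens whose audience is this
// API; a token issued to some other app must never be used as the assertion.
function buildOboRequest(incomingUserToken, downstreamScopes) {
  const claims = decodeJwtPayload(incomingUserToken);
  const okAud = claims.aud === API_CLIENT_ID || claims.aud === `api://${API_CLIENT_ID}`;
  if (!okAud) throw new Error(`token audience ${claims.aud} is not this API`);
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    client_id: API_CLIENT_ID,
    client_secret: API_CLIENT_SECRET,
    assertion: incomingUserToken,
    scope: downstreamScopes.join(' '),
    requested_token_use: 'on_behalf_of',
  });
}

// How either body is sent (defined, not executed, in this example).
async function requestToken(body) {
  const res = await fetch(TOKEN_ENDPOINT, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  });
  if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
  return res.json(); // { token_type, scope, expires_in, access_token, ... }
}

// Constructed sample of the already-verified incoming token (unsigned; demo only).
const b64url = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const SAMPLE_USER_TOKEN = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url({
  aud: API_CLIENT_ID,
  iss: `https://login.microsoftonline.com/${TENANT_ID}/v2.0`,
  sub: 'user-oid',
  scp: 'access_as_user',
})}.sig`;

console.log(buildClientCredentialsRequest('https://graph.microsoft.com').toString());
console.log(buildOboRequest(SAMPLE_USER_TOKEN, ['https://graph.microsoft.com/User.Read']).toString());
```

Which one applies depends on whose identity should reach the downstream service. Client credentials yields a token that says "this API", so Graph would see the application, not the signed-in user; OBO yields a token that still carries the user, which is what the impersonation question above needs for Graph or Analysis Services to act as that user.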