With my outlook.com account I logged in to portal.azure.com and I created a new application. Microsoft has provided a sample app (daemon_console) for quick experiments (in QuickStart guide) and I followed steps provided for the sample app, the app automatically takes the application id and client secret you generated and updates the configuration JSON file (appsettings.json) with this info. I downloaded the code after these steps but when I run the sample app it throws the error "Authorization_IdentityNotFound".
Looks like it is able to fetch the token but following code is throwing the error:
var httpClient = new HttpClient();
var apiCaller = new ProtectedApiCallHelper(httpClient);
await apiCaller.CallWebApiAndProcessResultASync($"{config.ApiUrl}v1.0/users", result.AccessToken, Display);
Microsofts page has step to get Admin consent in two ways:
If you are a global administrator, go to API Permissions page select Grant admin consent for Enter_the_Tenant_Name_Here
Standard user
If you're a standard user of your tenant, then you need to ask a global administrator to grant admin consent for your application. To do this, give the following URL to your administrator:
https://login.microsoftonline.com/common/adminconsent?client_id=my apps client id
I have tried both these options. With the first option, I am able to grant the required permissions. But the issue still exists.
With the second option when I go to the suggested URL it fails with error:
"AADSTS500113: No reply address is registered for the application."
I think this should have been a straightforward process but somehow the app is not able to execute and fails with errors:
"code": "Authorization_IdentityNotFound",
"message": "The identity of the calling application could not be established.",
Please let me know if anyone has tried these steps and has managed to resolve this issue.
Note that I can run "https://graph.microsoft.com/v1.0/users" from graph explorer with my outlook.com account and it works perfectly fine.
I tested it, and at first I was running into the same issue,
its because of the common in the appsettings.json
replace the "Tenant": "common"
with "Tenant": "your Tenant ID",
You can get the tenant ID from the overview page of your app registration Directory (tenant) ID. After you do that, make sure you right click the project and click rebuild. because if I just do a normal run it had it cached and did not update it from common.
Related
I am following the steps in this document
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/additional-claims?view=aspnetcore-6.0
I also downloaded their sample application here and set my google client id and client secret in my secrets.json.
https://github.com/dotnet/AspNetCore.Docs/tree/main/aspnetcore/security/authentication/social/additional-claims/samples/6.x/ClaimsSample
The application runs fine. But I do not get the same output on the "My Claims" page as they have on their site. Specifically I am missing the access token.
Their results...
My Results...
If I am reading the documentation correctly that access token should be there due to this line
https://github.com/dotnet/AspNetCore.Docs/blob/7ae6a3f3f523c9a0b9d268e2b7ec37b11e7052a4/aspnetcore/security/authentication/social/additional-claims/samples/6.x/ClaimsSample/Program.cs#L19
I should also see a Token.TicketCreated value because of this line
https://github.com/dotnet/AspNetCore.Docs/blob/7ae6a3f3f523c9a0b9d268e2b7ec37b11e7052a4/aspnetcore/security/authentication/social/additional-claims/samples/6.x/ClaimsSample/Program.cs#L31
So why am I not seeing either of those?
The Home Page does show my picture and locale though so at least that part of the sample app is working. Any ideas?
When I am trying to run user flow manually from portal.azure.com by clicking 'Run user flow' at the bottom I can select the application and reply URL.
I have defined two reply URLs:
https://localhost:5001/signin-oidc
https://jwt.ms
I select the first reply URL and below that information the 'Run user flow endpoint' is generated automatically. When I copy this endpoint and try to call from my blazor app it is working correctly. I can log in and change my profile info. Then, I can click continue to reply to my blazor app.
After clicking I want to get back to my app but I have an error:
Error.
An error occurred while processing your request.
Request ID:
00-f13479803a4cdeb7d3e203f0910e3688-a0619e9d48caf391-00
Details OpenIdConnectAuthenticationHandler: message.State is null or
empty.
When I set the reply URL to jwt.ms everything works fine.
How to call Edit Profile User Flow from the blazor app properly?
There are below few workaround may help to achieve the above requirement
Kindly check the signuporsignin.xml b2c userflow policy for correct tenant id and public policy uri in that policy file specifically check the technical profile id and inherent output claims regarding post successful authentication with Azure ad b2c .
Since after successful authentication to the blazor app you are able to login and able to change the profile info in the signinsignup user flow page successfully ,But when returning to the blazor client application you are encountering an error that displays the State parameter is null or empty, which inherently implies that the token access authentication is not passed on or the token has is broken/missing or misinterpreted during the changes of pages.
Thus i would suggest you to please check the program.cs file in the blazor client application code whether it includes the below code snippets or not.
builder.Services.AddMsalAuthentication(options => { builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication); options.ProviderOptions.DefaultAccessTokenScopes.Add("api://https://domain.onmicrosoft.com/cxxxx-1xx-4xxxe-aad0-4xxxxx/API.Access"); });
The above code snippet states that the blazor client application has exposed his api to the blazor server application as a provider.
Further also please check the authentication.razor file for the parameter to be passed on public string
Once the above has been checked and found correct then please ensure that the appsettings.json file on both the client & server applications has the correct respective client Id and the policy name mentioned. Also check the Azure ADb2c app registration for the details in blazor web assembly application.
For more information please refer the below links:-
Secure an ASP.NET Core Blazor WebAssembly hosted app with Azure Active Directory | MICROSOFT DOCUMENTATION
This error is driving me crazy, had the same issue with a lambda web api, but that worked when uploaded, so that will do for now
This project however will be a NuGet package, and i need to be able to simply upload a file to S3
I have the code in place using the following : "https://docs.aws.amazon.com/AmazonS3/latest/dev/HLuploadFileDotNet.html"
im trying to run this local, but getting the Unable to get IAM security credentials from EC2 Instance Metadata Service." error
within visual studio, i can see the AWS Explorer, and i can create a bucket from here... so i have my user setup... but when i run local... there is no user???
i know its going to be a one line missing value somewhere :(
Thank you #Geeshan for your answer, it gave me some direction on where to look
However, I had my credentials file setup, but the answer to my question was you also need to have a profile setup with the name "default"
Also, now know that you dont need a matching "default" IAM user.
On the AWS IAM User page, you create your users as normal, no need to create a default user. In Visual studio, when you create a new profile, if your profile is named "default", and you enter they key and secret key for one of your IAM user, running your application will use that user (I miss understood this profile name, and was assuming it needs to match your IAM user, so initially i create a "Default" IAM user. which i now know, is not needed)
If you dont want to use the default then, you can choose a user by using "TryGetProfile and TryGetAWSCredentials in your application code (see below)
This is due to missing credentials in your local machine. Setting up the AWS Explorer will not provide the credentials to running your code.
One way to setup the credentials is to use a Credentials File in C:\users\awsuser\.aws\credentials (asuming you are using windows).
The following is an example of a profile in the credentials file.
[default]
aws_access_key_id = {accessKey}
aws_secret_access_key = {secretKey}
Here you can read more about managing credentials for .Net
I am trying to obtain Admin consent for external application.
So I prepared link for an administrator of another company. Here is a link
As you can see:
scope=openid
admin_consent_scope=signature%20impersonation
But when administrator of target organization loggining in - he see the following screen
As you can see - it is requesting only "Obtain user information". But I expected to see permissions as in documetation:
After administrator clicked "Accept" - my app still gets an error consent_required when it generates JWT token.
Ok, had a call with Docusign support. They have a bit outdated specs.
The link should not have admin_consent_scope parameter and all scopes must be in scope parameter. Got it working.
I have a custom UWP application which I have registered in portal.azure.com. The app has been configured to support all account types ("Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)").
In my application I create a IPublicClientApplication like so:
PublicClientApp = PublicClientApplicationBuilder.Create(appId)
.WithAuthority(AadAuthorityAudience.AzureAdAndPersonalMicrosoftAccount)
.WithLogging((level, message, containsPii) =>
{
ConfigurationHandler.Log.Info($"MSAL: {level} {message} ");
}, LogLevel.Warning, enablePiiLogging: false, enableDefaultPlatformLogging: true)
.WithUseCorporateNetwork(true)
.Build();
And later on I'm trying to acquire an authentication token like so:
authResult = await PublicClientApp.AcquireTokenInteractive(Scopes)
.ExecuteAsync()
.ConfigureAwait(false);
This will open the sign in popup window where user enters their email address and password. The authentication works without issues when I'm using a personal (xyz#outlook.com) account but it doesn't work with work accounts. The window is trying to redirect to the organization sign in page after entering the work email and clicking next. The redirect process begins but always ends up to following error:
"We can't connect to the service you need right now. Check your network connection or try this again later"
I have tried to add WithRedirectUri with value "urn:ietf:wg:oauth:2.0:oob" to the PublicClientApplication creation but it didn't help. That's the only redirect URI I have configured in Azure Portal.
Is there some other setting which I'm not aware of? How can I get rid of this error and get the work accounts working as well?
EDIT: I forgot to mention it's a desktop application.
I can not reproduce your issue on my side. My steps seem the same as yours, anyway, here is the screenshot for your reference. Also, here is an complete guide.
By the way, if you want to integrate authentication on federated domains, you need to enale additional capabilities.
1.Open Package.appxmanifest.
2.Select Capabilities and enable the following settings:
Enterprise Authentication
Private Networks (Client & Server)
Shared User Certificates
This issue was resolved by adding a missing certificate to Trusted Root Certification Authorities in Windows certificate manager.