I have a local server exposing an api that let clients to interface with some azure APIs such as azure ressource manager .
The authentication is done using the Microsoft.IdentityModel.Clients.ActiveDirectory nugget package. I get a token and use that token to make requests to those APIs.
The problem is that this token expires after after a certain period and the clients can no more access azure APIs services through the local server.
Is there a way or best practice that allows the local server to automatically reauthenticate or acquire a new token.
The goal is to automate this such as connectivity with azure api is available all the time for consumption through the local server.
Any help or guidance will be very appreciated.
As far as I know, there is no way to automatically reauthenticate or acquire a new token when the previous token expires. When the token expires, you could use refresh_token to get a new token. Or you could Configurable token lifetimes, the maximum for the access_token lifetime is 1 day. For the details about configuring token lifetime, you could refer to here.
Related
I'm developing a .NET application that can send emails on behalf of the user using the Graph API.
Users are prompted to authorize the application; The acquired access token is then used to call the Graph API. The refresh token is used to issue a new access token when the old one expires, as described here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
Couple of questions / observations:
Assume user John authorizes the app to send emails on his behalf. If an administrator removes the app from the azure portal, the access/refresh tokens issued when John authorized the app will still work.
if the access token is still active, it can be used to call the graph api;
if the access token is expired, the refresh token can still be used to request a new access token
Is this behavior intended?
After reading https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/users-revoke-access and https://learn.microsoft.com/en-us/powershell/module/azuread/revoke-azureaduserallrefreshtoken?view=azureadps-2.0 it seems that simply removing the app from the user doesn't revoke the tokens.
Assume user John authorizes the app to send emails on his behalf. If John goes to https://myapplications.microsoft.com and removes the app he won't be able to use the refresh token to get a new access token, which is expected.
However, I've noticed that if John reauthorizes the application to perform actions on his behalf, the application won't show up on https://myapplications.microsoft.com anymore. This behavior seems a bit inconsistent. What's the proper way for a user to revoke access to an application?
If the user has granted access to the application, Azure AD will issue an access token and a refresh token for the resource.
The lifetime of the access token is usually about 1 hour. During its lifetime, even if the application is deleted, it is still available, but you will not be able to use the refresh token to obtain the access token again.
If you need to revoke authorization during the lifetime of the access token, please see: here and here.
Here's the scenario:
A game has its own login UI, which authenticates the player to the server using processes that have nothing whatsoever to do with Azure authentication. Actually using Azure authentication will not fly, as this requires sticking a browser into the game to redirect the user through a web authentication flow. This is not happening, because it breaks immersion and severely degrades the player's experience.
The game client needs to download resources from Azure Blob Storage. These resources are protected by a token.
The server should be able to create these tokens (for itself, not "on behalf of" any specific user) and send them to the game client, to users that are authenticated to its satisfaction (without Azure authentication for the user!)
I've spent an hour now, searching all throughout the rabbit hole that is Microsoft's documentation on the subject, and I can't for the life of me figure out how to get an access token without the process for authenticating the user forcibly poking its nose into the workflow.
Does anyone know what the proper workflow is for the server app to get a token on behalf of itself using its own client ID/client secret, without the identities of any users being involved anywhere in the process? I don't find it believable that such an important workflow wouldn't exist; I just can't figure out what it is or how to do it. Any help would be appreciated.
According to my understanding, you want to download things form Azure blob storage with Azure AD auth and you do not want to process the Azure AD auth with users, If so, I suggest you use service principal to process Azure AD auth then download files from Azure blob with the token.
For example
create a service principal and assign Storage Blob Data Contributor for the sp.
az login
az account set --subscription "<your subscription id>"
# it will assign Storage Blob Data Contributor to the sp at subscription level
az ad sp create-for-rbac -n "mysample" --role Storage Blob Data Contributor
Get access token
POST https://login.microsoftonline.com/<your tannat id>/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id=<your sp appId>
&client_secret=<you sp password>
&resource=https://storage.azure.com/
Download file with the token
Get <you blob url>
x-ms-version: 2017-11-09
Authorization: Bearer <access_token>
Besides, as #Gaurav said, if you deploy your project on Azure VM, you can enable Managed Identity for Vm then use the identity to access Azure storage. For more details, please refer to the document
I have a .net core web API server that I connect to from a mobile application. The server creates an invoice on Xero and sends the user an email etc...
I have been using oAuth 1 with no issues, but now need to switch to oAuth 2. As there is no front end-user on the API server, can this still be accomplished?
All the documentation I read, seems to need a manual login to grant authorization and get an access token?
I was using the XeroApi settings in my appsettings.json file with a pfx certificate and a private app.
I am using the C# SDK
Thanks in advance :-)
You'll need a user from the Xero organisation to go through the OAuth2.0 flow at least once to retrieve an access token. If you request the offline_access scope during this flow, you'll receive a refresh token as well; this will enable you to refresh the access token from your web server on an ongoing basis, without user intervention.
So yep, you'll need a manual login at least once, but as long as you request & retain the refresh token from that initial flow, once should be enough.
I have a Xamarin.Forms iOS and UWP application based on a .NET standard 2.0 library. I am able to allow the user to a) login with Facebook b) use the received Facebook token to authenticate with an AWS Cognito federated identity pool without any problems leading to a Cognito access token to work with AWS resources for one hour. The logic I follow is to create a new CognitoAWSCredentials instance; call its addLogin method to specify Facebook and the Facebook address token and finally to call the GetIdentityId() method to receive the necessary credentials.
As expected and documented, this access token works for one hour and then I start receiving AmazonCognitoIdentityException.
I have read through the Amazon documentation but did not locate which method or API endpoint to call after (lets say) 55 minutes to refresh this token. Additionally, I also do not see from debug instance inspection any reference to a refresh token or a refresh method.
Guidance to the correct way to refresh the AWS Cognito access token is greatly appreciated.
I am using C# Web API and the Microsoft OWIN OAuth Namespace to grant a user an access token when they have successfully authenticated. When they authenticate, I also set up some caching of user related information.
I'm trying to determine a way to determine when a user's access token will expire, so that I can invalidate and clear the server side cache for that user.
What is the accepted way to do this using token authentication?
You can create a cron job for database as a turn to clean database.
Cron job for linux base.
Scheduled Task for windows.