I've implemented authentication based on the OpenID Connect sample found here. In the development environment I'd like to add user impersonation which also works with on-behalf-of authentication. I want downstream APIs like the Graph API or other services like Azure Analysis Services to use the impersonated user too.
Where can I read up on how to implement this? Is this even possible?
It is possible to implement this using OAuth 2.0 On-Behalf-Of (OBO) flow.
Detailed documentation from Microsoft is available here:
Service to service calls using delegated user identity in the On-Behalf-Of flow
The OAuth 2.0 On-Behalf-Of (OBO) flow serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from Azure Active Directory (Azure AD), on behalf of the user.
Your current sample that you've already implemented has taken care of the green part in the picture above. Following the instructions in the shared link for OBO, you need to implement the remaining part. "Web API B" will be the downstream API like Graph API or others that you will call using the delegated user identity from the first Web API (i.e. Web API A in your already implemented sample).
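As an added illustration (not code from the question, the answer, or the Microsoft sample), the following Python shows the two things Web API A has to do before calling Web API B: confirm the incoming user token was actually issued for this API, then form the OBO request to the Azure AD v2.0 token endpoint. The tenant, client id, secret and the sample token are constructed placeholders; the network call itself is left out so the block runs offline.

```python
import base64
import json
import time

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _jwt_payload(token: str) -> dict:
    """Decode the JWT payload segment (no signature check: that is the job of
    the API's JWT bearer middleware, which runs before this code)."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def check_incoming_token(token: str, api_client_id: str, now: float = None) -> dict:
    """Refuse to forward a token that was not issued for Web API A or has expired.
    Exchanging a token meant for another audience is the classic OBO mistake."""
    claims = _jwt_payload(token)
    now = time.time() if now is None else now
    if claims.get("aud") not in (api_client_id, f"api://{api_client_id}"):
        raise ValueError("token audience is not this API; refusing OBO exchange")
    if claims.get("exp", 0) <= now:
        raise ValueError("incoming token has expired")
    return claims


def build_obo_request(tenant, client_id, client_secret, incoming_token, scopes):
    """Return (url, form body) for the OBO exchange that yields a token for
    Web API B (e.g. Microsoft Graph) carrying the same delegated user."""
    check_incoming_token(incoming_token, client_id)
    body = {
        "grant_type": OBO_GRANT,                 # JWT bearer assertion grant
        "client_id": client_id,                  # Web API A's app registration
        "client_secret": client_secret,          # Web API A is a confidential client
        "assertion": incoming_token,             # the user's token for Web API A
        "scope": " ".join(scopes),               # what Web API B should receive
        "requested_token_use": "on_behalf_of",   # marks this as an OBO exchange
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), body


def _sample_token(claims: dict) -> str:
    """Constructed sample token (unsigned, fake signature) for offline demos."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.fake-signature"
```

The returned body is what you POST as application/x-www-form-urlencoded; the JSON response's access_token is the one to put in the Authorization header when calling Web API B.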
As a design requirement, I need to:
Create a ReactJS application where users will single sign-on using MSAL.
Once authenticated, the application will access several HTTP Azure Functions endpoints that will be developed in C# and whose access authorization must be based on application roles.
I'm still in my infancy with MSAL and would like to know where I can find a tutorial that helps me with all this.
I understand that I somehow need to:
Authenticate the user and acquire an access token.
Having this token, somehow forward it to the endpoints.
On the endpoints, read the token that was forwarded and check if the user has authorization or not.
Thank you very much
I am currently building an API alongside our external app developers. I have read that the Authorization Code Flow with PKCE is definitely what we need for this set up; however, I am looking for some more detailed advice.
Our existing API uses the implicit flow and the app sends credentials + secret etc. to the /Token endpoint in the API; this then looks up the passed-in data and compares it with our users table. If that passes, an Access Token is returned to the app.
With this new flow I have the following questions:
Do I have to use the Okta Portal/Dashboard and set up the API there?
Do all app users have to be stored in the Okta dashboard? We usually manage our own users table where we add users from a custom tool. However, I am presuming when using Okta our custom tool would need to call an Okta API endpoint and register the user from there and then get and store the user's Okta ID in our own table. Does anyone have an example of how I do this from a C# WPF application?
Do I then need to request the Redirect URLs from the app developer and set them up as a Native App in the Okta dashboard? Presuming I need to give them some set values to hold their end to allow them to call Okta at authorization.
OpenID? Do I need this, and if so how and where does this get implemented?
I have read through so many tutorials but just haven't quite found the exact fit yet.
Many thanks
You will need to access the Okta admin console to register a client application. Once done, you can use the Okta OIDC APIs: https://developer.okta.com/docs/reference/api/oidc/.
You can use the Okta SDKs to simplify the development process. Ex: https://github.com/okta/okta-oidc-ios
If Okta is going to be the authorization server, users and their credentials will need to exist in Okta.
When you create a native app in the Okta admin console, you will need to provide the redirect URIs that will be whitelisted.
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. When you create a native application in Okta, it will be an OIDC application.
I've seen a million different answers and none of them work.
Can someone please give me a link that works for:
I have a web api, I've registered it on Azure. I have Azure Active Directory configured.
I have a tenantId, a clientId, a client Secret, and every other variable I should need.
I can log a user into my system through AD via an MVC controller, how can I do the same with web api?
I basically need to generate the AD token so I can continue to use the API outside of my MVC controllers.
It must be the same token, because I need to access Microsoft Graph from the client side of the API.
HELP!
It's up to the client to get a token and pass it to your API. You don't specify what the client is (i.e. web, iOS, Android) but since you're using Azure AD you could just use the appropriate ADAL library provided by Microsoft to do this.
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries
I can log a user into my system through AD via an MVC controller, how can I do the same with web api?
If you are interested in server-to-server interactions without direct interaction from the user side, you may have a look at OAuth 2.0 Client Credentials Grant Flow for AZAD.
The attached article contains simple examples of implementation. I think for your case, the example with a daemon/console app (just replace it w/ Web API) is what you need. Download the example, replace the configuration values (Instance, TenantId, ClientId, and ClientSecret) in appsettings.json w/ yours, and try to play around with it.
I am new to .NET Core and while I have .NET experience, I have never built authentication; in the past I've always worked on projects not started by me. I am just trying to learn and find good resources and I would greatly appreciate it if anyone knows a tutorial or can explain how to solve this.
When using external logins, I followed the instructions here. This all works well if I create a simple web API project and run it: I get a web page where I can log in, authenticate, works perfectly. But this is not my end goal; I am building Web APIs, not a Web Application. In my case let's say I have iOS and Android apps and my external login is done on the app itself, how would I pass the token to the Web APIs? I want to use the [Authorize] attribute in the Web APIs to make sure that no unauthorized access is made against the APIs and in addition to that I would like to use roles.
I am assuming token information is passed in a header. But what is the header name for the token? Can external authentication be used with roles or is that only possible if I store username/password? Can you point me to some good tutorial or anywhere I can learn more, because all Google searches return the same as I have mentioned above and it is not very descriptive.
In general, your web API will work like an identity provider; it will issue and validate the JWT tokens:
http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
You can also implement authorization with the help of your external login provider. If you have an SDK or your own code in your client app to help do authentication, then for the authorization part you can also register your web API in the same identity provider. For example, if you are using the Google external login in your client app, you should register your client app and web API on Google's application registration page, then you could use the OpenID Connect hybrid flow to authenticate users and get an access token for accessing the web API. Each identity provider documents how to implement authentication/authorization in detail.
You can have an endpoint that allows anonymous access and takes the token and verifies it. Then it can send back a JWT that contains claims/roles that you want to enforce on the specific user. Every time the client accesses a secure endpoint, it can send your JWT in the header which gets verified before the specific method in your API controller is called. You can look into OAuth flows if you want to integrate social logins.
For example, Google has this documentation for OAuth:
https://developers.google.com/identity/sign-in/web/backend-auth
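The answer above (the API issuing its own JWT with claims/roles, sent back in a header on every call) and the earlier MSAL/Azure Functions question (read the forwarded token on the endpoint and check the user's role) both come down to the same server-side check. As an added example, not code from either poster, this Python minting an HS256 JWT with a roles claim and then validating one from the Authorization: Bearer header, the header name the question asks about; the signing key and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def issue_jwt(claims: dict, key: bytes) -> str:
    """Mint the API's own HS256 JWT carrying the caller's roles."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def authorize(headers: dict, key: bytes, required_role: str, now: float = None) -> dict:
    """Validate the bearer token from the Authorization header and enforce a role.
    Raises PermissionError on any failure; returns the verified claims on success."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise PermissionError("missing or malformed 'Authorization: Bearer <jwt>' header")
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: never trust 'alg' from the token (blocks alg=none tricks).
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise PermissionError("unexpected alg; only HS256 is accepted")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):   # constant-time
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))   # only trusted after the check above
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if required_role not in claims.get("roles", []):
        raise PermissionError(f"role '{required_role}' required")
    return claims
```

In ASP.NET Core the same checks are what the JWT bearer middleware performs behind [Authorize(Roles = "...")]; this block makes the order of the checks explicit: signature first, then expiry, then role.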
I am trying to capture a SAML token that my ADFS login gives me. I need to capture the SAML by browsing to the ADFS login page, let the user log in, and then when login is successful return the SAML back to the application. The application then calls a WCF service passing the SAML token in the header. I have a URL like:
https://adfs.mydomain/adfs/ls/IdpInitiatedSignOn.aspx?RedirectToIdentityProvider=http://adfs.mydomain/adfs/services/trust&loginToRP=https://bcjbsj.com/client-api/api/saml
I need to get this working either in a Windows application or a console application. If this is not possible I can create an ASP.NET application also for testing. I have gone through many links but have not been able to find anything that helps.
I may be missing something here. Quite new to authentication. Any help or pointers would be helpful.
This is easily accomplished using a technique (occasionally) called JavascriptNotify. The basic idea is to display a WebBrowser control that you extend via javascript to allow callbacks to your app code once authentication is complete. You need to provide either centrally or packaged with your app an SP-STS that presents the home realm discovery page and the final jsnotify page. The rest of the UI is handled by the trusted STS's. You can optionally use Azure ACS to fill this role.
See Authenticating Users from Passive IPs in Rich Client Apps – via ACS or Access Control Service: Transitioning between Active and Passive Scenarios for what the call sequence looks like.
To understand how to add the required window.external methods, see Invoke C# code from JavaScript in a Document in a WebBrowser. Thinktecture has an example client in WPF implementing javascriptnotify with JST.
As #Thuan mentions, the other option would be to abandon WS-Federation passive authentication in favor of WS-Trust active authentication. The downside of this approach is that it is far less flexible, and you must implement the client-side UI yourself. Having written apps that implemented both WS-Trust and WS-Fed RPs, I highly recommend WS-Fed passive authentication even for desktop apps.
That endpoint is used for passive login (aka via browser) scenarios. For a Windows application or console, WS-Trust is a more appropriate approach. In short, your application uses the WS-Trust protocol to call ADFS to get a token that can be used to access a WCF service. Such a WCF service is called a claims-based service or claims-aware service. This question has a bunch of good links: WCF, Claims, ADFS 3.0