Can someone guide me or put me in the right direction? I'm new with microservices and Identityserver. I googled it but it's mostly about doing in mvc app that's not my scenario.
I have 3 projects in my .sln file
FrontendHost //Bff frontend dotnet react app
IdentityService //Asp.net mvc app Duende IdentityServer 6 for protecting Apis. Added claims here are openid, profile, email
BackendApi1 //.net6 web api that is protected using Remote Bff Api Endpoint approach.
I've a string Created By field in a model inside BackendApi1 project and in its api controller I wanna assign it with current signed-in user's name.
I tried with
var user = User.Identity.GetUserId();
But didn't get the expected result.
Related
I have two web applications that I've worked on in ASP.net Web API for a client. The two applications are hosted on the same domain, but in different virtual directories.
Each application has a data source with information about authorized users. I've been asked to set up a separate app that will allow a user to log in and issue an OAuth bearer token that can be used to access each web application.
I have the Owin stuff set up in one of my two apps with something of a boilerplate setup and it automagically makes the tokens work for me, but that's only within a single web application.
I have a general idea of how the OAuth tokens work: a user is authenticated and they receive a token that contains a user ID, a time stamp, and a cryptographic signature that says that the token came from my client's server and not somewhere else, and the Web API framework automatically checks that token for me when I decorate my API endpoints with the [Authorize] attribute.
I want to know how I can set this up so that the token is issued by one web app and consumed by another. I know that at a minimum, I need to make the two web apps work with the same key pair for the cryptographic signatures.
Can I please get some direction about how to make this happen?
Using this nodeJS example, I could get the data from a public sheet.
But how do I get the data from a non-public sheet owned by me (my google a/c) ?
Is there some way to send in the username and password as arguments ?
I don't want OAuth way as I want the data to be pulled from the sheet & displayed on a public webpage.
The other option I can think of is to have OAuth2 done once write a script to handle refresh tokens automatically as a cron every hour ?
Since this is a file that you the developer own i would recommend using a service account
If you share the file with the service account it will then have permissions to access it without you needing to go though the oauth2 steps of authorizing your application.
On google cloud console simply create Service account credentials
const {google} = require('googleapis');
const auth = new google.auth.GoogleAuth({
keyFile: '/path/to/your-secret-key.json',
scopes: ['https://www.googleapis.com/auth/spreadsheets'],
});
Then change your auth code slightly. Open the service account key file and look for the service account email address its the only one witha # in it. Share the file with the service account like you would any other user in google drive web app.
Once it has access you shouldn't need to authorize the app again.
I have a video on Google drive API upload file with Nodejs + service account which might help you a bit you just need the authorization code. Everything else you have should work as is.
I have a DotNet Core WebAPI living in my own Azure AD tenant. This WebAPI is secured via AzureAD V2 (!) BearerToken authentication. This API is called by an Angular SPA authenticated via OIDC (AzureAD v2) using #azure/msal-angular following the tutorial at https://learn.microsoft.com/en-us/graph/tutorials/angular. Everything works fine with users from my own tenant. But when logging in with a user from another tenant I get the following error:
"AADSTS650052: The app needs access to a service
(\\\"https://mytenant.de/AngularDemoApi2\\\") that your organization
\\\"myorganization.de\\\" has not subscribed to or enabled. Contact your
IT Admin to review the configuration of your service
subscriptions.\r\nTrace ID: 9597578e-7e48-49b2-85be--b5a1ee14300\r\n
Correlation ID: 30d4caf2-e3ca-4d7d-84b5-564d428e4e69\r\n
Timestamp: 2019-06-13 15:40:46Z|invalid_client"
I have tried to following some examples to make the WebApplication and the WebAPI multitenant but all the examples seem to be outdated and/or not relevant for V2 of Azure AD. WebApplication and WebAPI have set
"signInAudience": "AzureADandPersonalMicrosoftAccount"
in Manifest. WebAPI has App Uri in the form of
https://mytenant.de/AngularDemoApi2"
I guess that I need to give users from other tenants somehow permission to access the WebAPI in my tenant but I don't know how.
Edit: When I choose to expose the API directly from the app registration of the SPA it works like a charm. But this approach does not seem to be right because each exposed API would have the same audience ("aud" claim, the same audience as the SPA application). In my example above I have a separate app registration - one for the SPA and one for the API. This way each API would have it's own audience and it will also be mentioned in the consent screen.
May be someone could explain how to configure it correctly?
I had the same problem, and for me the solution was to add the client as an "authorized client application" to the WebAPI's app registration in the Azure portal.
This will show up in the service app's manifest as a section in the following form, where appId is the application id of the client app, and permissionIds contains the ids of the scopes requested by the client app, which can be read from the "oauth2Permissions" section of the manifest:
"preAuthorizedApplications": [
{
"appId": "523ca2d4-680b-4ef4-8a8c-3f3486693cf7",
"permissionIds": [
"35e5e006-83c5-4f37-a3bf-c048ee8c8600"
]
}
],
In your case, you might have to first register the Angular SPA as a client application in order to get a client id. This is described in this quickstart.
The site i am currently working on has been build in grails 3. The previous developers have build the majority of the front end in gsp, The end goal is to use react on the front end and just use grails as a rest api.
I am currently tasked with creating a new edition for the site and it will be the first component in react that needs authentication credentials to interact with users data.
this needs to be done before the rest of the site is transitioned here and there too react.
is there a way that i can gain access to a user's information that has signed in using gsp pages in react?
So i need to somehow securely pass the users information that is currently signed in on the non react site to the new react section without them having to sign in again. is this possible?
The best option is your grails backend issue a JWT token. This token identifies the user and can be used to securely access your API. Then you can have an API endpoint that returns detailed user information, if you need.
I have a Web API running in an Azure Web App. It is used from a .NET WinForms client application. In the same Azure Web App, there is also an ASP.NET MVC site.
Users authenticate to the site and the .NET client using Azure AD credentials. This should be multi-tenant. The MVC app works fine multi-tenant, but I have trouble getting the client to run multi-tenant.
My understanding from https://learn.microsoft.com/en-us/azure/active-directory/active-directory-integrating-applications is that the Consent Framework should kick in automatically if OAuth 2.0 is used. I am using code (below) that is very close to the sample at https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapi-multitenant-windows-store/.
While I can successfully log in with a user in the tenant where the native app is defined and use the app, I cannot use the app with a user from another tenant. There is no consent asked and I get an AdalException:
AADSTS50001: The application named https://<myurl> was not found in the tenant named <sometenant>.onmicrosoft.com. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Trace ID: 3<snip>2
Correlation ID: 2<snip>a
Timestamp: 2017-01-05 01:01:10Z
I have added the ID of the native client app to the list of knownClientApplications in the web app's manifest. I am authenticating against the "common" tenant (https://login.microsoftonline.com/common). The third-party tenant user account signing in is a Global Admin in that tenant.
So, I am clearly overlooking something to enable the Consent Framework but I can't find what it is based on the sample...
Relevant native client code below
Uri RedirectUri = new Uri(sRedirectUri);
// AadInstance is the common tenant
AuthenticationContext authContext = new AuthenticationContext(AadInstance);
try
{
PlatformParameters pp = new PlatformParameters(PromptBehavior.Auto);
// Authenticate to Azure AD
Program.WebApiAuthenticationResult = await authContext.AcquireTokenAsync(WebAppIdUri, ClientID, RedirectUri, pp);
return true;
}
catch (AdalException ex)
{
MessageBox.Show(ex.Message, "Log In Not Successful");
}
Thanks for any insight!
I am trying to reproduce this issue however failed. The scenario that native client app consume the web API which both protect by Azure works well when I login the native app with the multiple tenant account. I tested the code sample from here.
And based on the error message, it seems that the resource is not correct, please ensure it is same as the APP ID URI for the web API app you register on Azure. I could get the same error message when I specify an incorrect resource.