Develop Reference

Azure Front Door routing when secured with Azure b2c

I'm looking at ways to modernise some of our existing web apps without a total rewrite. One idea that's being bandied around is having pluggable modules that can be written in more up to date languages that can be bolted onto the existing webapps.
I tried this out with both an iFrame approach and also using Azure Front Door routing, so that even though I had separate Azure App Services, I managed to get everything to appear as though it was part of the same web app/domain with routing rules.
Unfortunately both these methods failed once I secured the websites using Azure b2c. As an example, I tried to create two bog standard asp.net core mvc apps (deployed in Azure as AppService1 and AppService2). I secured them both using b2c with separate b2c apps. I checked I could log into both apps successfully. Also once I logged into one app, I could go to the other via a different browser tab and didn't need to log in so I knew that SSO was working.
I then tried to embed one app service in the other via an iFrame and got the following error
Refused to display 'https://xxx.b2clogin.com/' in a frame because it set 'X-Frame-Options' to 'deny'.
Didn't pursue this so my next step was to try and use Azure Front Door routing to help me out. I managed to get this working for the top level app service (AppService1) by following this post
Exception: Correlation failed. AAD + Azure Front Door
However, I haven't managed to get the routing to AppService2 working. Here's what I tried
Attempt 1
Added a routing path in front door that used /service2 as 'patterns to match'. AppService2 had the following CallBackPath
"CallbackPath": "/signin-demo"
Used a b2c app which a redirect URL of
https://<frontdoor url>/signin-demo
When I try to go to https://[frontdoor url]/service2 I just get taken to the following URL
https://<frontdoor url>/signin-demo
which doesn't display anything.
Attempt 2
Changed the b2c app to one that used a redirect URL of
https://<frontdoor url>/signin-oidc
which is the callback path of AppService1. Doing so gives the error when going to https://[frontdoor url]/service2
Unable to unprotect the message.State.
So, I'm not sure what to try next. What I'm doing feels like it should be possible but I wonder if anyone could help or work out what I'm doing wrong.
Many thanks

Azure SSO and Laravel login have issue with SAML

I have followed the solution explained in the Azure SSO related question in the forum
After that i checked in the Portal Azure try testing from the portal itself but it keeps redirecting me to the login page only if doing it first time so its new to me though. am i missing something or i need to write login handler for my application to handle this as for now i have not created any handler for login because as per the description in the link it supposed to work .
I tried by having dd in the service provider that has been created but its not reflecting as i am confused and stuck here i am not getting where i need to write the logic where i need to handle users with type in this as for login now it is redirecting me to login route when i test it from azure portal.
Any guidance on this would be helpful !

• I would suggest you follow the Github documentation below for configuring the lavarel SAML SSO in Azure AD as it uses Lavarel package for SAML2 integration as a service provider itself. Also, as you have added the service provider in your case, it doesn’t need to if you are using v 5.5 and higher of Lavarel as it gets automatically registered. Its just for older versions that you need to add the service provider in ‘config/app.php’.
https://github.com/aacotroneo/laravel-saml2
• Thus, once you do the above and publish the config files accordingly by executing the php commands, then you will need to modify the IDP settings in PHP app’s configuration and in here, please ensure that you are entering the ACS(Reply) URL and Identifier (Entity ID) from the Azure AD created application correctly. Also, ensure that the required SAML URLs and certificate keys are correctly entered in the environment variables required in the aad_idp_settings.php
Also, please check the actual routes in the metadata, by navigating to ‘http(s)://{laravel_url}/{idpName}/metadata’ as they must be reachable for your application to pass the authentication claims to AAD for get the authentication token and since, you are configuring SSO, please check the IDP metadata for ‘http(s)://{laravel_url}/single_sign_on/mytestidp1/metadata’ and finally please ensure that ‘RedirectIfAuthenticated.php’ is configured to redirect to ‘/routesPrefix/myIdp1/login’ and the same in '/Exceptions/Handler.php'
By following the above steps, your issue should be resolved.

How to access to google project from ui rather than link get from eclipse console

I have developed a tool for handling google sheet using spring boot with google sheet api. When I run the application from UI ,then eclipse console will show a link for OAuth authentication so that to get data in UI Eclipse console.I need to get back to console and take the link to browser for authentication. So my question is how to authenticate it through UI rather than going to console manually.
I selected react js as UI, and I added GoogleLogin to it
`
This tool is requir a google account to access<GoogleLogin
clientId="my client id"
redirectUri="http://localhost:8888/Callback"
scope="https://www.googleapis.com/auth/spreadsheets"
responseType="code"
accessType="offline"
buttonText="Choose account"
onSuccess=""
onFailure="" ></GoogleLogin>
</div>`
even though react js code worked,i will get the sheet data only after authenticating using link given in console.Please help me to solve this

You may redirect it directly but it would only work in case you are having that url working.
Let suppose, I'm hosting my application on http://localhost:8080/myProject then it would be redirect you to some url, you would be get that using this way.
Generate Credentials.json file while keeping redirect url blank.
Put this file to resources
Run project again
It will give you the response url, Do something for mapping that URL to your needed re-directional url.
Let me know if you need anything more in this.

Google Cloud Run Hosted User Sign-In 'Redirect' Throws Error When Using External Identity Providers

I have a Google Cloud App Engine app that functions correctly when either I allow unauthenticated AllUsers access or turn on IAM for controlling access in Identity Aware Proxy. However when I follow the instructions on this page https://cloud.google.com/iap/docs/cloud-run-sign-in to enable Cloud Run Hosted sign-in with external identities and attempt to access either the login page or the Google Cloud Run hosted sign-in page, I receive the following error in the browser.
"Could not fetch URI /computeMetadata/v1/instance/service-accounts/default/token?scopes=https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/identitytoolkit"
For context, the Google Cloud Run service hosting the user sign-in is set to allow all Unauthenticated. It should re-direct to the Google App Engine web app. I think this is related to permissions or redirects, but I am at a loss as to how to fix. Any thoughts? Thanks!
I attempted to fix by re-deploying the Cloud Run Service, switching IAP on and off, switching between IAM and external identities, but to no success.
Thanks #John Hanley, I discovered that one my compute engine service account was disabled for some reason within the project. Re-enabling solved the problem partially. I'll spend more time matrix out the permissions and re-directs to make sure they are aligned.
I originally thought I completely answered my own question and solved my problem. Unfortunately, I only solved one of the problems with my implementation of the external identities authentication method.
Description of the other problem:
I enabled email/password and Google as providers, but when I click on the the option to authenticate with Google, I receive the following text in the browser: "The requested action is invalid."
At the Console in Dev Tools I get the following error:
GET https://www.googleapis.com/identitytoolkit/v3/relyingparty/getProjectConfig?key=*mykey*&cb=1599165379363 403
The following url is displayed in the URL bar:
https://.firebaseapp.com/__/auth/handler?apiKey=mykey&appName=%5BDEFAULT%5D-firebaseui-temp&authType=signInViaRedirect&providerId=google.com&customParameters=%7B%22hl%22%3A%22en%22%7D&scopes=profile&redirectUrl=https%3A%2F%2Fiap-gcip-hosted-ui-app-engine-app-myserver-uc.a.run.app%2F%3FapiKey%3Dmykey**&v=7.16.0&fw=FirebaseUI-web
mykey and myserver were removed for this post and is not the actual values.
Email/password sign-in works, but not the Google sign-in. What am I missing here?

Okta sign-in widget with PHP does not work

I was trying to setup OAuth workflow using the sample application as given here
However for some reason, after I enter my okta user Id and password, I never gets the control back on my call-back URL and application just hangs indefinitely.
However the normal Javascript Singn-in widget (check this link) with the minimal authentication does work and I get the control back to the redirect URL. But this is not for an OAuth2 workflow... which is completely useless for me. Because all it does is provide authentication service using Okta tenant app and it will redirect you to your App URL. This does not provide any authorization grant workflow or other OAuth2 complex workflow. May be useful for some application but not for enterprise app where you want to retrieve user profiles, and create a login session based on user profile data retrieved from OKTA.
So my question is why is the OAuth workflow not working using the PHP application that uses JS sign-in-widget? And why there are no instructions or warning on this page for this costly service (this is not free and many org is probably paying for this)?
I spent almost a day trying to setup my Authorization server as per the instruction given on this link, but nothing works. Any idea what must be going wrong ?
Does this entire example works only after contacting OKTA support to enable the Authorization server feature? Because, I also saw a documentation here that says that this is Early Access (EA) feature (and it is probably recently added in OKTA? Extremely frustrating experience).
BTW I sent email to their customer support to enable this Authorization server feature just in case if I am missing something. If this does not work then I will have to create my own OAuth2 server using Laravel 5.4 PHP framework, which is probably the quickest solution and 100% free.
I also tried to test the Authorization server setup as per the instructions provided here.
I was successful in getting the following end point working:
/oauth2/:authorizationServerId/.well-known/openid-configuration
But I am unable to get any scope and claims using api end-point:
/api/v1/authorizationServers/:authorizationServerId/scopes
So in short, I am so far unable to test my Authorization server to get my authorization grant workflow working.
Where can I look for some troubleshooting advice?
Is there another way to check whether I have configured my OKTA Authorization server properly?

I found out that the JS script provided for the PHP sample is not right for the workflow I am working on. So after changing that JS Script, things started to work.
Edit: Also please note that Setting up Authorization server is a new feature (It is Early Access feature) in OKTA. It is not enabled by default. So you need to contact OKTA support team to enable the Authorization service endpoint and functionality provided by it.