RStudio Connect OAuth2 Authentication with Azure B2C - azure-b2c

I am looking to set up OAuth2 authentication in RStudio Connect to authenticate against Azure B2C using OpenID. I have configured the rstudio-connect.gcfg file with the authentication settings mentioned in the documentation as follows.
[Authentication]
Provider = "oauth2"
[OAuth2]
ClientId =
ClientSecret =
OpenIdConnectIssuer = https://xxxx.b2clogin.com/xxxx.onmicrosoft.com/b2c_1_si
RequireUsernameClaim = true
When trying to authenticate, it doesn't look like it even tries to redirect to the B2C login page, and just displays a login error message.
Can anyone advise how to configure the RStudio Connect config file and the app registration in Azure B2C to get the authentication to work correctly?

Related

Nuxt + Azure AD + Laravel API

I found Nuxt Azure AD authentication, which helps get a JWT token from Azure. The Nuxt app will fetch data from the Laravel API. How do I implement API auth validation? Every API has a User model, so the Azure AD response should be validated on the API side and assigned to a specific user.
Azure AD response
At present, you have registered an application representing the api in Azure AD, and have exposed the api for the api application. Next, you need to register another client application representing the Nuxt application, and then add the client application to the api application.
Next, go to the client application.
Under 'API permissions' click on 'Add permission', then click on the
'My APIs' tab.
Find your api application and select the appropriate scope.
Click 'Add permissions'.
Grant admin consent for your APIs.
Then, I use the auth code flow to get the user token.
1. Request an authorization code in the browser.
https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client app client id}
&response_type=code
&redirect_uri={redirect_uri}
&response_mode=query
&scope=api://{api app client id}/{scope name}
&state=12345
2. Redeem the token.
Parse the token:
Parse the token and you will see that the aud claim is the client id of your api application. At the same time, the token also contains user information.

Multi-Tenant Azure AD authentication with IdentityServer4

I've configured Identity Server 4 and using Azure AD Authentication. Everything works fine if I use a tenant specific Authority URL in identity server. With that, only a user from that tenant can login. I would like to allow multiple domains to login and would like to validate the issuer in the backend.
To support that I need to use common login endpoint for Azure AD and after I login I get the following error when it redirects to signin-aad endpoint of Identity Server. What configuration should I do so that I can validate the issuer manually?
SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: 'https://sts.windows.net/94b73406-72db-4abb-a142-adfdfdfdfdbc/'. Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: 'https://sts.windows.net/{tenantid}/'.
Microsoft.IdentityModel.Tokens.Validators.ValidateIssuer(string issuer, SecurityToken securityToken, TokenValidationParameters validationParameters)
If your domains can grow dynamically at runtime then set ValidateIssuer to false in the TokenValidationParameters. If you have a predetermined set of domains then add them all to ValidIssuers.

Set up Okta authentication for jupyterhub

I have set up an internal deployment of jupyterhub using the zero-to-jupyterhub guide. I'd like to have it authenticated via Okta, but I don't see okta listed on the authentication documentation page. Has anyone successfully gotten jupyterhub authenticating via Okta?

OKTA - SPA Verify JWT Token & Setup Authorization Server

I am working through a process of validating the JWT after OKTA login. I have a sample SPA site that handles user login and calling an API.
SPA SITE
User logs into OKTA
Obtains a JWT
Passes the JWT to a .NET Web API (hosted on my own server, not at OKTA).
WEB API: This accepts the JWT and needs to validate it.
Per OKTA I need to verify the JWT through an Authorization Server. I set up the Authorization Server but I cannot see where the two features (shown on the images) are located on the SPA API or the Auth Server. This includes a URL that is required that follows the format of xxxx.okta.com/AS/{key}
Is there something that has to be enabled that is not enabled in my OKTA Account? I think so but what is it? OKTA support states that everything is enabled and confirmed this is a good code sample (GitHub) to use.
The Image Below should appear after setting up the SPA App. I cannot find this feature under the SPA or under the Auth Server. It does not seem to exist anywhere on OKTA. This is why it seems something is not enabled on my Dev account, or this documentation is outdated?
SPA Code Sample (includes the images below from the PDF) https://github.com/oktadeveloper/okta-oauth-spa-authjs-osw
I see that under the Security menu item -> API.
Also, when I had my app OpenID Connect enabled, I used well-known endpoint:
GET /.well-known/openid-configuration to get "jwks_uri", I used this url to self-verify the JWT token at the API level.
OKTA confirmed the code sample and documentation is out of date. They have no ETA to any updated samples and could not provide any documentation to help. This was via a response on a support ticket. Well already then, time to look at Azure.
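The three threads above describe the same API-side check from different angles: the Azure AD answer says to parse the token and confirm the aud claim is your api application's client id, the IdentityServer4 answer deals with accepting tokens from more than one tenant issuer, and the Okta update verifies the JWT against the keys published at the jwks_uri from the OpenID discovery document. The following Go program is an added example, not code from any of these posts or from Azure AD, Okta or IdentityServer4. It generates a throwaway RSA key to stand in for the identity provider, publishes it as a JWKS document, mints a constructed RS256 token, and then verifies that token the way a resource API should: pin the algorithm, look the key up by kid, check the signature before trusting any claim, then check exp, aud and the issuer. For the multi-tenant case it goes beyond the quoted answer by keeping issuer validation on and checking the tenant id inside the issuer against an allowlist instead of setting ValidateIssuer to false. The issuer prefix is the Azure AD v1 form quoted in the error message above; the tenant ids, kid and audience values are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK is the subset of a JSON Web Key needed to rebuild an RSA public key
// from a jwks_uri document; JWKS is the document itself.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct{ Keys []JWK `json:"keys"` }

// Claims the API cares about. Names follow Azure AD v1 tokens; tid is the tenant.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Tid string `json:"tid"`
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// JWKSFromKey publishes the public half of a key the way an issuer's jwks_uri would.
func JWKSFromKey(kid string, pub *rsa.PublicKey) JWKS {
	e := big.NewInt(int64(pub.E)).Bytes()
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, N: b64url(pub.N.Bytes()), E: b64url(e)}}}
}

// SignRS256 mints a token. This is a constructed stand-in for the identity
// provider (Azure AD / Okta); a resource API never signs tokens itself.
func SignRS256(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// VerifyToken is the API-side check: alg pinned, key selected by kid from the
// JWKS, signature verified before any claim is read, then exp, aud and issuer.
// The issuer must be https://sts.windows.net/{tenant}/ with tenant in
// allowedTenants, which accepts several tenants without disabling validation.
func VerifyToken(token string, keys JWKS, expectedAud string, allowedTenants map[string]bool, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	hdrJSON, err := dec(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // never let the token pick "none" or an HMAC alg
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys.Keys {
		if k.Kty == "RSA" && k.Kid == hdr.Kid {
			nb, err1 := dec(k.N)
			eb, err2 := dec(k.E)
			if err1 != nil || err2 != nil {
				return nil, errors.New("bad JWK encoding")
			}
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no RSA key with kid %q in JWKS", hdr.Kid)
	}
	sig, err := dec(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	body, err := dec(parts[1]) // payload is only trustworthy after the signature check
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	if c.Aud != expectedAud { // aud must be this API's own client id
		return nil, fmt.Errorf("aud %q is not this API", c.Aud)
	}
	const prefix = "https://sts.windows.net/"
	if !strings.HasPrefix(c.Iss, prefix) || !strings.HasSuffix(c.Iss, "/") {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	tenant := strings.TrimSuffix(strings.TrimPrefix(c.Iss, prefix), "/")
	if !allowedTenants[tenant] || (c.Tid != "" && c.Tid != tenant) {
		return nil, fmt.Errorf("tenant %q not allowed", tenant)
	}
	return &c, nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	keys := JWKSFromKey("key-1", &priv.PublicKey) // what the API would fetch from jwks_uri
	allowed := map[string]bool{"tenant-a": true, "tenant-b": true}
	c := Claims{Iss: "https://sts.windows.net/tenant-a/", Aud: "api-app-client-id", Sub: "user-1", Tid: "tenant-a", Exp: time.Now().Add(time.Hour).Unix()}
	tok, _ := SignRS256(priv, "key-1", c)
	got, err := VerifyToken(tok, keys, "api-app-client-id", allowed, time.Now())
	fmt.Println("allowed tenant:", got, err)
	c.Iss, c.Tid = "https://sts.windows.net/tenant-z/", "tenant-z"
	tok, _ = SignRS256(priv, "key-1", c)
	_, err = VerifyToken(tok, keys, "api-app-client-id", allowed, time.Now())
	fmt.Println("foreign tenant:", err)
}
```

In a real deployment the JWKS document is fetched from the jwks_uri in the provider's /.well-known/openid-configuration and cached, with a refetch when an unknown kid shows up, since providers rotate signing keys; everything else in VerifyToken stays the same. The order matters: the signature is checked before the payload is decoded, so a tampered aud or tid never reaches the claim checks.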

Xamarin tutorial, Google OAuth authorization error

Following the Xamarin tutorial Authenticating Users with an Identity Provider, instead of the Google login page I'm getting
Error: redirect_uri_mismatch. The redirect URI in the request, http://blank.org, does not match the ones authorized for the OAuth client
In my Google Developers Console, API Manager, Credentials, Web Client 1, Authorized redirect URIs I have included "http://blank.org". Where have I gone wrong?
