TeamsFx Hello World Auth Service - microsoft-teams

I am running the Hello-World-Tab-With-Backend example from TeamsFx. As expected, when debugging it launches the front end and back end services, but I noticed that it's also launching an Auth service (see image below). Can someone help me understand what the Auth service is doing? Does this also need to be deployed when I deploy my app to production? The README does not provide any information on this.

Simple Auth (the Auth Service you mentioned) is a backend service that helps a Teams tab app access first- and third-party services from the client side. The TeamsFx SDK calls the Simple Auth Service to get an access token in tab apps. You can find the source code and README of Simple Auth here.
When debugging locally, the toolkit will launch a local session to host the Simple Auth Service.
When provisioning from Teams Toolkit, the toolkit will provision a Web App on Azure and deploy the source code, so you don't need to take care of the deployment yourself.

Related

Using two azure AD app registrations for mobile and web

I have a mobile app which gets a token directly from Azure login. And I have a service which is using adal4j in Spring Boot. I cannot use the mobile-generated token to authenticate to the Spring service, because I use two different Azure app registrations for the mobile and the web service. Is there a way to accomplish this?
My understanding is that you have created 2 Enterprise Applications in Azure.
1) An Enterprise Application for your mobile app (Type: Native)
2) An Enterprise Application for your Web API app (Type: WebAPI)
For native app, you will not need a client secret but you will need a client secret for the Web API app.
Now coming to the key configurations:
In both of these, please update the manifest file to have oauth2AllowImplicitFlow set to true
Also, in your Web API Enterprise Application, please have the app id of your native app in the known client apps
"knownClientApplications": ["
Now, when calling your Web API through an end-point from the Native application, pass your token in your request header as "Authorization": "Bearer "
Also note: if you need to retrieve group claims, please update the manifest in both your enterprise apps to have the following setting for this property
"groupMembershipClaims": "SecurityGroup"
Update:
Under permissions in the native app, please add the Web API app registration to allow access
Yes, the OAuth 2.0 on-behalf-of flow should apply to your scenario. These steps constitute the On-Behalf-Of flow.
Azure AD issues a token for a certain resource (which is mapped to an Azure AD app). When we call AcquireToken(), we need to provide a resource ID, only ONE resource ID. The result would have a token that can only be used for the supplied resource (ID). There are ways where you could use the same token, but it is not recommended as it complicates operations logging, authentication process tracing, etc. Therefore it is better to look at the other options provided by Azure and the ADAL library. The ADAL library supports acquiring multiple access tokens for multiple resources using a refresh token. This means once a user is authenticated, ADAL's authentication context would be able to generate an access token for multiple resources without authenticating the user again.
Further details here.
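The two checks the answers above rely on, shown as an added example that is not code from the thread: the Web API must refuse a bearer token whose audience is the mobile app's own app ID rather than the API's, and only after that check may it exchange the token with the On-Behalf-Of grant. The tenant ID, the two app IDs and the shared key are made up; to run offline the demo token is signed HS256 with that key, whereas a real Azure AD token is RS256 and must be verified against the tenant's JWKS keys. The OBO form fields are the documented v2.0 endpoint parameters.

```python
"""Added example: audience check before an On-Behalf-Of exchange.

All IDs and the signing key are hypothetical; see the lead-in.
"""
import base64
import hashlib
import hmac
import json
import time

TENANT_ID = "11111111-2222-3333-4444-555555555555"      # hypothetical tenant
MOBILE_APP_ID = "aaaaaaaa-0000-0000-0000-aaaaaaaaaaaa"  # hypothetical native app registration
WEBAPI_APP_ID = "bbbbbbbb-0000-0000-0000-bbbbbbbbbbbb"  # hypothetical Web API app registration
DEMO_KEY = b"demo-only-shared-key"                        # constructed; real tokens are RS256
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims, key=DEMO_KEY):
    """Constructed HS256 JWT standing in for an Azure AD access token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_bearer(authorization, expected_aud, key=DEMO_KEY, now=None):
    """Check scheme, signature, issuer, audience and expiry; raise ValueError on failure."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing Bearer token")
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    # The point of the thread: a token minted for the mobile app's own app ID is
    # not valid at the Web API, even though both registrations sit in one tenant.
    if claims.get("aud") != expected_aud:
        raise ValueError(f"token audience {claims.get('aud')!r} is not this API")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


def obo_request(user_token, client_secret, downstream_scope):
    """Build the On-Behalf-Of token request for the v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
    form = {
        "grant_type": OBO_GRANT,
        "client_id": WEBAPI_APP_ID,          # the API acts as the confidential client
        "client_secret": client_secret,
        "assertion": user_token,             # the validated incoming user token
        "scope": downstream_scope,
        "requested_token_use": "on_behalf_of",
    }
    return url, form


if __name__ == "__main__":
    good = make_demo_token({"iss": ISSUER, "aud": WEBAPI_APP_ID, "exp": 2000000000, "scp": "access_as_user"})
    print(validate_bearer("Bearer " + good, WEBAPI_APP_ID)["scp"])
    print(obo_request(good, "app-secret", "https://graph.microsoft.com/User.Read")[1]["grant_type"])
```

The OBO exchange only works when the mobile app has been granted the Web API's exposed scope (the "Update" step above) and, in the v1 manifest, is listed in knownClientApplications; without those the token endpoint rejects the assertion rather than the API.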

ASP.Net API with OAuth for Google : Access Denied

I have some issues with an ASP.NET API and Google authentication.
I work with VS 2017 and .NET FW 4.6.1.
In this app the login can be made by creating a new app user or using a social network authentication like a Google account.
So I created a Google project with credentials for a web application and referenced my dev env web site and my prod public web site.
In dev mode with localhost it works perfectly, but with my public domain name I get a
error=access_denied
The /signin-google?state=.... request, after choosing a Google account, takes 1 min and redirects to the home page with the access_denied error.
Do I need to regenerate the call to /api/account/externallogin with the published website? (I've already changed the redirectURI)
Is the Google project name important for access to the API?
Must the client ID be different between dev and prod?
I've followed this tutorial to implement the authentication in my web site for more details :
http://csharp-video-tutorials.blogspot.com/2016/12/aspnet-web-api-google-authentication.html?_sm_au_=iVVDF8LpPKL6W0sQ
Thanks

Is there an API to create sites in Azure App Service dynamically from a web app

My requirement is to develop an application that should
create static html files
create a new site (with the static html files in #1) in Azure App Service or Hosting server.
i.e. for #2, I need to automate the Publish activity that's done from Visual Studio to take it to the public server. So say on a button click, the app should use the required details like credentials, app service\hosting provider details... and create a new site there.
My Query
Is this possible?
If so please do share it with me or send me some pointers on it.
Else let me know how I can implement this.
You could create an Azure App Service using the REST API; see this link.
Also, you could deploy a web app to Azure App Service with a ZIP or WAR file. Please refer to this one.
You need to fill in the required details like credentials and App Service/hosting provider details manually to achieve the deploy-web-app function.
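The two calls the answer points at, as an added example that is not code from the answer: an ARM PUT on Microsoft.Web/sites creates the Web App, and a Kudu POST to /api/zipdeploy pushes the generated static files into it. The functions return the request descriptors rather than sending them, so the ZIP packaging and URLs can be checked offline; the script only sends when run directly with the hypothetical ARM_TOKEN, KUDU_USER and KUDU_PASS environment variables set. The subscription, resource group, plan ID and api-version value are assumptions.

```python
"""Added example: package static files and describe the create + zip-deploy requests.

Names, the api-version and the environment variables are assumptions; see the lead-in.
"""
import base64
import io
import json
import os
import urllib.request
import zipfile

ARM = "https://management.azure.com"
API_VERSION = "2022-03-01"  # assumption: a Microsoft.Web api-version; check the current one


def build_site_zip(files):
    """files: {relative path: text content}. Returns ZIP bytes ready for zipdeploy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in sorted(files.items()):
            clean = path.replace("\\", "/").lstrip("/")
            # Generated file names may come from user input: refuse traversal segments
            # so nothing lands outside wwwroot on the server.
            if not clean or ".." in clean.split("/"):
                raise ValueError(f"unsafe path: {path!r}")
            zf.writestr(clean, content)
    return buf.getvalue()


def arm_create_site(subscription, resource_group, site_name, location, plan_id, token):
    """PUT that creates (or updates) the Web App on an existing App Service plan."""
    url = (f"{ARM}/subscriptions/{subscription}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.Web/sites/{site_name}?api-version={API_VERSION}")
    body = {"location": location,
            "properties": {"serverFarmId": plan_id, "httpsOnly": True}}
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return "PUT", url, headers, json.dumps(body).encode()


def kudu_zipdeploy(site_name, zip_bytes, user, password):
    """POST the ZIP to the site's Kudu endpoint using its deployment credentials."""
    url = f"https://{site_name}.scm.azurewebsites.net/api/zipdeploy"
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {cred}", "Content-Type": "application/zip"}
    return "POST", url, headers, zip_bytes


def send(method, url, headers, body):
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=120) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed content standing in for the generated static site.
    site_zip = build_site_zip({"index.html": "<h1>hello</h1>", "css/site.css": "h1{color:red}"})
    name = "demo-static-site-12345"  # hypothetical
    if os.environ.get("ARM_TOKEN"):
        plan = ("/subscriptions/<sub>/resourceGroups/<rg>/providers"
                "/Microsoft.Web/serverfarms/<plan>")  # hypothetical plan resource ID
        print(send(*arm_create_site("<sub>", "<rg>", name, "westeurope", plan, os.environ["ARM_TOKEN"])))
        print(send(*kudu_zipdeploy(name, site_zip, os.environ["KUDU_USER"], os.environ["KUDU_PASS"])))
    else:
        print(f"built {len(site_zip)}-byte zip; set ARM_TOKEN/KUDU_USER/KUDU_PASS to deploy")
```

The ARM bearer token should come from a service principal holding only the Website Contributor role on the target resource group, and the Kudu deployment credentials belong on the server side of the button-click handler, never in the browser.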

Okta sign-in widget with PHP does not work

I was trying to setup OAuth workflow using the sample application as given here
However, for some reason, after I enter my Okta user ID and password, I never get control back on my callback URL and the application just hangs indefinitely.
However, the normal JavaScript Sign-in widget (check this link) with the minimal authentication does work and I get control back to the redirect URL. But this is not for an OAuth2 workflow... which is completely useless for me. Because all it does is provide an authentication service using the Okta tenant app and it will redirect you to your App URL. This does not provide any authorization grant workflow or other OAuth2 complex workflow. May be useful for some applications but not for an enterprise app where you want to retrieve user profiles, and create a login session based on user profile data retrieved from OKTA.
So my question is why is the OAuth workflow not working using the PHP application that uses the JS sign-in widget? And why are there no instructions or warnings on this page for this costly service (this is not free and many orgs are probably paying for this)?
I spent almost a day trying to set up my Authorization server as per the instructions given on this link, but nothing works. Any idea what must be going wrong?
Does this entire example work only after contacting OKTA support to enable the Authorization server feature? Because I also saw a documentation here that says that this is an Early Access (EA) feature (and it is probably recently added in OKTA? Extremely frustrating experience).
BTW I sent an email to their customer support to enable this Authorization server feature just in case I am missing something. If this does not work then I will have to create my own OAuth2 server using the Laravel 5.4 PHP framework, which is probably the quickest solution and 100% free.
I also tried to test the Authorization server setup as per the instructions provided here.
I was successful in getting the following end point working:
/oauth2/:authorizationServerId/.well-known/openid-configuration
But I am unable to get any scope and claims using api end-point:
/api/v1/authorizationServers/:authorizationServerId/scopes
So in short, I am so far unable to test my Authorization server to get my authorization grant workflow working.
Where can I look for some troubleshooting advice?
Is there another way to check whether I have configured my OKTA Authorization server properly?
I found out that the JS script provided for the PHP sample is not right for the workflow I am working on. So after changing that JS Script, things started to work.
Edit: Also please note that setting up an Authorization server is a new feature (it is an Early Access feature) in OKTA. It is not enabled by default. So you need to contact the OKTA support team to enable the Authorization service endpoint and the functionality provided by it.

Making an OAuth connection from a Windows application to a Google App Engine application

We have a Windows 7 Task Tray application that needs to access services in our Google App Engine application, and we are having difficulty making the OAuth connection between them work. For some reason our OAuth libraries that work with the Twitter and Tumblr OAuth implementations do not seem to work in this scenario with Google. Google is returning a 400 bad request response to the last step in the OAuth authorization sequence.
To debug the problem I am trying to use Google's OAuth 1.0 Playground page (http://googlecodesamples.com/oauth_playground/index.php). But I can't figure out what should be entered for the "scope" in step 1. If I enter the name of our GAE server the sequence will fail with the error message "Invalid scope". Clearly, choosing one of the provided scopes (the Google API services) is not an option for us.
Can anybody tell me how the OAuth scope designation should be set when accessing Google App Engine hosted services?
Just for reference, look at this blog; it looks helpful in your case:
http://ikaisays.com/2011/05/26/setting-up-an-oauth-provider-on-google-app-engine/
I think this official Google doc explains best how to set up an endpoint to your own App Engine application. Your question isn't very specific, but take note of the following, which is written in this document:
The scope of an authorization, how much the consumer is allowed to access, is for all of a single app. App Engine only supports whole-app scopes, and does not support more granular scope requests. When Google Accounts prompts the user to authorize a consumer, the prompt explains that the consumer is requesting permission to access the full app.
And did you set up OAuth on your domain?
The consumer performs OAuth actions using a set of standard web service endpoints. These endpoints use reserved paths on your app's domain. For example, if your app uses a Google Apps domain of www.example.com, the endpoints for the OAuth protocol begin as follows:
https://www.example.com/_ah/OAuth...
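The "400 bad request" on the last step of the dance is what an OAuth 1.0 provider returns when the signature does not verify, so it is worth checking the consumer's signing against a known-good vector before touching App Engine. The block below is an added example, not code from the thread or from Google: it implements OAuth 1.0a HMAC-SHA1 signing as RFC 5849 specifies (signature base string, normalized parameters, key built from both secrets, Authorization header). The consumer key, token, secrets and parameters are the RFC's own worked example, so the base string can be compared against the RFC text; the request URL is the RFC's placeholder, not an App Engine /_ah/ endpoint.

```python
"""Added example: RFC 5849 HMAC-SHA1 request signing and verification.

Inputs in the usage section are the RFC 5849 section 3.4.1.1 example values.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def pct(value):
    """RFC 3986 percent-encoding with only unreserved characters left bare."""
    return quote(str(value), safe="")


def base_string_uri(url):
    """Scheme and host lowercased, default ports dropped, query and fragment removed."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), p.hostname.lower(), p.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{p.path or '/'}"


def signature_base_string(method, url, params):
    """params: (name, value) pairs, percent-decoded, from query, body and header,
    excluding realm and oauth_signature. Sorted by encoded name, then encoded value."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    # The key is both secrets encoded and joined with '&'; the '&' stays even when
    # there is no token secret yet (request-token step), a common source of 400s.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify(method, url, params, signature, consumer_secret, token_secret=""):
    """Provider-side check: recompute and compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), signature.encode())


def authorization_header(oauth_params, signature, realm=None):
    parts = [f'realm="{realm}"'] if realm else []
    parts += [f'{pct(k)}="{pct(v)}"' for k, v in oauth_params]
    parts.append(f'oauth_signature="{pct(signature)}"')
    return "OAuth " + ", ".join(parts)


# RFC 5849 example request: POST http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b
# with body c2&a3=2+q and the oauth_* protocol parameters below.
RFC_OAUTH = [("oauth_consumer_key", "9djdj82h48djs9d2"), ("oauth_token", "kkk9d7dh3k39sjv7"),
             ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "137131201"),
             ("oauth_nonce", "7d8f3e4a")]
RFC_REQUEST = [("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"), ("c2", ""), ("a3", "2 q")]
RFC_URL = "http://example.com/request"

if __name__ == "__main__":
    sig = sign("POST", RFC_URL, RFC_REQUEST + RFC_OAUTH, "j49sk3j29djd", "dh893hdasih9")
    print(signature_base_string("POST", RFC_URL, RFC_REQUEST + RFC_OAUTH))
    print(authorization_header(RFC_OAUTH, sig, realm="Example"))
```

When signing a request to your own App Engine app, the scope the answer describes is the whole app, so there is nothing scope-specific to sign; what the consumer still has to get right is every parameter from query, body and header in the base string, the port handling, and the trailing "&" on the key at the request-token step.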
