I'm trying to setup client credential flow with a Spring app access a web api (both owned by myself). I've attempted to follow the Azure documentation Microsoft identity platform and the OAuth 2.0 client credentials flow and Quickstart: Configure a client application to access a web API but I'm running into a few problems because the documentation is not clear. Somewhere in my setup, Azure is forcing the user to sign-in, and then other error messages sprout from there. As we know, however, client credential should be machine to machine authorization so I'm not sure why this sign-in flow is happening.
Below is my setup. Any feedback would be helpful getting me up running.
Environment
OS: Ubuntu 20.10
IDE: Visual Studio Code
Library/Libraries:
com.azure.spring:azure-spring-boot-starter-active-directory:3.5.0
org.springframework.boot:spring-boot-starter-oauth2-client
application.yml
azure:
activedirectory:
tenant-id: {my-web-app-tenant-id}
client-id: {my-web-app-client-id}
client-secret: {my-web-app-client-secret}
authorization-clients:
web-api:
scopes:
- api://example-api/Employees.Read.All
- api://example-api/Employees.Write.All
Azure Configuration
You should currently be performing server-to-server interaction, that is, no user involvement. So your server application needs to create an appRole, and then grant the app Role as an application permission to the client application.
First, you need to expose the api of the server application protected by Azure, which can be configured according to the following process:
Azure portal>App registrations>Expose an API>Add a scope>Add a client application
Then you need to create the appRole of the server application, and then grant that role as an application permission to the client application.
Next, go to client application>API permissions>Add a permission>My APIs>your api application.
Finally, you need to obtain an access token using the client credential flow where no user is logged in:
Parse the token:
#BillyBolton.
There are several types of your application when using azure-spring-boot-starter-active-directory:
When your application is web application, sign-in flow will appear.
When your application is resource server, no sign-in flow will appear.
Related docs:
https://github.com/Azure/azure-sdk-for-java/tree/azure-spring-boot-starter-active-directory_3.6.0/sdk/spring/azure-spring-boot-starter-active-directory#accessing-a-web-application
https://github.com/Azure/azure-sdk-for-java/tree/azure-spring-boot-starter-active-directory_3.6.0/sdk/spring/azure-spring-boot-starter-active-directory#web-application-accessing-resource-servers
Related samples:
https://github.com/Azure-Samples/azure-spring-boot-samples/tree/azure-spring-boot_3.6/aad
Related
We have a multi-tenant application in Microsoft Azure.
This app is for performing SSO on our platform using SAML.
When we try to login with a user from our tenant, everything works correctly, the certificate that arrive from the request is correct.
But when we try to login with another tenant, the request give us another certificate that is not the one we have configured in our Azure application.
Why when we try to login from another tenant, even though they have authorized us to use our application, does it not return the certificate that we have configured in our application and returns another?
We have placed on our platform the certificate that we have configured in our Microsoft Azure application.
We expect that when we log in with a user from another tenant, the certificate that we have configured in the Azure application will be returned in the response, so that it is the same as the one we we have on our platform.
When I want to use Google's Gmail API within my web application in order to receive and send emails, then must this web application be deployed in the Google Cloud as a precondition and any on-premise hosting will fail? Is this the price one must pay to use it?
Your application's code can be hosted anywhere you want. However, you do need to create a Google Cloud account to create a project, enable the APIs and get the application credentials:
Cloud APIs use application credentials for identifying the calling applications. Credential types include API keys, OAuth 2.0 clients, and service accounts. You can use Google Cloud console to create, retrieve, and manage your application credentials. For more information about application credentials, see Authentication Overview.
Once you have your project's credentials you can just create the code within your current app and use the credentials wherever they are needed. You can refer to one of Google's quickstarts for that.
Sources:
Getting started with Google Cloud APIs
Developing on Google Workspace
Gmail API Overview
I have created a tenant and application to be able to authenticate users via Azure B2C. I have a front-end application in React which uses Msal.js with authorization grant to obtain the access token, which is then used to make requests to a webserver which acts as a resource-server (connected to Azure b2c as well). I have used this answer to make it work -> How to secure Spring Boot REST API with Azure AD B2C?
Apart from that I have few daemon applications which need to connect to the backend as well. They should use client_crendentials grant_type to connect to the backend server (which is a resource-server).
However, the token that is obtain by the daemon app, cannot be used with the backend server (resource server) for some reason. Is there something that I do wrong ? Do you have samples for this scenario ? I've already spent days looking over all the documentation to find where is the problem.
Let's assume we can not get password of the current user, only username and domain if necessary. Is it possible to get a session token or something similar to authenticate with remote service using LDAP authentication?
UPDATE
I am writing a c# app that would get info from a web service written in Python.
Remote web service uses python LDAP module to manage LDAP users and authentication. I'd like to use logged in windows user identity info to log into remote service. I can modify the authentication logic in remote web service if "token based" or similar authentication is possible.
You didn't say what type of application you're using, but the only way to do this is with Windows Authentication. For a web application, the web server (IIS, Apache, etc) would handle the authentication and give you the name of the authenticated user.
In ASP.NET, the implementation also depends on if you're using the .NET Framework or .NET Core.
To give you any more information, you will need to specify what type of application you're working on and on which OS.
Recently I read this article:
http://aws.amazon.com/articles/SDKs/Android/4611615499399490
Now my question is...
Can the Amazon STS (Security Token Service) used as a Token Vending Machine to manage user sessions for a clients of a Web Server (As opposed to Clients of AWS Services)?
Assume I have a Web Application. And this Web Application has Registered Users who are Authenticated with Login Credentials. Now I wish to issue a Session Token to these Users who are Authenticated.
1. User -> Web App -> User Login Page
2. User gives Credentials -> Web App -> Issues a Session Token (with expiry policy)
3. User the Session token -> Web App Resources (Non-AWS Resources proxy-ed by the Web App)
Can I use the Amazons Simple Token Service independently for the above Usecase? Or is Amazon STS only available for access to Amazon Services only?
The reason I wish to use Amazon STS is because they are :
- I don't have to worry about Session Token management
- Proven and Scalable
Please help. I am a little confused about this.
STS will provide temporary credentials (access key, secret key and token) for AWS Services only and should not be used for application authentication (or session management). But you could store those credentials in your session for AWS API access from your app.