Nuxt + Azure AD + Laravel API - laravel

I found Nuxt Azure AD authentication, which helps get a JWT token from Azure. The Nuxt app will fetch data from the Laravel API. How do I implement API auth validation? Every API has a User model, so the Azure AD response should be validated on the API side and assigned to a specific user.
(Screenshot: Azure AD response)

At present, you have registered an application representing the api in Azure AD, and have exposed the api for the api application. Next, you need to register another client application representing the Nuxt application, and then add the client application to api application.
Next, go to the client application.
Under 'API permissions' click on 'Add permission', then click on the 'My APIs' tab.
Find your api application and select the appropriate scope.
Click 'Add permissions'.
Grant admin consent for your APIs.
Then, I use the auth code flow to get the user token.
1. Request an authorization code in the browser.
https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client app client id}
&response_type=code
&redirect_uri={redirect_uri}
&response_mode=query
&scope=api://{api app client id}/{scope name}
&state=12345
2. Redeem the token.
Parse the token:
Parse the token and you will see that the aud claim is the client id of your api application. At the same time, the token also contains user information.

Related

How to get user details (email and name) using Azure AD auth token?

We have a web app that has authentication on the front end (React JS) using Microsoft OAuth, but no authentication on the back-end side (Spring Boot), meaning everybody can access the APIs. We want to secure the APIs using the "Access token" generated by the UI (front end). The idea is that the UI passes the token to the back end in every API call. Since each API call would contain the token, the back end will use this to validate which user this token belongs to. Is there a way to achieve this using MSAL?
Tl;dr: How do I obtain user details (email and user name) from a Microsoft OAuth generated token using MSAL?
I did try going through this: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-overview but to no avail.

Authenticate that a user has logged in with MSAL/Azure AD and serve them a token for my separate API?

I have an API written in Go that, at the moment, serves an authorization token based on a username and password (without MSAL).
I am trying to implement MSAL logins with Microsoft accounts. I have set up my Angular front end to log a user in to an Azure AD app registration. Would it be possible to authenticate that they have successfully logged in to Azure AD, and serve them one of my tokens (unrelated to MSAL) from my Go API?
The username that they use to log in with MSAL also exists in my backend; the flow would be something like this:
User logs in with MSAL -> my frontend makes a request to the Go backend with the username -> Go backend verifies that this username has logged in with MSAL -> backend serves a token for this user
It appears Go integration with MSAL is limited, so I'm not sure how possible this is.
Thanks.
What you can do is acquire an access token for your API in the front-end from Azure AD. For this you will either register the API in Azure AD or use the same app registration. Either way, you should add a scope in the Expose an API page in the registration. Your front-end can then use that scope's id to get the needed token.
Your API can then have an endpoint that validates the access token, and issues the local token. The access token will contain the user's username for example, if you want to map to that. A more robust way would be to map to the user's object id (also in the token) since it is immutable, unlike the user email.
For token validation, you should be able to use a generic JWT validation library. Also remember to check for that scope in the token that you defined to properly authorize the request.
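The accepted answer to the Laravel question above and this answer describe the same server-side check: verify the access token's signature against the tenant's published keys, confirm it was issued for your API (aud and iss), confirm the scope you exposed is present, and only then map the caller to a local user by the immutable object id. The following Laravel middleware is an added example that is not code from either answer, the questioners, or any library; it assumes the composer package firebase/php-jwt (v6.1+), a User model with an `azure_oid` column, the config keys `services.azure.tenant_id` and `services.azure.api_client_id`, and a middleware alias `azure`, all of which are names chosen for this example.

```php
<?php
// Added example (not from the thread): Laravel middleware that validates an
// Azure AD v2.0 access token issued for the API app registration, checks the
// delegated scope, and resolves the calling user by the immutable `oid` claim.
// Assumed: firebase/php-jwt v6.1+, a User model with an `azure_oid` column,
// config keys services.azure.tenant_id / services.azure.api_client_id.

namespace App\Http\Middleware;

use App\Models\User;
use Closure;
use Firebase\JWT\JWK;
use Firebase\JWT\JWT;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Http;

class ValidateAzureAdToken
{
    public function handle(Request $request, Closure $next, string $requiredScope = 'access_as_user')
    {
        $jwt = $request->bearerToken();
        if ($jwt === null) {
            return response()->json(['error' => 'missing bearer token'], 401);
        }

        $tenant   = config('services.azure.tenant_id');      // assumed config key
        $audience = config('services.azure.api_client_id');  // client id of the *API* app registration
        $issuer   = "https://login.microsoftonline.com/{$tenant}/v2.0";

        try {
            // Azure AD publishes its signing keys per tenant; cache them for an hour.
            $jwks = Cache::remember('azure_ad_jwks', 3600, function () use ($tenant) {
                return Http::get("https://login.microsoftonline.com/{$tenant}/discovery/v2.0/keys")
                    ->throw()
                    ->json();
            });

            // parseKeySet() indexes the keys by `kid`; Azure's JWKS entries carry no
            // `alg`, so RS256 is supplied as the default. decode() verifies the
            // signature and rejects expired or not-yet-valid tokens.
            $claims = JWT::decode($jwt, JWK::parseKeySet($jwks, 'RS256'));
        } catch (\Throwable $e) {
            return response()->json(['error' => 'invalid token'], 401);
        }

        // A valid signature is not enough: the token must be meant for this API
        // (aud) and come from this tenant (iss). Tokens issued under the v1.0
        // endpoint use `api://<client id>` as aud and a different issuer, so pin
        // the app registration to v2.0 tokens (accessTokenAcceptedVersion = 2).
        if (($claims->aud ?? null) !== $audience || ($claims->iss ?? null) !== $issuer) {
            return response()->json(['error' => 'token not issued for this API'], 401);
        }

        // Delegated tokens list the granted scopes space-separated in `scp`.
        // (App-only tokens carry `roles` instead; this middleware rejects them.)
        $scopes = explode(' ', (string) ($claims->scp ?? ''));
        if (!in_array($requiredScope, $scopes, true)) {
            return response()->json(['error' => 'insufficient scope'], 403);
        }

        // Map to the local user by object id, which never changes; email/UPN can.
        $user = User::where('azure_oid', (string) ($claims->oid ?? ''))->first();
        if ($user === null) {
            return response()->json(['error' => 'no local user for this identity'], 403);
        }

        Auth::setUser($user);
        return $next($request);
    }
}

// routes/api.php (assumes the alias 'azure' is registered for this middleware):
//
// Route::middleware('azure:access_as_user')->group(function () {
//     Route::get('/me', fn (Request $r) => $r->user());
//     // Optional exchange endpoint in the spirit of the Go-API answer: once the
//     // Azure token has been validated, issue the API's own token (Laravel
//     // Sanctum; requires the HasApiTokens trait on User).
//     Route::post('/token', fn (Request $r) =>
//         ['token' => $r->user()->createToken('spa')->plainTextToken]);
// });
```

The order of checks matters: signature first (so nothing in the payload is trusted before it is authenticated), then audience and issuer (a valid token for a different API or tenant must still be rejected), then scope, then the user lookup. Mapping on `oid` rather than `preferred_username` or `email` avoids silently re-binding a local account when a user's UPN is renamed.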

SignIn / SignUp with Google auth code via REST

I am working on the backend for our two applications, which require sign-in and sign-up with a Google account via REST: a SPA app in Vue and an Angular app.
I am thinking about this flow:
The user from the SPA or mobile application will log in to the Google auth server with their credentials
The app receives an auth code from Google
The app requests sign-in / sign-up with this code from our auth service
The auth service fetches information about the user from Google by this token, and generates a JWT token for our SPA / mobile app, which is returned back
Can you tell me if the Spring Social module provides some endpoints to handle and generate these tokens via REST, or must I implement it myself? Thank you.

Validate token which sent by front end

I have a front end (https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa) with Azure AD B2C. After user login, Azure AD returns a token for the SPA. I call a Spring Boot API with this access token.
How can my Spring Boot app validate the access token and get user information from Azure AD B2C with this token?
Thanks!
This sample can meet your requirements.
It uses Azure Active Directory B2C to authenticate users into a single page application (SPA), returns the access token and id token, and then uses the access token to call the Spring Boot application. The backend verifies the access token and returns user information.

web api returning HTTP 401 – Unauthorized when using a Bearer Token from Xamarin or UWP client - Azure Active Directory

I have an issue with a web API returning HTTP 401 – Unauthorized when I use a Bearer Token to access it from a Xamarin client. Either the iOS or the UWP client fails.
-This is an application that authenticates with Azure Active Directory to allow a user to log in
-Once successfully logged in, it gets a token that in turn is added to the web API request header
-The web API has its authentication turned on
The issue with the Azure settings: https://1drv.ms/v/s!ApPhjsvemKJggpR2ax5w4wRJcY7uXQ
The code: https://github.com/wleon12/XamarinForms-AAD-WebAPI.git
I can't seem to figure out what is wrong; I'd appreciate any input or guidance.
It depends on how you protect the web API.
Normally, when we protect the web API using Azure AD, we provide the Audience and Tenant, as in this code sample. So when we send the request with the token, the web API will verify the signature of the token and the values we configured.
So for the 401 issue, please check the token you acquired against the values you configured for the web API project. To check the Audience, Tenant and other values in the token, you can decode it on this site.