Validate token sent by the front end - spring-boot

I have a front end (https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa) with Azure AD B2C. After the user logs in, Azure AD returns a token to the SPA. I call a Spring Boot API with this access token.
How can my Spring Boot app validate the access token and get user information from Azure AD B2C with this token?
Thanks!

This sample can meet your requirements.
It uses Azure Active Directory B2C to authenticate users into a single page application (SPA), returns the access token and ID token, and then uses the access token to call the Spring Boot application. The backend verifies the access token and returns user information.

Related

Authenticate that a user has logged in with MSAL/Azure AD and serve them a token for my separate API?

I have an API written in Go that, at the moment, serves an authorization token based on a username and password (without MSAL).
I am trying to implement MSAL logins with Microsoft accounts. I have set up my Angular frontend to log a user in to an Azure AD app registration. Would it be possible to authenticate that they have successfully logged in to Azure AD, and serve them one of my tokens (unrelated to MSAL) from my Go API?
The username that they use to log in with MSAL also exists in my backend; the flow would be something like this:
User logs in with MSAL -> my frontend makes a request to golang backend with username -> golang verifies that this username has logged in with MSAL -> backend serves a token for this user
It appears Go integration with MSAL is limited, so I'm not sure how possible this is.
Thanks.
What you can do is acquire an access token for your API in the front end from Azure AD. For this you will either register the API in Azure AD or use the same app registration. Either way, you should add a scope on the Expose an API page in the registration. Your front end can then use that scope's ID to get the needed token.
Your API can then have an endpoint that validates the access token and issues the local token. The access token will contain the user's username, for example, if you want to map to that. A more robust way would be to map to the user's object ID (also in the token), since it is immutable, unlike the user email.
For token validation, you should be able to use a generic JWT validation library. Also remember to check for the scope you defined in the token to properly authorize the request.
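Both the Spring Boot question at the top of this page and this answer come down to the same resource-server check, which the answer says a generic JWT library can do. The following is an added example, not code from either asker's project or from Microsoft, written in Go (the language of this question's API). It shows what that check has to cover: a pinned algorithm, the RS256 signature against the key whose kid the token names, then iss, aud, exp and the scope defined on the Expose an API page. The tenant URL, client IDs, key ID and the RSA key are constructed for the example; the JWKS is assumed to have been fetched from the tenant's jwks_uri and parsed already, and a stand-in signer plays the identity provider so the code runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// JWKS maps key id ("kid") to the tenant's RSA public key; assumed already fetched from jwks_uri and parsed.
type JWKS map[string]*rsa.PublicKey

// Claims holds what the API checks; "aud" is a single string, as Azure AD issues it.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Oid string `json:"oid"` // immutable user object id: map local users on this, not on email
	Scp string `json:"scp"` // space-separated delegated scopes
	Exp int64  `json:"exp"`
}

// VerifyToken is the resource-server check: pin the algorithm, verify the RS256 signature with the tenant's key, then check iss, aud, exp and the required scope.
func VerifyToken(raw string, jwks JWKS, issuer, audience, scope string, now time.Time) (*Claims, error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdr, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	body, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("token segments are not base64url")
	}
	var header map[string]string // alg, kid, typ and x5t are all strings in Azure AD headers
	if err := json.Unmarshal(hdr, &header); err != nil || header["alg"] != "RS256" {
		return nil, fmt.Errorf("rejected alg %q: only RS256 is accepted", header["alg"])
	}
	pub, known := jwks[header["kid"]]
	if !known {
		return nil, errors.New("no tenant key matches the token's kid")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil || c.Iss != issuer || c.Aud != audience {
		return nil, fmt.Errorf("token with iss=%q aud=%q was not issued for this API", c.Iss, c.Aud)
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	if !strings.Contains(" "+c.Scp+" ", " "+scope+" ") {
		return nil, fmt.Errorf("token lacks required scope %q", scope)
	}
	return &c, nil
}

// signDemoToken plays the identity provider for the demo (constructed, not Azure's code).
func signDemoToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	p, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(h) + "." + base64.RawURLEncoding.EncodeToString(p)
	d := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// RunScenarios issues one valid token from a demo tenant and checks that the verifier accepts it and rejects the usual failure cases (all values constructed).
func RunScenarios() map[string]bool {
	const issuer, apiID, scope = "https://demo-tenant.invalid/v2.0", "api-app-client-id-placeholder", "access_as_user"
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwks := JWKS{"demo-kid": &priv.PublicKey}
	now := time.Now()
	good := Claims{Iss: issuer, Aud: apiID, Oid: "user-object-id", Scp: scope, Exp: now.Add(time.Hour).Unix()}
	tok := signDemoToken(priv, "demo-kid", good)
	parts := strings.Split(tok, ".")
	good.Scp += " admin" // edit the payload but keep the original signature
	p, _ := json.Marshal(good)
	tampered := parts[0] + "." + base64.RawURLEncoding.EncodeToString(p) + "." + parts[2]
	unsigned := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","kid":"demo-kid"}`)) + "." + parts[1] + "."
	ok := func(t, aud, sc string, at time.Time) bool { _, err := VerifyToken(t, jwks, issuer, aud, sc, at); return err == nil }
	return map[string]bool{
		"valid token accepted":      ok(tok, apiID, scope, now),
		"wrong audience rejected":   !ok(tok, "another-api-client-id", scope, now),
		"missing scope rejected":    !ok(tok, apiID, "admin", now),
		"expired token rejected":    !ok(tok, apiID, scope, now.Add(2*time.Hour)),
		"tampered payload rejected": !ok(tampered, apiID, "admin", now),
		"alg=none token rejected":   !ok(unsigned, apiID, scope, now),
	}
}

func main() { fmt.Println(RunScenarios()) }
```

The scenario map records that a token whose payload was edited after signing and a token whose header says alg=none are both rejected, which is why the algorithm is pinned before any key lookup. The claims returned on success expose oid rather than the email for mapping to a local user, as the answer recommends.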

Nuxt + Azure AD + Laravel API

I found Nuxt Azure AD authentication, which helps get a JWT token from Azure. The Nuxt app will fetch data from a Laravel API. How do I implement API auth validation? Every API has a User model, so the Azure AD response should be validated on the API side and assigned to a specific user.
Azure AD response
At present, you have registered an application representing the API in Azure AD and have exposed the API for the API application. Next, you need to register another client application representing the Nuxt application, and then add the client application to the API application.
Next, go to the client application.
Under 'API permissions' click on 'Add permission', then click on the 'My APIs' tab.
Find your API application and select the appropriate scope.
Click 'Add permissions'.
Grant admin consent for your APIs.
Then, I use the auth code flow to get the user token.
1. Request an authorization code in the browser.
https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client app client id}
&response_type=code
&redirect_uri={redirect_uri}
&response_mode=query
&scope=api://{api app client id}/{scope name}
&state=12345
2. Redeem token.
Parse the token:
Parse the token and you will see that the aud claim is the client ID of your API application. At the same time, the token also contains user information.
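As an added example, not taken from the answer above or from the Nuxt or Laravel projects, the Go code below builds the same step-1 request and handles the redirect back to the client. Two things differ from the URL shown in the answer and are assumptions of this example: state is random and checked on the callback rather than the fixed 12345, and a PKCE S256 code_challenge is added so a public client such as the Nuxt app can redeem the code without a client secret (Azure AD v2.0 supports PKCE). The tenant ID, client IDs and redirect URI are placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// AuthRequest is what the client keeps between redirecting the user to Azure AD and
// handling the callback: the state that binds the callback to this session, the PKCE
// verifier, and the parameters that must be repeated when the code is redeemed.
type AuthRequest struct {
	AuthorizeURL string
	State        string
	CodeVerifier string
	clientID     string
	redirectURI  string
	scope        string
}

func randomURLSafe(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// NewAuthRequest builds step 1 of the answer's flow. Differences from the URL shown there:
// state is random rather than the fixed "12345", and a PKCE S256 challenge is added so a
// public client (the Nuxt app) can redeem the code without a client secret.
func NewAuthRequest(tenant, clientID, redirectURI, apiClientID, scopeName string) (*AuthRequest, error) {
	state, err := randomURLSafe(24)
	if err != nil {
		return nil, err
	}
	verifier, err := randomURLSafe(32) // 43 characters, within the 43..128 RFC 7636 allows
	if err != nil {
		return nil, err
	}
	challenge := sha256.Sum256([]byte(verifier))
	r := &AuthRequest{State: state, CodeVerifier: verifier, clientID: clientID, redirectURI: redirectURI,
		scope: fmt.Sprintf("api://%s/%s", apiClientID, scopeName)}
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("response_type", "code")
	q.Set("redirect_uri", redirectURI)
	q.Set("response_mode", "query")
	q.Set("scope", r.scope)
	q.Set("state", state)
	q.Set("code_challenge", base64.RawURLEncoding.EncodeToString(challenge[:]))
	q.Set("code_challenge_method", "S256")
	r.AuthorizeURL = "https://login.microsoftonline.com/" + url.PathEscape(tenant) + "/oauth2/v2.0/authorize?" + q.Encode()
	return r, nil
}

// HandleCallback checks the redirect back to the client. A callback whose state does not
// match the one this session issued is dropped, which is what defeats login CSRF.
func (r *AuthRequest) HandleCallback(rawQuery string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	if q.Get("error") != "" {
		return "", fmt.Errorf("authorization failed: %s: %s", q.Get("error"), q.Get("error_description"))
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(r.State)) != 1 {
		return "", errors.New("state mismatch: callback was not initiated by this session")
	}
	if q.Get("code") == "" {
		return "", errors.New("callback carries no authorization code")
	}
	return q.Get("code"), nil
}

// RedeemForm is the body for step 2 ("Redeem token"): POST it as
// application/x-www-form-urlencoded to /oauth2/v2.0/token of the same tenant.
func (r *AuthRequest) RedeemForm(code string) url.Values {
	return url.Values{
		"grant_type":    {"authorization_code"},
		"client_id":     {r.clientID},
		"code":          {code},
		"redirect_uri":  {r.redirectURI},
		"scope":         {r.scope},
		"code_verifier": {r.CodeVerifier},
	}
}

func main() {
	r, err := NewAuthRequest("tenant-id-placeholder", "client-app-id-placeholder", "http://localhost:3000/callback", "api-app-id-placeholder", "access_as_user")
	if err != nil {
		panic(err)
	}
	fmt.Println(r.AuthorizeURL)
}
```

The access token that comes back from the redemption carries the aud and user claims the answer describes; the Laravel API still has to validate that token's signature, issuer, audience and expiry before trusting them, since the parse step shown above only reads the claims.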

Use Access Token for Graph API in AAD B2C

Can we use the access token that the app receives after successful authentication to invoke Graph APIs for /me?
I tried to use the access token that I received in Postman for /me but got an invalid token error. If I explicitly generate the token in Postman, I am able to use it for /me.
What am I doing wrong here?!
I tested it. The access token you get after successful authentication of the app you use should be a B2C token, and a B2C token cannot be used to request a Graph endpoint. See the reference from Azure AD B2C auth code flow.
You can successfully request the /me endpoint with the explicitly generated access token in Postman because you are using an access token from the Azure AD auth code flow.

Web API, authenticate using Azure AD

We have an Angular SPA and a Web API which is hosted in IIS on a standalone server.
Our Web API uses user ID and password OAuth token authentication.
One of our clients wants to use their Azure AD instead of our application's user ID and password.
How do we pass their AD token in our /token API call? Is there any easy way to implement this?
We can do this in two ways.
Approach 1: using ADAL.js in the SPA
For SSO clients
Get an AD token using ADAL, then pass it to /token with a custom grant_type, decrypt the AD token and generate your own token.
Approach 2: using the SAML approach
For SSO clients
Get the SAML response and pass it to /token with a custom grant_type, decrypt the SAML token with the certificate you received from AD SSO, then generate your own token.

Custom Manual Oauth2 Authentication at RESTful Service

I am developing some RESTful services for our mobile app using Spring Boot. I successfully implemented OAuth2 authentication with our registration using username and password. Users can authenticate by using username and password. Also, our client wants to be authenticated with their custom token. They have a web service to which you send the token, and the response is true or false.
My first thought was that I could write a service like /custom-login that accepts the custom token. In my service I can check this token with the external service and, if it is valid, call OAuth2 authentication and return the OAuth2 authentication response.
How can I implement custom OAuth2 authentication?
The OAuth 2.0 spec allows for custom grant types,
so your auth server can create a custom grant type.
For example, let's assume you wanted to authenticate with Google using a Google access token; you would create a new grant_type called google_token.
So now when your users want to authenticate using a Google access token, they will pass something like
grant_type=google_token&client_id=clientId&client_secret=secret&google_token=google-access-token
Then your auth server can verify the access token with Google and optionally verify which client it was issued to, etc., and once verified, it can return your own access token.
This applies to third-party auth servers, so you can create any number of custom grant types.
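The token endpoint this answer describes, and the custom grant_type /token call proposed in the previous question, can be written as one handler that dispatches on grant_type. The Go code below is an added example, not the asker's Spring Boot code or any library's API. The registered client, its secret, the google_token verifier and every token value are constructed for the example, and the verifier returning the external token's subject on success is an assumption, since the asker's service only answers true or false.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// ExternalVerifier stands for the client's "send a token, get true or false" web service
// (that it also returns the token's subject on success is an assumption of this example).
type ExternalVerifier func(token string) (subject string, ok bool)

type AuthServer struct {
	clients   map[string]string // client_id -> client_secret (constructed; store a hash in production)
	signKey   []byte            // key for the server's own tokens
	verifiers map[string]ExternalVerifier // one verifier per custom grant_type, e.g. "google_token"
}

// issueToken mints the server's own HS256 JWT once the external token has been accepted.
func (s *AuthServer) issueToken(sub, grant string, ttl time.Duration) string {
	enc := base64.RawURLEncoding
	h, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	p, _ := json.Marshal(map[string]interface{}{"sub": sub, "grant": grant, "exp": time.Now().Add(ttl).Unix()})
	input := enc.EncodeToString(h) + "." + enc.EncodeToString(p)
	mac := hmac.New(sha256.New, s.signKey)
	mac.Write([]byte(input))
	return input + "." + enc.EncodeToString(mac.Sum(nil))
}

func writeJSON(w http.ResponseWriter, status int, body interface{}) {
	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("Cache-Control", "no-store") // token responses must not be cached (RFC 6749 §5.1)
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(body)
}

// TokenHandler implements POST /oauth/token: authenticate the client, dispatch on grant_type,
// verify the third-party token with the matching service, and only then issue a local token.
func (s *AuthServer) TokenHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost || r.ParseForm() != nil {
		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid_request"})
		return
	}
	secret, known := s.clients[r.PostForm.Get("client_id")]
	if !known || subtle.ConstantTimeCompare([]byte(secret), []byte(r.PostForm.Get("client_secret"))) != 1 {
		writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "invalid_client"})
		return
	}
	grant := r.PostForm.Get("grant_type")
	verify, supported := s.verifiers[grant]
	if !supported {
		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "unsupported_grant_type"})
		return
	}
	// The third-party token travels in a parameter named after the grant: grant_type=google_token&google_token=...
	sub, ok := verify(r.PostForm.Get(grant))
	if !ok {
		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid_grant"})
		return
	}
	writeJSON(w, http.StatusOK, map[string]interface{}{"access_token": s.issueToken(sub, grant, time.Hour), "token_type": "Bearer", "expires_in": 3600})
}

// Exchange posts a form to the handler in-process (no network) and decodes the JSON reply.
func Exchange(s *AuthServer, form url.Values) (int, map[string]interface{}) {
	req := httptest.NewRequest(http.MethodPost, "/oauth/token", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	s.TokenHandler(rec, req)
	var body map[string]interface{}
	json.NewDecoder(rec.Body).Decode(&body)
	return rec.Code, body
}

// NewDemoServer wires one registered client and a stand-in for the external token-check service (all constructed).
func NewDemoServer() *AuthServer {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	google := func(tok string) (string, bool) {
		if tok == "constructed-valid-google-token" {
			return "alice@example.test", true
		}
		return "", false
	}
	return &AuthServer{clients: map[string]string{"mobile-app": "constructed-client-secret"}, signKey: key, verifiers: map[string]ExternalVerifier{"google_token": google}}
}

func main() {
	fmt.Println(Exchange(NewDemoServer(), url.Values{"grant_type": {"google_token"}, "client_id": {"mobile-app"}, "client_secret": {"constructed-client-secret"}, "google_token": {"constructed-valid-google-token"}}))
}
```

Client authentication, an unknown grant_type and a rejected external token each map to the RFC 6749 error code (invalid_client, unsupported_grant_type, invalid_grant), and the server's own token is minted only after the external check has succeeded; the client secret comparison is constant-time so the lookup does not leak which part of the secret matched.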
