I have created a tenant and application to be able to authenticate users via Azure B2C. I have a front-end application in React which uses Msal.js with authorization grant to obtain the access token, which is then used to make requests to a webserver which acts as a resource-server (connected to Azure b2c as well). I have used this answer to make it work -> How to secure Spring Boot REST API with Azure AD B2C?
Apart from that I have few daemon applications which need to connect to the backend as well. They should use client_crendentials grant_type to connect to the backend server (which is a resource-server).
However, the token that is obtain by the daemon app, cannot be used with the backend server (resource server) for some reason. Is there something that I do wrong ? Do you have samples for this scenario ? I've already spent days looking over all the documentation to find where is the problem.
Related
I'm trying to setup client credential flow with a Spring app access a web api (both owned by myself). I've attempted to follow the Azure documentation Microsoft identity platform and the OAuth 2.0 client credentials flow and Quickstart: Configure a client application to access a web API but I'm running into a few problems because the documentation is not clear. Somewhere in my setup, Azure is forcing the user to sign-in, and then other error messages sprout from there. As we know, however, client credential should be machine to machine authorization so I'm not sure why this sign-in flow is happening.
Below is my setup. Any feedback would be helpful getting me up running.
Environment
OS: Ubuntu 20.10
IDE: Visual Studio Code
Library/Libraries:
com.azure.spring:azure-spring-boot-starter-active-directory:3.5.0
org.springframework.boot:spring-boot-starter-oauth2-client
application.yml
azure:
activedirectory:
tenant-id: {my-web-app-tenant-id}
client-id: {my-web-app-client-id}
client-secret: {my-web-app-client-secret}
authorization-clients:
web-api:
scopes:
- api://example-api/Employees.Read.All
- api://example-api/Employees.Write.All
Azure Configuration
You should currently be performing server-to-server interaction, that is, no user involvement. So your server application needs to create an appRole, and then grant the app Role as an application permission to the client application.
First, you need to expose the api of the server application protected by Azure, which can be configured according to the following process:
Azure portal>App registrations>Expose an API>Add a scope>Add a client application
Then you need to create the appRole of the server application, and then grant that role as an application permission to the client application.
Next, go to client application>API permissions>Add a permission>My APIs>your api application.
Finally, you need to obtain an access token using the client credential flow where no user is logged in:
Parse the token:
#BillyBolton.
There are several types of your application when using azure-spring-boot-starter-active-directory:
When your application is web application, sign-in flow will appear.
When your application is resource server, no sign-in flow will appear.
Related docs:
https://github.com/Azure/azure-sdk-for-java/tree/azure-spring-boot-starter-active-directory_3.6.0/sdk/spring/azure-spring-boot-starter-active-directory#accessing-a-web-application
https://github.com/Azure/azure-sdk-for-java/tree/azure-spring-boot-starter-active-directory_3.6.0/sdk/spring/azure-spring-boot-starter-active-directory#web-application-accessing-resource-servers
Related samples:
https://github.com/Azure-Samples/azure-spring-boot-samples/tree/azure-spring-boot_3.6/aad
I have a request to restrict the access (access control) to a small user community in GCP.
Let me explain the question.
This is the current set up:
A valid GCP Organization: MyOrganization.com (under which the GCP project is deployed / provisioned)
Cloud DNS (To configure domain names, A & TXT records, zones and subdomains to build the URL for the application).
Oauth client set up (tokens, authorized redirects URIs, etc.).
HTTPS load balancer (GKE -managed k8s service- with ingress service), SSL certificate and keys issued by a trusted CA.
The application was built using python + Django framework.
I have already deployed the application (GCP resources) and it is working smooth.
The thing is that, since we are working in GCP, all IAM users who has a valid userID#MyOrgnization.com can access the application (https://URL-for-my-Appl.com).
Now, I have a new request, which consists in restricting access (access control) to the application only for a small user community within that GCP organization.
For example, I need to ensure that only specific IAM users can access the application (https://URL-for-my-Appl.com), such as:
user1#MyOrganization.com
user2#MyOrganization.com
user3#MyOrganization.com
user4#MyOrganization.com
How could I do that, taking into account the info I sent earlier ?
thanks!
You can use Cloud IAP (Identity Aware Proxy) in order to do that.
Identity-Aware Proxy (IAP) lets you manage access to applications
running in App Engine standard environment, App Engine flexible
environment, Compute Engine, and GKE. IAP establishes a central
authorization layer for applications accessed by HTTPS, so you can
adopt an application-level access control model instead of using
network-level firewalls. When you turn on IAP, you must also use
signed headers or the App Engine standard environment Users API to
secure your app.
Note: you can configure it on your load balancer.
It's not clear in your question if your application uses google auth (but considering that you talk about org-restricted login I think so) - if that's the case you should be able to enable it without virtually touching anything in your application if you are using the Users API.
The best and easiest solution is to deploy IAP (Identity Aware Proxy) on your HTTPS Loadbalancer
Then, grant only the user that you want (or create a gsuite user group and grant it, it's often easier to manage)
We're getting ready to rewrite an old native windows mobile application that accesses data through a VPN. We'd like the new version (.NET Windows 10 mobile application) to access data through web services that are protected by Okta. What is the best way to do this?
Thanks!
The best way to do this depends on how the web services are protected.
The main thing to keep in mind is that you don't want to store any secrets on the mobile application.
In an ideal world, these web services would be secured with something like OpenID Connect (OIDC), allowing you to authenticate against Okta (the "IDP") to get access to the web services (the "Relying Parties").
However, the real world is messy, where some web services are protected via SAML, OIDC, OAuth, custom headers, etc.
Without knowing more about your setup, my recommendation would be to build against OIDC, using a proxy server (or "API Gateway") as needed to secure your web services using OIDC.
One of my co-workers at Okta has written a sample iOS application in Xamarin that implements OIDC, I suggest taking a look at the ViewController.cs file in that repository.
I am setting up an API for a mobile app (and down the line a website). I want to use oAuth 2.0 for authentication of the mobile client. To optimize my server setup, I wanted to setup an oAuth server (Lumen) separate from the API server (Laravel). Also, my db also lives on its own separate server.
My question is, if using separate servers and a package like lucadegasperi/oauth2-server-laravel do I need to have the package running on both server?
I am assuming this would be the case because the oAuth server will handle all of the authentication to get the access token and refresh access token functions. But then the API server will need to check the access token on protected endpoints.
Am I correct with the above assumptions? I have read so many different people recommending the oAuth server be separate from the API server, but I can't find any tutorials about how the multi-server dynamic works.
BONUS: I am migrating my DB from my API server, so I would assume I would need the oAuth packages migrations to be run from the API server also. Correct?
Recently I read this article:
http://aws.amazon.com/articles/SDKs/Android/4611615499399490
Now my question is...
Can the Amazon STS (Security Token Service) used as a Token Vending Machine to manage user sessions for a clients of a Web Server (As opposed to Clients of AWS Services)?
Assume I have a Web Application. And this Web Application has Registered Users who are Authenticated with Login Credentials. Now I wish to issue a Session Token to these Users who are Authenticated.
1. User -> Web App -> User Login Page
2. User gives Credentials -> Web App -> Issues a Session Token (with expiry policy)
3. User the Session token -> Web App Resources (Non-AWS Resources proxy-ed by the Web App)
Can I use the Amazons Simple Token Service independently for the above Usecase? Or is Amazon STS only available for access to Amazon Services only?
The reason I wish to use Amazon STS is because they are :
- I don't have to worry about Session Token management
- Proven and Scalable
Please help. I am a little confused about this.
STS will provide temporary credentials (access key, secret key and token) for AWS Services only and should not be used for application authentication (or session management). But you could store those credentials in your session for AWS API access from your app.