How to use multiple resource url in botframework oauth? - botframework

I followed the article below to add authentication to my Azure bot. Everything works fine except for the step below:
https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=javascript#azure-ad-v1
Register your Azure AD application with your bot, step g, to add the Resource URL.
In my case I need to grant the bot permission to access both the Power BI and SharePoint APIs. According to the document they are in two different domains, https://analysis.windows.net/powerbi/ and https://mytanent.sharepoint.com
But this field on the bot settings page can only accept one URL.
Can anyone help with this?
Thanks.

It is recommended that you use AADv2, which requires no resource URL. If you use AADv1 then you can probably still use https://graph.microsoft.com/ as your resource URL, but if that doesn't work then you might try just using your app registration's client ID as the resource URL. The place where you'll want to configure Power BI and SharePoint permissions is described in Create your Azure AD application, step 6c.
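The reason a single Resource URL cannot cover both APIs is that an access token is bound to one audience: the `aud` claim names the resource the token was issued for, and every other API must reject it. The following is an added example, not code from the Bot Framework docs or from either post. The resource strings are the ones quoted in the question (`https://analysis.windows.net/powerbi/` and `https://mytanent.sharepoint.com`); the tokens are constructed locally with a placeholder signature, so the code only shows the audience check an API performs after it has already verified the signature, issuer and expiry.

```python
import base64
import json
from typing import List

# Added example (not from the original post). Tokens built here are
# constructed test data with a placeholder signature; a real resource server
# must verify the signature before it trusts any claim, including "aud".


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a JWT-shaped string (header.payload.signature) from constructed claims."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def claims_of(token: str) -> dict:
    """Read the payload without verification, the way jwt.ms shows it for inspection."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def audiences(token: str) -> List[str]:
    """The "aud" claim, normalised to a list (it may be a string or an array)."""
    aud = claims_of(token).get("aud", [])
    return list(aud) if isinstance(aud, list) else [aud]


def resource_accepts(token: str, resource: str) -> bool:
    """The check an API makes after signature validation: was this token issued for me?"""
    return resource in audiences(token)


# Resource identifiers quoted in the question; Graph is the answer's suggestion.
POWERBI = "https://analysis.windows.net/powerbi/"
SHAREPOINT = "https://mytanent.sharepoint.com"
GRAPH = "https://graph.microsoft.com/"


def tokens_needed(resources: List[str], tokens: List[str]) -> List[str]:
    """Resources the bot still cannot call with the tokens it already holds."""
    return [r for r in resources if not any(resource_accepts(t, r) for t in tokens)]


if __name__ == "__main__":
    graph_token = make_sample_token({"aud": GRAPH, "upn": "bot-user@example.com"})
    # A token for Graph satisfies neither Power BI nor SharePoint.
    print(tokens_needed([POWERBI, SHAREPOINT], [graph_token]))
```

Running `tokens_needed` with a Graph token alone reports both APIs as still unreachable; only one token per resource (two OAuth connections, or two separate token requests under v2 scopes) empties that list.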

Related

Can I use spatie/laravel-google-calendar for a web server application with multiple users?

I'm working on a Laravel site where users could connect their Google account and manage their Google calendars directly from within the site. I found https://github.com/spatie/laravel-google-calendar but I'm not sure that it really meets my needs.
That package doesn't seem to follow the authentication flow (OAuth 2) I'm used to with other APIs. It uses service accounts and stores credentials in JSON files where I usually save access and refresh tokens in my users table.
So am I missing something, or is that package not made for that kind of site?

Azure SSO and Laravel login have issue with SAML

I have followed the solution explained in the Azure SSO related question in the forum
After that, I checked in the Azure portal and tried testing from the portal itself, but it keeps redirecting me to the login page, though only when doing it the first time, so this is new to me. Am I missing something, or do I need to write a login handler for my application to handle this? For now I have not created any handler for login, because as per the description in the link it is supposed to work.
I tried putting a dd in the service provider that has been created, but it is not reflected. I am confused and stuck here: I am not getting where I need to write the logic to handle users with type in this, as for login it now redirects me to the login route when I test it from the Azure portal.
Any guidance on this would be helpful !
• I would suggest you follow the GitHub documentation below for configuring Laravel SAML SSO in Azure AD, as it uses a Laravel package for SAML2 integration as a service provider itself. Also, although you have added the service provider in your case, that is not needed if you are using v5.5 or higher of Laravel, as it gets registered automatically. It is only for older versions that you need to add the service provider in 'config/app.php'.
https://github.com/aacotroneo/laravel-saml2
• Thus, once you have done the above and published the config files accordingly by executing the php commands, you will need to modify the IdP settings in the PHP app's configuration. Here, please ensure that you are entering the ACS (Reply) URL and Identifier (Entity ID) from the application created in Azure AD correctly. Also, ensure that the required SAML URLs and certificate keys are correctly entered in the environment variables required in aad_idp_settings.php.
Also, please check the actual routes in the metadata by navigating to 'http(s)://{laravel_url}/{idpName}/metadata', as they must be reachable for your application to pass the authentication claims to AAD to get the authentication token. Since you are configuring SSO, please check the IdP metadata at 'http(s)://{laravel_url}/single_sign_on/mytestidp1/metadata', and finally please ensure that 'RedirectIfAuthenticated.php' is configured to redirect to '/routesPrefix/myIdp1/login', and the same in '/Exceptions/Handler.php'.
By following the above steps, your issue should be resolved.

Amazon Cognito as Generic OAuth2 Provider for Bot from MSBotFramework in Teams

I've put together this sample to integrate a bot in Microsoft Teams:
https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/csharp_dotnetcore/46.teams-auth
Good news is, it works just fine out of the box with an Azure AD Connection as OAuth2 sign-in.
We use Amazon Cognito User Pools, and in order to call queries and other things, I need to be signed in, for obvious reasons. Therefore, I've tried configuring another connection, this time with a Generic OAuth2 Provider since Cognito is not in the list.
These are my connection settings for the Generic Provider
I've hidden the actual IDs for obvious reasons, but the core URLs are present, as stated in the Cognito docs.
I've also added "token.botframework.com" and "*.amazoncognito.com" in the validDomains list of the manifest.
Now, when I click on the sign in card button, the popup opens, but I'm getting a redirect_mismatch error in the URL, like so
I have looked up the reason for this error, and it is stated that the redirection URL must match at least one of the callback URLs in the Cognito App Client corresponding to the provided ID.
However, in the sample's code for the bot, I can't seem to see where you specify such a callback URL when dealing with the OAuth Prompt directly.
Any wizards in here have ideas about this? I would greatly appreciate any and all help.
Thanks!
EDIT
As requested, here's the settings page for the app client
Given that it's a MS Teams app, I have ngrok tunnels setup for traffic, so I put both URLs in there just to be sure... localhost:3000 is actually where the ngrok.io tunnel points to.
And here is proof that our Hosted UI, when opened from the User Pool, actually shows up, and at a redirect_uri of localhost:3000/
(Posting my comment above as an answer, since it seems to have solved the issue.)
When using the built-in auth support in Azure Bot Service, it fully handles the auth redirects. So your registered redirect URL ("callback URL" in Amazon Cognito?) should be https://token.botframework.com/.auth/web/redirect. This should have been your redirect URL when you tried it with AAD too, as indicated in the Bot Framework documentation for adding authentication to a bot.

WebAPI 2 Authorize Roles with MSAL

I'm in the throes of moving our security architecture from ASP.NET Core Identity to Azure AD V2 with MSAL.js. We used a lot of Roles with the ASP.NET Core Identity implementation, and the information was managed in the database using the web application. The pattern I'm abandoning is similar to this one.
https://www.dotnetcurry.com/aspnet-core/role-based-security
Azure AD with MSAL is working. The tokens are being created and passed and the local Web API Endpoints decorated with the generic [Authorize] attribute are being honored as you would expect. Web API Endpoints decorated with [Authorize(Roles= "Fee, Foo, Fi, Fum")] are throwing a 401 unauthorized error.
I'm not sure where to go from here. Do I write a CustomAuthorize attribute override for Web API and go back to the database to grab the roles (probably matching the DB-defined roles to the user based on email address)?
OR
Is there a way to implement roles natively with Azure AD V2?
I'm not sure what's the best course of action from here. Documentation and code samples seem limited. It would sure be nice to just throw an AD user in a group and have the group be respected as a role in the Web API. On the other hand, it's nice to have role delegation handled within the confines of the web application.
Any advice, experience or interest would be greatly appreciated.
Answer
Follow-up to my question. @Marc, you're correct: after looking at the token, the roles are not present. Adding roles to the token seems pretty straightforward. You need to patch the Graph schema to include them, configure the roles, and assign them to users as needed through AAD.
Or that's how it looks at first glance. After digging deeper, it requires a P1 or P2 Enterprise license, which only costs an additional $6 per month per user. This will literally double the cost of hosting email in the cloud for us.
Alternatively, I wrote a CustomAuthAttribute for Web API and tied users and roles together on the server backend. Roles can still be managed via the web application, and users can still log in using Active Directory credentials.
I recall that the id token returned in implicit flow (the one you use with JS) does not include app roles (or groups). I cannot find any docs confirming that but see others who got around the issue (so the issue must be there) by using Graph to get the roles (or groups).
You can capture the token you receive from AAD and view it using https://jwt.ms to see whether roles are included in it.
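`[Authorize(Roles = ...)]` only ever looks at role claims already present in the validated token, so if the `roles` claim is absent the check can never succeed, whatever the database says. The added example below (written here, not the questioner's CustomAuthAttribute and not ASP.NET code) shows the same inspection step as jwt.ms followed by the fallback the follow-up describes: use `roles` from the token when Azure AD put them there, otherwise look the user up in an application-managed role table keyed by sign-in name. The tokens and the role table are constructed test data; signature, issuer and expiry validation are assumed to have been done already by the bearer-token middleware, which is the only reason the payload may be read without verification here.

```python
import base64
import json
from typing import Dict, List, Optional

# Added example; constructed tokens and a hypothetical role table.


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sample_token(claims: dict) -> str:
    """Constructed JWT-shaped string with a placeholder signature (test data only)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder-signature"


def payload_of(token: str) -> dict:
    """Decode the claims segment, assuming the middleware already validated the token."""
    segment = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


# Hypothetical application-managed role table keyed by the user's sign-in name,
# standing in for the questioner's database-backed role store.
ROLE_TABLE: Dict[str, List[str]] = {
    "fee@example.com": ["Fee", "Foo"],
    "fum@example.com": ["Fum"],
}


def sign_in_name(claims: dict) -> Optional[str]:
    """Azure AD v2 tokens carry preferred_username; v1 tokens carry upn."""
    return claims.get("preferred_username") or claims.get("upn") or claims.get("email")


def effective_roles(claims: dict) -> List[str]:
    """Roles from the token win when present; otherwise fall back to the table."""
    token_roles = claims.get("roles")
    if token_roles:
        return list(token_roles)
    user = sign_in_name(claims)
    return list(ROLE_TABLE.get(user, [])) if user else []


def authorize_request(token: Optional[str], required_roles: List[str]) -> int:
    """HTTP status an [Authorize(Roles = "...")]-style check produces.

    401: no credential at all.  403: authenticated, but holds none of the roles.
    """
    if not token:
        return 401
    roles = effective_roles(payload_of(token))
    return 200 if any(r in roles for r in required_roles) else 403


if __name__ == "__main__":
    t = sample_token({"preferred_username": "fee@example.com"})
    print(effective_roles(payload_of(t)))                       # ['Fee', 'Foo'] from the table
    print(authorize_request(t, ["Fee", "Foo", "Fi", "Fum"]))   # 200
```

Keeping the token's own `roles` claim authoritative when it exists means the same code keeps working if app roles are later assigned in Azure AD, and the table can be retired without touching the endpoints.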

Setting PowerApps CustomConnector to OAuth2/AzureAD

I am trying to use OAuth2 (Azure Active Directory) to authenticate against a web api that I wrote, which is secured by Azure Active Directory. I know my security is setup correctly because I wrote a different app to consume the API, and it works.
When I try to setup the PowerApps custom connector, I keep getting a 401 Unauthorized error. I believe that it is because I don't have my settings correct. However, I cannot figure out what the fields in the PowerApps security page are supposed to map to.
Here is a screen shot of the page in powerapps. Please advise...
Thanks,
The client ID and client secret are the properties of the client app you registered in Azure AD.
The resource URL is the App ID URI of the app which represents the web API. You can also read it from the token of a previous request that works.
For more details about Azure Active Directory authentication for PowerApps, you can refer to the link below:
Use Azure Active Directory with a custom connector in PowerApps