Using two azure AD app registrations for mobile and web - spring

I have a mobile app which gets token directly from azure login. And I have a service which is using adal4j in spring boot. I cannot use the mobile generated token to authenticate spring service. Becase I use two different azure app registrations for mobile and web service. Is there a way to accomplish this ?

My understanding is that you have created 2 Enterprise Applications in Azure.
1) An Enterprise Application for your mobile app (Type: Native)
2) An Enterprise Application for your Web API app (Type: WebAPI)
For native app, you will not need a client secret but you will need a client secret for the Web API app.
Now coming to the key configurations:
In both of these, please update the manifest file to have oauth2AllowImplicitFlow set to true
Also, in your Web API Enterprise Application, please have the app id of your native app in the known client apps
"knownClientApplications": ["
Now, when calling your Web API through an end-point from the Native application, pass your token in your request header as "Authorization": "Bearer "
Also note: if you need to retrieve group claims, please update the manifest in both your enterprise apps to have the following setting for this property
"groupMembershipClaims": "SecurityGroup"
Update:
Under permissions in the native app, please add the Web API app registration to allow access

Yes, the OAuth 2.0 on-behalf-of flow should applies to your scenario. These steps constitute the On-Behalf-Of flow.

Azure AD issues a token for certain resource (which is mapped to an Azure AD app). When we call AcquireToken(), we need to provide a resourceID, only ONE resourceID. The result would have a token that can only be used for the supplied resource (id). There are ways where you could use the same token , but it is not recommended as it complicates operations logging, authentication process tracing, etc. Therefore it is better to look at the other options provided by Azure and the ADAL library. The ADAL library supports acquiring multiple access-Tokens for multiple resources using a refresh token. This means once a user is authenticated, the ADAL’s authentication context, would be able to generate an access-token to multiple resources without authenticating the user again.
Further details here.

Related

How to integrate Outlook calendar for MS work account users using Spring Boot?

I want to build a feature where I want to sync users outlook calendar with my app. Any event which users create/reschedule/delete from my app should reflect in users outlook calendars. First step for this however would be getting access token and refresh token for the users by authenticating them. How can I build APIs to authenticate users and get the token for further use.
I have checked there is MS-Graph API, which can be used in my use-case. But I'm unable to find resources regarding how to use this APIs from my spring boot application. Also, this is not regarding the login/signup flow. I have another login flow. I don't want users to login to my app via their outlook email.
To Enable your Java Spring Boot web app to sign in users and call Microsoft Graph with the Microsoft identity platform:
Overview:
This sample demonstrates a Java Spring Boot web app that signs in users and obtains an access token for calling Microsoft Graph. It uses the Azure AD Spring Boot Starter client library for Java for authentication, authorization, and token acquisition. It leverages Microsoft Graph SDK for Java to obtain data from Graph.
For more information: https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/2-Authorization-I/call-graph#enable-your-java-spring-boot-web-app-to-sign-in-users-and-call-microsoft-graph-with-the-microsoft-identity-platform
Hope this helps.

Password Authentication with Vaadin Flow and Firebase

I set up a Spring Boot project using https://start.spring.io including Spring Security and Vaadin. Then I set the Vaadin version to 22.0.4 and followed this tutorial to set up a login page using Vaadin Flow and Spring Security: https://vaadin.com/docs/v22/flow/tutorial/login-and-authentication
This works perfectly and checks login attempts against an InMemoryUserDetailsManager having a dummy user. As you can see in the tutorial, this is configured in the WebSecurity class, which extends VaadinWebSecurityConfigurerAdapter.
Now, I want to authenticate against Firebase users with email address and password instead. Therefore, I set up a Firebase project and added a user. I first thought, that the login can be done using the Firebase Admin SDK, but now I think this is not possible.
How can I authenticate Firebase users with email address and password in my Spring Boot application using Vaadin Flow as a frontend framework?
Firebase has two types of SDKs:
Its regular SDKs are designed to be used in client-side, untrusted environments, such as web front-ends, Android apps, or iOS apps.
Its Admin SDKs are designed to be used in (typically server-side), trusted environments, such as your development machine, a server that you control, or Cloud Functions/Cloud Run.
Only the regular, client-side SDKs have methods to sign the user in. For the Admin SDKs this is not needed, since they already run in a trusted environment and this establish their credentials in some other way (typically through a credentials file that you download from the Firebase/Cloud console).
So there's no way to sign in to Firebase on your server-side code. This also would not make a lot of sense, because a lot of users will likely be accessing the server at once, so who is the current user?
Instead, in Firebase you typically sign the use in client-side through one of the regular SDKs, and then (if needed) you pass the ID token to the server, where your code (through an Admin SDK if available) can decode that ID token and determine what user is making the request.
You can mint your own ID token in the Admin SDK, but the flow remains the same there and you typically use this to implement a custom sign-in provider.

Calling my own API secured by AzureAD V2 from another tenant

I have a DotNet Core WebAPI living in my own Azure AD tenant. This WebAPI is secured via AzureAD V2 (!) BearerToken authentication. This API is called by an Angular SPA authenticated via OIDC (AzureAD v2) using #azure/msal-angular following the tutorial at https://learn.microsoft.com/en-us/graph/tutorials/angular. Everything works fine with users from my own tenant. But when logging in with a user from another tenant I get the following error:
"AADSTS650052: The app needs access to a service
(\\\"https://mytenant.de/AngularDemoApi2\\\") that your organization
\\\"myorganization.de\\\" has not subscribed to or enabled. Contact your
IT Admin to review the configuration of your service
subscriptions.\r\nTrace ID: 9597578e-7e48-49b2-85be--b5a1ee14300\r\n
Correlation ID: 30d4caf2-e3ca-4d7d-84b5-564d428e4e69\r\n
Timestamp: 2019-06-13 15:40:46Z|invalid_client"
I have tried to following some examples to make the WebApplication and the WebAPI multitenant but all the examples seem to be outdated and/or not relevant for V2 of Azure AD. WebApplication and WebAPI have set
"signInAudience": "AzureADandPersonalMicrosoftAccount"
in Manifest. WebAPI has App Uri in the form of
https://mytenant.de/AngularDemoApi2"
I guess that I need to give users from other tenants somehow permission to access the WebAPI in my tenant but I don't know how.
Edit: When I choose to expose the API directly from the app registration of the SPA it works like a charm. But this approach does not seem to be right because each exposed API would have the same audience ("aud" claim, the same audience as the SPA application). In my example above I have a separate app registration - one for the SPA and one for the API. This way each API would have it's own audience and it will also be mentioned in the consent screen.
May be someone could explain how to configure it correctly?
I had the same problem, and for me the solution was to add the client as an "authorized client application" to the WebAPI's app registration in the Azure portal.
This will show up in the service app's manifest as a section in the following form, where appId is the application id of the client app, and permissionIds contains the ids of the scopes requested by the client app, which can be read from the "oauth2Permissions" section of the manifest:
"preAuthorizedApplications": [
{
"appId": "523ca2d4-680b-4ef4-8a8c-3f3486693cf7",
"permissionIds": [
"35e5e006-83c5-4f37-a3bf-c048ee8c8600"
]
}
],
In your case, you might have to first register the Angular SPA as a client application in order to get a client id. This is described in this quickstart.

Mobile sign up with spring social

I am trying to use spring social for my REST services and my mobile app.
I wonder what the best approach is.
I am planning to use linkedin, google login and password authentication inside my mobile app. This social login should be connected to users in my database.
My spring application will act as an API which should be secured with a JWT token. The mobile app will afterwards use this JWT token to consume the API.
On my mobile I would like to have the possibility to sign up/sign in with linkedin, facebook or password.
As far as I understood mobile requires a different oauth flow than described in https://spring.io/guides/tutorials/spring-boot-oauth2/
Seems like it required the "Proof Key for Code Exchange" flow as stated in:
https://auth0.com/docs/api-auth/grant/authorization-code-pkce
Is this correct? I didn't find any information how to best do this with spring social and if spring social supports this use case.
Could someone point me in the right direction? I just found information how to do this with single page application and not with mobile applications. Thanks a lot in advance!
One possible way would be
The mobile app uses LinkedIn or Google's SDK to do SSO to retrieve an authN token.
The mobile app passes it to the backend service, which uses it to retrieve user details (e.g email) from the oauth service.
The backend service could do additional work about the user details (for example, link with existing users).
The backend service returns a JWT token to the mobile app, which ends the SSO.
The SSO should be able to return an email address for you to link users. Sometimes you need to apply for the permission explicitly (which Facebook requires).
The key point of this approach is that it avoids using the OAuth2 library completely in your backend services because it is now handled in the mobile app by using SSO provider's SDK.
The flow is summarized in the following drawing:
========
Edited:
We used this approach to do Facebook SSO with one mobile app and it worked very well. The mobile app was in iOS, and the backend service Spring Boot.
Discussion is welcomed.

ADFS 2016 - ApplicationGroup - single native app - multiple web api endpoints

I'd like to validate the following scenario:
ADFS (win2016) is acting as an Identity Provider in a setup where
a single mobile app is consuming 2 api's
api.contoso.be
otherresource.contoso.be
These three applications are grouped together in a ADFS Application Group:
mobile app as a "Native application"
api.contoso.be and otherresource.contoso.be as "Web API" applications
The mobile app gets an access token when authenticating succesfully against ADFS.
The access token is provided with een aud-claim for "api.contoso.be".
Problem: I'm currently unable to reuse that same access token to access the second api "otherresource.contoso.be".
Question: at this point I'm not 100% sure that ADFS ApplicationGroups are meant to support such a scenario.
If so, I'm probably overlooking something in the ADFS-configuration.
If not, what's a better ADFS setup to support this scenario?

Resources