Multi-Tenant Azure AD authentication with IdentityServer4 - validation

I've configured Identity Server 4 and am using Azure AD authentication. Everything works fine if I use a tenant-specific Authority URL in Identity Server. With that, only a user from that tenant can log in. I would like to allow multiple domains to log in and would like to validate the issuer in the backend.
To support that I need to use the common login endpoint for Azure AD, and after I log in I get the following error when it redirects to the signin-aad endpoint of Identity Server. What configuration should I do so that I can validate the issuer manually?
SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: 'https://sts.windows.net/94b73406-72db-4abb-a142-adfdfdfdfdbc/'. Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: 'https://sts.windows.net/{tenantid}/'.
Microsoft.IdentityModel.Tokens.Validators.ValidateIssuer(string issuer, SecurityToken securityToken, TokenValidationParameters validationParameters)

If your domains can grow dynamically at runtime then set ValidateIssuer to false in the TokenValidationParameters. If you have a predetermined set of domains then add them all to ValidIssuers.
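As an added illustration (not code from the question or the answer, and not the Microsoft.IdentityModel API), this is the backend issuer check the question asks for, written in Python so the logic stands on its own: the issuer is accepted only if it has one of Azure AD's issuer formats and names a tenant on an allowlist, and it must agree with the token's tid claim. It assumes the token's signature has already been verified and that the allowlist (or a tenant store behind it) is yours.

```python
import base64
import json
import re

# Issuer formats Azure AD uses, with the tenant GUID in place of {tenantid}:
# the sts.windows.net form from the error message above (v1.0 tokens) and the
# form the v2.0 endpoint uses.
ISSUER_PATTERNS = [
    re.compile(r"^https://sts\.windows\.net/([0-9a-f-]{36})/$"),
    re.compile(r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0$"),
]

def decode_jwt_payload(token):
    """Return the claims of a compact JWT. This assumes the signature has already
    been verified: issuer checks come in addition to that, never instead of it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def validate_issuer(claims, allowed_tenants):
    """Return the tenant GUID named by `iss` if that tenant is allowed, else raise.
    For tenants onboarded at runtime, back `allowed_tenants` with your tenant store."""
    iss = claims.get("iss")
    if not isinstance(iss, str):
        raise ValueError("token has no iss claim")
    for pattern in ISSUER_PATTERNS:
        match = pattern.match(iss.lower())
        if match:
            break
    else:
        raise ValueError(f"issuer {iss!r} is not an Azure AD issuer")
    tenant = match.group(1)
    if tenant not in {t.lower() for t in allowed_tenants}:
        raise ValueError(f"tenant {tenant} is not allowed to sign in")
    # Azure AD also carries the tenant in the tid claim; the two must agree.
    tid = claims.get("tid")
    if tid is not None and str(tid).lower() != tenant:
        raise ValueError("tid claim does not match the issuer")
    return tenant

if __name__ == "__main__":
    # Constructed sample body for the tenant in the error message above; the
    # third segment stands in for a signature that was checked separately.
    tenant = "94b73406-72db-4abb-a142-adfdfdfdfdbc"
    body = base64.urlsafe_b64encode(json.dumps(
        {"iss": f"https://sts.windows.net/{tenant}/", "tid": tenant}).encode())
    token = "eyJhbGciOiJSUzI1NiJ9." + body.rstrip(b"=").decode() + ".placeholder-signature"
    print(validate_issuer(decode_jwt_payload(token), {tenant}))
```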

Related

RStudio Connect OAuth2 Authentication with Azure B2C

I am looking to set up OAuth2 authentication in RStudio Connect to authenticate against Azure B2C using OpenID. I have configured the rstudio-connect.gcfg file with the authentication settings mentioned in the documentation as follows.
[Authentication]
Provider = "oauth2"
[OAuth2]
ClientId =
ClientSecret =
OpenIdConnectIssuer = https://xxxx.b2clogin.com/xxxx.onmicrosoft.com/b2c_1_si
RequireUsernameClaim = true
When trying to authenticate, it doesn't look like it even tries to redirect to the B2C login page; it just displays a login error message.
Can anyone advise how to configure the RStudio Connect config file and the app registration in Azure B2C to get the authentication to work correctly?

How to combine bearer-only and client_credentials in Keycloak?

I have a backend API server which was initially in bearer-only mode, accepting tokens from the FE. Now there's a need for the server to call another service in the same Keycloak realm, whose grant type is usually client_credentials.
User -> FE server --(bearer only)--> BE server --(client credential)--> Other service
The question is, how do I combine bearer-only and client credentials in the BE server? Do I have to define 2 clients in the Keycloak realm for the same BE (one bearer-only, the other client credentials)?
We have solved this with two separate clients in Keycloak:
Client #1 (token is generated from the SPA client and used for Bearer auth)
Access Type: Public
Client #2 (for server to server)
Access Type: Confidential
Service Accounts: On
On the Service Account Roles tab: define which roles that token will get
EDIT:
On the Spring side, you just need to reference Client #2 when setting up your Keycloak AdapterDeploymentContext in your security config class. That is because any token generated by Client #1 or Client #2 will be an SSO token, and your Spring backend will point back to the realm for token verification.

JWT and Azure AD to secure Spring Boot Rest API

I have a Spring Boot REST API with JWT integration. Currently, from Postman, I make a POST request to the authenticate endpoint, including username and password, and obtain an access token.
But can Azure AD be used along with JWT, instead of hardcoded user details?
When you obtain a token with username and password, that is based on the Resource Owner Password Credentials flow. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows.
I'm not sure what you mean by Azure AD with JWT.
If you would like to obtain an access token with a signed-in user (not hardcoded user details), the auth code flow is better for you. You could also request an access token in Postman.
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
client_id=xxx
&scope=https://graph.microsoft.com/mail.read
&code=<authorization_code from "/authorize" endpoint>
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
If you would like to obtain an access token without users, you could use the client credentials flow. In the client credentials flow, permissions are granted directly to the application itself by an administrator, so you must use application permissions.
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
client_id=xxx
&scope=https://graph.microsoft.com/.default
&client_secret=xxxx
&grant_type=client_credentials

spring boot oauth2.0 and spring security: How to grant permission(authorities) to user login via facebook or slack

I have an auth server built using Spring Boot OAuth2.0 that follows the david_syer model.
My auth server does the following:
Lets a user log in via a third-party OAuth provider like Google, or lets the user create an account on our server using username and password, and generates a token.
So, when a user uses an external OAuth provider like Google to log in, I simply store the token and pass the same (Google) token to my UI app for accessing the resource API servers. I have an authentication filter that verifies the token and allows API access.
When a user uses username and password to get a token, we store the user and his permissions and generate a token for him. Now the UI uses our auth server's generated token to access the resource API servers.
Now my questions are:
Is this the correct way of using a token from an external API and using the same token to access our resource API server?
And how do I add authorities to users who are signing up using a 3rd-party OAuth provider, since I don't add a user entry and authorities for them?
So Spring Security, which loads the user and user authorities (loadUserByUsername() from UserDetailsService), will not have anything if the user came from an external provider.
I have a suggestion for step 2:
After the user uses Google authentication and gets redirected back to your application page, do the claims transformation on your server and generate your own token, issued by the identity server that you have.
The reason is you will be able to provide specific claims, and the claim names do not necessarily have to match up.
That way you keep verifying your own token all the time on the client app. So let's say the user uses Facebook instead of Google; even in that scenario, as you will assign your own token, you do not need to verify tokens coming from different third-party identity servers.
That way, your identity server trusts the Facebook- or Google-provided token and your application trusts only your identity server, so your app doesn't need to know which IdP is issuing the token.
And with the approach I suggested above, you will even be able to modify the claims for the user on your own and don't have to depend upon the third-party identity server to provide claims.

Custom Manual Oauth2 Authentication at RESTful Service

I am developing some RESTful services for our mobile app using Spring Boot. I successfully implemented OAuth2 authentication with our registration using username and password. Users can authenticate using username and password. Also, our client wants to be authenticated with their custom token. They have a web service to which you send the token, and the response is true or false.
My first thought was that I could write a service like /custom-login that accepts the custom token. In my service I can check this token with the external service and, if it is valid, call OAuth2 authentication and return the OAuth2 authentication response.
How can I implement custom OAuth2 authentication?
The OAuth 2.0 spec allows for custom grant types,
so your auth server can create a custom grant type.
For example, let's assume you wanted to authenticate with Google using a Google access token; you would create a new grant_type called google_token.
So now when your users want to authenticate using a Google access token, they will pass:
grant_type=google_token&client_id=clientId&client_secret=secret&google_token=google-access-token
Then your auth server can verify the access token with Google (and optionally verify which client it was issued to, etc.) and, once verified, it can return your own access token.
This applies to third-party auth servers in general, so you can create any number of custom grant types.
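An added example, not from either answer above and not Spring's TokenGranter, of the pattern both the claims-transformation suggestion and the google_token grant describe: the token endpoint authenticates the client, verifies the external token through a provider check, and mints (and later verifies) its own HS256 token carrying locally assigned authorities. The provider check, the registered clients, the signing key and the ROLE_USER mapping are all constructed stand-ins.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_local_token(claims, secret, ttl=3600):
    """Mint an HS256 JWT under our own key: the only token the UI and resource APIs see."""
    now = int(time.time())
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps({**claims, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_local_token(token, secret):
    """Check our own signature and expiry; return the claims, or None if invalid."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims.get("exp", 0) > time.time() else None

# Constructed stand-in for the external check; in practice this calls the provider
# (Google's tokeninfo endpoint, the client's true/false web service, ...).
EXTERNAL_VERIFIERS = {
    "google_token": lambda t: {"sub": "google:" + t[6:]} if t.startswith("valid-") else None,
}

def custom_grant(form, registered_clients, secret):
    """Token-endpoint logic for a custom grant_type; raises ValueError(<oauth2 error>)."""
    grant = form.get("grant_type")
    if grant not in EXTERNAL_VERIFIERS:
        raise ValueError("unsupported_grant_type")
    # Authenticate the client first, exactly as for the standard grants.
    expected_secret = registered_clients.get(form.get("client_id"), "")
    if not hmac.compare_digest(expected_secret, form.get("client_secret", "")):
        raise ValueError("invalid_client")
    identity = EXTERNAL_VERIFIERS[grant](form.get(grant, ""))
    if identity is None:
        raise ValueError("invalid_grant")
    # Claims transformation: authorities come from our own store, not from the IdP.
    claims = {"sub": identity["sub"], "idp": grant, "authorities": ["ROLE_USER"]}
    return {"access_token": issue_local_token(claims, secret), "token_type": "Bearer"}
```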