ASP.Net API with OAuth for Google : Access Denied - asp.net-web-api

I've some issues with a ASP.Net API and Google Authentication.
I work with VS 2017 and .net FW 4.6.1.
In this app the login can be made by create a new app user or use a Social network authentication like Google Account.
So I create a Google Project with a Credentials for Web Application and refer my dev env web site and my prod public web site.
In dev mode with Localhost it works perfectly but with my public domain name I get a
error=access_denied
The /signin-google?state=.... request, after choosing a google account, take 1 min and redirect to the home page with the access_denied error.
Do I need to regenerate the call to /api/account/externallogin with the publish website ? (I've already change the redirectURI)
Is the Google Project Name important to access to the API ?
Must the client ID be different between Dev and Prod ?
I've followed this tutorial to implement the authentication in my web site for more details :
http://csharp-video-tutorials.blogspot.com/2016/12/aspnet-web-api-google-authentication.html?_sm_au_=iVVDF8LpPKL6W0sQ
Thanks

Related

Post to Facebook on behalf of my web application users - Laravel

I have created a web application and I would like users to be able to log into their own Facebook account to publish posts on their Facebook profile from my web application.
Every time I connect them to Facebook with authentication, I get back a token that does not retain the requested permissions, especially "write to profile".
I am on Laravel.
I have tested with PHP SDKs, with Socialithe and even with PostMan. I can't find the solution.
Do you know if this is possible? And how?
Thanks

Calling my own API secured by AzureAD V2 from another tenant

I have a DotNet Core WebAPI living in my own Azure AD tenant. This WebAPI is secured via AzureAD V2 (!) BearerToken authentication. This API is called by an Angular SPA authenticated via OIDC (AzureAD v2) using #azure/msal-angular following the tutorial at https://learn.microsoft.com/en-us/graph/tutorials/angular. Everything works fine with users from my own tenant. But when logging in with a user from another tenant I get the following error:
"AADSTS650052: The app needs access to a service
(\\\"https://mytenant.de/AngularDemoApi2\\\") that your organization
\\\"myorganization.de\\\" has not subscribed to or enabled. Contact your
IT Admin to review the configuration of your service
subscriptions.\r\nTrace ID: 9597578e-7e48-49b2-85be--b5a1ee14300\r\n
Correlation ID: 30d4caf2-e3ca-4d7d-84b5-564d428e4e69\r\n
Timestamp: 2019-06-13 15:40:46Z|invalid_client"
I have tried to following some examples to make the WebApplication and the WebAPI multitenant but all the examples seem to be outdated and/or not relevant for V2 of Azure AD. WebApplication and WebAPI have set
"signInAudience": "AzureADandPersonalMicrosoftAccount"
in Manifest. WebAPI has App Uri in the form of
https://mytenant.de/AngularDemoApi2"
I guess that I need to give users from other tenants somehow permission to access the WebAPI in my tenant but I don't know how.
Edit: When I choose to expose the API directly from the app registration of the SPA it works like a charm. But this approach does not seem to be right because each exposed API would have the same audience ("aud" claim, the same audience as the SPA application). In my example above I have a separate app registration - one for the SPA and one for the API. This way each API would have it's own audience and it will also be mentioned in the consent screen.
May be someone could explain how to configure it correctly?
I had the same problem, and for me the solution was to add the client as an "authorized client application" to the WebAPI's app registration in the Azure portal.
This will show up in the service app's manifest as a section in the following form, where appId is the application id of the client app, and permissionIds contains the ids of the scopes requested by the client app, which can be read from the "oauth2Permissions" section of the manifest:
"preAuthorizedApplications": [
{
"appId": "523ca2d4-680b-4ef4-8a8c-3f3486693cf7",
"permissionIds": [
"35e5e006-83c5-4f37-a3bf-c048ee8c8600"
]
}
],
In your case, you might have to first register the Angular SPA as a client application in order to get a client id. This is described in this quickstart.

Azure Active Directory Consent Framework not kicking in for .NET client application

I have a Web API running in an Azure Web App. It is used from a .NET WinForms client application. In the same Azure Web App, there is also an ASP.NET MVC site.
Users authenticate to the site and the .NET client using Azure AD credentials. This should be multi-tenant. The MVC app works fine multi-tenant, but I have trouble getting the client to run multi-tenant.
My understanding from https://learn.microsoft.com/en-us/azure/active-directory/active-directory-integrating-applications is that the Consent Framework should kick in automatically if OAuth 2.0 is used. I am using code (below) that is very close to the sample at https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapi-multitenant-windows-store/.
While I can successfully log in with a user in the tenant where the native app is defined and use the app, I cannot use the app with a user from another tenant. There is no consent asked and I get an AdalException:
AADSTS50001: The application named https://<myurl> was not found in the tenant named <sometenant>.onmicrosoft.com. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Trace ID: 3<snip>2
Correlation ID: 2<snip>a
Timestamp: 2017-01-05 01:01:10Z
I have added the ID of the native client app to the list of knownClientApplications in the web app's manifest. I am authenticating against the "common" tenant (https://login.microsoftonline.com/common). The third-party tenant user account signing in is a Global Admin in that tenant.
So, I am clearly overlooking something to enable the Consent Framework but I can't find what it is based on the sample...
Relevant native client code below
Uri RedirectUri = new Uri(sRedirectUri);
// AadInstance is the common tenant
AuthenticationContext authContext = new AuthenticationContext(AadInstance);
try
{
PlatformParameters pp = new PlatformParameters(PromptBehavior.Auto);
// Authenticate to Azure AD
Program.WebApiAuthenticationResult = await authContext.AcquireTokenAsync(WebAppIdUri, ClientID, RedirectUri, pp);
return true;
}
catch (AdalException ex)
{
MessageBox.Show(ex.Message, "Log In Not Successful");
}
Thanks for any insight!
I am trying to reproduce this issue however failed. The scenario that native client app consume the web API which both protect by Azure works well when I login the native app with the multiple tenant account. I tested the code sample from here.
And based on the error message, it seems that the resource is not correct, please ensure it is same as the APP ID URI for the web API app you register on Azure. I could get the same error message when I specify an incorrect resource.

Mixing MVC 5 + WEB API 2 Authentication for Website & Mobile App

I just got Visual Studio 2013 loaded up and want to create a new web/mobile app that uses the same authentication for the website version and the mobile version.
I loaded up both templates (MVC5 w/Indivual Account & WEB API w/Individual Account) to check them out but it looks like I actually want to do a merge of those projects so the MVC5 uses the Web Api 2 OWIN for normal username & password authentication along with Social Media logins via Oauth.
SPA - I did look at this template but I'm not looking for a SPA as my website will need to be SEO friendly plus I know MVC and want to keep using it.
This would seem like an obvious template that developers would like to have in order to support both websites and mobile apps in the same project.
If your target is to share user accounts between the MVC app and the Web Api app, then all you need to do is to have them both point to the same UserStore.
I think this is what you are looking for:
http://leastprivilege.com/2012/10/23/mixing-mvc-forms-authentication-and-web-api-basic-authentication/

Microsoft App authentication in MVC 5

I want to authenticate my mvc application by microsoft. I successfully done with Facbook, Google and Twitter, but when i click on Microsoft then the error `We're unable to complete your request
Microsoft account is experiencing technical problems. Please try again later`
is coming.
I successfully created an app and paste the Client ID and Client Secret in my mvc application . But I do not know the real problem
What is the return URL that you specified for the given Client ID and Client Secret? If the site is not running under that specific URL (e.g. is running under localhost whilst you are in dev mode), you can get this error message.
In my case I had my gmail account configured as my primary Microsoft Live account once I changed this to my Hotmail account as the primary account and then created a new app with a new name Client ID and Secret it started working for me.
The gmail account worked signing in as a gmail user on my app Identity Provider being Google to give some background this is the account I used as my Microsoft Account. I suspect my Microsoft account using my gmail user name and password confused the MS identity Provider thus resulting in the error. So avoid using a different Identity Providers credentials to authenticate with a different Identity provider if testing this. One account per Identity provider not associated to other Identity providers.
Since the Google account had been my primary for the other Identity Providers when I logged into the App as this I as essentially I suspect therefore already logged in with my Microsoft account.
Step 1:-
Open Application Registration Portal of Microsoft [https://apps.dev.microsoft.com] where you have Registered your Application.
You need to make change in Redirect URIs
For example :-
The URI which is Registered
URL:- http://localhost:8000
Change to make in URI :-
Just Add :- [/signin-microsoft] at end of URL It works
URL:- http://localhost:8000/signin-microsoft
Finally save your setting and try again it will work.
In my case, it failed when I used my personal Outlook account to login.
Once I switched to an Office 365 account, it started working.

Resources