I am trying to run the Sinatra sample app given in the Azure Active Directory Library for Ruby: https://github.com/AzureAD/azure-activedirectory-library-for-ruby. The sample is here: https://github.com/AzureAD/azure-activedirectory-library-for-ruby/tree/dev/samples/authorization_code_example
The provided README.md file tells me that I need to do this:
Register a web application under your Azure Active Directory account.
Replace CLIENT_ID, CLIENT_SECRET and TENANT with your values.
My problem is that it is not clear how to map any 3 of these values to the various fields available for the Web App that I have setup in Active Directory.
I am guessing that TENANT maps to a URL that will point my app to our ActiveDirectory configuration.
I am guessing that CLIENT_ID maps to the application id of my web app
I am very unsure about the CLIENT_SECRET
I am looking for clarity on these three fields and anything else I need to do to make this sample work.
This seems to work:
CLIENT_ID is the Application ID shown in the settings of the AD App Registration for the configured Web app.
CLIENT_SECRET is a password value a password set in the 'Keys' section of the Web app details.
TENANT should be a registered domain name for the AD tenant.
See: https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-operations-overview?f=255&MSPPError=-2147217396#TenantIdentifier
Related
I'm working on a web application that uses OpenId authentication. Let's assume that the application essentially serves to store metadata and its associated files (docx, pdf). The Web Application is for internal use and is not exposed to public network, only users of the organization have access.
Recently, a requirement has arisen to be able to share files with users external to the organization. External users will use a PORTAL (third-party application) which, through a URL generated by the Web Application that points to the PORTAL, will have access to the file. This PORTAL uses OpenId authentication and invokes a Web Application API to retrieve the file.
Initially, the proposed solution was:
Web Application - Send EMAIL to the external user and create a user in Keycloak with Email to authenticate later on the PORTAL (Is this really necessary?! Biggest doubt).
The external user accesses the PORTAL with the URL received and authenticates with the user created by the Web Application on Keycloak.
Once authenticated on PORTAL, a WebApplication API is invoked to obtain the file.
The main question is whether the Web Application should manage the creation/editing/deleting of external users on Keycloak. Does the Web Application need to create users in Keycloak? Is there another way to accomplish this without compromising security?
Thanks in advance.
To share a file with restricted access, there are two approaches:
Open access with signed links: Create a signed URL using a web API and share it with external users. The link can be a static URL with an encrypted key, or a JWT signed token in base64 form generated by the web API. When the portal receives a request, it checks the validity of the token, retrieves the file location from the token, and allows access.
Email-restricted access: If you want to guarantee access only to the person with email xxx#abc.com, you'll need to use a challenge, which is typically a login. You can either create users on the fly after login (if the external users come from a partner with OIDC capability), or pre-create the users if this is not the case.
Note: You cannot rely solely on a URL with an email claim as proof of access, as the link may have been forwarded to someone else.
I'm trying to deploy my application built on the team toolkit scaffolding for multi-tenant. I created a CDN endpoint and updated my state JSON object to reflect the new front-end endpoint. After provisioning, deploying and making the account setting change to multi-tenant. I uploaded my app to our company tenant and I'm getting the following error in my tab configuration where the user is supposed to be able to log in.
OutOfRangeInputOne of the request inputs is out of range. RequestId:47fca9cc-f01e-004a-7a11-e434e9000000 Time:2022-10-19T23:24:05.3740757Z
Is there any workaround to get a team's toolkit app to be multi-tenant supported? I am trying to get this app validated for the teams store.
You can follow the steps here to enable multi-tenant in Teams Toolkit:
Provision your Tab project.
Open .fx\states\state.{envName}.json and note the value ofdomain under fx-resource-front-hosting.
Create Azure CDN and CDN endpoint and point to frontend storage. Note you need to choose endpoint type as Storage static website when creating your CDN.
Open templates\azure\provision\azureStorageTab.bicep file, and find the following two lines:
output endpoint string = 'https://${siteDomain}'
output domain string = siteDomain
and replace with:
output endpoint string = 'https://sample.azureedge.net'
output domain string = 'sample.azureedge.net'
Open templates/appPackage/aad.manifest.json, find signInAudience and set value as AzureADMultipleOrgs
Open .fx/configs/azure.parameter.${env}.json and find the following line:
"m365TenantId": "{{state.fx-resource-aad-app-for-teams.tenantId}}",
and replace with:
"m365TenantId": "common",
Run Provision and Deploy in your project.
I am developing a Teams App which have Tab and Search Message extension as a capability. The app should support multitenant scenarios, where the app will be deployed on different tenant and should be able to do some operation using Graph api. Hence I am calling a On-Behalf-user token. My request fails for these scenarios. When I tried to make Tab App registration to support Multitenant, I receive below error:
and when I am querying for Graph Token, I get CORS Issue:
Let me know what should be my next step.
Please take a look at this Github Issue.
Main reason of this failure is that Azure AD requires verified domain as Application ID Uri for Multi-tenant apps.
Please have a look at this doc, to understand Why changing to multi-tenant can fail?
Key point from doc are
Can sometimes fail due to Application ID URI (App ID URI) name collisions.
For a multi-tenant application, Application ID URI must be globally unique so Azure AD can find the app across all tenants
Short description:
Im using laravel application which already has system for logging in with microsoft account. That system works, but this is the first time im working on it, and i can not establish locally that users can sign in with their microsoft account into the application. Because system in the application works, and i get error when logging in, the issue must be in my configuration at Azure portal.
My configuration is as following:
I have created tenant and registered app in it. My SAML config is as following:
Entity ID: https://login.microsoftonline.com/tenant-id/saml2
Reply URL (Assertion Consumer Service URL): https://sts.windows.net/tenant-id/
In my .env i have set following values:
AZURE_AD_CALLBACK_URL=/login/microsoft/callback
AZURE_AD_CLIENT_ID=id-of-the-application-in-tenant
AZURE_AD_CLIENT_SECRET=tenant-secret-key
SAML2_AZURE_SAML_ENABLED=true
SAML2_AZURE_IDP_SSO_URL="https://login.microsoftonline.com/tenant-id/saml2"
SAML2_AZURE_IDP_ENTITYID="https://sts.windows.net/tenant-id/"
SAML2_AZURE_IDP_x509="tenant-id"
SAML2_AZURE_SP_ENTITYID="https://some-app.com/"
I get following error after entering my credentials:
AADSTS700016: Application with identifier 'https://someapp/' was not found in the directory 'tenant-id'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
I have added user to the application, which i use to test login, so this error is totally confusing for me.
I dont know if i provided all neccessary info, but if some missing i will provide them.
I hope someone knows what is wrong with the configuration
The tenant id is a GUID. Have you used this or are you using the "tenant-id" string?
Also, the ACS is an endpoint in your application - not an Azure URL.
Background
I have a Web API registered in Azure AD and secured using WindowsAzureActiveDirectoryBearerAuthentication (OAuth2 bearer token). This is a B2B-type scenario where there are no interactive users - the applications calling the API are daemon-like background apps. As such, I don't need any consent experience - I just want trusted applications to be able to call the API, and other applications - even if they present a valid OAuth token - to be denied.
What I've tried
This sample seemed to describe my scenario almost exactly. However, the way it determines if a caller is a trusted app or not is by comparing the clientID presented via a claim by the caller to a hard-coded value. Obviously you could store the list of trusted clientIDs externally instead of hardcoding, but it seems like I should be able to accomplish this via configuration in the AAD portal so that a) I don't have to maintain a list of clientIDs, and b) I don't have to write my own authorization logic.
It seems like I should be able to define a permission for my API, grant that permission to each calling app in AAD (or a one-time admin consent), and then in my API just check for the presence of that permission in the scp claim.
From looking at the portal it seems like this is what Application Permissions are intended for:
I can create a permission just fine via the application manifest. Unfortunately, I can't figure out how to specify that it's an Application Permission, not a Delegated Permission! I tried changing the type from User to Admin as described on MSDN, but that seemed to have no effect.
"oauth2Permissions": [
{
...
"type": "Admin",
...
}
Question
Am I correct that Application Permissions are the best solution for my scenario? If so, how do I configure it? Or, as I fear, is this yet another feature that is On The Roadmap™ but not currently functional?
Ben, Application Permissions are declared in the appRoles section of the manifest. Indeed, if you declare an appRole called say 'trusted' in your resource application's (storage broker demo) manifest - it will show up in the Application Permissions drop down there. Then, when you assign that Application Permission to the client app - the access token that the client app will receive using the client credentials OAuth flow will contain a roles claim with value 'trusted'. Other apps in the tenant will also be able to get an access token for your resource app - but they wont have the 'trusted' roles claim. See this blog post for details: http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/
Finally, the above way to assign an application permission to a client app only works when both the resource and client application are declared in the same directory - if however these apps are multi-tenant and a customer will install these apps separately - a global admin from customer's directory will need to consent to the client app - which will result in the application permission getting assigned to the instance of client app in the customer's tenant. (my blog post covers this too)
Hope this helps.
ps: if you're stuck - feel free to ping me on the contact page of http://www.dushyantgill.com/blog