Setting PowerApps CustomConnector to OAuth2/AzureAD - asp.net-web-api

I am trying to use OAuth2 (Azure Active Directory) to authenticate against a web api that I wrote, which is secured by Azure Active Directory. I know my security is setup correctly because I wrote a different app to consume the API, and it works.
When I try to setup the PowerApps custom connector, I keep getting a 401 Unauthorized error. I believe that it is because I don't have my settings correct. However, I cannot figure out what the fields in the PowerApps security page are supposed to map to.
Here is a screen shot of the page in powerapps. Please advise...
Thanks,

The client id and client secrecy is that the property the client app you register in the app.
And the resource URL is the app id URI of the app which represents the web API. And you can decode it from the token which works for previews request.
More detail about authentication for the PowerApps for Azure Active Directory, you can refer the link below:
Use Azure Active Directory with a custom connector in PowerApps

Related

Microsoft Teams Toolkit - Support for Multitenant Teams App

I am developing a Teams App which have Tab and Search Message extension as a capability. The app should support multitenant scenarios, where the app will be deployed on different tenant and should be able to do some operation using Graph api. Hence I am calling a On-Behalf-user token. My request fails for these scenarios. When I tried to make Tab App registration to support Multitenant, I receive below error:
and when I am querying for Graph Token, I get CORS Issue:
Let me know what should be my next step.
Please take a look at this Github Issue.
Main reason of this failure is that Azure AD requires verified domain as Application ID Uri for Multi-tenant apps.
Please have a look at this doc, to understand Why changing to multi-tenant can fail?
Key point from doc are
Can sometimes fail due to Application ID URI (App ID URI) name collisions.
For a multi-tenant application, Application ID URI must be globally unique so Azure AD can find the app across all tenants

How to use multiple resource url in botframework oauth?

I followed below article to add authentication to my azure bot. Everything works fine, except below step:
https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=javascript#azure-ad-v1
Register your Azure AD application with your bot, step g, to add Resource URL
In my case, I need to grant bot permission to access both powerbi and sharepoint API, according to the document they are in two different domain, https://analysis.windows.net/powerbi/ and https://mytanent.sharepoint.com
But this field in bot setting page can only accept one URL.
Anyone can help on this?
Thanks.
It is recommended that you use AADv2, which requires no resource URL. If you use AADv1 then you can probably still use https://graph.microsoft.com/ as your resource URL, but if that doesn't work then you might try just using your app registration's client ID as the resource URL. The place where you'll want to configure Power BI and SharePoint permissions is described in Create your Azure AD application 6c:

Using two azure AD app registrations for mobile and web

I have a mobile app which gets token directly from azure login. And I have a service which is using adal4j in spring boot. I cannot use the mobile generated token to authenticate spring service. Becase I use two different azure app registrations for mobile and web service. Is there a way to accomplish this ?
My understanding is that you have created 2 Enterprise Applications in Azure.
1) An Enterprise Application for your mobile app (Type: Native)
2) An Enterprise Application for your Web API app (Type: WebAPI)
For native app, you will not need a client secret but you will need a client secret for the Web API app.
Now coming to the key configurations:
In both of these, please update the manifest file to have oauth2AllowImplicitFlow set to true
Also, in your Web API Enterprise Application, please have the app id of your native app in the known client apps
"knownClientApplications": ["
Now, when calling your Web API through an end-point from the Native application, pass your token in your request header as "Authorization": "Bearer "
Also note: if you need to retrieve group claims, please update the manifest in both your enterprise apps to have the following setting for this property
"groupMembershipClaims": "SecurityGroup"
Update:
Under permissions in the native app, please add the Web API app registration to allow access
Yes, the OAuth 2.0 on-behalf-of flow should applies to your scenario. These steps constitute the On-Behalf-Of flow.
Azure AD issues a token for certain resource (which is mapped to an Azure AD app). When we call AcquireToken(), we need to provide a resourceID, only ONE resourceID. The result would have a token that can only be used for the supplied resource (id). There are ways where you could use the same token , but it is not recommended as it complicates operations logging, authentication process tracing, etc. Therefore it is better to look at the other options provided by Azure and the ADAL library. The ADAL library supports acquiring multiple access-Tokens for multiple resources using a refresh token. This means once a user is authenticated, the ADAL’s authentication context, would be able to generate an access-token to multiple resources without authenticating the user again.
Further details here.

OneLogin SAML assertion - does it authenticate the user for the app specified

I am trying to build an app in Laravel that uses the OneLogin API to provide a seamless integration with their data.
Part of the users' data is displayed in an embedded Tableau view (hosted on Tableau Online).
I have successfully added the Tableau app in OneLogin.
I have also
setup the SAML authentication - working
Laravel app can get a token and assertion via API from OneLogin
My understanding is that the SAML assertion is supposed to authenticate the user whose details were sent as part of the assertion, however, after receiving the assertion and redirecting to the view with the embedded Tableau view, the user is prompted to log in.
This kind of defeats the purpose of the assertion.
User prompted to log in:
Application storage:
Am I missing (misusing) the purpose of the assertion?
Should the assertion be added to the session?
How can I authenticate the user once without having them providing credentials for all the services used in the app?
I think you missed to enable iframe embedding.
When you enable SAML on your site, you need to specify how users sign in to access views embedded in web pages. These steps configure OneLogin to allow your OneLogin dashboard to be embedded into an inline frame (iFrame) on another site. Inline frame embedding may provide a more seamless user experience when signing-on to view embedded visualizations. For example, if a user is already authenticated with your identity provider and iFrame embedding is enabled, the user would seamlessly authenticate with Tableau Server when browsing to pages that contain an embedded visualizations.
Reference: https://onlinehelp.tableau.com/current/online/en-us/saml_config_onelogin.htm#enable-iframe-embedding

Use API on a nw.js application

I'm trying to consume YouTube Data API v3 from a desktop Node.js application built with nw.js, but I'm getting an access denied error even though I have enabled the API on Google Console and created a Client ID (for native application).
Can you help me?
I don't think you can use the API from local files since:
Applications that use JavaScript to access the YouTube Data API must
specify authorized JavaScript origins. The origins identify the
domains from which your application can send API requests.
(source)
As a workaround, you can open a web page hosted on your server, and as long as the page is on an authorized domain it should work.

Resources