I have a need to authenticate against Azure Active Directory from a .net Web API. I read Vittorio Bertucci's article: Using ADAL .NET to Authenticate Users via Username/Password, and was wondering if there's any way of getting around the limitation of not being able to do this from a website/confidential client. He describes this as an AAD setting. Is it one that can be turned off?
Any assistance with this would be much appreciated!
This is not common scenario to use the Resource Owner Password Credentials in a web app. The recommend way is that using the Client Credential flow as Shawn Tabrizi suggested.
If you do want to use the Resource Owner Password Credentials flow, you can construct the request yourself as below:
POST: https://login.microsoftonline.com/xxxxx.onmicrosoft.com/oauth2/token
Content-Type: application/x-www-form-urlencoded
resource={resource}&client_id={clientId}&grant_type=password&username={userName}&password={password}&scope=openid&client_secret={clientSecret}
The Client Credential Flow (App Only Flow) should enable your confidential client to be able to authenticate to a downstream resource without a logged in user. This type of authentication is pure Service to Service Authentication, and will require only a secret for the client app to be presented either in the form of an App Key (symmetric key) or a Certificate Credential (asymmetric key).
However, all forms of access to an AAD Resource will require some form of initial interactive login. In the case of App Only Flows, you will need an Admin to perform an interactive login experience with the Client application, which will then allow subsequent user-less flows.
Check out these sample and let me know if it addresses your question!
https://github.com/azure-samples?utf8=%E2%9C%93&query=daemon
I hope this helps!
Related
I have been trying to implement 2fa using OTP. Till now i am successful doing it via browser flow using keycloak interface to login. Keycloak provides an API to give the access token after passing username, password & client-secret,
i.e. http://localhost:8080/realms/SpringBootKeycloak/protocol/openid-connect/token
Is there any any external api available to trigger my custom flow of sending OTP and verifying it, if not how can i implement this?
Keycloak doesn't provide any API to verify the OTP.
Keycloak provides an API to give the access token after passing username,
password & client-secret
Most likely you're talking here about Resource owner password credentials grant (Direct Access Grant).
The latest OAuth 2.0 Security Best Current Practice spec actually recommends against using the Password grant entirely, and it is being removed in the OAuth 2.1 update. (source).
Unless you have more specific requirements rather than just login and OTP, I'd recommend you to use a regular authorization code flow instead as a default way of authorization. Using this flow you'd be redirected to Keycloak login page and configure OTP to be displayed there without using Keycloak APIs.
We have a web app in which we allow users to log into the app using any Open ID provider(e.g. Okta, Google, Facebook etc.). We want to implement the correct Open ID Connect prescribed methodology/workflow to keep the user logged into the site.
The existing implementation, looks at the expiry of the Access Token then if it's close to expiry uses a Refresh Token to get a new Access Token to keep the user logged in. I feel like this is wrong. When a user logs in to the web app, the Identity Token is used to Authenticate the identity of the user using the Authorization Code workflow. The Access Token and Refresh Token are stored on the server side. Periodically, the Refresh Token is used to get new Access Tokens to keep the user logged into the site. I believe this is a security risk because -
Imagine if a user is logged onto his OP account in a browser. He opens up Sky and is directly logged into MP because he’s already logged into MP. He then in a separate tab, logs out of his OP account. He will continue to be logged into MP for days on the basis of this Refresh Token/Access Token mechanism! Isn’t this a security risk?
If feel like the correct way to go about this is to use Session Management using iframes as prescribed here on OIDC -
https://openid.net/specs/openid-connect-session-1_0.html
For more context, when a user logs into our WebApp we pull data from the OP's UserInfo endpoint to create a profile within our WebApp and set permissions/roles within our app based on data sent over from the OP's UserInfo endpoint. We continue doing this periodically. For this purpose, I feel like using the Access Token(and using the Refresh Token to get new Access Token) to access the UserInfo API is correct because it conforms to the OAuth 2.0 concept of protecting/authorizing API/Resource endpoints using Access Tokens.
I want to know if this is indeed the correct way to manage how a user should be logged in when supporting Open ID Connect.
I think the first question is whether you want to bind the lifetime of an OpenID Connect provider Single Sign On session with the session of your application. You just want to authenticate a user using their OpenID Connect service. If I logout of Google, I expect to be logged out of GMail, but not a third-party application that used Google for authentication. Would you like to implement Single Sign Out as well?
But if I wanted to be logged out when you logout of the OpenID Connect provider, I would implement the OpenID Connect Session management. There is one thing good to be aware of when using iframes and cookies - browsers have an option to "Block third-party cookies" (that's how Chrome calls it), it's turned off by default, but as far as I know, it disables the SSO functionality when turned on.
I'm not sure why you request the userinfo endpoint periodically. If you just want to check whether the access token is still valid, you could also use the token introspection endpoint.
For security concerns, I would suggest you to read the OAuth 2.0 for Browser-Based Apps RFC. It recommends using the auth code flow with PKCE instead of the implicit flow. With the implicit flow, access tokens transported in redirect URLs stay in network and browser caches and can be used right away by an attacker. The auth code with PKCE needs a code_verifier (one-time secret) in order to be exchanged for tokens. So I would first check how the providers work with a configuration you choose and if it's even supported.
Assume we have authorization server + resource server, also a mobile app. All applications are developed by same company (e.g all google services + official mobile apps).
In my understanding, mobile app should use Oauth2 resource owner password credentials flow, Am I correct? This is an article supports my understanding. According to Oauth2 spec its seems like not the correct approach. So what would be the correct approach? Is it the authorization code grant flow? In that case how one should cope with redirection? (there are ways but what is the best way of not leaving the app?)
Also I need to use native login screen in mobile app where resource owner need to type username/password. Could that be done via authorization code flow? how?
If I am correct about resource owner credentials flow, how we can implement that in spring without client secret embedding in the app?
Below is the required way of getting token via resource owner password credentials in spring.
curl -X POST --user 'trusted-client:client-secret' -d 'grant_type=password&username=test&password=123' http://localhost:8080/oauth/token
Here we need to have client secret in the app (which is not secure), will this approach work? Assume later on we may have different client, how custom authentication provider distinguish those two? Any answer would be great. Thanks.
I have a working oauth2 application using v1.0 of Azure REST API. I am able to acquire access token via ADAL library for Java and no problem accessing their resources.
However, I wanted to know if there is a way to use this same token in order to let Office365/Outlook users to login on a web browser without entering a password ? Something like https://outlook.office365.com/token=abc..
This will help us to let users SSO on different devices without typing their passwords.
Technically, yes you can. You can try to leverage Microsoft Graph API to achieve your requirement.
Add the permission of Microsoft Graph in your AAD application, refer to https://graph.microsoft.io/en-us/docs/authorization/auth_overview for more info.
Follow OAuth2's Authorization Code Grant Flow to generate an access token, or leveraging your ADAL, please refer to https://graph.microsoft.io/en-us/docs/authorization/app_authorization for details.
Set the access token in the request header the same as you call Azure Rest APIs.
GET https://graph.microsoft.com/v1.0/users/john.doe#contoso.onmicrosoft.com HTTP/1.1
Authorization : Bearer <access_token>
For outlook APIs, you can refer to https://graph.microsoft.io/en-us/docs/api-reference/v1.0/resources/message for more info.
I've been working whit the SAML extension to connect to an ADFS server. I've hacked the sample application to use my ADFS server and everything went well, but I would like to know if there is a way to connect to an IDP without using the loging page of the IDP. I mean if there is a way to do this process in background for the end-user. I am thinking about doing a query to ADFS or something like to get the users and do authentication from the SP login page, avoiding the need for the user to authenticate in the IDP login page.
The purpose of federated authentication is to delegate it to a centralized server in such a way that the relaying parties/service providers do not have access to user's credentials. Enabling authentication directly in your application would violate this principle and for this reason is not supported by neither Spring SAML nor ADFS.
If you want to authenticate your users directly, use authentication directly against Active Directory instead of ADFS. This will fully support your use-case.