I am building a windows phone 8 app using Azure Active directory for authentication. This would be a multi-tenant application where once the user logs in I would like to read certain basic information from their tenant in AD.
I am planning on using http://azure.microsoft.com/en-us/documentation/articles/mobile-services-how-to-register-active-directory-authentication/ as a starting point and will use a browser control in my app to take the user to the standard azure AD login page.
So here is my question, while I know how to use Azure AD Graph API to find specific information about my own tenant, how do I find out the tenant domain name of the external user so I can use Graph API to find information about their tenant/AD? If I had created the login and password input fields in my own app, I could have easily figured out their domain but since I redirect them to the Azure AD service....I am having a hard time figuring out how I will determine their domain name so I could then do a Graph API query on it?
Thanks for your help!
In your authorize request, use code+id_token response_type. Your client app will receive an id_token - a jwt with user's information including the user's tenant id (tid) that you can use to construct Graph API queries.
Request:
login.windows.net/common/oauth2/authorize?response_type=code+id_token&client_id=f034219b-9048-452a-aa0c-ce7661fcd2a0&resource=<graph api resource id>&redirect_uri=<your redirect uri>&nonce=7a16fa03-c29d-4e6a-aff7-c021b06a9b27
Response:
<redirect_uri>?code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGB_K3PrvqLGyrC3bsLKpSYcEMwgiAbLpF6yKUxMRX3P1g3GqXDmmtKUkuVr0HjiWhO5EuW5RExGaucKvRhSes9Fzxm4Mxsoz0_8hbAwdC7zn8e74ENcgWwat6OLpSkYLFvBuJFvhp8k0ng3VIxJm5iMP7iC7DM1XGO5ECnwjz-Iu6MsiTwRG78L8p1x8vudlF-uAyDBkINiGRI-cFv6Q65xoU-uNWuiGBQ7H03OkDVnu29LYjrwGmJvq6yL1wzL2SyBXR8fKmmgqMTqu8jz0I94oTPYYtv-Cnq2hXP8_QpaDjiHHM6v9ymkSYnVNvSlkDgeqhwnqoU29DOEYQLNuAewzbWkIsCQJl9SCmcTtJ8Xsh75HV2KbVMHKAfZ0yLUggCAA&id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1THdqcHdBSk9NOW4tQSJ9.eyJhdWQiOiJmMDM0MjE5Yi05MDQ4LTQ1MmEtYWEwYy1jZTc2NjFmY2QyYTAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC82MmUxNzNlOS0zMDFlLTQyM2UtYmNkNC0yOTEyMWVjMWFhMjQvIiwiaWF0IjoxMzk3MDY0NTE3LCJuYmYiOjEzOTcwNjQ1MTcsImV4cCI6MTM5NzA2ODQxNywidmVyIjoiMS4wIiwidGlkIjoiNjJlMTczZTktMzAxZS00MjNlLWJjZDQtMjkxMjFlYzFhYTI0Iiwib2lkIjoiODRlNjg1MmMtYjJlZS00ODMwLTkyMjYtNjYwNzYzOWU2Mzc0IiwidXBuIjoiYmFkYW1zQGR1c2h5YW50Z2lsbC5jb20iLCJ1bmlxdWVfbmFtZSI6ImJhZGFtc0BkdXNoeWFudGdpbGwuY29tIiwic3ViIjoiRGVldTRUTmxPZjMwSVA2YnBBRVJlOTRNNHJ2VHpfeDdFWE5UYkNXeTFTbyIsImZhbWlseV9uYW1lIjoiQWRhbXMiLCJnaXZlbl9uYW1lIjoiQnJhZCIsIm5vbmNlIjoiN2ExNmZhMDMtYzI5ZC00ZTZhLWFmZjctYzAyMWIwNmE5YjI3IiwiY19oYXNoIjoiM01FYmNleUFYUlBtOGVMRE11cEpUZyJ9.L4FcbHGCTROgDT4Hpuc2kczSOh7HooLpUTQVpYve76Ucwyl4pFmb1IDKsES_d0stK6kyr2__Qs3ckMs5lm0SnsMuI3KIK53j3H_KeaswfbD5AYOm7gbEqA4VDcjQRVbEHW4Lyd8ij4b-Xss9O2N6ZbSKRZ-uuM78y5-lmQZ5KsRsdg7B9sLfHsRTjbrT9YryPUotbivUg3ioSZ9g3PYZwb0XiRO9enM9nYjz8rZXINB3ODr7-ccr4_n8AOWwvPunM1rXLxTZTEO3ADDU-anK_2OLH6Ab_6OMKljzigJbciol7DvBXaNZf7guHvDXV6VXTnPim2XhSOp_tcaVRj4yAA&session_state=b41d7528-2c8c-4e76-b17f-0732e8697798
Decoded id_token jwt:
aud: f034219b-9048-452a-aa0c-ce7661fcd2a0
iss: https://sts.windows.net/62e173e9-301e-423e-bcd4-29121ec1aa24/
iat: 1397064517
nbf: 1397064517
exp: 1397068417
ver: 1.0
**tid**: 62e173e9-301e-423e-bcd4-29121ec1aa24
oid: 84e6852c-b2ee-4830-9226-6607639e6374
upn: badams#dushyantgill.com
unique_name: badams#dushyantgill.com
sub: Deeu4TNlOf30IP6bpAERe94M4rvTz_x7EXNTbCWy1So
family_name: Adams
given_name: Brad
nonce: 7a16fa03-c29d-4e6a-aff7-c021b06a9b27
c_hash: 3MEbceyAXRPm8eLDMupJTg
Related
As my app is designed using flutter and all my app endpoints are created using Springboot. So can call direct APIs using Feignclient in Springboot to create my own endpoint to list all the envelopes for one recipient?
Do we have any endpoint to get all the envelopes by using the recipient name or email id? for example XYZ user needs to sign in 2 envelopes then using XYZ can we be able to fetch those 2 envelopes?
Yes, you are very welcome to call the eSignature REST API directly and not use an SDK. Use API version 2.1. About half of the developers who use the API do so directly.
Updated: authentication
To call the eSign REST API, each of your API calls must include authentication via an access token. You can obtain an access token via an OAuth flow.
If your users have DocuSign user accounts, then they should login/authenticate via Implicit grant assuming that you're using Flutter for a mobile app.
If your users don't have DocuSign accounts (they are signers, not senders), then you need to have a backend server that can securely use the JWT grant flow to obtain an access token on behalf of a "system" account such as "finance#example.com"
If you have questions about authentication, please open a new question on StackOverflow.
https://developers.docusign.com/docs/esign-rest-api/reference/envelopes/envelopes/liststatuschanges/
This endpoint has lots of filtering options including:
email={email_address} Limit results to envelopes sent by the account user with this email address.
user_name must be given as well, and both email and user_name must refer to an existing account user.
user_name={user_name} Limit results to envelopes sent by the account user with this user name.
email must be given as well, and both email and user_name must refer to an existing account user.
We have a Xamarin forms mobile app where users are authenticated by AAD v2 endpoint (MSAL - Microsoft.Identity.Client) and an ASP.NET Web API application where the same users are authenticated by AAD v1 endpoint (ADAL - Microsoft.IdentityModel.Clients.ActiveDirectory).
We would like to have REST calls authenticated in the Web API from the mobile app. We've tried passing v2 authentication tokens but get InvalidAuthenticationToken returned to us.
First of all not sure if it is actually possible. This MS presentation from 2017 says that it hasn't been implemented 'yet', but can't find whether it is now possible. Failing that, is there some other way to get this to work?
Thanks
Background
This should be possible. With recent change, there is no longer a difference of v1 or v2 client app, rather the targeted "audiences" (e.g my tenant only, all tenants, Azure AD + MSA) of the APIs they're requesting access to.
Quick example
Setting that aside, there is still a notion of token version. The version of the token, however, is that of the API, not the client app. For example,
Client A: targets Azure AD only (formally would map to a v1 app)
Client B: targets Azure AD + MSA (formally would map to a v2 app)
API: accepts Azure AD + MSA (formally would map to a v2 app)
In this case, the access tokens issues to Client A and Client B will be a format understood by the API- v2.0 tokens.
Conclusion
In your case, you can register each client based on the type of users you want to allow access, but ultimately your API will represent the token type issued.
I need help integrating Azure AD B2C and Google APIs. Briefly, I created a tenant on Azure AD B2C, policies and a Native App. Users can register to my app and sign in without any problems. Now I need to use Google APIs to access the logged-in account's information and manage some information (Google MyBusiness data). How can I achieve that. Is that possible ?
Furthermore, even if that is not connected to Azure AD B2C, how can I request to the user to accept that my app to view MyBusiness data?
UPDATE: I understand that I need to authorize my app to https://www.googleapis.com/auth/plus.business.manage Google scopes. Is it possible to request that scope during Google SignIn application authorization process?
Thanks everyone.
As part of the authentication exchange between Azure AD B2C and Google (as well as other identity providers), an access token is issued by Google for use by (and only by) Azure AD B2C, where this access token is used by Azure AD B2C to access the authorized information for the authenticated end-user.
Currently, Azure AD B2C does not pass this access token through to the relying party application (i.e. your native client application), therefore applications can't access the information for the end-user.
UPDATE on 20 June 2019
Using a custom policy, you can pass the access token from the external identity provider through Azure AD B2C to your relying party application.
From the official Azure AD B2C FAQ:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-faqs
Can I configure scopes to gather more information about consumers from various social identity providers?
No, but this feature is on our roadmap. The default scopes used for our supported set of social identity providers are:
Facebook: email
Google+: email
Microsoft account: openid email profile
Amazon: profile
LinkedIn: r_emailaddress, r_basicprofile
I am trying to make a mobile app in React-Native and Server in Spring-Boot which have a OAuth2 implemented API endpoints.
My question is how can I integrate Social Logins into my React-Native app which in save a user in my user table. apart from Social login I am using naive register/login flow which require username/password to provide access token from OAuth2 Server. How can I do the same with Just Social Login without prompting user any password or other extra information.
any general solution for this will help regardless of tech I am using.
Thanks
Usually when using social networks to login/sign up you'll get a token returned in your app which you can send via your REST API and on your backend it can then retrieve the users information from the social platform used depending on the granted scopes(e-mail, username, etc...) and store the retrieved values in the database.
Thats basically how it works in general, but if you want to have more information you probably still need to share some more info about your tech used.
Hopefully that helped you out ;)
I have 2 applications, the old application is using Oauth2 to access the Google Analytics API. All current users have granted access to an email from my domain.
The second application is using credentials with Service account authentication.
The problem is that the email for the Service account keys is using a different domain:
"client_email": "xxx-service#xxx.iam.gserviceaccount.com",
I need it to use my old email from my domain that already have permissions from clients.
How can I do that, I already downloaded the json file for the Service account keys.
There is a diffrence between Oauth2 and service accounts.
Lets start with the old app using Oauth2. When a user starts using the application they are displayed the authentication form which asks them to grant application X access to their data. Assuming they accept it application X can now read there data. Application X is given a Refresh token which can be used to access the data at a later date.
In the background the developer of Application X registered their application on Google Developer console and was given a client id and client secret. When the user authenticated to the application the Refresh token is created using the client id and client secret. You can not take a different client id and client secret and use it with the refresh token from another application they are not interchangeable.
Service accounts are different in that they are preauthorized. If you take that service account email address you have and add it as a user on the Google analytics website admin section. The service account will have access to read the information just like any other user.
Clarifications / answers.
You can not pick the service account email address these are generated by Google.
You can't use a service account to access data granted to an application though Oauth2. they are not interchangeable.
If you have access to the users data using Oauth2 you should be using your refresh tokens to access their data you do not need a service account.