Add claims from external IDP to IdentityServer4 issued token claims - identityserver4

I have IdentityServer4 as my identity server, and there are 2 other instances of IdentityServer4 connected to it as external IDPs. I'm returning tokens with different claims from these 2 IDPs and need to use them in the issued token of the identity server.
I know that I can take advantage of ProfileService to add some custom claims to my token, but the problem is that I don't have access to the token issued by the IDPs in ProfileService.

Related

Cognito Authorization with Azure AD SAML integration returns id_token and access_token but no refresh token

I have a Cognito User Pool with 1 client that is configured with 2 identity providers, Cognito User Pool and a SAML provider that links an Azure AD instance. The Allowed OAuth Flows is set to Implicit grant only. Login via the Cognito User Pool provider is done using the InitiateAuthCommand in the @aws-sdk/client-cognito-identity-provider library. From this an id_token, access_token and refresh token are all returned.
Login via the SAML provider is done by using the template link provided in the Cognito developer docs (https://your_Amazon_Cognito_userpool_domain/authorize?response_type=code&identity_provider=your-SAML-IdP-name&client_id=your-client-id&redirect_uri=https://your_application_redirect_url). This login works, however only an id_token and access_token are returned (no refresh token).
How can I get Cognito to issue a refresh token for users logged in via the SAML provider?
Cognito should not return a refresh token for Implicit grant flow. That is the intended behaviour according to the specification:
The authorization server MUST NOT issue a refresh token.
Also using the implicit flow is highly discouraged due to vulnerabilities.
Please consider using the Authorization code grant flow along with PKCE. With that you can get the refresh token.
The reason you get the refresh token along with the aws-sdk is because it should be using a different auth flow (example: USER_PASSWORD_AUTH), as mentioned in the document.
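The flow the answer recommends, as an added C# example that is not code from this thread or from AWS: the client generates a PKCE verifier/challenge, sends the browser to the hosted UI with response_type=code, and exchanges the returned code on the back channel, which is the exchange that yields a refresh token. The user pool domain, client id, SAML provider name and redirect URI are placeholders; /oauth2/authorize and /oauth2/token are the hosted UI's standard OAuth2 endpoints.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// Added example (not from the original thread): authorization code flow with PKCE
// against the Cognito hosted UI. All four constants below are placeholders.
public static class CognitoPkceLogin
{
    const string Domain       = "https://YOUR_USERPOOL_DOMAIN";   // placeholder
    const string ClientId     = "YOUR_CLIENT_ID";                 // placeholder
    const string SamlProvider = "YOUR_SAML_IDP_NAME";             // placeholder
    const string RedirectUri  = "https://YOUR_APP/callback";      // placeholder

    static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // code_verifier: 32 random bytes, base64url-encoded (43 chars, inside RFC 7636's 43..128 range).
    public static string NewCodeVerifier() => Base64Url(RandomNumberGenerator.GetBytes(32));

    // code_challenge = BASE64URL(SHA256(code_verifier)), method S256.
    public static string CodeChallenge(string verifier)
    {
        using var sha = SHA256.Create();
        return Base64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(verifier)));
    }

    // Step 1: send the browser here. response_type=code, not token/id_token (that would be implicit).
    public static string BuildAuthorizeUrl(string state, string codeChallenge) =>
        $"{Domain}/oauth2/authorize?response_type=code" +
        $"&client_id={Uri.EscapeDataString(ClientId)}" +
        $"&identity_provider={Uri.EscapeDataString(SamlProvider)}" +
        $"&redirect_uri={Uri.EscapeDataString(RedirectUri)}" +
        "&scope=openid+email" +
        $"&state={Uri.EscapeDataString(state)}" +
        $"&code_challenge_method=S256&code_challenge={codeChallenge}";

    // Step 2: after the callback, exchange the code. The verifier proves the same party
    // that started the flow is finishing it. The JSON reply carries access_token,
    // id_token and refresh_token.
    public static async Task<JsonDocument> ExchangeCodeAsync(HttpClient http, string code, string codeVerifier)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"]    = "authorization_code",
            ["client_id"]     = ClientId,
            ["code"]          = code,
            ["redirect_uri"]  = RedirectUri,
            ["code_verifier"] = codeVerifier,
        });
        using var resp = await http.PostAsync($"{Domain}/oauth2/token", form);
        resp.EnsureSuccessStatusCode();
        return JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
    }
}
```

The app client's Allowed OAuth Flows has to include Authorization code grant for this to work (the question has it set to Implicit grant only). Keep the verifier and the state value server-side between the two steps and reject the callback if the returned state does not match; the refresh token in the reply is a long-lived credential and should be stored accordingly.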

Azure AD with Single Page Application and ASP.Net core web api: how to access all relevant tokens?

Our application is an Angular SPA with an ASP.Net Core Web API. The identity is provided by Microsoft Identity Platform (Azure AD) and authentication is provided by the same. The authorization is done in the Web API based on "Application Roles". These "Application Roles" are held in the Azure AD directory (defined in the Application's manifest and assigned on the tenant domain to users).
The Angular SPA receives the tokens from Azure, as per these instructions. The relevant tokens that are issued are: an AccessToken for my Web API (following these instructions), an AccessToken for calling Graph API (following the same instructions) and an IdToken that includes the "Application Roles" as a roles claim (this id token seems to be included automatically once roles have been assigned).
The problem I face is that I need to pass concurrent tokens to my Web API, but with the HTTP interceptor I can only include 1 token in the request header. For example, I need the first AccessToken to prove authentication to the Web API, and I need to include the IdToken such that the Web API can perform authorization.
Q: How can I call my Web API with multiple tokens, when these tokens are all issued to the SPA and need to be included in the HTTP call to my Web API?
No matter whether you want to get Microsoft Graph data, the way you used to get the Application roles is incorrect.
An id token cannot be used to perform authorization for your Web API application. You have to use an access token. See this answer to learn about the usage of id tokens and access tokens.
So you have to use an access token rather than an id token.
In this case, you configured the app roles in the Azure AD app which represents the Angular SPA (the front end).
In fact, you should configure the app roles in the Azure AD app which represents the ASP.Net Core Web API (the backend). Then you can get the "Application Roles" as a roles claim in the AccessToken for your Web API.
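The backend side of that answer, as an added example that is not code from this thread or from Microsoft: a .NET 6 minimal Web API that validates the bearer access token minted for the API and reads app roles from its roles claim. The tenant id, the API's Application ID URI and the role value are placeholders; the appRoles fragment in the comment is the manifest shape the answer refers to.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Added example (not from the original thread). Assumes .NET 6 minimal hosting.
var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://login.microsoftonline.com/YOUR_TENANT_ID/v2.0"; // placeholder
        // Expected "aud": the API's own registration. An id token's aud is the SPA's
        // client id, so an id token sent in the Authorization header fails here; only
        // the access token the SPA requested for this API is accepted.
        options.Audience = "api://YOUR_API_CLIENT_ID"; // placeholder
        // Azure AD emits app roles in the "roles" claim; map it onto ASP.NET Core roles.
        options.TokenValidationParameters.RoleClaimType = "roles";
    });

builder.Services.AddAuthorization(options =>
{
    // The role name is the "value" of an appRole defined on the API's registration:
    //   { "allowedMemberTypes": ["User"], "value": "Reports.Read", "displayName": "...", ... }
    // Defining it on the SPA's registration instead puts it only in the id token,
    // which this API does not accept.
    options.AddPolicy("ReportsReader", p => p.RequireRole("Reports.Read")); // placeholder role
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Authentication (signature, issuer, audience) and authorization (roles claim)
// both come from the single bearer token; no second token is needed.
app.MapGet("/reports", () => Results.Ok(new { ok = true }))
   .RequireAuthorization("ReportsReader");

app.Run();
```

The SPA then requests one token with a scope on the API's registration (for example api://YOUR_API_CLIENT_ID/.default, a placeholder) and the interceptor attaches only that token. The Graph access token stays in the SPA for Graph calls and is never sent to this API.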

SAML purpose and authentication in azure AD

I have to use Azure Active Directory for authentication to my web application.
In my company it was suggested to use SAML instead of OAuth, and I am very new to SAML.
Question:
Is the purpose of SAML only to authenticate, or is there more functionality?
There are documents on using SAML in enterprise applications. So, how do I implement SAML from app registration?
SAML SSO is a form of delegated authentication. The user is authenticated at the identity provider site (e.g. Azure AD), which sends a SAML assertion containing user identity information to the service provider site. The service provider trusts this information and establishes a local authentication session for the user using the information contained in the SAML assertion. SAML assertions often contain the user's email address, but any user identity information may be included. This is the primary use case for SAML and in many instances the only one supported.
Most platforms have SAML libraries etc. available. It's strongly recommended you use one of these rather than trying to implement SAML yourself.

Use IdentityServer4 to allow Employee Login via ADFS using SAML2 and then issue a JWT

My goal is to provide an internet-facing application that can be used by both corporate employees and external users. I would have 2 ADFS instances behind an IdentityServer4 instance, one for external users and one for corporate employees.
In general all users (employees or external) should always get an OAuth2 token to call internet-facing APIs, but when there are internal calls between SAML-dependent corporate systems, the internal calls should be able to get a SAML2 token or impersonate a corporate user.
No problem with external users, using OpenID and OAuth2. The main focus is employee login via SAML2.
The setup is as below:
1. IdentityServer4 sits in the front, backed by ADFS.
2. Client applications should connect with IdentityServer4 using OpenID specs (the /connect/authorize endpoint). I know how to do that.
3. IdentityServer4 should connect to ADFS for external users via WS-Fed. I know how to get till here.
4. IdentityServer4 should connect to internal ADFS for corporate employees over SAML2. It would be nice to be able to switch between the two ADFS instances based on the user's email address. Just like on Azure you get a message: we are taking you to your employer's login page, if the user entered a known corporate email domain. This switch should happen via the IdentityServer UI though, probably mimicking the Home Realm Discovery feature.
5. IdentityServer4 should issue OAuth tokens in either case.
6. When connecting to corporate ADFS via SAML2, IdentityServer4 should receive a signed, encrypted SAML2 token response and it should then issue a regular OAuth token for external APIs.
7. Some external APIs might want to call internal corporate SAML-based APIs (only for corporate users). There must be a way to impersonate the user, get his SAML token and pass it to the corporate APIs.
If all of that makes sense,
- how can I achieve steps 5, 6 and 7?
- Is there a middleware that can exchange a SAML2 token with ADFS?
- Is it possible to just pass this SAML2 token directly to internal SAML-supporting systems?
I have never used a SAML2 token before, so I am a little lost as to what it looks like: is it something like an access token, or is it something to be built using the assertions in the ADFS response?
I know I asked a lot of questions, but everything is related. I am exploring SustainSys but haven't been able to find a way to plug it in to do what I want to do.

Identity Server 4 (with external Azure AD auth) token is not valid in Graph API

I am switching my application from Azure Active Directory authentication to authentication with Identity Server (using Azure AD as external auth). The authentication and authorization part is implemented and my web API successfully validates the token and gives me what I'm asking for.
Our application also uses external APIs, such as Graph API and SharePoint Online, which require an Azure AD token. E.g. when I go to https://graph.microsoft.com/v1.0/me from my JS application with the token that I get back from Identity Server, the Graph API response is
401
{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token validation failure.",
    "innerError": {
      "request-id": "ce7651bb-5dc4-49e9-90ff-02df440ed4ad",
      "date": "2017-08-11T08:53:12"
    }
  }
}
I expected that, because Identity Server is giving me its own token, and not passing on the existing token that is provided by Azure AD. I copied all the claims from the Azure AD token into the Identity Server token, but no change.
What would be the right approach to enable my application to continue using APIs which require an Azure AD token?
EDIT:
What I'm hoping for is this.
1. Click the login button in JS (or any other client app)
2. Redirect to the Identity Server login screen
3. Click on Azure AD external auth
4. Redirect to the Microsoft login page and enter your credentials there
5. Redirect to the Identity Server app
   a. I started Fiddler and see that "Microsoft" redirects to {IdentityServerAppUrl}/signin-aad (I suppose this is because I configured the CallbackPath property on the OpenID Connect options). This request carries a cookie idsrv.external. I'm not sure, but I think the access token from Azure AD is inside. I don't know how to decode this. I tried with base64, but it is not working.
   b. When this request is finished a redirect is made to {IdentityServerAppUrl}/account/ExternalLoginCallback. In this action method I check with the debugger all fields and data in the request but I can't find the token from AAD. I'm hoping to get the token and put it in additional claims.
6. Identity Server app redirects to the JS client app with its own token and an additional claim that contains the Azure AD token that is valid on Graph API and SharePoint.
First, I would like to locate the action method or middleware that handles {IdentityServerAppUrl}/signin-aad.
Second, is there any way to get the token from Azure AD or any other external provider inside the {IdentityServerAppUrl}/account/ExternalLoginCallback action method?
Be aware that I'm new to this kind of stuff and maybe I'm totally wrong with this thinking.
I managed to do Azure AD authentication without Identity Server, but now we have a request to have multiple external providers and I'm hoping to handle all authentication in one app. If one day I get a request to have an additional external provider, I need to add it in just one place.
You need to retrieve an access token from AAD for the Graph API; for how exactly that works, check the Microsoft documentation.
Once you have that access token, you can return it as a claim in either the IdentityServer identity or access token (depending on whether you want to make it available to your front end or back end).
You can also try that first in a simple MVC app to remove the moving parts, and once you have the AD part working, move your code to the app using the IdentityServer middleware.
I am also looking for an answer to this question. However, I think it should work a bit differently. IdentityServer gives you a JWT that you can use to authorize to the resources that make up your app, e.g. yourAPI-1 and yourAPI-2. With the JWT you can pass on the identity. Microsoft Graph is an external resource. Therefore we would need the access token from the Graph API as a claim or external resource, the same way as you'd receive an access token for an internal resource.
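How the external IdP's claims and token reach the profile service, which is what the question at the top of the page (no access to the IDP-issued token in ProfileService) and the answer just above (return the AAD access token as a claim) both come down to. This is an added C# example, not IdentityServer4's own code and not from the thread: it assumes the quickstart-style AccountController layout, an external handler registered with SaveTokens = true, and the claim-type allow-list and the claim name external_access_token as my own choices.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// Added example (not IdentityServer4's own code, not from the original thread).
public class ExternalClaimsController : Controller
{
    // Claim types from the external IdP that we are willing to copy into the local
    // session. Anything not listed is dropped rather than forwarded blindly. (assumption)
    static readonly HashSet<string> Forwarded = new HashSet<string> { "email", "name", "groups" };

    private readonly IIdentityServerInteractionService _interaction;
    public ExternalClaimsController(IIdentityServerInteractionService interaction) => _interaction = interaction;

    [HttpGet]
    public async Task<IActionResult> ExternalLoginCallback(string returnUrl = "/")
    {
        // The external handler (OpenIdConnect, WsFederation, ...) answers the
        // /signin-aad request from the question by writing this temp cookie.
        var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        if (result?.Succeeded != true) return Unauthorized();

        var external = result.Principal;
        var subject = external.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? external.FindFirst("sub")?.Value;
        if (subject is null) return Unauthorized();

        var extra = external.Claims.Where(c => Forwarded.Contains(c.Type)).ToList();

        // With SaveTokens = true the handler stores the IdP's tokens in the properties.
        // Stash the external access token as a claim so the profile service can emit it.
        var externalAccessToken = result.Properties.GetTokenValue("access_token");
        if (externalAccessToken != null)
            extra.Add(new Claim("external_access_token", externalAccessToken)); // claim name is an assumption

        // Sign in locally; AdditionalClaims become part of the session principal.
        await HttpContext.SignInAsync(new IdentityServerUser(subject) { AdditionalClaims = extra });
        await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);

        // Only follow return URLs that belong to an authorize request or are local.
        if (_interaction.IsValidReturnUrl(returnUrl) || Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return Redirect("~/");
    }
}

// context.Subject is that session principal, so the copied claims are reachable
// here even though the external token response itself is not.
public class ExternalClaimsProfileService : IProfileService
{
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Emit what the client's scopes asked for, plus the forwarded token claim.
        var claims = context.Subject.Claims
            .Where(c => context.RequestedClaimTypes.Contains(c.Type) || c.Type == "external_access_token");
        context.IssuedClaims.AddRange(claims);
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true; // replace with a lookup in your user store
        return Task.CompletedTask;
    }
}
// Registration: services.AddIdentityServer()...AddProfileService<ExternalClaimsProfileService>();
```

The forwarded AAD access token is a bearer credential in its own right, so emit it only into the IdentityServer token that actually needs it, as the answer says: the identity token if the JS client calls Graph itself, the access token if a back-end API does. Refresh of the AAD token is a separate concern; the claim carries whatever the external handler received at login.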
I would guess that there should be a way of forwarding whatever information you get from the identity provider (Azure AD) to IdentityServer for your client (JS app) to pick up. I am facing the same problem here.
There is another thread about this topic that caught my attention which I will look into. It requires to build your IdentityServer from the source with a few modifications: ASP.NET Identity (with IdentityServer4) get external resource oauth access token
I will let you know what the outcome is and push it to a git repo that you can use if it works:
