I've been setting up Single Sign On with Active Directory for our application according to this instruction:
https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/azure-active-directory/v2#register-your-app-with-azure-ad
However, after redirect to the Microsoft page i get this error:
Cannot read property 'tenant_id' of undefined
In my Auth0 Dashboard under
Monitoring > Logs
i found this error log:
{
"date": "2022-02-28T09:05:51.484Z",
"type": "f",
"description": "Cannot read property 'tenant_id' of undefined",
"connection_id": "",
"client_id": "XXXXXXX",
"client_name": "XXXXXXX (DEV)",
"ip": "195.192.198.XXX",
"user_agent": "Chrome 98.0.4758 / Mac OS X 10.15.7",
"details": {
"body": {},
"qs": {
"client_id": "XXXXXXXX",
"redirect_uri": "http://localhost:3000",
"scope": "openid profile email",
"response_type": "code",
"response_mode": "query",
"state": "WmdOOEpBTUlKTG5mQks1LjJLY3JabEwyUVBJTDZNeTdVZE1TZjNGVDhFUw==",
"nonce": "OG94dlNjbEFyUDJXcnNmeWNEamhSa1IxWHVSV08wcUxZS0tVQ3NwTjRjWA==",
"code_challenge": "8tWkNmx5qUlDVpIUCJy68B1lWwPa6qi1ZpMjq-4WZAc",
"code_challenge_method": "S256",
"auth0Client": "XXXXXXXXXX"
},
"error": {
"message": "Cannot read property 'tenant_id' of undefined",
"oauthError": "access_denied",
"type": "oauth-authorization"
},
"session_id": "7aXIltPAKa0e0vQhqyyAblzIWjmvbiy",
"riskAssessment": {
"confidence": "high",
"version": "1",
"assessments": {
"UntrustedIP": {
"confidence": "high",
"code": "not_found_on_deny_list"
},
"NewDevice": {
"confidence": "high",
"code": "initial_login"
},
"ImpossibleTravel": {
"confidence": "high",
"code": "initial_login"
}
}
}
},
"hostname": "XXXXXXX.eu.auth0.com",
"user_id": "XXXXXXXX",
"user_name": "XXXX#XXXX.com",
"audience": "https://XXXXXXX.eu.auth0.com/userinfo",
"scope": [
"openid",
"profile",
"email"
],
"auth0_client": {
"name": "auth0-react",
"version": "1.9.0"
},
"log_id": "900202202280905566349491050266127672706556666XXXXXXX",
"_id": "900202202280905566349491050266127672706556666XXXXXXX",
"isMobile": false
}
What i've been trying so far:
Created a new Auth0 account and connect the sample React Login application (https://github.com/auth0-samples/auth0-react-samples/tree/master/Sample-01) provided by Auth0 to the same Active Directory endpoint (works)
Connect our Development Auth0 account to Active Directory using the Auth0 React sample app (doesn't work)
Connect our React development application to the Active Directory Endpoint (throws error as shown above)
Playing around with different Callback URLs. Added some URLs and Routes to the existing http://localhost:3000 (doesn't work)
I think this error was caused by wrong settings in our Auth0 account since creating a new account doesn't show any problems. I also don't see any issues caused by setting up the Active Directory application.
Related
Cannot authenticate user in MS Teams Bot.
Same works in "Test in webchat" properly:
Domain added to Teams manifest properly:
{
"$schema": "https://developer.microsoft.com/en-us/json-schemas/teams/v1.15/MicrosoftTeams.schema.json",
"version": "1.0.0",
"manifestVersion": "1.15",
"id": "a0d93a07-2f63-4569-a651-cf3761859b28",
"packageName": "com.package.name",
"name": {
"short": "NewTest",
"full": ""
},
"developer": {
"name": "KUKA",
"mpnId": "",
"websiteUrl": "https://supportbotkuka.z6.web.core.windows.net/teams_ITSupport_about.html",
"privacyUrl": "https://supportbotkuka.z6.web.core.windows.net/teams_ITSupport_priv.html",
"termsOfUseUrl": "https://supportbotkuka.z6.web.core.windows.net/teams_ITSupport_terms.html"
},
"description": {
"short": "CS Logistics TEST app",
"full": "test app for CS Logistics"
},
"icons": {
"outline": "outline.png",
"color": "color.png"
},
"accentColor": "#FFFFFF",
"staticTabs": [
{
"entityId": "conversations",
"scopes": [
"personal"
]
},
{
"entityId": "about",
"scopes": [
"personal"
]
}
],
"bots": [
{
"botId": "99e82921-96c9-4ec1-83ab-bd05382abc96",
"scopes": [
"personal"
],
"isNotificationOnly": false,
"supportsCalling": false,
"supportsVideo": false,
"supportsFiles": true
}
],
"validDomains": [
"token.botframework.com"
],
"webApplicationInfo": {
"id": "1e04e5cd-88e1-4522-984d-2bba5e2d37eb",
"resource": "https://graph.microsoft.com/"
}
}
Also recreated AppService, AzureBot in Azure, and setup new Teams app with new manifest version via Developer Portal.
Installed the Teams app directly just form myself, as a personal app.
App registration redirect URIs:
Also the app registration works fine for other chatbots in our domain. Why not for this one?
Actually the only thing that needed to be changed was to add this line of code to the error handler adapter to the bot code: base.Use(new TeamsSSOTokenExchangeMiddleware(storage, configuration["ConnectionName"]));Add code to handle an access token.
And also to add method OnTeamsSigninVerifyStateAsync to Bot like in sso-quickstart sample.
I referred to this documentation to make a POST request.
Below is the error while making a POST request to create a conditional access policy
{
"message": "There was an internal server error while processing the request. Error ID: 2dbb1530-4ce6-44f5-9c63-08de28d7218a",
"innerError": {
"request-id": "2dbb1530-4ce6-44f5-9c63-08de28d7218a"
}
}
Payload being passed with the request is below:
{
"displayName": "Test Policy",
"state": "enabled",
"conditions": {
"clientAppTypes": ["modern", "browser"],
"applications": {
"includeApplications": ["None"]
},
"users": {
"includeUsers": [
"08290005-23ba-46b4-a377-b381d651a2fb"
]
},
"locations": {
"includeLocations": ["All"],
"excludeLocations": ["AllTrusted"]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": ["approvedApplication"]
}
}
I've tried using this endpoint to get a policy:
https://graph.microsoft.com/beta/{tenant_id}/conditionalAccess/policies
Which successfully returns an existing policy. However, the above POST request is not working.
The "approvedApplication" requirement only supports the iOS and Android for device platform condition. See details here.
You need to add "includePlatforms" iOS and android into the json body.
{
"displayName": "Test Policy",
"state": "enabled",
"conditions": {
"clientAppTypes": ["modern", "browser"],
"applications": {
"includeApplications": ["None"]
},
"users": {
"includeUsers": [
"08290005-23ba-46b4-a377-b381d651a2fb"
]
},
"platforms": {
"includePlatforms": [
"iOS", "android"
]
},
"locations": {
"includeLocations": ["All"],
"excludeLocations": ["AllTrusted"]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": ["approvedApplication"]
}
}
For using Microsoft Graph in our application, I need a token for a specific user. I retrieve a bearer token form Azure Active Directory, but it is missing a refresh_token. It appears that the offline_access permission is being removed from the scopes.
The body of the request I'm sending to the /token endpoint is:
{
code=*somecode*,
client_id=*my clientid*,
client_secret=*my clientsecret*,
redirect_uri=http://localhost:8080/msgraph/callback,
scope=profile Calendars.Read User.ReadBasic.All email User.Read offline_access Calendars.Read.Shared openid,
grant_type=authorization_code
}
I do not use implicit grants. The endpoint I connect to is V2.
In the App registration, I have added all the permissions from the sent scope.
In the token response, all of the requested scopes are returned, except for offline_access. The refresh_token is left empty but I do not receive any errors.
The manifest from the MSGraph administration is
{
"id": "xxxx",
"acceptMappedClaims": null,
"accessTokenAcceptedVersion": 2,
"addIns": [],
"allowPublicClient": null,
"appId": "xxxxx",
"appRoles": [],
"oauth2AllowUrlPathMatching": false,
"createdDateTime": "2018-06-07T07:53:26Z",
"groupMembershipClaims": null,
"identifierUris": [],
"informationalUrls": {
"termsOfService": null,
"support": null,
"privacy": null,
"marketing": null
},
"keyCredentials": [],
"knownClientApplications": [],
"logoUrl": null,
"logoutUrl": null,
"name": "xxxxx",
"oauth2AllowIdTokenImplicitFlow": true,
"oauth2AllowImplicitFlow": true,
"oauth2Permissions": [],
"oauth2RequirePostResponse": false,
"optionalClaims": null,
"orgRestrictions": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [
{
"customKeyIdentifier": null,
"endDate": "2099-12-31T12:00:00Z",
"keyId": "xxxxx",
"startDate": "2018-06-07T07:58:18.4289954Z",
"value": null,
"createdOn": "2018-06-07T07:58:21.1632167Z",
"hint": "gpi",
"displayName": null
}
],
"preAuthorizedApplications": [],
"publisherDomain": "xxxx.onmicrosoft.com",
"replyUrlsWithType": [
{
"url": "http://localhost:8080/msgraph/callback",
"type": "Web"
}
],
"requiredResourceAccess": [
{
"resourceAppId": "xxxxx",
"resourceAccess": [
{
"id": "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0",
"type": "Scope"
},
{
"id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
"type": "Scope"
},
{
"id": "37f7f235-527c-4136-accd-4a02d197296e",
"type": "Scope"
},
{
"id": "14dad69e-099b-42c9-810b-d002981feec1",
"type": "Scope"
},
{
"id": "465a38f9-76ea-45b9-9f34-9e8b0d4b0b42",
"type": "Scope"
},
{
"id": "2b9c4092-424d-4249-948d-b43879977640",
"type": "Scope"
},
{
"id": "570282fd-fa5c-430d-a7fd-fc8dc98a9dca",
"type": "Scope"
},
{
"id": "7b9103a5-4610-446b-9670-80643382c1fa",
"type": "Scope"
},
{
"id": "f45671fb-e0fe-4b4b-be20-3d3ce43f1bcb",
"type": "Scope"
},
{
"id": "88d21fd4-8e5a-4c32-b5e2-4a1c95f34f72",
"type": "Scope"
},
{
"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
"type": "Scope"
},
{
"id": "b340eb25-3456-403f-be2f-af7a0d370277",
"type": "Scope"
}
]
}
],
"samlMetadataUrl": null,
"signInUrl": "http://localhost:8080/",
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"tags": [
"guidedSetupCreatedOrUpdated",
"appModelVersion:2",
"accessTokenVersion:1",
"availableToOtherTenants:true",
"supportsConvergence:true"
],
"tokenEncryptionKeyId": null
}
The request body you posted above isn't in application/x-www-form-urlencoded. Since you're getting an access_token, I'm assuming this is just what you're providing to whichever library you're using to make the actual HTTP request. Just in case, the actual request body should look something like this (line breaks for readability):
grant_type=authorization_code&
code=[AUTHORIZATION CODE]&
client_id=[APPLICATION ID]&
client_secret=[PASSWORD]&
scope=[SCOPE]&
redirect_uri=[REDIRECT URI]
The values your sending looking correct to me with one exception, you shouldn't be passing prompt=consent at this stage.
The prompt parameter is used to force the user to consent during the interactive 1st phase of the flow, not when retrieving the token in the 2nd. It shouldn't result in the behavior you're experiencing but "shouldn't" and "doesn't" are often not the same thing.
If, however, you've added offline_access after the user has consented and you're only passing prompt=consent at this stage, it is possible your app has not received consent for offline_access yet. The token response will only provide scopes that have been consented.
If the user hasn't consented to one of the requested scopes, it will simply not provide that permission rather than returning an error. This allows your app to compare the scopes returned to the scopes requested and allow you to determine if you need to request a reconsent.
To understand why this is/how this works, imagine you request both User.Read.All and User.ReadBasic.All. Since User.Read.All requires Admin Consent, it is possible for a user to login to your app before administrative consent has been granted. In that case, your app may fall back to using User.ReadBasic.All as an alternative. The only difference to the user would be the data you show them would be limited (i.e. maybe your app wants to show displayName and birthday but can fall back to only displayName).
I have analyzed the response from Microsoft today and now it contains the refresh_token! It seems that the is some delay since it did'nt work thursday but works now on monday.
The returned scope in the response still doesn't contain offline_access but the refresh_token parameter is now deliverd.
Thanks for your contributions!
I'm trying SCIM 2.0 provisioning with Azure AD
As premise, I have SCIM a server for my product and I'm implementing PATCH endpoints for use with Okta and Microsoft Azure AD.
I'm done testing with Okta, so I'm trying with Azure AD now.
I read this post active-directory-scim-provisioning and the SCIM 2.0 Specification Section 3.5.2.
I set up an enterprise application on our Azure AD with the following mapping
Then, Azure AD sends the following JSON POST request to create users assigned to the application to my server:
POST:
{
"active": true,
"displayName": "$DISPLAY_NAME",
"emails": [
{
"primary": true,
"type": "work",
"value": "$EMAIL"
}
],
"externalId": "$EXTERNAL_ID",
"meta": {
"resourceType": "User"
},
"name": {
"formatted": "$FORMATTED"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"userName": "$USER_NAME"
}
I can process the POST request correctly, but I am unable to consume the PATCH request from Azure AD.
PATCH:
{
"Operations": [
{
"op": "Replace",
"path": "name.givenName",
"value": [
{
"$ref": null,
"value": "$VALUE"
}
]
},
{
"op": "Replace",
"path": "name.familyName",
"value": [
{
"$ref": null,
"value": "$VALUE"
}
]
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}
Is it correct (according to the specification) that the value attribute is of type Array, even if the target is a single-valued attribute? Is the use of the $ref attribute correct in this case?
Or did I misunderstand the specification?
They have fixed it Dec 18 2018 :)
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-provisioning-config-problem-scim-compatibility
They made a mistake on the value implementation for non-complex objects. You can read more about it here https://social.msdn.microsoft.com/Forums/lync/en-US/e2200b69-4333-41ea-9f51-717d316c7751/automatic-user-provisioning-scim-restful-patch-payload-issue?forum=WindowsAzureAD
I have the following manifest.json:
{
"manifest_version": 2,
"name": "Application Name",
"version": "1.0",
"description": "blah blah blah",
"icons": {
"48": "icons/icon-48.png",
"96": "icons/icon-96.png"
},
"permissions": [
"activeTab",
"tabs",
"history",
"storage"
],
"browser_action": {
"default_icon": "icons/icon-32.png",
"default_title": "Title",
"default_popup": "popup/popup.html"
},
"content_scripts": [{
"matches": [
"<all_urls>"
],
"js": [
"content_scripts/script1.js",
"content_scripts/script2.js"
]
}]
}
I have access to the the storage API (browser.storage is defined) in my content scripts, but both the history and tabs APIs (browser.tabs and browser.history) are undefined. Am I missing something in the manifest to get access to these permissions?
One of the few WebExtensions APIs that is available for content scripts is browser.storage. Most WebExtensions APIs can only be accessed when using a background script. Using message passing you can still call those APIs (what you do is basically calling a function in the background script from within the content script). Please see the example on this page: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/runtime/sendMessage
See also Firefox WebExtention API: TypeError: browser.browserAction is undefined for a similar problem.