I have developed SPFX application with Azure AD SSO is enabled. It is also connecting to web api using bearer token generated using ADAL OAuth2 implicit flow along with SPFX SSO access token. This is working fine.
I want to test the webapi using Postman. Currently i am copying bearer token from developer tool of browser and send it in header to connect webapi.
I want to automate the above 2 steps, so that i can do automate user testing scenario.
1.Generate AZURE AD SSO access token from C#/postman by passing user credentials. (Postman/React/C#)
2.Generate bearer token using Access Token generated from step-1.(Postman/React/C#).
I want to automate the above steps using Postman/C#/angular/react.
Kindly provide me the detailed steps to achieve the above scenario for testing.
Suresh Rajamani
I have tested in my environment.
Open Postman --> Create a new request --> Go to Authorization --> Select Type as OAuth 2.0 --> Under Configure New Token, fill the details :
Token Name : give the token name
Grant Type : Implicit
Callback URL : redirect uri of your app registration
Auth URL : https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Client ID : Client ID of your app registration
Scope : add scope as per the permissions required. For ex: https://graph.microsoft.com/mail.read, for reading mails
Client Authentication : send as Basic Auth Header
Click on Get New Access Token and login with user credentials and give consent. A new Bearer Token will be generated
Click on Use Token. Now we can make any requests using that token.
Related
I have a Web API that used basic authorization to access the Web API from front end. So we used to pass Authorization header from Frontend Application that contains user login and password in encrypted form and sent to WEB API, where we read authorization header and fetch user login details(UserName, Password) and validate user credentials from Active directory.
Now we are implementing Azure AD integration and we are not able to send user password in Authorization header. So API fails to validate user credentials and it break the flow. Also I am getting httpcontext.current.user as null.see below code
public class UserdataController : ApiController
{
private readonly KMMContext db = new KMMContext(HttpContext.Current?.User?.Identity?.Name ?? "");
You'll need to use MSAL.
A good starting point is here https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-overview
Some examples can also be found here. This one is for a javascript/nodejs client since it was not mentioned which frontend framework was used.
https://github.com/Azure-Samples/active-directory-javascript-nodejs-webapi-v2
Basically your WebAPI will now be receiving a JWT token instead of the user credentials.
When accessing /.auth/me, one app has the access_token in the correct JWT format, but in the other app it's not in JWT format.
This is the valid JWT one: eyJ0eXAiOiJKV1QiLCJu...eyJhdWQiOiJodHRwczov...B84ciSKwF2oOre5n
This is the non-JWT one: PAQABAAAAAAD--DLA3VO7QrddgJg7WevrTLy
The configuration for both apps appear to be identical.
Any idea how to fix the second app to also show JWT access token?
Usually when the authentication flow configuration has not included resource
as one of the parameter, the access token does not have form of a (
JSON Web Token)JWT token token format.
Please try to include resource with your application Id Uri or
resource that your application requires . To find the App ID URI, in
the Azure portal, click Azure Active Directory, click App
registrations, click the service application, and then click Settings
and Properties.
Also set the clientId and client secret in the request.
In other cases just to access the app service you could use id_token or Bearer as response_type in authorization header as Authorization:Bearer "{your-id-token}".
Reference:Oauth 2.0 grant credentials ,Access token request | Microsoft Docs
You can make use of azure resource explorer to edit the properties of the app service auth to include the resource if not already included. See resource provider and types
To get an access token, please try to set the resource using the Azure Resource Explorer.
Navigate to the Resource Explorer from the App Service.
Go to config > authsettings and click on Edit.
Update the additionalLoginParams with ["resource=<Name/ID of the resource>"] and click on PUT.
For example:
“additionalLoginParams”: [
“resource=https://graph.microsoft.com ”
]
Then by saving changes and refreshing the App Service, try again and check that the value for the access token is in the form of a JWT token or not.
Is is possible to obtain an AAD token in Postman by letting the user to Sign In using the standard AAD sign in form?
I know how to obtain token using the request to AAD (grant_type = client_credentials) but such a token does not have a UPN (user identity).
I would like to somehow type in my credentials in Postman and get the token. So it is a manual interaction, the user(me) needs to manually sign in - the same way how ie. Visual Studio verifies your identity.
Postman now offers the ability to "Authorize using browser." You'll need to make changes to your AAD application to support it in addition to configuring Postman.
Configure your AAD application
Add a redirect URI to your AAD application for Postman to receive the authorization code. In the AAD Portal, navigate to your app registration, then to the "Authentication" tab, then add https://oauth.pstmn.io/v1/callback as a new redirect URI. This URI was provided by Postman when you check the ✅ Authorize using browser box (below) and is also documented on their website.
Configure Postman
You can set this up under "Authorization" for a single request, a folder of requests, or a Collection. Open the "Authorization" tab and select OAuth 2.0. Under the "Configure New Token" section, enter the following information:
Token Name: anything you want. I chose the name of the AAD application.
Grant Type: Authorization Code (With PKCE)
Callback URL: check the ✅ Authorize using browser box
Auth URL: copy this from the AAD portal under Overview > Endpoints (on top bar) > OAuth 2.0 authorization endpoint (v2). Mine looks like https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize
Access token URL: copy this from the AAD portal under Overview > Endpoints (on top bar) > OAuth 2.0 token endpoint (v2). Mine looks like https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
Client ID: copy this from the AAD portal under Overview. It's also commonly referred to as an "Application ID" and is a GUID.
Client Secret: leave blank (not used by this grant type)
Code Challenge Method: SHA-256
Code Verifier: leave blank or provide your own
Scope: the scopes you're requesting in your token, separated by spaces
State: leave blank or provide a value such as a random GUID.
Client Authentication: Send as Basic Auth Header (not used by this grant type)
Refer to Postman's documentation on OAuth 2.0 options for more information.
Get a token
Click Get New Access Token to open the auth flow in your machine's default web browser. After authentication, it should redirect back to the Postman application and a new token will be created with the name you provided earlier for "Token Name." Select "Use Token" in the top-right corner of the popup to copy it into your current token. If the token expires and your requests start failing authorization (probably a 401 or 403 error), you can revisit this tab and get a new access token.
Occasionally, you may want to visit Current Token > Access Token > Manage Tokens > Delete > Expired tokens, otherwise you'll be inundated with nearly-identical tokens.
Postman cannot popup the sign in page as it only does HTTP requests. As you stated, it can do confidential client flows.
What you could do is hand-construct an auth request, sign in, and grab the auth code. Then take that auth code and drop it into the Postman authorization form, and let it hit the Azure AD token endpoint:
https://login.microsoftonline.com/common/oauth2/v2.0/token
The Azure AD protocol referene will be super helpful for you.
I think if you're wanting to quickly generate Access Tokens your best bet is to pick a framework/language and build a lightweight app that gets and logs tokens. Azure AD has a Python Flask sample for the v2 endpoint that takes 5 minutes to setup and could be converted to printing out access tokens. If you want to use v1, you can checkout the list of samples at the Azure AD developer guide.
We have a successful implementation of SSO with Okta as the IdP and an external PHP site as a SP. We are currently utilizing the Okta Sign On Widget which sends our PHP SP a SAML2 Token.
Question is, can we now change from the widget to the API and still get the SAML 2 token on successful login via the API?
So, Since posting this I figured out that - 'yes you can'. I don't know if this is the cleanest/best way but it works and here is how to do it in case anyone else gets stuck looking into this issue...
Already having SAML2 communication working between Okta as IdP and
PHP site as SP.
Create an API access token in Okta.
Use the access token to post a request for a one-time use token from
the API for a specific user you want to login as:
http://developer.okta.com/docs/api/resources/sessions.html
Redirect the user with the retrieved one-time session token to your
App's embed link with the one-time session token:
http://developer.okta.com/docs/examples/session_cookie.html#retrieving-a-session-cookie-by-visiting-an-application-embed-link
This will log the user into Okta to get a proper session we can then
use to send to our PHP end-point to get the SAML2 token we want but
while utilizing the full customization benefits of the API.
I'm trying to implement two factor authentication via spring oauth2.
Details:
Server side - REST
UI - angular
Oauth2 settings:
few in memory clients, one for ui
"grant_type" is password
token default (bearer)
path to token default (/oauth/token)
How do I see it:
1) I'm getting token via user/client details with role PRE_AUTH
2) Listen success authentication and send sms to authenticated user
3) Based on token and code from sms, generate new token or enhance old with 2FA role.
So, I have problem with 3-rd item.
I can't get access to oauth/token with Authentication bearer...
Could I enhance token and what about refresh_token will it enhance too?
Where I should add filter for generate/enhance token?
Maybe you have other ideas how to implement it? I would be glad to hear them.