Add displayName or ApplicationID URI as a Client Credentials claim - azure-active-directory

I have what I hope is a fairly straightforward question:
I'm using the Azure AD (brand new to it) client credentials flow. I want to add the displayName or Application ID URI as a claim in the access_token, as I want a human-readable client_id for logging.
This started because the subject (sub) is the uuid of the client and is immutable (best I can tell). Sure, no worries, so instead I just want to add another claim to the access_token with the displayName or the Application ID URI of the client. I want to use this for logging purposes. I have clicked through most of the Azure AD docs, Stack Overflow, Google, etc., but it appears my question is too specific, so I can't find it.
I looked through the optional claims, but these seem focused on the user's info (I have no users; this is all service to service).
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
Am I overlooking something obvious here?
Thanks!
Here are the claims in the token; I have redacted them as much as possible.
POST: https://login.windows.net/00000002-0000-0000-c000-000000000000/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
Body: client_id, client_secret, scope
{
  "header": {
    "alg": "RS256",
    "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
    "typ": "JWT",
    "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
  },
  "payload": {
    "aud": "test-audience",
    "iss": "https://sts.windows.net/00000002-0000-0000-c000-000000000000/",
    "iat": 1614866520,
    "nbf": 1614866520,
    "exp": 1614870420,
    "aio": "<snip>",
    "appid": "6644659a-0000-0000-c000-000000000000",
    "appidacr": "1",
    "idp": "https://sts.windows.net/00000002-0000-0000-c000-000000000000/",
    "oid": "<snip>",
    "rh": "0.AAAA<snip>",
    "roles": [
      "test-role"
    ],
    "sub": "01b32d39-0000-0000-c000-000000000000",
    "tid": "00000002-0000-0000-c000-000000000000",
    "uti": "<snip>",
    "ver": "1.0"
  }
}

The displayName claim is included in the access token by default.
It is app_displayname. There is another claim named appid, which is the client_id of the app registration, also in the access token by default.
This document shows the appid claim.
Although it doesn't mention the app_displayname claim, you can decode your access token at https://jwt.io to find it.
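An added Python example, not code from the question or the answer: it decodes the payload of a v1.0 access token shaped like the one pasted above and picks out the caller fields worth logging, keeping appid next to app_displayname because the display name can be edited in the app registration while appid cannot. The token here is a constructed, unsigned sample, so the decoder only reads claims; a real service verifies the signature and issuer before it trusts any of them.

```python
import base64
import json

# Constructed sample payload modelled on the v1.0 token in the question;
# app_displayname is the human-readable claim the answer points to.
SAMPLE_PAYLOAD = {
    "aud": "test-audience",
    "iss": "https://sts.windows.net/00000002-0000-0000-c000-000000000000/",
    "appid": "6644659a-0000-0000-c000-000000000000",
    "app_displayname": "billing-worker",  # constructed value
    "sub": "01b32d39-0000-0000-c000-000000000000",
    "tid": "00000002-0000-0000-c000-000000000000",
    "ver": "1.0",
}

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_unsigned_sample_token(payload: dict) -> str:
    """header.payload.signature with a placeholder signature (test data only)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     "placeholder-signature"])

def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWS; does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def caller_identity(claims: dict) -> dict:
    """Fields to log for a client-credentials caller.

    v1.0 tokens carry appid and app_displayname; v2.0 tokens name the
    client id 'azp' and do not carry app_displayname by default.
    """
    return {
        "app_id": claims.get("appid") or claims.get("azp"),
        "app_name": claims.get("app_displayname"),
        "sub": claims.get("sub"),
        "tenant": claims.get("tid"),
        "version": claims.get("ver"),
    }
```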

Related

PATCH request with operator "Remove" not getting sent when removing a member from a group

I am looking into Azure AD SCIM provisioning and I have a question I am hoping I could get some help on. My use case is as follows:
1. I created a group in Azure AD and added "John Smith" and "Jane Smith" as members to it.
2. I went over to my non-gallery application, added the group created above to my application and triggered an on-demand provisioning.
3. Both "John Smith" and "Jane Smith" were successfully created in my local database.
4. I removed "John Smith" from my group and triggered an on-demand provisioning again.
My expectation was that the following PATCH request would be sent by Azure AD:
{
  "Operations": [
    {
      "op": "Remove",
      "path": "members",
      "value": "john-smith-id"
    }
  ]
}
but instead Azure AD sends a PATCH request to /Users with the following body:
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "Add",
      "path": "displayName",
      "value": "John Smith"
    }
  ]
}
and another PATCH request to /Groups with the following body:
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "Add",
      "path": "externalId",
      "value": "some-guid"
    }
  ]
}
Is this correct? I feel like I am messing something up when removing the member from the group, which isn't triggering the desired PATCH request.
After step #4, I would recommend checking if the user has successfully been removed from the group.
Also, make sure that you're using the right rule ID in the on-demand provisioning request. One easy way to do this is to try it through the UI and look at the network traffic (Ctrl+Shift+I).
The rule ID can be found in the schema.
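An added Python example, not code from the question or the answer: a SCIM 2.0 PatchOp applier for a group resource on the provisioning-target side, covering the shapes the thread discusses (the capitalised "Add"/"Remove" ops Azure AD sends, membership removal via either a "members" path with a value list or the RFC 7644 filter path members[value eq "id"], and simple attribute ops such as displayName and externalId). The group record and ids are constructed sample data.

```python
import re

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# RFC 7644 filter path form for a single member, e.g. members[value eq "abc"].
_MEMBER_FILTER = re.compile(r'members\[value eq "([^"]+)"\]', re.IGNORECASE)

def _member_ids(value) -> set:
    """Accept a bare id, a list of ids, or a list of {"value": id} objects."""
    if isinstance(value, str):
        return {value}
    return {v["value"] if isinstance(v, dict) else v for v in value}

def apply_group_patch(group: dict, patch: dict) -> dict:
    """Apply a SCIM 2.0 PatchOp to a group and return the new state (input untouched)."""
    if PATCH_OP_SCHEMA not in patch.get("schemas", []):
        raise ValueError("body is not a SCIM 2.0 PatchOp")
    result = dict(group)
    members = {m["value"] for m in group.get("members", [])}
    for op in patch.get("Operations", []):
        kind = op["op"].lower()  # Azure AD sends "Add"/"Remove"; RFC 7644 uses lowercase
        path = op.get("path", "")
        filtered = _MEMBER_FILTER.fullmatch(path)
        if filtered:  # members[value eq "id"] form
            if kind == "remove":
                members.discard(filtered.group(1))
            continue
        if path.lower() == "members":
            ids = _member_ids(op.get("value", []))
            if kind == "add":
                members |= ids
            elif kind == "remove":
                members -= ids
            elif kind == "replace":
                members = ids
        elif kind in ("add", "replace"):  # simple attribute such as displayName, externalId
            result[path] = op["value"]
        elif kind == "remove":
            result.pop(path, None)
    result["members"] = [{"value": m} for m in sorted(members)]
    return result

# Constructed sample: the group from the question with both users present.
SAMPLE_GROUP = {
    "id": "group-1",
    "displayName": "Sales",
    "members": [{"value": "john-smith-id"}, {"value": "jane-smith-id"}],
}
```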

AADSTS70003: The app requested an unsupported grant type 'client_credential'

I am actually testing the call of the Graph API from Postman in order to get access to Active Directory information.
I have followed the steps mentioned in this ticket:
How to call azure graph api
When posting the request in order to get my token ID as explained in the link above, I get the error below:
{
  "error": "unsupported_grant_type",
  "error_description": "AADSTS70003: The app requested an unsupported grant type 'client_credential'.\r\nTrace ID: 0cdad91b-0ba8-4310-92d4-f0aff8bb1d00\r\nCorrelation ID: fdf416d6-eb81-4a5c-9577-af9d9f28fab0\r\nTimestamp: 2020-04-28 13:27:04Z",
  "error_codes": [
    70003
  ],
  "timestamp": "2020-04-28 13:27:04Z",
  "trace_id": "0cdad91b-0ba8-4310-92d4-f0aff8bb1d00",
  "correlation_id": "fdf416d6-eb81-4a5c-9577-af9d9f28fab0"
}
Any idea how to solve it and what could be wrong?
Regards
This looks like a typo.
Please confirm grant_type is set to client_credentials.

AAD group delta query does not return members@delta anymore?

I have a client application leveraging Microsoft Graph to get incremental changes for a certain AAD Group.
My BVT caught an issue, and when I debugged I found the Graph request no longer returns the members@delta collection, so the app did not receive any group membership changes.
Request:
https://graph.microsoft.com/v1.0/groups/delta?$expand=members&$select=id,displayName,mailNickName,onPremisesSecurityIdentifier,groupTypes,securityEnabled&$filter=id eq '9f63ad39-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx'
Response:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups(id,displayName,mailNickname,onPremisesSecurityIdentifier,groupTypes,securityEnabled,members())",
  "@odata.nextLink": "https://graph.microsoft.com/v1.0/groups/delta?$skiptoken=duo2tEVrL.............................-Ay-zlyuo2tEVrLOUh0PUTdXM",
  "value": [
    {
      "displayName": "TestGroup-OneUser",
      "mailNickname": "9a234b7e8ad-3",
      "securityEnabled": true,
      "id": "9f63ad39-xxxx-xxxx-xxxx-xxxxxxxxxx",
      "members@delta": [
        {
          "@odata.type": "#microsoft.graph.user",
          "id": "18e2a00c-xxxx-xxxx-a9a9-xxxxxxxxxxxxx"
        }
      ]
    }
  ]
}
Any idea what has changed?
You should add members to $select and change the request like this:
https://graph.microsoft.com/v1.0/groups/delta?$select=id,displayName,members&$filter=id eq '1068699c-044b-4846-b45a-4137e06a7ca2'
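An added Python example, not code from the question or the answer: it builds the delta request the way the answer recommends (members in $select rather than $expand) and splits a response page's members@delta collection into joined and removed member ids, treating entries that carry the Graph "@removed" annotation as removals. The response page is constructed sample data modelled on the one above; the client that fetches pages and stores the deltaLink is assumed to exist around it.

```python
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"

def group_delta_url(group_id: str, *extra_fields: str) -> str:
    """Delta request with members inside $select, as the answer recommends."""
    select = ["id", "displayName", "members", *extra_fields]
    params = {"$select": ",".join(select), "$filter": f"id eq '{group_id}'"}
    return f"{GRAPH}/groups/delta?{urlencode(params)}"

def membership_changes(page: dict) -> dict:
    """Split each group's members@delta into added and removed member ids.

    Removed members carry an '@removed' annotation; everything else is a join.
    Also returns the link to follow next (nextLink while paging, deltaLink at the end).
    """
    changes = {}
    for group in page.get("value", []):
        added, removed = [], []
        for m in group.get("members@delta", []):
            (removed if "@removed" in m else added).append(m["id"])
        changes[group["id"]] = {"added": added, "removed": removed}
    return {
        "groups": changes,
        "next": page.get("@odata.nextLink") or page.get("@odata.deltaLink"),
    }

# Constructed sample response with one join and one leave in the same group.
SAMPLE_PAGE = {
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups(id,displayName,members())",
    "@odata.deltaLink": "https://graph.microsoft.com/v1.0/groups/delta?$deltatoken=constructed-token",
    "value": [
        {
            "id": "9f63ad39-0000-0000-0000-000000000000",
            "displayName": "TestGroup-OneUser",
            "members@delta": [
                {"@odata.type": "#microsoft.graph.user", "id": "user-a"},
                {"@odata.type": "#microsoft.graph.user", "id": "user-b", "@removed": {"reason": "deleted"}},
            ],
        }
    ],
}
```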

Invalid redirect_uri: http://localhost:5001/signin-oidc

I developed my IdentityServer using the netcoreapp1.1 framework, IdentityServer4 version 1.52. With a console client the connection works fine, but with an MVC client on netcoreapp2.0 the logs show me:
error: IdentityServer4.Validation.AuthorizeRequestValidator [0] Redirect_uri inválido: http://localhost:5001/signin-oidc --code omitted-- error: IdentityServer4.Endpoints.AuthorizeEndpoint [0] Request validation error
I did the steps that are in api access hybrid but I still have the same problem for the client I am working on in the mvc-hybrid for an ASP.NET Core 2 application, without success. Something that stands out is that the AllowedRedirectUris parameter is empty.
fail: IdentityServer4.Validation.AuthorizeRequestValidator[0] Invalid redirect_uri: http://localhost:5001/signin-oidc { "ClientId": "client-hugo", "RedirectUri": "http://localhost:5001/signin-oidc", "AllowedRedirectUris": [], "SubjectId": "anonymous", "RequestedScopes": "", "Raw": { "client_id": "client-hugo", "redirect_uri": "http://localhost:5001/signin-oidc", "response_type": "code id_token", "scope": "openid profile email api-alumnos offline_access", "response_mode": "form_post", "nonce": "636412201009966900.ZDNmYjdmZWMtNWNlMS00ZDQyLWIxMjMtNWIzYTM4M2FhZmRhMmMxZGE2ZDUtM2M0MS00ZThiLTk4M2ItNDk2NGQ5YmZlODFj", "state": "CfDJ8J0brcCMivFPtUfbYRpOjISliA92IArZsJS1dmagQ9jYdvpmVj2ABROstPNhJyCWx8q4SntL6PXRubMgGqeUfdqWF0mNRAYifGy8OuEPZSQT295vWVfyN5gGhuvB6jQ043D14yUPLwkhS29IYfMoiliLQGatygTVnGMVJ7Bo-aV7FJcpHit-9b3RHRyaHiE0tToZdP8NxJInJ4vthIlXw1rgLjOmSqPxeN9KDfLgWrpki7XoBLkmV2K7px_GWp0ebaitkxnXTzDPg82M-nRJWfYLAXJ1nGvoZLD3GIXqFV22hDm0wmygbmRaMKezwZmHY12qr2pwa1N22aifJTZFzPY", "x-client-SKU": "ID_NET", "x-client-ver": "2.1.4.0" } } fail: IdentityServer4.Endpoints.AuthorizeEndpoint[0] Request validation failed
What do you recommend I do?
If you are using IdentityServer 4, check your ClientRedirectUris table to see if your client has permission to redirect to your URL. If not, add a new entry.
The following figure shows the table:
Make sure your mvc client is running on http://localhost:5001
I was forced to change the URL from http://localhost:5001/clientA to http://localhost:5001 in the hosting.json file. Otherwise I needed to use the UsePathBase middleware, which messes up the redirect URL since it always adds the path to each incoming request.

Interface Between Google Sign-in and MailKit

I am writing an app in WPF (Windows 10 desktop) that should include a component where the user can download message headers and messages from Gmail.
I am trying to use MailKit to interface with Gmail via a secure connection (without having to turn on "allow less-secure apps" for Gmail) and download messages with POP3. I am a bit confused as to the proper procedure.
FYI: I know next to nothing about OAuth and TLS, so KISS please.
I have created and downloaded a JSON file for OAuth 2.0 from Google.
I have visited the FAQ for MailKit, and the following section seems relevant, but I'm not sure as to what I should plug in to the interface. (Please see the code below.)
For "password", would that be the password for the account?
I'm not sure as to what to give for "your-developer-id@developer.gserviceaccount.com".
.........................................................
https://github.com/jstedfast/MailKit/blob/master/FAQ.md#ProtocolLog
.........................................................
From the Q & A:
How can I log in to a GMail account using OAuth 2.0?
The first thing you need to do is follow Google's instructions for obtaining OAuth 2.0 credentials for your application.
Once you've done that, the easiest way to obtain an access token is to use Google's Google.Apis.Auth library:
// namespaces the snippet relies on
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using Google.Apis.Auth.OAuth2;
using MailKit.Net.Imap;

var certificate = new X509Certificate2 (@"C:\path\to\certificate.p12", "password",
    X509KeyStorageFlags.Exportable);
var credential = new ServiceAccountCredential (new ServiceAccountCredential
    .Initializer ("your-developer-id@developer.gserviceaccount.com") {
        // Note: other scopes can be found here: [links]
        Scopes = new[] { "https://mail.google.com/" },
        User = "username@gmail.com"
    }.FromCertificate (certificate));
bool result = await credential.RequestAccessTokenAsync (CancellationToken.None);
// Note: result will be true if the access token was received successfully
// Now that you have an access token (credential.Token.AccessToken), you can
// use it with MailKit as if it were the password:
using (var client = new ImapClient ()) {
    client.Connect ("imap.gmail.com", 993, true);
    // use the access token as the password string
    client.Authenticate ("username@gmail.com", credential.Token.AccessToken);
}
My next question: Would the user be able to access their own account(s) with my app without having to follow the same procedure?
IOW: Will the credentials that I've downloaded work for any account, or allow access only to the account from which the credentials were created?
If the credentials are only good for my own account, then I'll have to do something else.
Would Google Sign-In be a better approach?
I've downloaded the example code for .NET from Google:
https://github.com/googlesamples/oauth-apps-for-windows
I've built and ran "OAuthConsoleApp", as well as "OAuthDesktopApp".
It would seem that I am getting a secure connection from those, as I have gotten the following output:
.........................................................
redirect URI: http://127.0.0.1:64003/
Listening..
Authorization code: qwerty ...
Exchanging code for tokens...
Send the request ...
GetRequestStream ...
await stream.WriteAsync ...
Get the response ...
responseText ...
{
"access_token": "qwerty ...",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "qwerty ...",
"id_token": "qwerty ..."
}
Making API Call to Userinfo...
+++ userinfoResponseText : {
"sub": "117108120545711995673",
"name": "My Name",
"given_name": "My",
"family_name": "Name",
"picture": "qwerty ...",
"locale": "en"
}
.....................................................
I see that I have an "access_token" in the response and I thought that I could plug that in to the "client.Authenticate" method for MailKit as the password (as mentioned in the docs for MailKit):
string access_token = tokenEndpointDecoded["access_token"];
client.Connect ("pop.gmail.com", 995, SecureSocketOptions.SslOnConnect);
client.Authenticate ("username@gmail.com", access_token);
It threw an exception:
.....................................................
"POP3 server did not respond with a +OK response to the AUTH command."
at MailKit.Net.Pop3.Pop3Client.Authenticate(Encoding encoding,
ICredentials credentials, CancellationToken cancellationToken)
at MailKit.MailService.Authenticate(String userName, String
password, CancellationToken cancellationToken)
at
NS_MailKit_01.Pop3.cls_mailKit_Pop3_01.connect_and_authenticate(Object
p3_client, String p_access_token)
in :\Software_Develpoment_Sys_03_K\MIME_EMail\TEST_02\Mail_Kit_01\MailKit_01.cs:line
465
at
LIB1_01_G_Mail_Auth.cls_G_mail_authorization.str_token_NTRF.invoke_access_token(String
p_access_token)
in K:\Software_Develpoment_Sys_03_K\MIME_EMail\TEST_02\OAuth\oauth-apps-for-windows\OAuthConsoleApp\LIB1_01_G_Mail_Auth\G_Mail_Auth_01.cs:
line 95
at
LIB1_01_G_Mail_Auth.cls_G_mail_authorization.d__13.MoveNext()
in K:\Software_Develpoment_Sys_03_K\MIME_EMail\TEST_02\OAuth\oauth-apps-for-windows\OAuthConsoleApp\LIB1_01_G_Mail_Auth\G_Mail_Auth_01.cs:line
343
.....................................................
Does anyone know how I could get a "credential" object from the Google interface that I could use with MailKit?
Any help would be appreciated.
Thanks!
For "password", would that be the password for the account?
No. It would be the password for your PKCS12 file containing your X.509 Certificate and your private key.
I'm not sure as to what to give for "your-developer-id@developer.gserviceaccount.com".
You need to register yourself and your application with Google's Developer program which will give you a developer id to use. You need to follow their directions.
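An added Python example, not MailKit code and not from the thread: it shows what MailKit actually sends when Authenticate() is handed an access token instead of a password, namely the SASL XOAUTH2 initial client response that follows AUTH XOAUTH2 on Gmail's POP3 and IMAP ports, plus the inverse for reading one back out of a protocol log. The user and token values are constructed placeholders; Gmail only accepts a real token that was issued for the https://mail.google.com/ scope requested in the FAQ snippet above.

```python
import base64

def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Base64 SASL XOAUTH2 client response sent after AUTH XOAUTH2.

    Wire format: 'user=<addr>\\x01auth=Bearer <token>\\x01\\x01'. MailKit builds
    this itself when Authenticate() is given an OAuth token as the password.
    """
    if "\x01" in user or "\x01" in access_token:
        raise ValueError("control separator not allowed in user or token")
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def parse_xoauth2_initial_response(encoded: str) -> dict:
    """Inverse of the above, for reading the exchange back out of a protocol log."""
    raw = base64.b64decode(encoded).decode("utf-8")
    if not raw.endswith("\x01\x01"):
        raise ValueError("malformed XOAUTH2 response")
    fields = dict(part.split("=", 1) for part in raw[:-2].split("\x01"))
    auth = fields.get("auth", "")
    if not auth.startswith("Bearer "):
        raise ValueError("auth field is not a Bearer token")
    return {"user": fields["user"], "token": auth[len("Bearer "):]}

# Constructed values: a placeholder token that no server would accept.
SAMPLE_USER = "username@gmail.com"
SAMPLE_TOKEN = "constructed-access-token"
```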
