I'm trying to use one AAD App-Registration for both, a Web-API and a WPF Client APP. I've managed to configure the App-Registration correctly for my Web-API, but now I want to add a Native-Client APP to the same Registration, where a WEB-Registration is allready set up.
It works for me if I'm using only one of them, so if i register only the Web App it works. The same is true for the Native-Client App.
So I'm wondering if it is possible to combine those two and only use one App-Registration.
This is the error I get when trying to acquire a token with both registrations:
MSAL.NetCore.4.25.0.0.MsalServiceException:
ErrorCode: invalid_client
Microsoft.Identity.Client.MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details.
You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details.
Original exception: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
Thank you in advance.
Use one AAD App Registration for both is not recommended although it seems to be able to meet your identity authentication needs. But generally we will need to use app roles or some other configurations, it will be very confusing in this case. It's recommended to use 2 app registrations.
The AADSTS7000218 error means you didn't put client_secret.
Related
I'm currently trying to integrate with Azure AD using the admin consent flow.
I've set up an app in our domain, set a few permissions on it and am then navigating to the following link:
https://login.microsoftonline.com/mytestdomain.onmicrosoft.com/oauth2/authorize?client_id=12345678-1234-1234-1234-123456789012&response_type=code&redirect_uri=http://example.com/responsehandler&resource=12345678-1234-1234-1234-123456789012&prompt=admin_consent&state=12345
(Some of the values here have been swapped out for "example" values)
When I navigate there I get asked to sign in, which I do using a different test domain into which I want to import the app.
After signing in I'm shown a list of all the permissions that the app needs (which appear to be correct), I click accept but then I get the following error:
AADSTS90002: Requested tenant identifier '00000000-0000-0000-0000-000000000000' is not valid. Tenant identifiers may not be an empty GUID.
I'm not sure where this empty GUID is coming from and after some searching I can't find any reference to what might be causing it.
Daniel Camargo's comment above seems to have done the trick.
When I navigated to the login.microsoftonline.com link I was logging in with the user that created the domain.
If I log in with a test admin user that I created it works as I'd want.
I am not convinced that we had exactly the same problem, given that my case was involving a Cordova application, but I will share my scenario anyway:
I created a trial account for my proof of concept and for that I used my personal Microsoft account that I will call mypersonalaccount#outlook.com.
Thus, mypersonalaccount#outlook.com is now part of 2 directories: the outlook.com and my recently created mypersonalaccount.onmicrosoft.com.
When I was trying to authenticate in my Oauth2 application using mypersonalaccount#outlook.com I got that error. My humble guess is that the error is related to some sort of collision between the 2 accounts.
I later created a user1#mypersonalaccount.onmicrosoft.com and a guest account using my gmail account. Everything worked fine with these ones.
Was having the same problem, and the same after 1 week of work by the azure team, was solved.
My problem was being trying to log in to VSTS with AAD accounts.
This sounds like a popular scenario, but I can't find direct answer nowhere...
I want to plot Analytics data in my app's admin area.
This area is used by multiple users of the company, and they have to authenticate to access this area. I plan to use GA service account, but 'browser-key/domain' option seems only available for public api.
Can I use server auth (through node API), get the token, and pass it to user while logging in? Will the token be valid? Can I have multiple valid tokens simultaneously for all the users?
Or maybe there is some other way to do it?
Okay, I've tested it myself and the answer is:
YES, you get universal (max 60min) token with every request - so you can have many of them, and dispose to you client-side apps as needed.
I have now embedApi widget in my Angular.js dashboard for every user, without login.
I have created Web Tab in salesforce with url of my application. When someone opens that tab and my application gets call, How can I make sure where user who opened it is authorized?
I know I can pass {!User.Email} and other variables to my app to identify user. I guess some sites also send {!Api.SessionId} but I can not find any information about how to authorize using Api.SessionId or any other variables that can be passed.
Update
I found https://developer.salesforce.com/page/Single_Sign_On_for_Composite_Apps which is guide to the question I asked. But not able to find jar for given java classes.
You can use the API SessionID and ServerURL to make a request back to Salesforce via the API. Say with the PartnerAPI. This will confirm that the user did indeed come from a valid Salesforce session. You can confirm other details, such as their email address from the active session as well.
Alternatively, you could create a newer connected app using signed requests. Here the request posted to you app will be signed with using a secret that you can decrypt. This ensures the details haven't been faked or tampered with.
Rather than creating a Composite App you can create a Canvas App. This is a type of Connected App. You can find instructions for setting this up at Creating a Connected App. The Signed Request is POSTed to your web app. See Signed Request Authentication
I'm trying to create a Google custom search engine programatically. Therefore I have to sent the GET request as described in this link.
https://developers.google.com/custom-search/docs/api
GET http://www.google.com/cse/api/<USER_ID>/cse/<CSE_ID>
Authorization: GoogleLogin auth=IM6F7Cx2fo0TAiwlhNVdSE8Ov8hw6aHV
Here they mentioned auth token. How can I get this?
From the page you linked Custom Search - autentication
Although the Accounts Authentication API supports multiple authentication methods, Custom Search only supports ClientLogin
Answer: You get the access token back from client login.
What I would like to know is what will happen when client login stops working and if this will work with OAuth2. If it does work with OAuth2 why haven't they added documentation for it. I am sending some feed back on that page, its really outdated.
I had this same question, especially since ClientLogin is now deprecated, so I asked Google support and this was the response:
"Hi,
Greetings from Google for Work Support Team!
As i understand from your message, you are trying to use GSS features programmatically, i would like to update you that GSS supported only client login authentication to access search engine and its features programmatically, but client login is deprecated and it no longer works with GSS.
Oauth 2.0 is also currently not supported with GSS.
We already have a feature request #6043481 to provide support for Oauth 2.0 with GSS. However i don't have an ETA when it will be implemented.
Due to this reason, currently adding promotion programmatically is not possible. I would recommend you to use search engine control panel and respective features manually by opening GSS control panel in browser and update promotion from GSS control panel->Search Feature-> Promotions-> Add as per your requirement.
Please check the same from your end and let me know if you need any further assistance with this."
tl;dr: This is currently not possible.
It looks like they've removed this functionality altogether instead of fixing it so auth is possible. There are no longer docs at https://developers.google.com/custom-search/docs/api , it 404s.
I have two applications in my workspace, APP 1 and APP 2.
In my case, user will log in to APP 1. from there, i put a menu(or a link) to APP 2. however APP 2 requires authentication. So it will take me to a login page. i would like to eliminate that and get the current user's credentials on APP 1 and login to APP 2.
i'm looking for a simple straightforward method (but need to consider security) to login to APP 2.
what i could think of is apex_collection..i could store credentials n use it to create a login process for APP 2. however apex_collection is session based. eventhough i've set session for APP 2, it still wont read values from my apex_collection.
Does anyone have a suggestion or a solution?
All you need to do is use the same authentication scheme in both applications and set the cookie name attribute to the same value in both authentication schemes like this:
APEX will then use the same session across the two applications and the user will not have to log in again when they navigate from one to the other, provided of course that you pass the SESSION_ID in the URL.
A Few Comments on Default APEX Workspace Authentication Security
It may also be helpful to expand on an explanation of why the solution posted by #TonyAndrews works.
For any Apex Apps within the same workspace, if they use the default "APEX Application Authentication" method, they will consult the same authentication user list... so USER1 and its password is a valid login for any of the "neighboring" applications...
This may be a concern if you are hosting different clients or users that should not be intermingling with the other applications. You can also define user GROUPS in the same place as you set up each workspace user. Each application can have its own security filter that permits access by membership of BOTH user/password authentication AND membership in the appropriate access group.
Sharing workspaces may also be a problem because of the unique user name restriction of a single workspace. You can get around that by:
Defining different name-spaces for each application:
Email addresses are good: "someuser#sampledomain.com"
An app id prefix such as: SHOP_EDNA, SHOP_GARRETT, TC_KAREN, TC_MARLOWE, MY_BORIS etc.
Different name styles: first name only, first name + last initial, etc.
To keep things simple, you can always just spin up a brand new workspace: a warning however is that common user names like `ADMIN` are NOT the same between separate workspaces. There shouldn't be much concern however because apps or workspace users may have the same or different schema access privileges to the database back end.
A Word of Caution to Administrators and Developers:
When you go live with an application or multiple applications on a user-facing system, keep in mind the deployment destination (i.e., the workspace) and what else is sharing that workspace. There are some real situations where apps are not intended to be shared or accessed by other "inside" users. Be sure to read up and understand the security constraints and methods of using Default Apex Authentication security so that it's more than luck that protects your own production/live deployed applications.
I do have the similar requirement, linking from one application page to another.
Tried the above mentioned solution, but still asking to login to second application. My Apex ver is 5.0.3 and trying in same workspace.
Created new authentication schemes for each app with same cookie name and set them as current authentication. Scheme type are Application express accounts.
Setting the link as below from first app page to second.
href="http://servername:port/apex/f?p=224:2:&APP_SESSION"
Could anyone provide a solution, please?
Just an update on this.
I am currently using v21.2 and this is how I do it:
In both applications, go to Shared Components > Authentication Schemes > (Select your Auth Scheme);
Scroll down to Session Sharing and select 'Workspace Sharing';
In one of the applications (source), create a link (as a Navigation Bar List entry, for example) like f?p=173:1:&SESSION., where 173 is the target application ID and 1 is the target page.
After some research, I've found out that this feature (Session Sharing Type) is available since v18 of APEX.