how to setup Azure AD Client Credentials Flow with Mediawiki - azure-active-directory

I am trying to set up MediaWiki on Azure, and I need OAuth support with the Client Credentials Flow so that a client application can request an access token from Azure AD and then use that access token to call the MediaWiki API to access wiki resources.
I am wondering what steps I can follow in order to have such a setup.
Currently I am thinking of using an Azure Web App to create MediaWiki and turning on Express Auth mode in AAD for this app. I am not sure if I still need to configure anything in MediaWiki for validating the access token, or whether any extension is needed.
I also saw some tutorials that create a VM instead of an Azure Web App. But I cannot find any Client Credentials tutorials for MediaWiki.
[Update section below]
I would like to clarify my question a bit more in case I didn't.
I would like to configure Azure AD (which is an identity platform) to enable client credentials, so my client app can get an access token from Azure AD and then use this token to query data directly from the MediaWiki API.
Example:
Step 1:
Client sends a POST request to the Azure AD token endpoint using client credentials
POST:
https://login.microsoftonline.com/xxxxxx_an_AAD_tenantID_xxxxxxxxxxxx/oauth2/token

Headers:
Content-Type: application/x-www-form-urlencoded

Body:
client_id=<New App Registration Client ID>
&client_secret=<New App Registration Client Secret>
&grant_type=client_credentials
&resource=<App ID URI of the MediaWiki API app registration>

Response:
{
"token_type": "Bearer",
"expires_in": "xxx",
"ext_expires_in": "xxx",
"expires_on": "xxx",
"not_before": "xxx",
"resource": "xxx",
"access_token": "<Access_Token>"
}
Step 2: Use the access token from step 1 to query MediaWiki API data
GET:
https://myMediawiki.com/api.php?action=query&meta=siteinfo&siprop=namespaces&format=json
 
Headers:
Authorization: Bearer <Access_Token>
I am wondering how to configure such a MediaWiki, in order to accept the access token at MediaWiki.
I understand there are some OAuth extensions, but those extensions seem to act as a whole authorization server. In my case, I would like AAD to act as the authorization server, and AAD will create the authorized client app with the client_id and client_secret used in step 1.
Some references:
https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow
https://dasith.me/2018/12/31/client-credentials-flow-with-azuread/
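The part the question leaves open is the resource side: MediaWiki (or a thin layer in front of api.php) has to treat the bearer token as a JWT issued by the tenant and validate it before mapping it to a wiki user or API right. The following is an added example and is not code from the question or from MediaWiki; it is written in Python rather than PHP so it can be run here, and it generates its own RSA key pair and mints a token in place of Azure AD so that it runs offline. The checks it performs are the ones a real resource must do: pick the key by `kid` from the tenant's published JWKS, verify the RS256 signature, then check `iss`, `aud`, `exp`/`nbf` with a small clock skew, and finally the `appid` and `roles` claims, which are what identify a client-credentials caller (a v1-endpoint token carries `appid`; a v2 token carries `azp` instead, and its issuer is `https://login.microsoftonline.com/<tenant>/v2.0`). The tenant id, App ID URI, client app id, role name and `kid` values are placeholders. In production use a maintained JWT library against `https://login.microsoftonline.com/<tenant>/discovery/keys` instead of the hand-written RSA below, which exists only to keep the example self-contained.

```python
import base64, hashlib, json, random, time

def b64u(data: bytes) -> str:                   # unpadded base64url, as JWT uses
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# ---- stand-in for Azure AD's RS256 signing key: demo only, use a vetted JWT library in production ----
def _probable_prime(n: int, rounds: int = 16) -> bool:   # Miller-Rabin; callers only pass odd n
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits: int = 1024) -> dict:
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _emsa(msg: bytes, k: int) -> int:   # EMSA-PKCS1-v1_5 with the SHA-256 DigestInfo prefix (RFC 8017)
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(key: dict, msg: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(_emsa(msg, k), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(jwk: dict, msg: bytes, sig: bytes) -> bool:
    n, e = (int.from_bytes(unb64u(jwk[x]), "big") for x in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa(msg, k)

TENANT = "11111111-2222-3333-4444-555555555555"           # placeholder tenant id
ISSUER = f"https://sts.windows.net/{TENANT}/"             # issuer format of v1-endpoint tokens
WIKI_AUDIENCE = "api://mediawiki-example"                 # placeholder App ID URI of the MediaWiki API registration
CLIENT_APPID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"      # placeholder calling app; appears as the 'appid' claim

def make_jwks(key: dict, kid: str) -> dict:   # what the tenant's discovery keys endpoint would publish
    n_bytes = key["n"].to_bytes((key["n"].bit_length() + 7) // 8, "big")
    return {"keys": [{"kty": "RSA", "use": "sig", "kid": kid, "n": b64u(n_bytes), "e": b64u(b"\x01\x00\x01")}]}

def mint_token(key: dict, kid: str, claims: dict) -> str:   # stand-in for Azure AD issuing the token
    signing_input = b64u(json.dumps({"typ": "JWT", "alg": "RS256", "kid": kid}).encode()) + "." + b64u(json.dumps(claims).encode())
    return signing_input + "." + b64u(rs256_sign(key, signing_input.encode()))

def validate_token(token: str, jwks: dict, now: float, skew: int = 60) -> dict:
    """Validate a v1 Azure AD access token as the MediaWiki resource must; returns claims or raises ValueError."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(unb64u(h64)), json.loads(unb64u(p64))
    except ValueError:                                   # bad base64, bad JSON, wrong number of parts
        raise ValueError("malformed token")
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")               # never let the token choose the algorithm
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None or not rs256_verify(jwk, f"{h64}.{p64}".encode(), unb64u(s64)):
        raise ValueError("unknown kid or bad signature")  # on unknown kid, production code re-fetches JWKS once
    checks = [(claims.get("iss") == ISSUER, "wrong issuer"),
              (claims.get("aud") == WIKI_AUDIENCE, "token not issued for this API"),
              (claims.get("exp", 0) + skew >= now, "expired"),
              (claims.get("nbf", 0) - skew <= now, "not yet valid"),
              (claims.get("appid") == CLIENT_APPID, "unknown client application"),
              ("Wiki.Read" in claims.get("roles", []), "missing Wiki.Read app role")]
    for ok, msg in checks:
        if not ok:
            raise ValueError(msg)
    return claims

def demo(now: float = 1_700_000_000.0) -> dict:
    """Mint one valid token and four bad ones with a fresh key; returns which ones validate."""
    key = generate_rsa_key()
    jwks = make_jwks(key, "demo-kid-1")
    good = {"iss": ISSUER, "aud": WIKI_AUDIENCE, "appid": CLIENT_APPID, "roles": ["Wiki.Read"], "nbf": now - 10, "exp": now + 3600}
    def accepted(claims, kid="demo-kid-1"):
        try:
            return bool(validate_token(mint_token(key, kid, claims), jwks, now))
        except ValueError:
            return False
    return {"valid": accepted(good),
            "wrong_audience": accepted({**good, "aud": "https://graph.microsoft.com"}),
            "expired": accepted({**good, "exp": now - 3600}),
            "other_client": accepted({**good, "appid": "ffffffff-0000-0000-0000-000000000000"}),
            "unknown_kid": accepted(good, kid="rotated-kid")}
```

`demo()` returns `{"valid": True, ...}` with every other case `False`. The `aud` check is the one most often skipped in home-grown validators: a token the same client obtained for Graph or for Cosmos DB is still a validly signed tenant token, and only the audience check stops it from being replayed against the wiki. The role check is how you restrict which registered applications may call the API at all; a client-credentials token has no user, so MediaWiki has to map `appid` (or a role) to a bot/service account itself.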

Related

Delete document from CosmosDB using Azure Data Factory

My Azure Data Factory has a private endpoint connection to CosmosDB and authenticates using a System Assigned Managed Identity. The goal is to delete a document from CosmosDB using https://learn.microsoft.com/en-us/rest/api/cosmos-db/delete-a-document called from a web activity.
I created a web activity in Data Factory and put in the required headers following these documents:
https://learn.microsoft.com/en-us/rest/api/cosmos-db/common-cosmosdb-rest-request-headers
https://learn.microsoft.com/en-us/rest/api/cosmos-db/access-control-on-cosmosdb-resources?redirectedfrom=MSDN
DELETE web activity:
I am using Azure Cosmos DB RBAC so my authorization header looks like this:
type=aad&ver=1.0&sig=token-from-oauth
To get a token I was following this post
https://medium.com/analytics-vidhya/azure-data-factory-retrieve-token-from-azure-ad-using-oauth-2-0-9a3ed3f55013
but I don't know where I can get the client_secret. I found my ADF in AAD under Enterprise applications, so I guess client_id is the Application ID, but there is no client secret to be found there.
get token web activity:
The first obvious question is: where can I find this client_secret?
The second one is: why is this token needed at all? Why can't it just use the managed identity for authenticating the request?
Where can I find this client_secret?
Go to Azure Active Directory -> under Manage go to App registrations (if you have not created an app registration, create one) -> go to the registered app -> Certificates & secrets.
Why is this token needed at all? why can't it just use managed identity for authenticating the request?
Managed identities are a way to simplify the authentication process for applications running in Azure, but they do not apply to all scenarios when calling external APIs that require authentication. In these cases, you need to obtain an access token from Azure AD using a client secret.
I reproduced the same thing in my environment. Follow the approach below.
URL: https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
Scope: https://cosmos.azure.com/.default
Body: grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>&scope=https://cosmos.azure.com/.default
After execution of the Web1 activity you will get a bearer token like this:
Inside Web2 activity provide valid URL as per below syntax:
https://{databaseaccount}.documents.azure.com/dbs/{db-id}/colls/{coll-id}/docs/{doc-id}
Add dynamic content in the header part as shown in the image:
Authorization: Bearer @{activity('Web1').output.access_token}
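Step 1 of the MediaWiki question and the Web1 activity in the answer above are the same client-credentials exchange; the only difference is whether the v1 endpoint (which names the API with `resource=`) or the v2 endpoint (which uses `scope=<resource>/.default`) is called. The following is an added example, not code from either post, of a small Python token client that encodes the request correctly (form-encoded body, not multipart or JSON), keeps the secret in the body rather than the URL, caches the token until shortly before `expires_in` runs out, and surfaces AAD's `error`/`error_description` instead of a bare HTTP status. The HTTP transport is injectable, and the example drives it with a constructed fake that answers with a made-up token response so it runs offline; tenant, client id, secret and the token strings are placeholders, and the `AADSTS7000215` text in the fake is just the kind of message AAD returns for a wrong secret.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"

class TokenError(Exception):
    pass

class ClientCredentialsClient:
    """Acquire and cache an Azure AD app-only token for one resource (v1 'resource' or v2 'scope' style)."""

    def __init__(self, tenant_id, client_id, client_secret, *, v2=True, transport=None, clock=time.time):
        self.tenant_id, self.client_id, self._secret = tenant_id, client_id, client_secret
        self.v2 = v2
        self._transport = transport or self._urllib_post   # injectable so the example can run offline
        self._clock = clock
        self._cache = {}                                  # resource -> (access_token, expires_at)

    @property
    def token_url(self):
        return f"{AUTHORITY}/{self.tenant_id}/" + ("oauth2/v2.0/token" if self.v2 else "oauth2/token")

    def build_form(self, resource):
        """Form fields for the token request: v1 names the API via 'resource', v2 via '<resource>/.default'."""
        form = {"grant_type": "client_credentials", "client_id": self.client_id, "client_secret": self._secret}
        if self.v2:
            form["scope"] = resource.rstrip("/") + "/.default"
        else:
            form["resource"] = resource
        return form

    def get_token(self, resource, skew=300):
        """Return a cached token if it is still good for at least `skew` seconds, otherwise fetch a new one."""
        cached = self._cache.get(resource)
        if cached and cached[1] - skew > self._clock():
            return cached[0]
        status, body = self._transport(self.token_url, self.build_form(resource))
        try:
            payload = json.loads(body)
        except json.JSONDecodeError:
            raise TokenError(f"non-JSON response from token endpoint (HTTP {status})")
        if status != 200 or "access_token" not in payload:
            raise TokenError(f"{payload.get('error', 'http_' + str(status))}: {payload.get('error_description', '')}".strip())
        token = payload["access_token"]
        self._cache[resource] = (token, self._clock() + int(payload.get("expires_in", 0)))
        return token

    @staticmethod
    def _urllib_post(url, form):
        data = urllib.parse.urlencode(form).encode()      # application/x-www-form-urlencoded; secret stays in the body
        req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/x-www-form-urlencoded"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:             # AAD answers 400/401 with a JSON error body
            return err.code, err.read().decode()

def bearer_header(token):
    """Header to send on the MediaWiki / Cosmos DB / Power BI request; never put the token in the query string."""
    return {"Authorization": f"Bearer {token}"}

# ---- constructed fake transport so the example runs offline (no tenant is contacted) ----
def fake_aad_transport(calls):
    """Records each request and answers like AAD: 200 with a token, or 401 invalid_client for a wrong secret."""
    def transport(url, form):
        calls.append((url, dict(form)))
        if form.get("client_secret") != "s3cr3t-placeholder":
            return 401, json.dumps({"error": "invalid_client",
                                    "error_description": "AADSTS7000215: Invalid client secret provided."})
        return 200, json.dumps({"token_type": "Bearer", "expires_in": 3599, "access_token": f"eyJ.fake.{len(calls)}"})
    return transport

def demo():
    calls, clock = [], [1_700_000_000]
    client = ClientCredentialsClient("11111111-2222-3333-4444-555555555555", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
                                     "s3cr3t-placeholder", transport=fake_aad_transport(calls), clock=lambda: clock[0])
    t1 = client.get_token("https://cosmos.azure.com")    # first call hits the token endpoint
    t2 = client.get_token("https://cosmos.azure.com")    # second call is served from the cache
    clock[0] += 3599 - 100                                 # now inside the 300 s skew window: refresh
    t3 = client.get_token("https://cosmos.azure.com")
    return {"calls": len(calls), "same_token_from_cache": t1 == t2, "refreshed": t3 != t1,
            "scope_sent": calls[0][1]["scope"], "url": calls[0][0]}
```

With `v2=False` the same client produces the v1 request body the MediaWiki question and the Power BI answer below use (`resource=https://analysis.windows.net/powerbi/api`). Caching matters for a scheduled pipeline: every token request is an authentication event in the tenant's sign-in logs, and a client that re-authenticates per call both floods those logs and is the first thing throttled.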

Generate Access Token for SPFX SSO Azure AD using C# without prompting user(Automate)

I have developed an SPFx application with Azure AD SSO enabled. It also connects to a web API using a bearer token generated using the ADAL OAuth2 implicit flow along with the SPFx SSO access token. This is working fine.
I want to test the web API using Postman. Currently I am copying the bearer token from the browser developer tools and sending it in the header to connect to the web API.
I want to automate the above 2 steps, so that I can automate the user testing scenario.
1. Generate the Azure AD SSO access token from C#/Postman by passing user credentials. (Postman/React/C#)
2. Generate the bearer token using the access token generated in step 1. (Postman/React/C#)
I want to automate the above steps using Postman/C#/Angular/React.
Kindly provide me the detailed steps to achieve the above scenario for testing.
Suresh Rajamani
I have tested in my environment.
Open Postman --> Create a new request --> Go to Authorization --> Select Type as OAuth 2.0 --> Under Configure New Token, fill the details :
Token Name : give the token name
Grant Type : Implicit
Callback URL : redirect uri of your app registration
Auth URL : https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Client ID : Client ID of your app registration
Scope : add scope as per the permissions required. For ex: https://graph.microsoft.com/mail.read, for reading mails
Client Authentication : send as Basic Auth Header
Click on Get New Access Token and login with user credentials and give consent. A new Bearer Token will be generated
Click on Use Token. Now we can make any requests using that token.

Graph API Not able to access "https://graph.microsoft.com/v1.0/me/messages" endpoint

I am trying to access the "https://graph.microsoft.com/v1.0/me/messages" API with the Java SDK provided by Microsoft.
I am using the below code.
import com.azure.identity.AuthorizationCodeCredential;
import com.azure.identity.AuthorizationCodeCredentialBuilder;

final AuthorizationCodeCredential authCodeCredential = new AuthorizationCodeCredentialBuilder()
    .clientId("b****08f-*****-4d49-****-cba7d9a****c")
    .clientSecret("8***7Q~GW0N******Y_N*****Zi******")
    .authorizationCode("0.AVUAoIQSV...")
    .redirectUrl("http://localhost/auth-responses")
    .build();
Now it is giving me error like "The tenant for tenant guid '571284a0---****-a94eea6c6b3f' does not exist."
I tried the same thing in Postman, where I tried to get a token from the endpoint below.
"https://login.microsoftonline.com/common/oauth2/token"
After getting the token I am using it for "https://graph.microsoft.com/v1.0/me/messages" as a Bearer token. Still, I am getting the same issue.
But the token I receive in every case is not the same as the Graph Explorer access token.
If I copy the Graph Explorer access token and use it in Postman then it gives me the desired result.
I am using a personal account for all of this process, which ends with "@outlook.com".
I want to know why I am getting different access tokens than the Graph Explorer access token, and why that access token is not able to access the endpoints.
I have tested in my environment.
The access token generated from Graph Explorer will be different from the access token generated from Postman. This is because the access token generated from Graph Explorer uses only the user credentials, while the access token generated from Postman uses the client id and the client secret along with the user credentials.
Only if the app registration supports "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)" can you use a personal account to generate the access token, and you can use it to call https://graph.microsoft.com/v1.0/me/messages only if the app registration has the Microsoft Graph Mail.Read delegated permission.
Paste the URL below in the browser. The code will be generated. Copy the code.
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize?
client_id=app-client-id
&response_type=code
&response_mode=query
&redirect_uri=<redirect URI of your app registration>
&scope=mail.read
Make the below POST request in the postman to generate the access token :
POST https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
Headers:
Content-Type: application/x-www-form-urlencoded
Body:
client_id: App Client ID
grant_type: authorization_code
scope: user.read mail.read
code: Code received in the first step
redirect_uri: The same redirect URI used in the first step
client_secret: Client Secret generated in the app
Copy the Access token and make the below get request in the postman to read the messages :
GET https://graph.microsoft.com/v1.0/me/messages
Headers:
Authorization : Bearer access-token

Getting powerbi embed token 403 Forbidden

I'm trying to get an embed token for power bi embedded.
I'm using 'App owns data' embed scenario.
I first get the access token of Azure AD and use it as Bearer token when calling embed token
Here is my Postman request details:
https://api.powerbi.com/v1.0/myorg/groups/{groupid}/dashboards/{dashboardid}/GenerateToken
Request body
{"accessLevel": "View"}
In authorization section I added the access token.
I received a 403 Forbidden response.
Here is how I get the access token
I noticed that there is also another URL to get a token: https://login.microsoftonline.com/common/oauth2/token
What is the difference from the one with the tenant id in the URL?
Then permissions for the AAD PowerBI application
Update
Thanks for the help. Now I get another error, 404 not found:
{
"error": {
"code": "PowerBIEntityNotFound",
"pbi.error": {
"code": "PowerBIEntityNotFound",
"parameters": {},
"details": [],
"exceptionCulprit": 1
}
}
}
For information, I have added permission in the PBI admin portal to pbireportingGroup, an Azure security group that I created (as mentioned in the docs).
Then I added the AAD app to this group as a member.
Is that what I should do?
403 means that your access token doesn't have the required permissions.
And you need to add the master account and service principal as the owner of the group / workspace (it may take 15 minutes to take effect).
UPDATE:
Now that you are using client credential flow, you should set application permissions:
And the resource in the request body should be https://analysis.windows.net/powerbi/api/.
Besides, you need to add the service principal as the admin of this workspace in Azure AD. (enter the name of your Azure AD app, and it will recognize its client id)

Postman - how to obtain Azure Active Directory token using sign in form?

Is it possible to obtain an AAD token in Postman by letting the user sign in using the standard AAD sign-in form?
I know how to obtain a token using the request to AAD (grant_type = client_credentials), but such a token does not have a UPN (user identity).
I would like to somehow type in my credentials in Postman and get the token. So it is a manual interaction: the user (me) needs to manually sign in, the same way that e.g. Visual Studio verifies your identity.
Postman now offers the ability to "Authorize using browser." You'll need to make changes to your AAD application to support it in addition to configuring Postman.
Configure your AAD application
Add a redirect URI to your AAD application for Postman to receive the authorization code. In the AAD Portal, navigate to your app registration, then to the "Authentication" tab, then add https://oauth.pstmn.io/v1/callback as a new redirect URI. This URI was provided by Postman when you check the ✅ Authorize using browser box (below) and is also documented on their website.
Configure Postman
You can set this up under "Authorization" for a single request, a folder of requests, or a Collection. Open the "Authorization" tab and select OAuth 2.0. Under the "Configure New Token" section, enter the following information:
Token Name: anything you want. I chose the name of the AAD application.
Grant Type: Authorization Code (With PKCE)
Callback URL: check the ✅ Authorize using browser box
Auth URL: copy this from the AAD portal under Overview > Endpoints (on top bar) > OAuth 2.0 authorization endpoint (v2). Mine looks like https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize
Access token URL: copy this from the AAD portal under Overview > Endpoints (on top bar) > OAuth 2.0 token endpoint (v2). Mine looks like https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
Client ID: copy this from the AAD portal under Overview. It's also commonly referred to as an "Application ID" and is a GUID.
Client Secret: leave blank (not used by this grant type)
Code Challenge Method: SHA-256
Code Verifier: leave blank or provide your own
Scope: the scopes you're requesting in your token, separated by spaces
State: leave blank or provide a value such as a random GUID.
Client Authentication: Send as Basic Auth Header (not used by this grant type)
Refer to Postman's documentation on OAuth 2.0 options for more information.
Get a token
Click Get New Access Token to open the auth flow in your machine's default web browser. After authentication, it should redirect back to the Postman application and a new token will be created with the name you provided earlier for "Token Name." Select "Use Token" in the top-right corner of the popup to copy it into your current token. If the token expires and your requests start failing authorization (probably a 401 or 403 error), you can revisit this tab and get a new access token.
Occasionally, you may want to visit Current Token > Access Token > Manage Tokens > Delete > Expired tokens, otherwise you'll be inundated with nearly-identical tokens.
Postman cannot pop up the sign-in page as it only does HTTP requests. As you stated, it can do confidential client flows.
What you could do is hand-construct an auth request, sign in, and grab the auth code. Then take that auth code and drop it into the Postman authorization form, and let it hit the Azure AD token endpoint:
https://login.microsoftonline.com/common/oauth2/v2.0/token
The Azure AD protocol reference will be super helpful for you.
I think if you're wanting to quickly generate Access Tokens your best bet is to pick a framework/language and build a lightweight app that gets and logs tokens. Azure AD has a Python Flask sample for the v2 endpoint that takes 5 minutes to setup and could be converted to printing out access tokens. If you want to use v1, you can checkout the list of samples at the Azure AD developer guide.
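The "Authorization Code (With PKCE)" setup in the answer above and the plain authorization-code exchange in the Graph API answer earlier on this page are the same flow. PKCE adds a code_verifier/code_challenge pair so that an authorization code intercepted on the way back to the redirect URI cannot be redeemed without the verifier, and the `state` value lets the redirect handler reject callbacks it never started. The following is an added example, not Postman's or Microsoft's code, that builds that client side in Python: verifier and S256 challenge per RFC 7636, the authorize URL with the same parameters the Postman form collects, a one-shot `state` check on the callback, and the form body for the token request (no client_secret: the verifier is what proves possession). It runs offline; the tenant, client id, scope and the authorization code in the constructed callback are placeholders, and the challenge derivation is checked against the test vector in RFC 7636 appendix B.

```python
import base64
import hashlib
import secrets
import urllib.parse

AUTHORITY = "https://login.microsoftonline.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 section 4.1: 43..128 chars from the unreserved set; 32 random bytes give 43 chars."""
    return b64url(secrets.token_bytes(nbytes))

def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class PkceAuthCodeFlow:
    """Client side of authorization code + PKCE against the Microsoft identity platform v2 endpoints."""

    def __init__(self, tenant, client_id, redirect_uri, scopes):
        self.tenant, self.client_id, self.redirect_uri, self.scopes = tenant, client_id, redirect_uri, scopes
        self._pending = {}          # state -> code_verifier for flows we started and have not finished

    @property
    def token_url(self):
        return f"{AUTHORITY}/{self.tenant}/oauth2/v2.0/token"

    def start(self):
        """Create a fresh verifier and state; return the URL to open in the browser."""
        verifier, state = make_code_verifier(), secrets.token_urlsafe(16)
        self._pending[state] = verifier
        params = {"client_id": self.client_id, "response_type": "code", "response_mode": "query",
                  "redirect_uri": self.redirect_uri, "scope": " ".join(self.scopes), "state": state,
                  "code_challenge": code_challenge_s256(verifier), "code_challenge_method": "S256"}
        return f"{AUTHORITY}/{self.tenant}/oauth2/v2.0/authorize?{urllib.parse.urlencode(params)}"

    def handle_callback(self, callback_url):
        """Check the redirect back from AAD and return the form fields for the token request.
        Raises ValueError on unknown or reused state (CSRF / replay) or when AAD returned an error."""
        query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
        state = query.get("state", [None])[0]
        verifier = self._pending.pop(state, None)      # one-shot: a state cannot be redeemed twice
        if verifier is None:
            raise ValueError("callback with unknown or reused state")
        if "error" in query:
            raise ValueError(f"{query['error'][0]}: {query.get('error_description', [''])[0]}")
        if "code" not in query:
            raise ValueError("callback without authorization code")
        return {"grant_type": "authorization_code", "client_id": self.client_id, "code": query["code"][0],
                "redirect_uri": self.redirect_uri, "scope": " ".join(self.scopes),
                "code_verifier": verifier}   # public client: no client_secret, the verifier proves possession

def demo():
    flow = PkceAuthCodeFlow("11111111-2222-3333-4444-555555555555", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
                            "https://oauth.pstmn.io/v1/callback", ["https://graph.microsoft.com/mail.read"])
    sent = urllib.parse.parse_qs(urllib.parse.urlsplit(flow.start()).query)
    # constructed callback, as AAD would redirect after sign-in; the code value is made up
    callback = f"https://oauth.pstmn.io/v1/callback?code=made-up-code&state={sent['state'][0]}"
    form = flow.handle_callback(callback)
    try:
        flow.handle_callback(callback)                  # replaying the same callback must fail
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"challenge_matches_verifier": code_challenge_s256(form["code_verifier"]) == sent["code_challenge"][0],
            "method": sent["code_challenge_method"][0], "replay_rejected": replay_rejected,
            "token_url": flow.token_url}
```

The form returned by `handle_callback` is posted as `application/x-www-form-urlencoded` to `token_url`, which is exactly what Postman does when you press Get New Access Token. The `state` map is the piece most hand-rolled clients skip: without it, anyone who can make your browser hit the redirect URI with a code they obtained for their own account can log you in as them.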
