I have an Azure app service X(which has an ASP.NET web api project published to it) that I have configured with Y AAD app thru Advanced Authentication(using Y's client id in it). Now I also have another Z AAD app, which I want to use in OAuth 2.0 flow of POSTMAN.
The problem is when I'm providing Y's client id and resource id as Y's application id URI, I'm getting "Client is requesting token for itself." To avoid this I am replacing resource id with Application(client) id(the GUID) and it works find. Why?
Also, if I use Z's client id and Y's resource id URI, it doesnt work but it works when I use the GUI. So why is the application id URI required, what is the point of it if I can't use it?
I think you may be misunderstanding something. lets be a little more concrete.
lets simplify a bit, you have WebAPI A with App Registration A. and you have a Client App Registration B.
First you set up WebAPI A to do whatever it needs, if it needs access to graph for example, then in API Permissions, you give it that access. then you either set up WebAPI A with an app secret or user flow
Finally you go to expose an API which is where the Application ID URI comes in, this is ONLY to allow Client B to access webAPI A. You only set this in App Reg A, you do not enter anything regarding this into WebAPI App Service. You do not need resource IDs in your web api, unless you are trying to access other apis, like graph for example.
then say you are trying to get Client B to use the webAPI, so in your App Registration B, you add an API Permission -> My APIs -> Select the scope you created just before.
then in Client B, that is where you set resource IDs, because you need to get a token that has access to web API.
I hope that clarifies a bit for you.
also here's a sample of a simple client to webapi flow, it's not 100% identical to yours since you're on an app service, but its essentially the same.
https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-aspnetcore-webapi
Related
I have a REST API which uses Azure ADD App registration to allow other apps to call it.
In the Azure Portal, I have registered it as an Enterprise Application and also registered the consumer applications and assigned them Roles appropriately.
The authentication and RBAC works fine.
But the use case that I am working on requires me to identify and log the incoming request calling application's name (The one seen in the portal as 'Display Name', when we view the list of users and groups for an enterprise Application).
As advised in the internet, I am using some Identity related API to read the claims from the request header.
var provider = claimsUser.FindFirst("http://schemas.microsoft.com/identity/claims/identityprovider").Value;
var sid = claimsUser.FindFirst(ClaimTypes.NameIdentifier).Value;
OR
var sid = claimsUser.FindFirst("stable_sid").Value;
But this gives me a GUID value which I couldn't map to any of the consumers of the Enterprise Application.
The clients are all registered in the Azure portal.
In the Portal, I can see the apps in the "Users and Groups" section for the Enterprise application, with their appropriate roles.
In terms of usage, before making the call, the clients generate a bearer token based on the certificate that they get from Azure. The make the call with the bearer token attached to the request header. This bearer token is validated against the Azure AD, in the filters set before every controller..
What I want is to get are the details about this client who has made the call.. As per some repliers, and, to which I agree, the Guid that I get as part of the previous call mentioned above is for the actual user and not the app itself which is making the call.
Can anyone throw some light into it.. some code snippet will be of real help..
I'm not sure what authentication flow you are using, but SID is generally for a user that's logged in, not an application. if your client applications are using client id and secret, the token it returns that you send to the api should include the app registration guid. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#access-control-lists . So the appid and iss should give you the guid of the app registration. using this, you can make a call to graph api, to identify the display name of the app registration. https://learn.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http
If your app is a user login app, and you don't want to make a call to graph, the other option you could do as a workaround would be to create app roles and assign users to them but name the app roles with some convention that includes the app's display name. then the name could come through under roles claim.. https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
those are some options.. but other than calling graph or kinda working around to inject the name into a different claim of the token I'm not sure of any other method to get the "app registration's display name"
Had a webapi running on v2 endpoint, the intent was to get access through a single call to both graph and the custom webapi, was using the v2 auth code grant flow, the url using as below,
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=14e9111f3e1-d220-415d-9bf4-d089f0b5feff&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A8081%2Fartifactory%2Fwebapp%2Fsaml%2FloginResponse&response_mode=query&scope=api%3A%2F%2F14e9f3e1-d220-415d-9bf4-d089f0b5feff%2Faccess_as_user%20https%3A%2F%2Fgraph.windows.net%2Fuser.read%20openid%20offline_access&state=12345
with the scope as
api://14e9f3e1-d220-415d-9bf4-d089f0b5feff/access_as_user https://graph.windows.net/user.read openid offline_access
However, keep failing with a invalid scope error. If I take out the custom webapi from the resource, everything went through wonderfully.
Reading further, there is a limitation for webpi that
Web API can receive tokens only from an application that has the same Application ID. You cannot access a Web API from a client that has a different Application ID.
So I am confused, how to archieve the goal to use v2 endpoint to authenticate and get access to both graph and webapi????
--edit
the error message is 'AADSTS65005: The application 'blah' asked for scope 'user.read' that doesn't exist on the resource. Contact the app vendor.'
Today the v2 endpoint cannot issue an access token for a custom API. The feature is in active development, but there's no ETA to share.
Also note: even when the feature will be available, you will not be able to reuse the same access token across multiple resources; you'll be able to consent for multiple resources at once, so that your user is only promoted once, but you will need to request access tokens for each resources separately.
An app registered in the v2 app registration portal, with a webapi platform added, however when requesting the authorisation with api scope using https://login.microsoftonline.com/common/oauth2/v2.0/authorize endpoint, it directly go to the redirect url with error code AADSTS70002%3a+Error+validating+credentials. Instead if I use the graph api, everything works, not sure what did I did wrong!
The one for the webapi scope:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=222db0-0305-4f86-96cc-d283da2f5020&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2Ftest&response_mode=query&scope=openid%20offline_access%20api%3A%2F%2Fc6599db0-0305-4f86-96cc-d283da2f5020%2Faccess_as_user
The one for the graph api:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=222db0b0-0305-4f86-96cc-d283da2f5020&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2Ftest&response_mode=query&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
EDIT
This is confusing, now I put the offline and open id to the end but get another error:
AADSTS65005%3a+The+application+'v2app'+asked+for+scope+'openid'+that+doesn't+exist+on+the+resource.+Contact+the+app+vendor.
The URL I requested is:
https://login.microsoftonline.com/e0582222da8-ec2b-4c7a-b98e-2c417627657c/oauth2/v2.0/authorize?client_id=c6599db0-0305-4f86-96cc-d283da2f5020&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2Ftest&response_mode=query&scope=api%3A%2F%2Fc6599db0-0305-4f86-96cc-d283da2f5020%2Faccess_as_user%20openid%20offline_access
And if I google this error, there is one saying:
As of today, the V2 Endpoint does not support API access other than the Microsoft Graph.
So this is not achievable? Then how come the sample works?
EDIT 2
So if I make the requested scope the client ID, it works..
I reproduced your error . but if putting the openid%20offline_access scopes after api%3A%2F%2Fc6599db0-0305-4f86-96cc-d283da2f5020%2Faccess_as_user(api scope) , it works on my side , please try :
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=222db0-0305-4f86-96cc-d283da2f5020&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2Ftest&response_mode=query&scope=api%3A%2F%2Fc6599db0-0305-4f86-96cc-d283da2f5020%2Faccess_as_user%20openid%20offline_access
Update
The MSAL error you linked is accessing a Web API from a client that has a different Application ID , that is not supported in v2.0 endpoint . In azure ad v2.0, Web API can receive tokens only from an application that has the same Application ID. That means api://xxxx-xxxx-xxx-xxx (web api url) , the xxxx-xxxx-xxx-xxx part has the same value with your client id of client application . To achive that , you could add two platforms : one web app ,one web api .
I have 2 web apis (A and B) on my b2c. Each one of them publishes their own permissions respectively (scopeA1, scopeA2) and (scopeB1, scopeB2).
On my web application (which already configured and have granted access permission on both apis and the 4 scopes), in order to get authorization code for both apis during authentication, I tried to set my OpenIdConnectAuthenticationOptionsin scope property to include the 4 scopes.
I got an error AADB2C90146: The scope 'scopeA1 scopeA2 scopeB1 scopeB2 openid offline_access' provided in request specifies more than one resource for an access token, which is not supported.
While if I specify only scopes for web api A or B, then it works as per this link
How can I get my web app to use both web apis even with granted permissions for both
Thanks for help
If the two web APIs are separate applications in Azure AD, then you need to request access tokens separately for them.
I'm not familiar with the sample you used as a starting point, but it looks like these lines are where you need to make your change:
// Retrieve the token using the provided scopes
ConfidentialClientApplication app = new ConfidentialClientApplication(authority, Startup.ClientId,
Startup.RedirectUri, credential,
new NaiveSessionCache(userObjectID, this.HttpContext));
AuthenticationResult result = await app.AcquireTokenSilentAsync(scope);
accessToken = result.Token;
You should create an app instance for each of your APIs, and acquire a token for each of them. Then, when you call the APIs somewhere else, use the correct access token in the Bearer authentication header.
I had the same issue and asked a similar question Extend MSAL to support multiple Web APIs
but i have not had an answer, basically to get around it in the short term i have made both my API's use the same authorization client ID + secret and therefore I can reuse the same scopes accross my APIS
its not what i want but if you want to use Azure AD B2C you need to get used to compromising for a while until the support is there
-- I would also say you are using an older version of MSAL which i am also using, im waiting until the version 1 release before upgrading again.
The github talks about using this format
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
Step 1: Add MSAL to your Solution/Project
Right click on your project > Manage packages.
Select include prerelease > search msal.
Select the Microsoft.Identity.Client package > install.
Step 2: Instantiate MSAL and Acquire a Token
Create a new PublicClientApplication instance. Make sure to fill in your
app/client id
PublicClientApplication myApp = new PublicClientApplication(CLIENT_ID);
Acquire a token
AuthenticationResult authenticationResult = await
myApp.AcquireTokenAsync(SCOPES).ConfigureAwait(false);
Step 3: Use the token!
The access token can now be used in an HTTP Bearer request.
I have a native client that calls a service I wrote-- that in turn calls the Graph API (using the original caller's credentials).
This is exactly like the 'onbehalfof' sample found here (my code fails the same way as the sample):
https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof
When logging in as a user from the same tenant as the service (tenant A), everything works fine (just like the onbehalf of sample). When logging in as a user from a different tenant (tenant B), I get an exception on this line in the service:
result = await authContext.AcquireTokenAsync(GraphResourceId, clientCred, userAssertion);
(this is line 153 from TodoListController.cs in the onbehalfof sample).
The exception is this:
AADSTS65001: The user or administrator has not consented to use the
application with ID 'de2fb28b-83f8-419d-9b00-3fbce0a60bf4'. Send an
interactive authorization request for this user and resource.\r\nTrace
ID: 6865c420-674a-4adf-a070-3d9b9c500200\r\nCorrelation ID:
7e088563-d7fe-4131-a05c-cbe04dbb2bbd\r\nTimestamp: 2017-03-29
22:56:58Z
The application id above refers to the service I wrote (which is the same line in the TodoListService in the onbehalfofsample).
I configured everything for multi-tenant authentication. But it's the additional call that my service is making to another service (Graph API) that's causing the problem. What additional configuration do I need to do in the Azure portal to make this work?
In the instructions written for the sample you linked above, they address this issue with the following section:
Configure known client applications
For the middle tier web API to be able to call the downstream web API,
the user must grant the middle tier permission to do so in the form of
consent. Because the middle tier has no interactive UI of its own, you
need to explicitly bind the client app registration in Azure AD with
the registration for the web API, which merges the consent required by
both the client & middle tier into a single dialog. You can do so by
adding the "Client ID" of the client app, to the manifest of the web
API in the knownClientApplications property. Here's how:
Navigate to your 'TodoListService' app registration, and open the manifest editor.
In the manifest, locate the knownClientApplications array property, and add the Client ID of your client application as an element.
Your code should look like the following after you're done:
"knownClientApplications": ["94da0930-763f-45c7-8d26-04d5938baab2"]
Save the TodoListService manifest by clicking the "Save" button.
My assumption is that because you are running into this problem, that you have not done this special configuration.
The other option you have is to explicitly request consent between the middle tier and the AAD Graph API. You can do this by having a tenant administrator 'login' and consent to your middle tier service. All you need to do is generate a login url with the middle tier App ID.
However, I strongly recommend you do it the documented way, since this will provide a better experience for your users.
It's working now. I had to make two changes to get it working.
First, on the service side switch to using "common" as the tenant. I had switched to common on the client but didn't realize you had to do this on the service side as well:
<add key="ida:Tenant" value="common" />
Second, change the GraphUserUrl on the service to the following URL:
<add key="ida:GraphUserUrl" value="https://graph.windows.net/me?api-version=1.6" />
The original URL in the sample didn't work (at least for users in another tenant).
Here's the consent dialog that appears when a user from another tenant logs in:
Consent Dialog
Here's my client manifest...
Client Manifest
...and my service manifest...
Service Manifest