I have registered an AzureAD application which is a public client / Native Client.
I am using the standard code generated by Azure in the portal.
the important bits being
static App()
{
_clientApp = PublicClientApplicationBuilder.Create(ClientId)
.WithLogging((level, message, containsPii) =>
{
System.Diagnostics.Debug.WriteLine("*************************");
System.Diagnostics.Debug.WriteLine($"{level}: {message}");
}, LogLevel.Verbose, true, true)
.WithAuthority($"{Instance}{Tenant}")
.WithRedirectUri(RedirectURI)
.Build();
TokenCacheHelper.EnableSerialization(_clientApp.UserTokenCache);
}
and
authResult = await app.AcquireTokenInteractive(scopes)
.WithAccount(accounts.FirstOrDefault())
.WithParentActivityOrWindow(new WindowInteropHelper(this).Handle) // optional, used to center the browser on the window
.WithPrompt(Prompt.SelectAccount)
.ExecuteAsync();
The returned error is;
"AADSTS7000218: The request body must contain the following parameter:
'client_assertion' or 'client_secret'.
Following what I for example read here and in most places in AzureAD I have changed the default type to Public client.
I am still getting the same error.
I have enabled logging and I think i have the relevant part below
Info: (False) MSAL 4.13.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 (UnknownClient: 0.0.0.0) An authorization code was retrieved from the /authorize endpoint.
Info: (False) MSAL 4.13.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 (UnknownClient: 0.0.0.0) Exchanging the auth code for tokens
Info: (False) MSAL 4.13.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 (UnknownClient: 0.0.0.0) === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False
Info: (False) MSAL 4.13.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 (UnknownClient: 0.0.0.0) Response status code does not indicate success: 401 (Unauthorized).
Warning: (False) MSAL 4.13.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 (UnknownClient: 0.0.0.0) Request retry failed.
Info: (False) MSAL 4.13.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 (UnknownClient: 0.0.0.0) HttpStatusCode: 401: Unauthorized
Error: (True) MSAL 4.13.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 (UnknownClient: 0.0.0.0) MSAL.Desktop.4.13.0.0.MsalServiceException:
ErrorCode: invalid_client
Microsoft.Identity.Client.MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details.You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
It appears I am getting a authorization code but failing to get the tokens. The error being 401 (Unauthorized).
Can someone please help me to understand this?
There are two steps to fix this issue.
1.Change the default client type to Public client.
2.Add Mobile and desktop applications platform
Related
I am creating this application currently following this tutorial
When I send a message in the chatbot, the onSend function works, however, I get an error with my chatbot's response and I am given this error in the console.
Received response:
{
"error":{
"code":401,
"message":"Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie, or another valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status":"UNAUTHENTICATED"
}
}
Can anyone help?
I have tried to see if my Google cloud APIs and services status is active and checked if my credentials have been revoked in IAM & Admin, still, the same error is returned in my console
"The request failed with an empty response." web service SOAP request error in SOME SYSTEM after moving to azure app service from Azure VM.
Azure log Stack Trace
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at ................
System OS : Microsoft Windows NT
Application : Outlook plugin (WPF)
After we move our web service to Azure app service from VM, we need to modify the endpoint address to be the correct URL in Web.config.
We can find the web service endpoint address as below:
Please check if this endpoint address is correct. It may look like: https://WebAppname.azurewebsites.net/yourWebService.asmx
I'm fairly new IdentityServer4 and I'm trying to configure access control for our different internal APIs. By internal I mean that it's not over the internet. I've chosen IdentityServer4 since it seem to have great flexibility when it comes to different clients and grant types.
Right now I'm trying to get Windows Authentication (against AD) to work. First let me show you how I want it to work, then I will show you what I've tried.
Any user that's logged in to the AD should be able to request a token from the token endpoint. So for any application with integrated Windows authentication it should work automatically.
Here is an example of how I would like if to work in PowerShell. I'm not sure exactly how the body should look like, but you hopefully get the point.
$cred = Get-Credential
$body = #{grant_type='client_credentials';client_id='client'}
Invoke-RestMethod http://localhost:5000/connect/token -Method POST -Credential $cred -Body $body
So I studied the Quickstart examples of IdentityServer4 and I read the docs on Windows Authentication. I took the simplest quickstart example and tried to modify it to work with windows authentication.
The example use WebHost.CreateDefaultBuilder for the server which means that Kestrel should be automatically configured (according to the docs). Then I modify ConfigureServices accordingly:
public void ConfigureServices(IServiceCollection services)
{
services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryClients(Config.GetClients());
services.Configure<IISOptions>(iis =>
{
iis.AuthenticationDisplayName = "Windows";
iis.AutomaticAuthentication = false;
});
}
and in the launchSettings.json I set
iisSettings": {
"windowsAuthentication": true,
"anonymousAuthentication": true,
"iisExpress": {
"applicationUrl": "http://localhost:5000/",
"sslPort": 0
}
}
However, this doesn't work. When I run the server and try to request a token with the above PowerShell script I get the following error log from the IdentityServer:
[10:24:56 Debug] IdentityServer4.Validation.ClientSecretValidator
Start client validation
[10:24:56 Debug] IdentityServer4.Validation.BasicAuthenticationSecretParser
Start parsing Basic Authentication secret
[10:24:56 Debug] IdentityServer4.Validation.PostBodySecretParser
Start parsing for secret in post body
[10:24:56 Debug] IdentityServer4.Validation.PostBodySecretParser
client id without secret found
[10:24:56 Debug] IdentityServer4.Validation.SecretParser
Parser found secret: PostBodySecretParser
[10:24:56 Debug] IdentityServer4.Validation.SecretParser
Secret id found: client
[10:24:56 Debug] IdentityServer4.Validation.HashedSharedSecretValidator
Hashed shared secret validator cannot process NoSecret
[10:24:56 Debug] IdentityServer4.Validation.SecretValidator
Secret validators could not validate secret
[10:24:56 Error] IdentityServer4.Validation.ClientSecretValidator
Client secret validation failed for client: client.
[10:24:56 Verbose] IdentityServer4.Hosting.IdentityServerMiddleware
Invoking result: IdentityServer4.Endpoints.Results.TokenErrorResult
I feel a bit clueless and like I'm missing something here (like setting up the client correctly?). I would greatly appreciate any help here!
The logs says it - you are missing the client secret.
But you have a bigger missing here. You are trying to use client credentials grant type. From what I understood from your explanations, you want to authenticate with the current Windows user, am I right?
If so - your approach is wrong. Client credentials grant type is for client (understand app) authenticating. In other words - it will authenticate the app itself (no matter is it your powershell script, console app or whatever else), but not the user that is using it.
For example if we (me and you) execute the same script on different machines, under different user credentials, we will still receive the same claims in the access token, because we are authenticated as the client.
Check the token endpoint documentation for more options.
If you want to get a token, based on the user and password, you need to use the password grant type.
Hope that this helps and gives you some clues.
I've been trying to configure Sonar with Active Directory for a while with no luck so I was really excited to see the new LDAP 1.5 plug-in. Unfortunately it's still not working for me but it's so close! The lookup is successful but then something fails:
DEBUG web[w.s.NegotiateSecurityFilter] logged in user: CORP\My.UserName (S-1-5-21-1305660829-1405082133-723345943-15257)
DEBUG web[w.s.NegotiateSecurityFilter] roles: CORP\My.UserName, CORP\Domain Users, Everyone, BUILTIN\Administrators, BUILTIN\Users, NT AUTHORITY\NETWORK, NT AUTHORITY\Authenticated Users, NT AUTHORITY\This Organization, [etc.]
INFO web[w.s.NegotiateSecurityFilter] successfully logged in user: CORP\My.UserName
DEBUG web[o.s.p.l.w.s.s.SsoAuthenticationFilter] Validating authenticated user
DEBUG web[http] GET /sessions/new?return_to=%2F | time=1527ms
ERROR web[rails] Error from external users provider: exception Java::Com4j::ComException: 80040e37 (Unknown error) : A referral was returned from the server.
DEBUG web[http] GET /ldap/validate | time=1738ms
This was with the Negotiate protocol but I got the same error using the default NTLM protocol as well. Running Sonar 5.2.
The 1.5.1 update fixed this issue for me.
https://jira.sonarsource.com/browse/LDAP-49
After reading the following article:
http://blogs.technet.com/b/ad/archive/2015/08/12/azure-ad-microsoft-account-preview-sign-in-personal-and-work-accounts-using-a-single-stack.aspx
I tried to implement an OpenID Connect/Oauth code flow per the documentation at:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-appmodel-v2-overview/
I'm using mod_auth_openidc as my Relying Party (that I have working with both Google and my own OpenID Provider.
I've registered my app at https://apps.dev.microsoft.com, and gone through all the steps. I get the login screen at microsoft, then the permissions screen and when it redirects back to my site and hits mod_auth_openidc, I get an error that says:
Error:
The OpenID Connect Provider returned an error: Error in handling response type.
In my Apache Error logs I get:
oidc_proto_validate_code_response: requested flow is "code" but no "access_token" parameter found in the code response, referer: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&scope=openid&client_id=xxx&state=yyy&redirect_uri=https%3A%2F%2Fdst-dev.mydomain.com%2Foauth2callback&nonce=zzz
and
oidc_proto_resolve_code_and_validate_response: code response validation failed,
What I'm trying to figure out is where the problem lies. Is there an issue with what Microsoft is sending mod_auth_openidc, or is there a bug or configuration issue on the mod_auth_openidc side?
The example at MS webpages uses a different response mode and response type in the authentication request:
&response_mode=form_post&response_type=code+id_token
both are supported by mod_auth_openidc so you could apply something similar by including:
OIDCResponseType id_token
OIDCResponseMode form_post
in the Apache configuration or using the associated primitives in the .conf file for Microsoft when using multiple providers.