I have a React application and a Spring Boot backend that I want to secure with Azure B2C.
I have successfully created an auth flow in the frontend with React and B2C and I receive the access token. My idea is that I should pass the access token to Spring Boot, which should call B2C to validate my identity by the access token and get the user info and role. But in all of Microsoft's documentation I couldn't find any example for the validation. All the examples for B2C involve authentication on a web-server-hosted page, with login in the web server. Can anyone help me with a link to some documentation or example?
Thank you very much
Related
I have a frontend application built in React.js connecting to Azure AD using MSAL for authentication. After authentication, the user needs to click a button which calls a Django REST API which is also authenticated using Azure AD.
The React FE and Django connect to two separate app registrations in Azure AD, even though 1) the FE is added to Django's app registration as a known client and 2) Django is exposing the API and the scope has been given consent.
When the authenticated FE sends requests to the Django REST service with a Bearer token, it fails to authenticate the request saying 'invalid token'.
I'm able to authenticate the FE and the Django REST service separately, but the authenticated FE is not able to connect to the Django REST service. Please share your thoughts on what else needs to be checked, or any solutions.
Please check if any of these configurations can be worked around:
Check if you have given your React app's URL in the redirect URL in the portal and in code, so that once Azure AD validates the user it will return back to your React app with an ID token. Also, enable Access Token and ID Token.
Check if you have created a scope for your web API (in Azure Portal > Your API > Expose an API). Then configure it on your client app on the API Permissions menu tab. Then add it to your scopes collection in the code settings. Also, grant admin consent for that API permission.
Check the manifest of your Azure AD app. The value below is probably null or 1; if you are using the v2.0 endpoint, it should be 2:
"accessTokenAcceptedVersion": 2,
If you are using the v2.0 endpoint, the scope should be api://{server_client_id}/.default.
In the settings.py for your application, you'll need to provide the authority to which your web app delegates sign-in (e.g. authority: 'https://login.microsoftonline.com/<your tenant id>'):
auth: {
    clientId: '232a1406-b27b-4667-b8c2-3a865c42b79c',
    authority: 'https://login.microsoftonline.com/e4c9ab4e-bd27-40d5-8459-230ba2a757fb',
    //
}
When you perform token validation, check your JWT at http://jwt.io:
Audience: the token is targeted for the web API.
The "aud" value that Azure generates for the JWT is also controlled by the "accessTokenAcceptedVersion" property in the AD application manifest (see if the issuer, or iss, has v2 to confirm it is the v2 endpoint).
If you have set the access token accepted version to 2, then the client id and audience need to be the same (i.e. no need to write api:// in the audience).
Note that Implicit flow is the only flow supported for SPA. Authorization code flow is intended for web apps, mobile and desktop apps but not for SPA. Please refer to this document.
References:
See how to configure Azure AD and how to determine the settings for django-auth-adfs.
You can check this and find your use case scenario.
Check v2-supported-account-types for authentication-flows.
Check the OAuth 2.0 On-Behalf-Of flow.
I am using an Azure AD access token instead of the default OpenID Connect server (Keycloak) to protect the backend REST API. Could you please let me know if I need to make any changes to the AudienceValidator class under the package security.oauth2?
Application flow:
UI (React JS) will access the Spring Boot API by passing the access token.
Please take a look at the ms-identity-java-webapi sample. The msal-obo-sample shows how to validate an access token acquired by MSAL using Spring Security. You will be interested specifically in AADClaimsVerifier and SecurityResourceServerConfig.
I have set up an Azure Active Directory tenant with direct federation to Google. Next to that I have a .NET core web application using the OIDC code flow for getting both id_tokens and access and refresh tokens. The access token is used to call my API which is working fine.
Now the problem is whenever I use my refresh_token to get a new access_token I receive a new access_token, but no refresh_token. So I can only refresh once.
I only have this issue when authenticating with my Google account using direct federation. When I authenticate using a tenant-native account I can refresh an unlimited number of times.
We have two multitenant Azure AD app registrations as described here. One for our single page application and one for our API. In our single page application backend we use the OpenIdConnect middleware to authenticate against Azure AD. Note that we are not using the common endpoint, but the tenant-specific endpoint, because otherwise direct federation does not work. We can reproduce this issue by intercepting the refresh token in the OnTokenResponseReceived event of the OIDC middleware and initiating the refresh flow as stated here (by using Postman, for instance). The response is successful, but only contains an access token, no refresh token.
Is this behavior by design?
I have an existing React application that is using AWS Amplify for backend resources, namely Cognito for authentication. Users authenticate through Cognito to access application resources. I have a new use case where the application will be put into an iframe in another application and I need to accept OAuth2 authentication into my application along with the existing authentication. I have been reading up on OAuth2 and the documentation for Amplify Auth using OAuth2 and I'm a bit confused on how to go about doing this. I'm hoping somebody knows of better documentation or information that can point me in the right direction.
I have a Next.js application that calls AWS functions. I want to add login functionality to it, though, using a JWT token. I don't know how to do this. I want to publish the app as a static website, so I don't want to have an Express server.
I have looked at a whole lot of the solutions, which all use a server to handle the JWT stuff. I would like to handle all of the authentication in an AWS Lambda function and then send a JWT token through to the Next.js app. Is this possible?
I would suggest you have a look at AWS Cognito. Cognito User Pool is a user directory with sign-in, sign-up, lost password, email verification and MFA flows and an API. You can also federate identities from other identity providers, such as Amazon, Google, Facebook, SAML or any OpenID-compatible providers.
To make it easier to provision Cognito and use it in your client-side React app, have a look at the Amplify command line tool and SDK.
Adding Cognito to your project is as easy as: amplify add auth && amplify push
Amplify comes with a built-in user interface to implement the sign-in and sign-up flows, but of course you can choose to build your own.
The authentication part of the Amplify documentation is available at https://aws-amplify.github.io/docs/js/authentication