Public certificate of Azure AD - azure-active-directory

As part of a POC, I want my existing web API to programmatically verify the signature of JWT access tokens, to validate that a token was really issued by my demo AAD so that my web API app can trust it. To do the verification I need the .cer/public certificate of my demo AAD.
How do I get the .cer file of AAD to do signature verification?

Related

Azure B2C ajax authentication check

Current situation: Symfony application with authentication via Azure AD B2C.
How is it possible to make an authorize check to https://TENANT.b2clogin.com/TENANT.onmicrosoft.com/oauth2/v2.0/authorize via ajax to verify if a customer has an active session on Azure AD? I only need to retrieve the Azure oid from the token.
Now I redirect the user to https://TENANT.b2clogin.com/TENANT.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_sign_in&client_id=CLIENTID&none=defaultNonce&redirect_uri=REDIRECTURI&scope=openid&response_type=id_token&prompt=login&response_mode=form_post&ui_locales=en but I want to get rid of that.
You can use the MSAL method ssoSilent(), which opens the auth endpoint in a hidden iframe. That succeeds only if there is a valid session cookie at AAD B2C. Note this only works if your app and AAD B2C are on the same root domain name.

Can I use a certificate to authenticate to a Rest API in Azure B2C policies?

I am trying to call a Rest API in a B2C Technical Profile. That is described here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/restful-technical-profile
The Rest API is protected by Azure AD, and I need to first obtain a bearer token from Azure AD and use the Bearer Authentication Type in the Technical Profile to access the Rest API.
I want to use a certificate and not a secret to obtain a bearer token from Azure AD. To do so, I have to create a JWT Assertion signed by the certificate. That process is described here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate
I understand that much. What I am not sure about is if B2C has any functionality for which I can build and sign a JWT Assertion to use in a request to Azure AD? I've looked through the claims transformations that are available and am not finding anything. Am I forced to use Client ID and Secret instead?
Please note that, to generate a JWT token with a certificate, you must first create a self-signed certificate like below:

    New-SelfSignedCertificate `
        -KeyExportPolicy Exportable `
        -Subject "CN=yourappname.yourtenant.onmicrosoft.com" `
        -KeyAlgorithm RSA `
        -KeyLength 2048 `
        -KeyUsage DigitalSignature `
        -NotAfter (Get-Date).AddMonths(12) `
        -CertStoreLocation "Cert:\CurrentUser\My"
On a Windows computer, select Manage user certificates and download the certificate:
Please note that client_id is required to authenticate to Azure AD B2C.
To upload the certificate, go to Azure AD B2C, select API connectors, upload the certificate and create a password for it like below:
Make sure to configure the REST API profile to use HTTP basic authentication by following this MS doc.
To generate the token without client_secret, please try the below parameters:
Then try generating the token; if you want to do it programmatically, update your appsettings file like below:
    "B2CTenant": "Tenant_ID",
    "B2CPolicy": "Policy_name",
    "B2CClientId": "client_id",
    "B2CRedirectUri": "redirecturi",
    "B2CSignUpUrl": "Signup_url",
    "SigningCertAlgorithm": "RS256",
    "SigningCertThumbprint": "Thumbprint",
    "LinkExpiresAfterMinutes": 10
Reference:
Secure APIs used as API connectors in Azure AD B2C - Azure AD B2C
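The first question on this page and the one just above both come down to RS256 JWTs and X.509 certificates: the first asks where to get Azure AD's public certificate to verify a token's signature, this one asks how to build a certificate-signed JWT assertion for the client credentials grant. The following Go program is an added example, not code from either question, from any answer, or from Microsoft. It generates its own key and self-signed certificate (the in-memory counterpart of the New-SelfSignedCertificate step), builds a client_assertion with the iss/sub/aud/jti/exp claims and the x5t header the linked documentation describes, and verifies a token the way a resource API would: the verifying certificate is taken from the x5c entry of a JWKS key, which is how Azure AD publishes its signing certificates at the jwks_uri named in its OpenID Connect discovery document, so no separate .cer download is needed. The kid, client id and token endpoint values are constructed placeholders, and Go is used only because its standard library has the JWT and X.509 primitives.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Added example, not from the question or any answer; key and certificate are generated locally, nothing contacts Azure AD.
type jwk struct {
	Kid string   `json:"kid"`
	X5c []string `json:"x5c"` // DER certificates, standard base64, leaf first
}
var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// makeCertAndKey is the in-memory counterpart of the New-SelfSignedCertificate
// step: private key, DER certificate, and a one-key JWKS that publishes it.
func makeCertAndKey(kid string) (*rsa.PrivateKey, []byte, []jwk, error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails if the system RNG does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	return priv, der, []jwk{{Kid: kid, X5c: []string{base64.StdEncoding.EncodeToString(der)}}}, err
}

// clientAssertion builds the RS256 JWT sent as client_assertion in place of a
// client secret: iss and sub are the client id, aud is the token endpoint, and
// the x5t header is the base64url SHA-1 thumbprint of the DER certificate.
func clientAssertion(priv *rsa.PrivateKey, der []byte, kid, clientID, tokenEndpoint string, now time.Time) (string, error) {
	thumb := sha1.Sum(der)
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid, "x5t": b64.EncodeToString(thumb[:])})
	pl, _ := json.Marshal(map[string]any{"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"jti": fmt.Sprintf("%d", now.UnixNano()), "nbf": now.Unix(), "exp": now.Add(10 * time.Minute).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig), err
}

// verifyRS256 pins alg to RS256 before any key is consulted (a token claiming "none" or an
// HMAC alg is refused), takes the public key from the x5c certificate whose kid matches,
// checks the signature over header.payload, then checks exp on the decoded claims.
func verifyRS256(token string, keys []jwk, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("header is not base64url JSON")
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys {
		if k.Kid == hdr.Kid && len(k.X5c) > 0 {
			der, _ := base64.StdEncoding.DecodeString(k.X5c[0])
			cert, err := x509.ParseCertificate(der) // this certificate is the ".cer" the first question asks for
			if err != nil {
				return nil, err
			}
			pub, _ = cert.PublicKey.(*rsa.PublicKey)
			break
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no RSA signing certificate for kid %q", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, fmt.Errorf("signature check failed")
	}
	var claims map[string]any
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, fmt.Errorf("payload is not base64url JSON")
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, fmt.Errorf("token expired or has no exp")
	}
	return claims, nil
}

func main() {
	priv, der, keys, _ := makeCertAndKey("kid-1")
	tok, _ := clientAssertion(priv, der, "kid-1", "client-id", "https://login.example/token", time.Now())
	fmt.Println(verifyRS256(tok, keys, time.Now()))
}
```

Pinning alg to RS256 before looking up any key is what stops a token that claims alg none or an HMAC alg from being accepted with the public certificate as its "secret". A production verifier additionally checks iss and aud against the expected tenant and application, and re-fetches the JWKS when it meets a kid it does not know, because Azure AD rolls its signing certificates periodically.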

Duende IdentityServer 5.0 - Sign in user after SAML Authentication (from Users IDP)

We have:
Our own IDP --> Duende Identity Server (5.0)
MVC Client that users log into after they are authenticated by our IDP (above)
External client that wants SSO to our MVC client, so it will send us a SAML assertion (IdP-initiated SAML); we use ITfoxtec as the SAML processing library.
Once we verify and validate the SAML assertion and the user, how do we sign in the user to our IDP (Duende Identity Server)?
context.SignInAsync(new IdentityServerUser, Auth props);
Will this create a new token and session for the external client's user on our IDP?
If we redirect the new user to our MVC application, will it be able to tell that the user is indeed authenticated?
Do we need to specify an Authentication scheme when signing in the user to our Duende IDP ?
context.SignInAsync(AuthenticationScheme scheme, IdentityServerUser user);
Is this correct?
One key requirement is that we need to have an access token that the MVC client app uses for many other needs (access to other features).

How do I setup IdP initiated sign on with a B2C Local account to Salesforce?

I am trying to have an IdP initiated sign on with a B2C Local account to Salesforce. Under my current configuration when I navigate to my IDP to login, I receive the following error: "AADB2C90250: SAML IDP initiated SSO is not enabled for this policy."
I have ensured that <Item Key="IdpInitiatedProfileEnabled">true</Item> is set under the technical profile in my custom policy. I'm not sure what other configuration to check and am looking for suggestions.
I'm using Azure AD B2C as IDP and Salesforce as IDP. Originally it was created for SP.
For PartyEntity I'm using the same endpoint for SalesForce. Do I need a different end point or can I use the same one? Here's an example of my configuration.
I have a new setup for IDP initiated and have referenced that policy below.
<Item Key="PartnerEntity">https://<MY_SALES_FORCE_ACCOUNT>.my.salesforce.com/.well-known/samlidp/<API_POLICY>.xml</Item>
<Item Key="IssuerUri">https://<MY_DOMAIN>.b2clogin.com/<MY_DOMAIN>.onmicrosoft.com/<POLICY_NAME></Item>
Any other clues on this error would be helpful. Thanks.
• Please check whether the SAML response signature is created properly, and whether the certificate created to sign the SAML messages is correct for the samlp:Response message element in the SAML message.
• If you don't already have a policy key, create one. Then configure the SamlMessageSigning metadata item in the SAML Token Issuer technical profile. StorageReferenceId must reference the policy key name.
• Make sure the technical profile and application use the same signature algorithm and the algorithm supports your certificate.
• Make sure the SAML service provider sets WantAssertionsSigned to true. If it's set to false or doesn't exist, the assertion section won't be signed.
• Make sure you specify the certificate to be used to sign the SAML assertion sections of the SAML response. Also, check the SamlAssertionSigning metadata item in the SAML Token Issuer technical profile, where StorageReferenceId must reference the policy key name.
• Make sure encryption is enabled in the Azure AD B2C policy and the public key exists in the SAML application's metadata endpoint with the KeyDescriptor use value set to Encryption.
• Also, note that scenarios where the initiating identity provider is an external identity provider federated with Azure AD B2C, such as Active Directory Federation Services or Salesforce, are not supported; the IdP-initiated flow is supported only for local account authentication in Azure AD B2C.
Please check the below links for more information and the sample code for IdP-initiated SAML single sign-on:
https://github.com/azure-ad-b2c/saml-sp/tree/master/policy/SAML-SP-Initiated
https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider-options?pivots=b2c-custom-policy
https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy

Sign-in with Microsoft identity provider fails, works for other providers

I have an Azure AD B2C tenant with a SignIn and SignUp policy that I hope to use for user management with an Angular2 SPA.
The policy is configured for three identity providers:
Google
Microsoft
Email Signup
When I use the Run Now button in the Azure portal to run this policy, I get the default Sign In dialog, and I can sign in with either Google or Email signin. (By that I mean I get re-directed to my app's redirect page as I expect.) However, when I try to sign in using the Microsoft provider, I end up at an error page with the following address:
https://login.live.com/err.srf?lc=1033#error=invalid_request&error_description=The+provided+value+for+the+input+parameter+'redirect_uri'+is+not+valid.+The+expected+value+is+'https://login.live.com/oauth20_desktop.srf'+or+a+URL+which+matches+the+redirect+URI+registered+for+this+client+application.&state=StateProperties%3deyJTSUQiOiJ4LW1zLWNwaW0tcmM6NDcyMmQyNjItOTk1Yi00YTJlLWFmNWUtODkwNDgyODlhMzM0IiwiVElEIjoiM2Y2ZDVmNjAtMDdiNC00ZDA3LWEyZDItN2U3YWQwOWRhOGQ5In0
I see that the problem is related to an invalid redirect_uri. But I thought the redirect_uri was an application-level setting shared by ALL identity providers that I have configured. Why does my redirect_uri setting work for Google and Email signup, but not for Microsoft?
You have to configure your Microsoft application with the right redirect URL.
As stated in the documentation:
Enter https://login.microsoftonline.com/te/{tenant}/oauth2/authresp in the Redirect URIs field. Replace {tenant} with your tenant's name (for example, contosob2c.onmicrosoft.com).
Why you have to do this: (courtesy of Chris Padgett)
The redirect URI that is configured in the Azure AD B2C Portal represents the reply address for your client application. This is so Azure AD B2C can return an ID token to your client application. The redirect URI that is configured in the Application Registration Portal represents the reply address for your Azure AD B2C tenant. This is so the Microsoft Account identity provider can return a security token to your Azure AD B2C tenant.
So, your app is federating authentication to Azure AD B2C.
B2C then further federates to the Microsoft Account identity provider.
So when a user logs in with a Microsoft account, they are sent back to B2C with a token, which B2C validates.
If all is okay, they are signed in to B2C, and sent back to your app.
So you see that from the point of view of the MSA identity provider, B2C is the client.
So the redirect URL there must point to B2C.
As the document stated, you should Enter https://login.microsoftonline.com/te/{tenant}/oauth2/authresp in the Redirect URIs field.
But I thought the redirect_uri was an application-level setting shared by ALL identity providers that I have configured. Why does my redirect_uri setting work for Google and Email signup, but not for Microsoft?
You're right, the redirect_uri is an application-level setting. It should be the same in all IDPs' redirect URIs. But this redirect URI is set by Azure, NOT your application. It means that you can use other IDPs to log in to your app with AAD B2C, NOT log in to your application directly. So, the redirect_uris must be https://login.microsoftonline.com/te/{tenant}/oauth2/authresp, not the redirect_uri in your application itself.
URI doesn't equal URL. The redirect URI is just a unique identifier to which Azure AD will redirect the user-agent in an OAuth 2.0 request. It's not a redirect URL; the Azure AD authentication endpoint https://login.microsoftonline.com/ uses redirect URIs to check where it should respond. Also, it can be the same as the URL of the endpoint. Here it should be the same, I guess.
In summary, you need to use the unique redirect URI https://login.microsoftonline.com/te/{tenant}/oauth2/authresp for all IDPs, not just Microsoft account.
Hope this helps!
