I am working on a mobile app that currently has the Intune SDK integrated app itself. This Intune SDK forces a user to log in using their company credentials and in response a subject ID and an Azure AD token is set in the app session.
I would like to integrate this app with an Identity Server instance using the client credentials grant, but in addition to the client id and password, I would like to pass along the Intune Azure AD token (and have it validated by the Identity Server) as a better level of security than the client secret (which is compromised by being in the app code).
What would be the best approach here?
Here are my thoughts on options:
Create a custom grant type that accepts client id, client password and the Azure AD token? What's the best way to approach this, if so?
Create an ISecretValidator implementation that checks if a password is an AAD token first, then validates the token if so. Does this introduce security concerns?
Related
We have a public consumer application for which we use Auth0 as identity platform and through Auth0 we have enabled a couple of social logins to which we now want to add "Login with Microsoft" as an option so that anyone with any type of Microsoft account can login.
Obviously we will need to enable the Microsoft social connection in our Auth0 instance and connect it to a Active Directory Application and Tenant created in Azure.
What I can't seem to find the answer for is which type of tenant we should setup for this, whether we should use a Azure Active Directory tenant with a multi-tenant application or if we should use a Azure Active Directory (B2C) tenant for this?
Thanks for posting your query. As per https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/azure-active-directory/v2#register-your-app-with-azure-ad Azure AD would support for multitenant apps but not with social account (until you plan to send invitation to each user's personal account for Azure AD B2B).
For Microsoft Social accounts Azure B2C would suit your requirement.
On Auth0 Admin Console:
Create a web application in Auth0
Copy the client ID and secret
Add a callback URL from your B2C tenant in given format: https://.b2clogin.com/.onmicrosoft.com/oauth2/authresp
Copy the “OpenID Configuration” URI from advance setting.
On Azure B2C tenant:
Add an Identity provider to B2C, Azure AD B2C > Identity providers > New OpenID Connect Provider
Input “OpenID Configuration” URI you copied in above step to Metadata URL.
Similarly add client ID and Client secret you copied from Auth0.
Complete the claims mapping ref: https://learn.microsoft.com/en-in/azure/active-directory-b2c/identity-provider-generic-openid-connect?pivots=b2c-user-flow#claims-mapping
Hit Save and Auth0 will be saved as IDP in your Azure B2C tenant.
Thanks
I've gathered the following insights since posting my question
Summary
Auth0 Social connection -> Azure Active Directory tenant with an app configured to support "Personal Microsoft accounts"
Auth0 Enterprise connection -> Azure Active Directory tenant with an app configured to support "Accounts in any organisational directory and personal Microsoft accounts"
See guide of different app types here
Details
Since we wanted to support login with any microsoft account (multi tenant + personal) my initial attempt of using an Auth0 Social connection for this was incorrect, since the Social connection will only allow successful logins with personal accounts regardless of how you have setup the App registration in Azure
Auth0 Enterprise connection is the way to go for our case, with an Azure app registation supporting multi tenant + personal accounts. Also when setting the connection up in Auth0, make sure to enable the "Use common endpoint" setting as described here
The Azure Active Directory B2C tenant type is not useful with any of the Auth0 connections as you likely won't be able to get a satisfying consent screen with verified publisher. I'm guessing its just the wrong way of using the B2C tenant, where its supposed to be used the other way around with the Azure tenant being the identity platform optionally integrating applications from Auth0 like in the answer from Mavric20
I am looking to implement Azure AD B2C into my web application for user authentication.
However, I am unsure of the desired practice when you have a separate frontend from backend.
Frontend: React JS web application running on Node.js
Backend: ASP.NET Core 6 API application
Server: Microsoft SQL Server
I would like to also have users / user information stored in the database upon creation. This is because I need to reference these users in several different relational tables.
What is the best workflow with this?
Azure AD B2C is implemented in frontend. When a user is created, an API request is sent to the backend to create the user in the database. If it is successful, a user cookie is created on the frontend for authentication.
Azure AD B2C is implemented in the backend. When a user is submitted in the frontend, an API request is sent to the backend where the Azure AD B2C service creates a user, stores it in the database, and sends a callback to the frontend signifying the action was either successful / unsuccessful, along with a user cookie for authentication.
other
I am new to authentication cookies, and user sessions, so any documentation provided regarding that would be greatly appreciated.
• I would suggest you use ASP .NET MVC 2 or another version as the front-end client and integrate Azure AD B2C tenant and an app registered in it as described in the document below. Once you have the Azure AD B2C tenant registered and the required application for authentication configured, configure the custom policies and user flow accordingly. Once those are done, then secure that application with Azure AD B2C for login and authentication with guest authentication. Then, ensure that your backend application is integrated with Azure SQL or cosmos DB for storing the details of all the users signed in with the Azure AD B2C. For that purpose, you will have to give Azure AD B2C application registration, the required permissions for that concerned Azure resource for allowing to access the same and retrieve the user details from it. Thus, in this way, you can configure your application accordingly.
Kindly refer to the link below for more information and details on configuring the infrastructure for the same: -
https://www.codeproject.com/Articles/1121503/Integrate-Azure-AD-B-C-with-ASP-NET-MVC-Web-App-Pa
https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-authentication-sample-web-app?tabs=visual-studio
We use custom idp (identity server 3) to authenticate users on the system. Now I have a requirement to implement Azure AD authentication. I tried adding Azure AD as an external provider it is working fine on the browser, but on MS teams app, it is not working because the Microsoft teams app opens in an Iframe, on which azure Ad doesn't work.
I implemented Microsoft msal.js library to authenticate using Azure AD. I am able to authenticate and get the token on the frontend. But how can I pass that token to identity server 3 and authenticate user using my own identity server.
Did you have a look at these resources which seem to explain how to implement your setup:
https://learn.microsoft.com/en-us/microsoftteams/sign-in-teams
https://learn.microsoft.com/en-us/microsoftteams/platform/concepts/authentication/authentication
https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-tab-aad
https://learn.microsoft.com/en-us/microsoftteams/platform/concepts/authentication/configure-identity-provider
if I understand your requirement correctly then you can try out the below solution:
User is authenticated using Azure Ad when he logs in to Teams App. Now you can send the logged in user's AD information (User Principal Name preferably) to your IS3 and authenticate from your end.
Trying to get a ASP.NET web application to access both a local resource and graph api using a single login.
The environment consists of a on prem adfs as well as a Azure AD instance that is synced and federated against on prem ad.
I have the following working.
Configure the application to use OpenId Connect authentication against Azure AD with a client configured in azure ad. The user authenticates and i receive a authentication code that i can use to get a token to call graph api successfully.
Configure the application to use OpenId Connect authentication against ADFS using a client_id configured in ADFS. The user authenticates and i get a authentication code that i use to get a bearer token to call the local resource.
However i cannot find a way to get access to both the local resource and graph api with a single login. Is this at all possible? Could someone point me in the right direction?
You can use a Delegated token which contains both a valid Client and User.
See the documentation and Stackoverflow thread.
If it is just read-access and not write-access then what you are describing should be possible.
Referred the following stack overflow post Azure B2C client credentials grant
We are presently using Azure B2C.
I understand that Azure B2C does not support the client credential flow for now.
We have a requirement where an external application (server Application outside our organization) needs to access our resource (api hosted within our organization)
Is there any way we can do this from Azure AD-B2C or would we need Azure AD-B2B for these type of requirements. ?
Currently, your specific scenario -- where you are needing an access token to be issued for access by a daemon or server app to your API app -- isn't supported, however you can register the API app through the “App Registrations” blade of the Azure AD directory for your Azure AD B2C tenant.
You can upvote support for the client credentials flow by Azure AD B2C at:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/18529918-aadb2c-support-oauth-2-0-client-credential-flow
If the API app is to receive tokens from both a web/native app as well as the daemon/server app, then you will have to configure the API app to validate tokens from two token issuers: one being Azure AD B2C and other being the Azure AD directory for your Azure AD B2C tenant.
You should not do this anyway.
Instead, provide a portal for your customers where they can manage api keys.
Implement api keys as a second auth schema in your Api