Easy Auth returns empty response for some people - azure-active-directory

I'm using the /.auth/me endpoint to get claims for the users.
I'm obtaining the Bearer token in order to authenticate to the endpoint.
The endpoint itself is on an Azure Function origin, so what I'm calling is https://azure_function_name.azurewebsites.net/.auth/me with the Authorization header set to Bearer (token)
This works but not for all people.
Some people get the following response from the /.auth/me endpoint:
[]
Why does the /.auth/me endpoint return a valid response for some tokens (people) and an empty response for others?

I am using the OAuth 2.0 auth code grant (with a user login) to get the access token, and I can get the correct response from the /.auth/me endpoint. I have tried both Member and Guest users in my tenant.
You can try to access https://azure_function_name.azurewebsites.net/.auth/me directly. You will get the response after logging in.
The reply url should be https://azure_function_name.azurewebsites.net/.auth/login/aad/callback

Azure AD Bearer Token has wrong "aud" claims

I am trying to use AAD delegated permission Bearer tokens for a Visio VSTO addin to create SharePoint Online pages using CSOM. Initially I was able to get this working entering username / password following Modern Authentication with CSOM for Net Standard
However, I would like the user to select an existing AAD account. When I attempt to use the following code, the Bearer token "aud" claim is consistently set to "00000003-0000-0000-c000-000000000000", which is the Graph API. Whilst a ClientContext object is returned, I am getting an HTTP 401 Unauthorized error when performing a page lookup.
The code is as follows:
using Microsoft.Identity.Client;   // MSAL: PublicClientApplicationBuilder, Prompt
using Microsoft.SharePoint.Client; // CSOM: ClientContext (AuthenticationManager comes from the linked sample)
//
// Get Client App
//
var ClientApp = (PublicClientApplication)PublicClientApplicationBuilder.Create(<AAD App ID>)
.WithDefaultRedirectUri()
.WithTenantId(<AAD Tenant ID>)
.WithAuthority(AzureCloudInstance.AzurePublic, <AAD Tenant ID>)
.Build();
//
// Prompt for user to select preferred AAD account
// The returned JWT Bearer Token "aud" claim is 00000003-0000-0000-c000-000000000000
//
var Token = ClientApp.AcquireTokenInteractive(scopes)
.WithPrompt(Prompt.SelectAccount)
.WithParentActivityOrWindow(GetActiveWindow())
.ExecuteAsync()
.GetAwaiter()
.GetResult();
//
// Get client Context
//
var ClientContext = AuthenticationManager.GetAzureADAccessTokenAuthenticatedContext(<SharePoint Site URL>, Token.AccessToken);
//
// Using the Client Context to query the Site results in HTTP 401
//
ClientContext.Load(ClientContext.Web, p => p.Title, t => t.Description);
ClientContext.ExecuteQuery();
Looking at the code for the AuthenticationManager class in the above link I can see that the AAD Bearer request is passing the following resource request parameter to the SharePoint online URL:
var body = $"resource={resource}&client_id={clientId}&grant_type=password&username={HttpUtility.UrlEncode(username)}&password={HttpUtility.UrlEncode(password)}";
So it seems that AAD is setting the Bearer token "aud" claim based upon this parameter. However, when I try and add this parameter using 'WithExtraQueryParameters' I am getting the following error: "AADSTS901002: The 'resource' request parameter is not supported"
Ok, I figured out the problem. The scope needs to be prefixed with the resource:
string[] scopes = { "https://<domain>.sharepoint.com/AllSites.Write", "user.read" };
Then retrieve the token
this.Token = await ClientApp.AcquireTokenInteractive(scopes)
.WithPrompt(Prompt.SelectAccount)
.WithParentActivityOrWindow(GetActiveWindow())
.ExecuteAsync();

What's the right way to call Introspect endpoint in Microsoft IdentityServer 4

I'm able, using Postman, to get an access token from Microsoft Identity Server 4.
This is the response:
Now I would like to authenticate the token using the introspection endpoint, but the response is 401 Unauthorized. Maybe some data is missing from the request to the introspection endpoint?
To access the token introspection endpoint in Postman, I use:
POST to https://localhost:6001/connect/introspect
Add the Authorization header, with the value "Basic cGF5bWVudDpteWFwaXNlY3JldA==". Where the secret is the apiname/secret. In my case it is payment and myapisecret as password.
Add a body x-www-form-urlencoded, with a key named token and the value is my access token.
That should be all.
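The 401 in the question is the introspection endpoint rejecting the caller, not the token: IdentityServer authenticates the API resource with HTTP Basic (api name and secret), and the token goes in the form body. The following helper is an added example, not code from the answer; it builds the request pieces offline (no HTTP is sent) and classifies the reply using RFC 7662 semantics. The endpoint URL and the payment/myapisecret credentials are the ones from the answer; the token value is a constructed placeholder.

```python
import base64
import json
from typing import Dict, Tuple
from urllib.parse import urlencode


def basic_auth_header(api_name: str, api_secret: str) -> str:
    """IdentityServer authenticates the API resource calling /connect/introspect
    with HTTP Basic: base64(api_name:api_secret), not with a bearer token."""
    raw = f"{api_name}:{api_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_introspection_request(endpoint: str, api_name: str, api_secret: str,
                                token: str) -> Dict[str, object]:
    """Assemble the POST exactly as the answer describes. Nothing is sent here;
    hand the pieces to whichever HTTP client you use."""
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {
            "Authorization": basic_auth_header(api_name, api_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        # token_type_hint is optional (RFC 7662) but saves the server a lookup.
        "body": urlencode({"token": token, "token_type_hint": "access_token"}),
    }


def interpret_introspection(status: int, body: str) -> Tuple[str, str]:
    """Turn a raw reply into (verdict, detail). 401 means the caller's Basic
    credentials were rejected; 200 with active=false means the token itself
    is not valid for this API (expired, revoked, or wrong scope)."""
    if status == 401:
        return ("credentials_rejected",
                "Basic header not accepted: check api name and secret")
    if status != 200:
        return ("error", f"unexpected HTTP status {status}")
    data = json.loads(body)
    if not data.get("active", False):
        return ("inactive", "token expired, revoked, or not issued for this API scope")
    return ("active", f"scope={data.get('scope')} sub={data.get('sub')}")


if __name__ == "__main__":
    req = build_introspection_request("https://localhost:6001/connect/introspect",
                                      "payment", "myapisecret", "ACCESS_TOKEN_PLACEHOLDER")
    print(req["headers"]["Authorization"])  # matches the header quoted in the answer
    print(req["body"])
    # Constructed replies, the shapes RFC 7662 defines:
    print(interpret_introspection(401, ""))
    print(interpret_introspection(200, '{"active": false}'))
    print(interpret_introspection(200, '{"active": true, "scope": "payment", "sub": "123"}'))
```

Note that a 200 with active=false is the normal, non-error answer for an expired or foreign token; only a 401 points at the Basic credentials.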

Obtain AzureAppProxyAccessCookie when I have a valid Azure AD JWT token

Some background info:
I'm working on a two-factor authentication solution for some API by using:
1) Azure AD
2) an encoded API key
I'm able to get a valid access token programmatically to be used as the authorization bearer token in the request header. Unfortunately, the API expects the 2) encoded API key to be delivered through the authorization field, and as such, I'm expected to pass the AAD auth through a cookie instead.
If I direct chrome to my api and log in normally while capturing the traffic, I see that the cookie AzureAppProxyAccessCookie is set.
If I do a curl GET request with this cookie against my API, the response is successful.
TLDR/Actual question:
How can I obtain a valid AzureAppProxyAccessCookie programmatically when I already am able to obtain a valid JWT token?

Azure AD openid connect not including token_type in response

I am attempting to convert over from the old Azure AD OpenId Connect to use the new Azure AD v2.0 endpoint as documented here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oidc
When I attempt to request a token via the v2.0 token endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/token
I get a response that only includes a 'token_id' field, and not a 'token_type', or any other fields. The library I am using to parse the response is nimbus.com library for openid and auth2. The OIDCTokenReponseParser throws an exception because the 'token_type' is missing from the response.
I have looked at the OpenID Connect Protocol specifications, and it says that a request to the token endpoint requires 'token_type', so it seems as though the response from the endpoint is invalid.
Has anyone run into this issue, and if so, how did you deal with it?
UPDATE 3/2/2018
My flow works with the old end point. I redirect the user here:
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id={id}&redirect_uri={uri}&scope=openid+profile+email&state={state}
The user logs in, and they are redirected to my app, and code is provided via a query parameter.
I turn around and make this request:
https://login.microsoftonline.com/common/oauth2/token?code={code}&grant_type=authorization_code&client_secret={secret}
And I get a response that looks like this:
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1520018953",
"access_token": "{token}",
"refresh_token": "{token}",
"id_token": "{token}"
}
I try to handle v2.0 version the same way. I redirect the user to:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id={id}&redirect_uri={uri}&scope=openid+profile+email&state={state}
And after they sign in, they are redirected back to my app with the 'code' as a query parameter.
I then send this request:
https://login.microsoftonline.com/common/oauth2/v2.0/token?code={code}&grant_type=authorization_code&client_secret={secret}&redirect_uri={uri}&client_id={id}
But this is the response I get:
{
"id_token":"{token}"
}
The scopes you've requested can all be satisfied with the contents of the ID Token only. In your Auth Request, try including a scope that would indicate that you need an access token (e.g. https://graph.microsoft.com/User.Read), and the response will have the expected token_type and access_token.
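A strict OIDC parser throws as soon as token_type is absent, which hides the real cause. The helper below is an added example, not code from the question or answer: it checks whether the requested scope list names any API resource (only openid, profile and email were requested in the question, so the v2.0 endpoint answered with id_token alone) and classifies the token-endpoint reply before a parser sees it. The response bodies it is run against are the two shapes quoted above, with placeholder token values.

```python
import json
from typing import Dict, List

# Scopes the v2.0 endpoint can satisfy from the ID token alone: the three the
# question requested. Request nothing else and no access token is minted.
OIDC_ONLY_SCOPES = {"openid", "profile", "email"}


def requests_access_token(scopes: List[str]) -> bool:
    """True when at least one scope names an API resource, e.g.
    https://graph.microsoft.com/User.Read."""
    return any(s.lower() not in OIDC_ONLY_SCOPES for s in scopes)


def parse_token_response(raw: str, scopes: List[str]) -> Dict[str, str]:
    """Classify a token-endpoint reply given the scopes that were requested,
    so a missing token_type yields an actionable message, not an exception."""
    data = json.loads(raw)
    if "error" in data:
        return {"status": "error", "detail": data.get("error_description", data["error"])}
    if "access_token" in data:
        if "token_type" not in data:
            return {"status": "malformed", "detail": "access_token present but token_type missing"}
        return {"status": "ok", "token_type": data["token_type"]}
    if "id_token" in data and not requests_access_token(scopes):
        return {"status": "id_token_only",
                "detail": "only OIDC scopes requested; add a resource scope such as "
                          "https://graph.microsoft.com/User.Read to receive access_token and token_type"}
    return {"status": "malformed", "detail": f"unexpected fields {sorted(data)}"}


# Constructed replies mirroring the two shown in the question (token values are placeholders).
V1_RESPONSE = json.dumps({
    "token_type": "Bearer", "expires_in": "3599", "ext_expires_in": "0",
    "expires_on": "1520018953", "access_token": "{token}",
    "refresh_token": "{token}", "id_token": "{token}",
})
V2_ID_ONLY_RESPONSE = json.dumps({"id_token": "{token}"})


if __name__ == "__main__":
    oidc_only = ["openid", "profile", "email"]
    with_resource = oidc_only + ["https://graph.microsoft.com/User.Read"]
    print(parse_token_response(V1_RESPONSE, oidc_only))
    print(parse_token_response(V2_ID_ONLY_RESPONSE, oidc_only))
    print(parse_token_response(V2_ID_ONLY_RESPONSE, with_resource))
```

The last case (a resource scope was requested but only id_token came back) is reported as malformed rather than id_token_only, because at that point the missing fields are no longer explained by the scope list.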

Cannot access OpenID connect UserInfo endpoint of AzureAD

I see that the userinfo endpoint is present in the AzureAD OpenID Connect .well-known result. I want to access their UserInfo endpoint. I'm aware I will get the following error if it is used with JWT tokens:
error_description="AADSTS90010: JWT tokens cannot be used with the UserInfo endpoint."
How can I retrieve these non-JWT tokens? I saw a stack overflow thread (Cannot access OpenId UserInfo endpoint on Azure (AADSTS90010: JWT tokens cannot be used with the UserInfo endpoint)) that said 'you can acquire a user info specific access token by not specifying any resource in a request to the token endpoint.'
However, I see this:
POST http://login.microsoftonline.com:443/common/oauth2/token HTTP/1.1
Host: login.microsoftonline.com:443
...
{"error":"invalid_resource","error_description":"AADSTS50001: Resource identifier is not provided.}