AAD Logout Azure Active Directory - active-directory

I deployed a web app in Azure with authorization/authentication set up.
Once you have logged in to the web app you would be able to get the token using:
https://{webappname}.azurewebsites.com/.auth/me
Then I tried to get the token and used it in Postman in the Authorization header, and it worked: I was able to access the site with Postman using that token. Now my concern is, after I logged out using:
https://{webappname}.azurewebsites.com/.auth/logout
I can still access the site using the token that I got recently. Can someone explain why this is happening?
Thanks :D

That's happening because logout isn't necessarily invalidating the token.
In order to do something at your end, you could try to maintain a custom list on the server for such invalid tokens.
Please look at these two SO posts, which discuss this in a lot more detail:
azure mobile service active directory authentication X-ZUMO-AUTH token valid in postman after logout
Invalidating JSON Web Tokens

Related

Using postman to login into a website configured to using Azure AD (SAML)

We currently have a website that is set up to use SSO through Azure AD. It is configured with SAML.
Yet, we have a third application that needs to connect to this website using a specific email and password.
This application can do any default connection that Postman can do.
What I do notice is that when all cookies are removed from the browser, the website allows me to enter
the email address and password.
I am trying to configure Postman to test login to this website. Using the Postman configuration I will be able to configure the application.
Any guidance is greatly appreciated. Thank you!
I have tried configuring Postman using HTTPS POST Basic Authentication. Not sure if this is the correct manner, as I am not a Postman expert nor have I attempted such an authentication method before.
Our expectation is that Postman could log in to the website and create a cookie that has an active session.
Postman is not a browser so it doesn't "log in". The authentication in Postman is related to webservice calls. So imagine you have an online shop and you expose your API to a third party (let's say a sponsor or partner). For example you let another site (the partner/sponsor) add items for your common client from his site (instead of him having to logout of that site then login to your site, it's easier and your partnership makes both sites profitable, let's say for our example - so their site would be more like a sort of forwarder - when the user adds an item on the partner's site, they actually add it in the cart on your site).
In our example, they would call your API (for example, adding an item to the cart). The question is, how do they do that? How do you stop abuse from a malicious user? Simple: you add authentication. So what your (theoretical) shop's partner does is use some auth method (as you said, Basic Auth) to call the endpoint that results in adding an item to the cart for purchase.
But this auth is not what the client uses to log in to your partner's site or your site. It's an internal auth, like a sort of "technical" user. And what you would do in Postman is simulate that call, and the Postman login would be to allow it to call endpoints.
If, on the other hand, you have a separate login call and that is all it does, logging in, then yes, you can use Postman to log in, BUT keep in mind that the login auth info would not AND SHOULD NOT be the same as the API call login info. So you would still use an auth to allow the API call and a (hopefully different) auth for the actual login URL as params.
In other words, Postman auth in any POST or GET call is just a way to tell the remote server they can trust you because you identify yourself. A login window like the Microsoft one is one for user accounts which is something totally different.

How to use an Azure AD SSO access token to sign in on another website on a new browser

I have set up an AAD SSO enabled website A that gets an access token once the user logs in. Now, the user has the option to navigate to website B, but in a new browser that doesn't have access to the session of the browser in which website A was opened.
Is there a way for website B (.NET MVC Azure hosted Web App) to be set up to accept the access token (for example: through headers) to authenticate the user and establish a new AAD SSO logged-in user in the new browser? (Users can't re-enter their credentials.)
In my opinion, access tokens enable clients to securely call protected APIs, so they should be stored in the backend. More often we use a refresh token and an access token at the same time to prevent the access token from expiring.
On the other hand, if I have entered the credentials in one browser, then the identity platform knew the request came from me because some information would be stored in my cookie for the website, but if I used another browser to visit the IDP, it would be impossible for the IDP to know the request came from me, because I can't share cookie information between different browsers.
I found 2 videos introducing SSO; I think they will help. Here is the link.
Hope it will be of some help.

Azure AD Token generation using ReactJS, to access Web API and SharePoint REST API/Graph API using JWT token

We have a React site that generates a JWT token and talks to an API using ADAL.
Now we need to upload files to the SharePoint library.
Is this possible using ADAL? How? Any sample please?
Currently we have created a demo app using MSAL; it generates an access token and ID token.
The ID token works for the API and the access token works for the MS Graph API, BUT login happens using a popup.
When I change popup to redirect, after login it keeps redirecting the site.
Refer to the known issue.
I am stuck: redirect is creating an issue, and if I try SuncWeek-react-aad-msal
everything is good, BUT the token works for the API but NOT the Graph API. I tried putting scope https://graph.microsoft.com/Sites.Manage.All and added access in the Azure app registration also, but NO LUCK.
Any help is much appreciated.
TA.
For requesting an access token with specific scopes for Microsoft Graph using the MSAL library, you can just give scopes like Site.Manage.all. You may refer to the samples here for various platforms.

MSAL Token Replay

Does the MSAL library prevent token replay attacks?
How does it stop someone from taking the access token from the redirect URL and using it in another application?
I'm not sure if Azure AD handles the protection or the Microsoft Authentication Library (MSAL).
How does it stop someone from taking the access token from the redirect URL and using it in another application?
MSAL can't really do anything about something accessing the URL.
That's the browser's duty.
Same-origin policy requires that only script on a page with the same origin can access the URL of an iframe.
So even if I put an iframe on my website that did hidden login for one of your apps, I wouldn't be able to get the token if the redirect URL is on a different hostname from mine.
So let's say your app has one reply URL configured: https://yoursite.com/aad-callback.
If I wanted to take the token, my site would need to be hosted on yoursite.com.
There is no way for me to ask AAD to return the token to another URL.
Another choice would be to intercept it in flight to your app.
But that would require man-in-the-middling the TLS connection.
If someone can do that, you have bigger problems.
Replay attacks are prevented by using nonces; a new value is set in each authentication request: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/3fb9ce5a16ea462336eee62b496dfae8611f0fbc/lib/msal-core/src/AuthenticationRequestParameters.ts#L39

WPF Application not authenticated to Web API using ADAL

I have tried following several ADAL (Azure AD Authentication Library) examples to get my WPF application to call an Azure secured Web API. Everything appears to work fine. I receive the login prompt, it accepts my credentials, I'm able to acquire a token. I attach the token to my request but the request always returns the HTML for the Azure login page as if I'm not authenticated.
Has anyone else experienced this type of issue? Are there certain things I should be checking for?
I think you are securing your API using a redirect-based protocol instead of the OAuth bearer. For a discussion of the differences between the two see http://www.cloudidentity.com/blog/2014/04/22/authentication-protocols-web-ux-and-web-api/.
The canonical WPF sample is in https://github.com/AzureADSamples/NativeClient-DotNet. See how the web API is secured.