I've setup my mvc web app to use Azure easy auth. I need to pass the user role to the application code.
I've seen that easy auth already publishes an API, so that I can call /.auth/me and retrieve the user login. I can't find any documentation on this API - does it support other requests that can be used to pass a role?
Alternative would be to use the token store to call the graph API, but as I only need basic info, I wondered if there was a simpler way?
Thanks,
Mark
If you want to know which application role has been assigned for current login user :
you could check the roles claim in ID token :
Update :
Currently , you can't get group claims in azure ad B2C with easy auth , you could find same user voice here .
Related
I would like to communicate with the Active Directory B2C from my backend to manage users. This seems possible here:
https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0
However, I don't see how to get a login token (or cookies) for a user so the server can send it back to the front-end to have it logged-in. How is it possible to implement this scenario?
I have seen this link but it refer to OAuth.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-custom-policy
Thanks!
Azure B2C auth flow cannot generate an access token for Microsoft Graph.
You need to implement AAD auth flow by following Get access without a user or Get access on behalf of a user.
is there a way to make my bot is accessible only by specific users from different organizations ?
I know about Identity provider but it's good for services that need auth on behalf of the user like email service in Graph API but i use Qna Maker and it doesn't have on behalf of the user permission.
This question will be tracked from here.
I am doing login from Azure AD.Client is SPA(angular using MSAL). If user is not Authenticated, it redirect to Microsoft Login Screen (using MSAL). On successful login, it return an access token.
My roles will be stored in a database. I need to add the roles of that user as part of claim in access token. I am not finding the way to do it.
I do not want to make another call from SPA to API to get the DB roles.
Please suggest some good approach.
Any links explaining the approach will also be very helpful.
I am still in design phase but not able to find the best approach.
In one microsoft site, i found that we can fetch the roles from DB but details were not there.
most of the places, it is written that we need to provide roles in Azure AD users menifest file.
In regular Azure AD, the "roles" claim is exclusively sourced from app role assignments for the signed-in user (or groups the user is a member of), to the app roles for the app the user is signing in to.
There's no feature currently in Azure AD which will connect to an arbitrary database, make a database query in the appropriate form, and include the results in the roles claim in the resulting ID Token.
I can think of three options to achieve your scenario:
After sign-in, call an API to retrieve the roles. Though you mention this is not desirable, it's probably the simplest approach, so it's worth listing. As a result of the user's sign-to you app, you app will usually obtain an access token to an API. If you set up your API to be secured with Azure AD (directly, or through Azure API Management), your SPA could simply get the necessary access token as part of sign-in, and at that point it's trivial to make a REST call to retrieve the role details for the user (and possibly other information useful to rendering your app).
Synchronize (or copy) your role information from your database to Azure AD. For each role, create an app role in the Azure AD app registration. For each user-role association, either create an app role assignment to directly assign the user (user -> app role), or assign a group to the app role and add the user to the group (user -> group -> app role. Keeping this in sync is probably not trivial, so if your scenario allow to move the role information to Azure AD app role assignment, you can forget the database entirely (making Azure AD the authoritative location). Of course, this might not work for your specific case.
Use Azure AD B2C and a custom sign-in policy. You could create an Azure AD B2C tenant, set up a custom sign-in policy to use your (regular) Azure AD tenant as the identity provider, and configure the policy to enhance the claims by calling a REST API to retrieve your roles. In this approach, you still need to have a REST API which can provide the role information, so rather than doing the setup and migrating your app, you may prefer simply calling the API from your SPA (option 1, in this list).
Based on the code sample mentioned at URL: https://github.com/Azure-Samples/active-directory-dotnet-webapp-wsfederation , I implemented an application that uses WS-Federation (ASP.Net WS-Federation OWIN middleware) to authenticate users from an Azure AD tenant. Now I am looking for an approach to query the Graph API later in my application to fetch additional claims information required from application point of view.
Here in this scenario, I would like to know whether it is possible to query the Graph API or not. Do I need to update the existing WS-Federation protocol to OpenId Connect.
Can anyone help me to provide their guidance here.
The ideal would be to move to OpenId Connect, which would allow you to take care of both sign in and API in a single setup and flow.
If you want to stick with your current ws-fed setup, you can layer oauth2 on top of your implementation and retrieve the access token you need any time after the sign in. We have a sample showing exactly that, see https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-webapi-oauth2-useridentity/
We would like to connect a salesforce user to another salesforce user in another org without any user intervention from a service.
We have tried SAML Bearer Flow (using Remote Access Application) to connect to salesforce to retreive Access Token for one of our product. We are referring to the follwoing article.
http://help.salesforce.com/help/doc/en/remoteaccess_oauth_SAML_bearer_flow.htm
As referred by the SF article for this flow, it uses a previous user authorization to connect and retreive Token. In case the user (for whom Token is requested) has not already authorized the App, SF takes you to the Authorization page first and app will get the access token once app is authorized. This is working fine too. However it has this painful step of users authorizing the app before we can use this flow for the product. It would be good and simplified if this step can be done once for an org and the article does mentions that either User or Admin can authorize the app. However I am not able to find how an Admin can authorize the remote access application.
Does anyone knows and can guide how can an Admin authorize an App or is thre any other way we can achieve our requirement. Any thoughts will be really appreciated.
OAuth1 and OAuth2 require user intervention by design. Anything you do to defeat this would be circumspect and not best practice. You could make it easy on the user, but you will always have the initial "Authorize this app" message.
If you are trying to make it easy for the user to login to either org, then you may want to consider a hub-and-spoke SSO solution. See this doc.
If you are trying to pass information between two Salesforce instances, then you may want to consider Salesforce2Salesforce, or outbound workflow. However, this is done at system context, not user context.
If you want to maintain user context and security, you should consider the new Salesforce Canvas API. Canvas allows you to call an outbound service, and pass credentials to the service so that it can communicate back. There is no reason the foreign service could not be a Salesforce instance.