Dynamically retrieve tenant id from an Azure blob-triggered function app - asp.net-core

I've written a blob-triggered function app that communicates with a backend REST API that requires a tenant id parameter as it supports multi-tenancy. The function app will be deployed to multiple tenants since, from my understanding, a blob trigger function app cannot listen to more than one container. If that's not the case, that would solve my problem differently. However, assuming that is not the case, I need to dynamically retrieve the tenant id that the function app is running in. I'd appreciate some guidance. TIA.

Related

Azure AD Graph API

I'm testing the Azure Graph API, and I'm trying to find an API that allows me to retrieve only the users that are assigned to a specific app I created.
On the app registration page I granted the user.read.all permission, but the Get User API gives me all users in the AD, not only those assigned to the app I created. Should I change the permissions, or access another API?
Does anybody know what to do?
Thanks
Additionally, this object ID should be based on the service principal and not the application registration here.
You can retrieve the object ID from Azure AD -> Enterprise Applications -> Your app -> Object ID.
You need to have at least Application.Read.All and Directory.AccessAsUser.All for delegated permissions, or Application.Read.All for application permissions, depending on whether you run in a user or application context.
For specific details, you can add the $select parameter to show only the displayName of the users assigned to the app.
https://graph.microsoft.com/v1.0/servicePrincipals/{object Id}/appRoleAssignedTo?$select=principalDisplayName
As a workaround you can use the below Graph API to get the list of users.
https://graph.microsoft.com/v1.0/servicePrincipals/{ObjectID}/appRoleAssignedTo
Note: The above Graph API returns the object types User and Service Principal as well.
As discussed on the MS Q&A platform, this endpoint currently does not support filters based on appRoleId. In fact, apart from the id parameter, which can be filtered, the three parameters appRoleId, principalId, and resourceId do not support filtering. Similar issues have been raised before.
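The enumeration this answer describes, as an added example that is not part of the original answer: it walks servicePrincipals/{object-id}/appRoleAssignedTo, follows @odata.nextLink paging, and drops the Group and ServicePrincipal entries client-side, since the endpoint does not accept $filter on appRoleId, principalId or resourceId. The object IDs, display names and the offline page data are constructed for the example; graph_fetch is the call you would plug in with a real access token that carries the permissions noted above.

```python
"""List the users assigned to an enterprise application via Microsoft Graph.

Added example, not from the original answer. Paging is mandatory (Graph hands
back the remainder through @odata.nextLink) and the principalType / appRoleId
filter is applied here, not in the query, because the endpoint rejects $filter
on those fields. All IDs and names below are constructed.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
SELECT = "$select=principalDisplayName,principalType,appRoleId"

# Constructed sample: the service principal's object ID (Enterprise
# Applications -> Your app -> Object ID) and two pages as Graph would return them.
SP_OBJECT_ID = "00000000-0000-0000-0000-000000000001"
ROLE_READER = "11111111-1111-1111-1111-111111111111"
ROLE_ADMIN = "22222222-2222-2222-2222-222222222222"
_FIRST = f"{GRAPH}/servicePrincipals/{SP_OBJECT_ID}/appRoleAssignedTo?{SELECT}"
_SECOND = _FIRST + "&$skiptoken=constructed-skiptoken"
SAMPLE_PAGES: Dict[str, dict] = {
    _FIRST: {
        "value": [
            {"principalDisplayName": "Alice Example", "principalType": "User", "appRoleId": ROLE_READER},
            {"principalDisplayName": "Nightly Export Job", "principalType": "ServicePrincipal", "appRoleId": ROLE_READER},
        ],
        "@odata.nextLink": _SECOND,
    },
    _SECOND: {
        "value": [
            {"principalDisplayName": "Bob Example", "principalType": "User", "appRoleId": ROLE_ADMIN},
            {"principalDisplayName": "Finance Team", "principalType": "Group", "appRoleId": ROLE_READER},
        ]
    },
}


def sample_fetch(url: str) -> dict:
    """Offline stand-in for graph_fetch: serves the constructed pages above."""
    return SAMPLE_PAGES[url]


def graph_fetch(url: str, access_token: str) -> dict:
    """Real GET against Graph with a bearer token (not used by the offline demo)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def assigned_principals(sp_object_id: str,
                        fetch: Callable[[str], dict] = sample_fetch,
                        principal_type: str = "User",
                        app_role_id: Optional[str] = None) -> List[str]:
    """Display names of principals of the given type assigned to the app.

    Follows @odata.nextLink until the collection is exhausted and keeps only
    assignments whose principalType (and, if given, appRoleId) match.
    """
    url: Optional[str] = f"{GRAPH}/servicePrincipals/{sp_object_id}/appRoleAssignedTo?{SELECT}"
    names: List[str] = []
    while url:
        page = fetch(url)
        for assignment in page.get("value", []):
            if assignment.get("principalType") != principal_type:
                continue  # drop Group / ServicePrincipal assignments
            if app_role_id is not None and assignment.get("appRoleId") != app_role_id:
                continue
            names.append(assignment["principalDisplayName"])
        url = page.get("@odata.nextLink")
    return names


if __name__ == "__main__":
    print(assigned_principals(SP_OBJECT_ID))
```

To run it against a tenant, pass `fetch=lambda u: graph_fetch(u, token)` with a token obtained for the app; the $select keeps the response small, but principalType must stay in the projection or the client-side filter has nothing to match on.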

Fetching client id and client secret of a Salesforce connected app from backend

Is there a way to fetch the client ID and client secret of a Salesforce connected app from the backend (through Apex code or anything else) without using the UI? I am actually working on Salesforce API automation, so I need to fetch these at runtime and store them in string variables to use them in the API request headers.
You could use the Metadata API to retrieve details of connected app(s). Sample XML you'd get is at the bottom of https://developer.salesforce.com/docs/atlas.en-us.api_meta.meta/api_meta/meta_connectedapp.htm
I don't think there's a pure Apex solution, you might have some luck with this Apex wrapper for the callouts: https://github.com/financialforcedev/apex-mdapi
If you're after automation you might want to look into creating connected apps on the fly? https://help.salesforce.com/articleView?id=remoteaccess_oidc_dynamic_client_reg_flow.htm&type=5

Restricting user authentication with Firebase

I'm using Firebase to authenticate the users of my application but, since the app is at a very early stage, I would like to restrict login (or registration) to only users that have a specific code.
It looks like there's no option like this, and I was wondering if there's any solution that doesn't involve a back-end.
Right now I'm using a specific code in the database that the user has to enter while logging in. If that code is not correct you can't log in. The problem is that the function is (obviously) executed on the front-end, so a person with the right knowledge could easily modify the code and still gain access without a token.
Is there a more robust solution?
If you truly want no back end, you can see my answer at the bottom of How to protect firebase Cloud Function HTTP endpoint to allow only Firebase authenticated users?, which involves taking advantage of the fact that every Firebase project is also a Google Cloud Platform project, and GCP allows for private functions.
However, there is an easier way: just wrap your cloud function logic in an if clause that checks for any of a number of things before actually executing the function.
Assuming, for instance, you're on the web platform, when someone invokes an HTTPS callable function from the front end, it will be sent with data and context objects.
You could check context.auth.email to restrict to specific users, or you could check data.mySecretKey; since the check occurs in your cloud function, no one could inspect your code to find the key.
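The wrapper this answer describes, as an added example that is not taken from the original: a decorator that runs the callable's real logic only after checking the caller's auth context against an allowlist and comparing a key from data in constant time. The request class, the addresses and the key are constructed stand-ins for what the Firebase SDK hands the function as auth and data. One caveat from a security standpoint: a key the client sends in data must also exist in the client bundle, so the context.auth check is the part a front-end user cannot bypass.

```python
"""Server-side gate for a Firebase HTTPS callable function.

Added example, not from the original answer. The handler is wrapped so that
it only runs for a signed-in, verified, allowlisted user who also presents the
expected key in data. CallableRequest stands in for the SDK's request object;
the allowlist and key are constructed values.
"""
import hmac
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Optional, Set


class CallableDenied(Exception):
    """Equivalent of throwing an HttpsError with the given code to the caller."""

    def __init__(self, code: str, message: str):
        super().__init__(message)
        self.code = code


@dataclass
class CallableRequest:
    """Stand-in for the SDK request: auth is None for unauthenticated callers."""
    data: Dict[str, Any] = field(default_factory=dict)
    auth: Optional[Dict[str, Any]] = None  # {"uid": ..., "token": {...}} when signed in


def require_caller(allowed_emails: Set[str], expected_key: str):
    """Decorator: run the wrapped handler only for an allowlisted, verified
    Firebase user who also presents the expected key in data["accessKey"]."""
    def decorator(handler: Callable[[CallableRequest], Any]):
        def guarded(req: CallableRequest) -> Any:
            if req.auth is None:
                raise CallableDenied("unauthenticated", "Sign in first.")
            token = req.auth.get("token", {})
            email = token.get("email")
            # Anyone can register an account with an arbitrary address; only
            # trust it once Firebase has marked it verified.
            if not email or not token.get("email_verified"):
                raise CallableDenied("permission-denied", "Verified e-mail required.")
            if email.lower() not in allowed_emails:
                raise CallableDenied("permission-denied", "Not on the allowlist.")
            presented = req.data.get("accessKey")
            # Constant-time compare so the key cannot be recovered byte by byte
            # from response timing.
            if not isinstance(presented, str) or not hmac.compare_digest(presented, expected_key):
                raise CallableDenied("permission-denied", "Bad access key.")
            return handler(req)
        return guarded
    return decorator


ALLOWED = {"alice@example.com"}   # constructed allowlist
ACCESS_KEY = "early-access-2024"  # constructed; in production read from function config, not source


@require_caller(ALLOWED, ACCESS_KEY)
def register_user(req: CallableRequest) -> Dict[str, Any]:
    """The protected logic: only reached after every check has passed."""
    return {"registered": req.auth["uid"]}


def try_call(req: CallableRequest) -> str:
    """Run the callable and report the outcome as the error code the client would see."""
    try:
        register_user(req)
        return "ok"
    except CallableDenied as exc:
        return exc.code
```

Because the client never sees which of the checks failed beyond the error code, a rejected caller cannot tell whether the address or the key was wrong; the order of checks (authentication first, then identity, then the shared key) keeps the key comparison from even running for anonymous callers.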

Azure tables access rules

Sorry if this is a simple question. I'm not experienced with developing server-based apps.
I've been studying Azure recently and created a simple mobile application that connects to an Azure database. It performs some trivial operations on tables, like adding items and running SQL select queries. Now I want to add authorisation to the app and restrict some operations on the tables in the DB based on it. What is the best way to do it? I think it's a good idea to write a backend on an Azure server with authorisation-based rules, but I haven't been able to find out about it from the Azure documentation. For example, what I want to achieve:
A non-authorised mobile app user is restricted from making any modifying operations and can select only predefined columns.
An authorised user can make add/update operations on some tables based on user info (uid/login etc...).
If I create database rules on the frontend (mobile app) side, it's not difficult to write another app that can do anything with the database, bypassing my app. Isn't it?
If I create database rules on the frontend (mobile app) side, it's not difficult to write another app that can do anything with the database, bypassing my app. Isn't it?
This is very true; security shouldn't be (just) in the frontend. Make sure your backend is set up in such a way that it checks the access rules each time someone tries to do something in the backend.
Now, as far as your question goes: please implement an API that connects to your database. With each and every client directly connecting to your database, you will lose all control. If you implement an API in front, you can do things like caching and asynchronous processing if you need to.
When implementing the API, you can have the GET methods be unsecured, while POST, PUT and DELETE use a (for instance) JWT token retrieved from Azure Active Directory. This repo and the presentation it links to might give you some reference.
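The method-based policy this answer suggests, as an added example that is not the linked repo's code: anonymous GET restricted to a fixed column projection, mutating methods gated on a validated bearer token. Azure AD signs its tokens with RS256 and publishes the keys per tenant; to run offline, the example mints and verifies HS256 tokens with a constructed shared secret (an assumption of the example), while the signature, alg, exp, iss and aud checks are the ones any validator has to apply. The issuer, audience, secret and claims are made up.

```python
"""Method-based access policy for an API placed in front of the database.

Added example, not from the original answer. GET/HEAD/OPTIONS are served
anonymously with a fixed column list chosen by the API; POST, PUT and DELETE
require a bearer token that verifies. HS256 with a shared secret stands in
for the identity provider's RS256 keys so the demo runs offline; the secret,
issuer and audience are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional, Tuple

SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://login.example.test/constructed-tenant/v2.0"
AUDIENCE = "api://constructed-backend"
ANONYMOUS_METHODS = {"GET", "HEAD", "OPTIONS"}
# Columns an anonymous read may project; the API, not the client, owns the SELECT list.
PUBLIC_COLUMNS = ("id", "title", "created_at")


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: Dict[str, Any], secret: bytes = SECRET) -> str:
    """Issue an HS256 token; plays the role of the identity provider here."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> Optional[Dict[str, Any]]:
    """Return the claims if alg, signature, iss, aud and exp all check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse "none" and algorithm confusion
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None  # malformed structure, bad base64 or bad JSON
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


def authorize(method: str, headers: Dict[str, str], now: Optional[float] = None) -> Tuple[int, Dict[str, Any]]:
    """Decide a request: (HTTP status, context handed to the table handler)."""
    method = method.upper()
    if method in ANONYMOUS_METHODS:
        return 200, {"principal": None, "columns": PUBLIC_COLUMNS}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "bearer token required"}
    claims = verify_jwt(auth[len("Bearer "):], now=now)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    # The uid used for per-user row rules comes from the verified token,
    # never from the request body.
    return 200, {"principal": claims.get("sub"), "columns": None}
```

In an ASP.NET Core API the same split is expressed with `[AllowAnonymous]` on the GET actions and `[Authorize]` on the rest, with token validation delegated to the JWT bearer middleware configured for your Azure AD tenant; the hand-rolled verifier above exists only so the decision logic can be exercised without a network.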

Multiple external clients for users on identityserver4

I am working on a project that allows a user to create app keys or secrets so that specific services can be used by external clients. A user can create multiple secrets that they can choose to use across multiple clients.
For this I am planning to create a decoupled auth server that will use IdentityServer4.
What's really holding me back is that I am not sure whether or not I should create an API layer at the auth server. The reason I am considering an API at the auth server is so that I can create a sort of admin portal client that will give the users a front-end for creating, renewing, and accessing their app keys/secrets. Even the admin portal is going to be a decoupled Angular application.
There are two things that are holding me back at the moment:
1. I am not sure if it's a good or safe idea to serve this data via an API layer. From what I understand, IdentityServer will not be able to provide functionality that allows me to access a list of a user's clients through an endpoint, but please correct me if I'm wrong and there's a better way to approach this.
2. I know we can easily create new clients and persist them into the database with IdentityServer4, and I am planning to use the ClientCredentials grant type for user clients, but is there a link at the database and identity level between a user and a client? Or will I need to create that functionality myself?
So far I've looked, but I have not been able to find examples that are similar to my situation with IdentityServer4.
Sorry for the noob question, I am just getting into IdentityServer and web security in general, so many of these concepts are still very new to me.
For number 1, I would say yes, you can create an API layer to serve data. If you check the IdentityServer4 AdminUI, Rock Solid has also used an admin API behind the UI. But you must consider encryption, TLS and other security mechanisms to keep this safe.
AFAIK, for number 2 there are no links at the identity level between a user and a client. You have to create that yourself.
Basically, you need a system that supports multitenancy. I have achieved that by adding a TenantId field to the AspNetIdentity user table, and also adding the tenant ID to the claims list.
Please do not hesitate to correct me if I am wrong.