Firebase Auth: A user (email) logged using signInWithEmailAndPassword, won't work with signInWithRedirect - firebase-authentication

I'm building a Web application that uses Google Identity Platform to authenticate users.
All users belong to an Azure AD Domain, which is connected to Google Identity Platform through the use of an OIDC Provider, as per documentation.
Code wise, the authentication is performed using Firebase JS SDK (9.6.11).
When the application starts, there is no OIDC Provider to the Azure AD Domain (mydomain.com).
This configuration is created within the web application.
As there is no OIDC Provider to the Azure AD Domain, no user can yet login.
As such, in order to configure the Azure AD settings in the Web application, a temporary user is created in Google Identity Platform, so the user can log in to the Web application:
Once the user is created, the user is now able to log in, using the password set on Google Identity.
Once the Azure AD Settings are configured, the Web application:
DELETES the temporary user from Google Identity,
Creates an OIDC Provider on Google Identity, connected to the configured Azure AD Domain (see image as an example of the OIDC Provider settings that the app would create):
The above provider is used to log in users from Azure AD (mydomain.com), using the signInWithRedirect function, as per the documentation.

```javascript
import { getAuth, OAuthProvider, signInWithRedirect, getRedirectResult } from "firebase/auth";

const auth = getAuth();
// Provider ID of the OIDC provider created in Google Identity Platform for the Azure AD tenant
const provider = new OAuthProvider("MyDomainTenantID");
const user = "myuser#mydomain.com"; // e-mail of the user who is signing in
provider.setCustomParameters({
  login_hint: user,
});
signInWithRedirect(auth, provider);

// Runs when the page loads again after the redirect back from Azure AD
getRedirectResult(auth)
  .then((result) => {
    // User is signed in.
  });
```
After configuring the Azure AD OIDC provider, all the Azure AD users (mydomain.com) are now able to log in to the Web application, EXCEPT the user that was used as the temporary user.
In the above example, myuser#mydomain.com is not able to log in to the Web application through the same Azure AD OIDC provider.
Please note, that the user no longer exists on Google Identity, as it was removed, so it can be logged in through the Azure AD OIDC provider, and recreated by the JIT process on a successful login.
Analyzing the Console, the call to https://www.googleapis.com/identitytoolkit/v3/relyingparty/createAuthUri fails with a 400 Error: Firebase: Error (auth/operation-not-allowed)
The POST Request body:
```json
{
  "providerId": "MyDomainTenantID",
  "continueUri": "https://xxx.firebaseapp.com/__/auth/handler",
  "customParameter": {
    "login_hint": "myuser#mydomain.com"
  },
  "tenantId": "GoogleIdentityTenantId"
}
```
As mentioned, ALL users from the same Azure AD are able to log in, EXCEPT the one that was initially used as an Email/Password user.
According to Firebase documentation, the auth/operation-not-allowed error occurs when:
The provided sign-in provider is disabled for your Firebase project. Enable it from the Sign-in Method section of the Firebase console.
BUT, this is not the case:
The OIDC provider connected to Azure AD is enabled
All the users from the Azure AD Domain (except myuser#mydomain.com) can successfully log in.
I followed all the guidelines from Firebase, and I can't understand why that specific user is not able to log in.

Related

Does auth0 support logging in to Azure AD using the Microsoft Authenticator App?

We have an auth0 App with an Enterprise Connection for Azure AD configured. The Azure AD has Conditional Access policies in place that only allow logins from so-called managed devices. A managed device in Azure AD is a device that is registered in Azure AD for a specific user. To prove to Azure AD that a login request comes from a managed device, the login has to happen via Microsoft Authenticator App.
So this means, in our React Native mobile app, we would like to have to following login flow:
Mobile App => Login => auth0 Login page => Click on "Login with Azure AD" => Microsoft Authenticator App opens => Satisfy all the conditional access policies => User logged in successfully.
Is this supported by the auth0 react native SDK?
Here are two things that need to be fulfilled. First, the auth0 React Native SDK must comply with a Conditional Access policy per this guidance; once that's completed, in the second place, you must have a managed device from which you need to access your application, so that the above scenario would work with Azure AD in place of Conditional Access.

Firebase Authentication for MOODLE

I have created a Moodle portal. Is it possible to have FIREBASE authentication (for Sign-Up and Sign-In) for MOODLE?
There is no default provider for Moodle sign-in for Firebase, but you can create your own custom provider that mints Firebase tokens based on your verified Moodle credentials.
The flow for this is:
You collect the user's credentials and pass these to your server.
You call the Moodle API to sign the user in.
You then mint a Firebase token from the verified information about this user.
You pass the token back to the client, and sign in to Firebase there.

How can I keep my identity server session in sync with an external identity provider?

I am using IdentityServer4 to provide SSO and SLO to several web apps. The user may sign in to the identity server through an external OIDC provider such as Azure AD. The external provider, identity server, and web apps are all configured to use persistent sessions that last for weeks or months at a time.
This setup works fine and the user can sign in as expected. The issue is I have a requirement for all sessions to stay in sync, so when the external provider session expires, the expiration propagates to my identity server and then to my web apps.
This requirement is to ensure that none of the sessions further down the chain outlive their provider's session which would break SLO functionality. For example if my identity server session outlives the Azure AD session it depends on, the user can sign into Azure AD again, but will not be able to SLO from my identity server and web apps through Azure AD since the Azure AD session has changed, and my identity server depends on the now-expired Azure AD session.
I am able to enforce this requirement between my identity server and web apps using a check_session iframe and passive authentication requests with prompt=none. But I cannot figure out how to enforce a similar type of requirement between an external provider and my identity server in a way that will both end my identity server session and notify my web apps.
How can I keep my identity server session in sync with an external identity provider? If this is not possible, what is a correct approach to ensuring SSO and SLO sessions do not get out of sync between the external provider, identity server, and web apps?
The solution for this is federated signout.
Federated sign-out is the situation where a user has used an external identity provider to log into IdentityServer, and then the user logs out of that external identity provider via a workflow unknown to IdentityServer. When the user signs out, it will be useful for IdentityServer to be notified so that it can sign the user out of IdentityServer and all of the applications that use IdentityServer.
To implement it, you need to set RemoteSignOutPath when adding Azure AD as the external IdP.
```csharp
services.AddAuthentication()
    .AddOpenIdConnect("aad", "Azure AD", options =>
    {
        options.ClientId = "<Your Application (client) ID>";
        options.Authority = "https://login.windows.net/<Directory (tenant) ID>";
        options.CallbackPath = "/signin-aad";
        options.SignedOutCallbackPath = "/signout-callback-aad";
        options.RemoteSignOutPath = "/signout-aad";
    });
```
Here is a nice blog explaining it with IdentityServer4 (the reference blogs at the bottom are very useful too).

IdentityServer4 w/ Vue SPA - Silent Renew to External OIDC Provider

I have an Asp.Net Core IdentityServer4 instance securing an API that is fronted by a Vue.js SPA (using oidc-client). The IS4 server is set up to manage "local" accounts itself for my company's users, but we also have an external OIDC provider set up for a trusted partner that allows their users to access our site using their single sign-on server (OIDC identity server). The partner's portal has a link to our app, so if they are already authenticated by their own OIDC server, then no additional login prompt is displayed.
Overall, this process works. I can login "locally" (an account that is only on our identity server), or use the external OIDC provider that authenticates the user and goes through the auto-provisioning on our local IS4 server. The Vue app has its tokens and silent refresh is enabled, which keeps the user's credentials updated against our IS4 server.
However, if a user from our partner comes to our app, spends some time there, and then returns to their own portal via a link on our site, it's likely that their access will have timed out and they see their own SSO login again. This is because the silent refresh on our site is only refreshing our local IdentityServer4 credentials.
Is it possible to somehow maintain BOTH "sessions" while the partner user is on our site? Silently refreshing both our IS4 token and their OIDC SSO credentials?

Incremental OAuth consent with Microsoft Graph api

We have an app in Azure AD that uses the Microsoft Graph API. The app is working successfully using 4 basic permissions: email, profile, User.Read, User.ReadBasic.All.
These permissions let normal users (non-admins) OAuth authenticate into our app.
We are now building a feature for admin users that lets them see their groups. The groups scope requires admin consent as per: http://graph.microsoft.io/en-us/docs/authorization/permission_scopes
The sticky point is that if I add the Group.Read.All permission under delegated permissions in Azure AD, this causes normal users to be able to login with the dreaded error "AADSTS90093: Calling principal cannot consent due to lack of permissions".
I have tried manually crafting OAuth authorize urls that explicitly request the scope, but that did not work either. Here is a sample url I used:
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&redirect_uri=https%3A%2F%2Fl.xxxxxx.com%3A50000%2Fauth%2Fmicrosoft_graph%2Fcallback&client_id=xxxxxx-xxx-xxx-xxx-xxxx&scope=https%3A%2F%2Fgraph.microsoft.com%2Femail%20https%3A%2F%2Fgraph.microsoft.com%2Fprofile%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read%20https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadBasic.All%20https%3A%2F%2Fgraph.microsoft.com%2FGroup.Read.All
How can I require basic permissions for all users but have admins request additional permissions later on in the application?
Some resources I've already reviewed to no avail:
http://www.mikepackdev.com/blog_posts/2-Dynamically-Requesting-Facebook-Permissions-with-OmniAuth
https://azure.microsoft.com/en-us/documentation/samples/active-directory-dotnet-webapp-openidconnect-v2/
Switching between web and touch interfaces on Facebook login using Omniauth and Rails 3
https://github.com/zquestz/omniauth-google-oauth2/issues/143
https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-oauth-code/
https://github.com/Azure/azure-content/blob/master/articles/active-directory/active-directory-devhowto-multi-tenant-overview.md
The Azure AD V2.0 endpoint already supports incremental and dynamic consent. You can register the app to use the Azure AD V2.0 authentication endpoint from here.
We can provide two buttons for normal users and admins to log in. Here are the steps using the V2.0 endpoint for normal users to log in, for your reference:
1. Sign in and get the OAuth code:

```
GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={clientId}&scope=openid%20https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadBasic.All%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read&response_type=code+id_token&redirect_uri={redirectUri}&nonce=678910
```

2. Request the access token:

```
POST https://login.microsoftonline.com/common/oauth2/v2.0/token

client_id={clientId}&scope=openid%20https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadBasic.All%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read&code={codeFromPreviousRequest}&redirect_uri={RedirectUri}&grant_type=authorization_code&client_secret={client_secret}
```
And for the admin to log in, we just add the additional scope to the above request. Here are some helpful articles about this topic:
What's different about the v2.0 endpoint?
v2.0 Protocols - OpenID Connect
v2.0 Protocols - OAuth 2.0 Authorization Code Flow