Jetbrains Hub Microsoft auth module configuration for Office organisation (sharepoint) - youtrack

I'm having issues setting up the Microsoft auth module for Jetbrains Hub. I have created an app within the Azure App registrations portal.
Under the heading "Authorization Service Endpoints" I changed the Authorization and Token endpoints to the ones found within the Azure App registration. Specifically the OAuth 2.0 authorization endpoint (v2) and OAuth 2.0 token endpoint (v2) URL.
I am using the following scopes: email offline_access openid profile User.Read
Everything seemed to work fine: I click the auth module login button, get redirected to my organisation's portal, and am asked to log in. Once I log in, however, I am redirected back to my Hub environment and the only error I receive is: "Cannot retrieve details from the user profile in the OAuth provider." I have tested this with multiple accounts.
Have I forgotten something?

Following these steps in the documentation should do the trick: https://www.jetbrains.com/help/hub/azure-ad-auth-module.html#common-tenant-setup
I've just set it up in my local environment and it works fine. So please check that you've not missed anything and have followed the steps. Thanks.
If you've done everything per the doc but the issue still persists, the best solution would be to share the details with the JetBrains Hub support directly.

Related

Using Auth0 as Authentication Provider in GAM

I'm currently trying to connect GAM with a third-party authentication provider, Auth0. It provides many different ways of connecting, one of which is OAuth2.
I've followed this article in the Genexus Wiki that has some examples. The configuration is very straightforward, using the information provided by Auth0 (client secret, client ID, endpoints, etc.), but after setting all that up, at the moment of trying to log in it only shows the local login instead of redirecting to the Auth0 login page.
Has anybody configured and run this successfully with this provider, or any other that isn't the Google/Office 365 examples from the wiki?
I'm using Genexus 17 U5 with the Java generator.
You probably did not fill in the "URL" property correctly; see the image below:
We have it up & running with Office 365.
The config for Office 365 is here:
https://wiki.genexus.com/commwiki/servlet/wiki?39166,Office%20365%20Authentication%20using%20GAM
I had the same problem.
It was solved by unchecking "Include Redirect URL" in the Authorization tab.

.NetCore 3.0 Web API AzureAD authentication problem

I am trying to set up a .NET Core 3.0 Web API and Angular application using Azure AD for authentication. All seems good except for an error I get when the client tries to call the Web API (see below).
I hit the Angular application and successfully authenticate with Azure AD; I have followed all the instructions for exposing the API and granting permissions, but no joy. I wrote another test application with 2.2 and that worked fine.
Anyone having a similar issue?
Thanks, Mike
“AADSTS65001: The user or administrator has not consented to use the application with ID ‘f1be5414-b865-4fb4-9943-6dfc66c8fdcf’ named ‘MW Front End Auth Test’. Send an interactive authorization request for this user and resource.\r\nTrace ID: 597358a2-5941-4c92-b458-a2ce6e276f00\r\nCorrelation ID: fd242c0f-60f7-4ddd-b951-ec49b93f831f\r\nTimestamp: 2019-11-10 16:36:55Z|consent_required”
The issue is clear: consent is required.
You can force user consent through a URL request; the URL will look like:
https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?client_id=<client id>&response_type=code&redirect_uri=<Your-Redirect-URI-Https-Encoded>&nonce=1234&resource=<your-resource-Https-encoded>&prompt=consent
If it needs admin consent, use prompt=admin_consent instead (you need to sign in with an admin account).

Log into my app using WSO2IS login page

I'm working with WSO2 Identity Server 5.3.0 (it's installed on a VM on a server).
So, I would like to access my application using the WSO2IS login page.
I've already set up the Service Provider in the Management Console.
I've not set up the IdP because I thought it must be the Resident one.
Is that enough? Should I modify some files?
I cannot find the related page in the documentation.
I hope this is clear.
After doing all this, /authenticationendpoint/login.do doesn't return the possibility to enter a username and password.
Edit:
#Bee I'm adding the screenshot here,
and this is my URL:
http://myurl:9763/authenticationendpoint/login.do?response_type=code&scope=openid&client_id=my_clientID&redirect_uri=/myuri/
Here you have multiple options. You can use basic auth, OpenID Connect, SAML SSO, federated authentication, etc. to authenticate to your app. Some useful links are below.
https://docs.wso2.com/display/IS530/Authentication
https://docs.wso2.com/display/IS530/Basic+Client+Profile+with+Playground
https://docs.wso2.com/display/IS530/Writing+a+Web+Service+Client+for+Authentication+and+User+Admin+Services
https://docs.wso2.com/display/IS530/Authenticators+and+Provisioning+Connectors

Incremental OAuth consent with Microsoft Graph api

We have an app in Azure AD that uses the Microsoft Graph API. The app is working successfully using 4 basic permissions: email, profile, User.Read, User.ReadBasic.All
These permissions let normal users (non-admins) authenticate into our app with OAuth.
We are now building a feature for admin users that lets them see their groups. The groups scope requires admin consent as per: http://graph.microsoft.io/en-us/docs/authorization/permission_scopes
The sticky point is that if I add the Group.Read.All permission under delegated permissions in Azure AD, this causes normal users to be able to login with the dreaded error "AADSTS90093: Calling principal cannot consent due to lack of permissions".
I have tried manually crafting OAuth authorize URLs that explicitly request the scope, but that did not work either. Here is a sample URL I used:
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&redirect_uri=https%3A%2F%2Fl.xxxxxx.com%3A50000%2Fauth%2Fmicrosoft_graph%2Fcallback&client_id=xxxxxx-xxx-xxx-xxx-xxxx&scope=https%3A%2F%2Fgraph.microsoft.com%2Femail%20https%3A%2F%2Fgraph.microsoft.com%2Fprofile%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read%20https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadBasic.All%20https%3A%2F%2Fgraph.microsoft.com%2FGroup.Read.All
How can I require basic permissions for all users but have admins request additional permissions later on in the application?
Some resources I've already reviewed to no avail:
http://www.mikepackdev.com/blog_posts/2-Dynamically-Requesting-Facebook-Permissions-with-OmniAuth
https://azure.microsoft.com/en-us/documentation/samples/active-directory-dotnet-webapp-openidconnect-v2/
Switching between web and touch interfaces on Facebook login using Omniauth and Rails 3
https://github.com/zquestz/omniauth-google-oauth2/issues/143
https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-oauth-code/
https://github.com/Azure/azure-content/blob/master/articles/active-directory/active-directory-devhowto-multi-tenant-overview.md
The Azure AD v2.0 endpoint already supports incremental and dynamic consent. You can register the app to use the Azure AD v2.0 authentication endpoint from here.
We can provide two buttons, one for normal users and one for admins, to log in. Here are the steps using the v2.0 endpoint for normal users to log in, for your reference:
1. Sign in and get the OAuth code:
GET: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={clientId}&scope=openid%20https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadBasic.All%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read&response_type=code+id_token&redirect_uri={redirectUri}&nonce=678910
2. Request the access token:
POST: https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id={clientId}&scope=openid%20https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadBasic.All%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read
&code={codeFromPreviousRequest}&redirect_uri={RedirectUri}&grant_type=authorization_code&client_secret={client_secret}
And for the admin to log in, we just add the additional scope to the above request. Here are some helpful articles about this topic:
What's different about the v2.0 endpoint?
v2.0 Protocols - OpenID Connect
v2.0 Protocols - OAuth 2.0 Authorization Code Flow
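As an added example that is not code from either of the answers above (nor Microsoft's own sample), the Python below assembles the two requests of the v2.0 steps just listed and the consent re-prompt from the earlier .NET Core answer: the base scopes the questioner already uses, the extra Group.Read.All scope with prompt=consent behind a separate admin button, a state check on the callback, and a mapping from the two AADSTS errors quoted on this page (65001/consent_required and 90093) to what the app should do next. The client id, redirect URI, secret and callback URLs are constructed placeholders, and only the standard library is used.

```python
"""Incremental-consent helpers for the Azure AD v2.0 authorization code flow.

Added example, not code from any post above. It assumes the v2.0 endpoints
named in the answer and uses only the standard library; the client id,
redirect URI, secret and callback URLs used below are constructed values.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/"
OIDC_SCOPES = {"openid", "email", "profile", "offline_access"}

# Scopes every user is asked for at first sign-in (the questioner's set);
# Group.Read.All is only requested when an admin presses the second button.
BASE_SCOPES = ("openid", "email", "profile", "User.Read", "User.ReadBasic.All")
ADMIN_SCOPES = ("Group.Read.All",)


def scope_string(scope_names):
    """Qualify Graph permissions with the resource URI; OIDC scopes stay bare."""
    return " ".join(s if s in OIDC_SCOPES else GRAPH + s for s in scope_names)


def new_state():
    """Unguessable per-login value stored in the session and checked on return."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state, nonce, admin=False):
    """Step 1 of the answer: the GET that starts sign-in.

    For the admin button the extra scope is appended and prompt=consent is
    set, so Azure AD shows the consent screen for the new permission instead
    of reusing the earlier, narrower grant.
    """
    scopes = BASE_SCOPES + (ADMIN_SCOPES if admin else ())
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope_string(scopes),
        "state": state,
        "nonce": nonce,
    }
    if admin:
        params["prompt"] = "consent"
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Check the redirect back to the app and pull out the code or the error.

    Returns ("code", code) or ("error", error, aadsts_number); raises
    ValueError when state does not match the one issued for this session.
    """
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale session or forged callback")
    if "error" in q:
        desc = q.get("error_description", [""])[0]
        # Azure AD puts the AADSTS number before the first colon.
        number = desc.split(":", 1)[0] if desc.startswith("AADSTS") else ""
        return ("error", q["error"][0], number)
    return ("code", q["code"][0])


def build_token_request(client_id, client_secret, code, redirect_uri, admin=False):
    """Step 2 of the answer: the form body POSTed to TOKEN_URL over TLS.

    The scope repeats what was authorized; the secret travels only in the
    body, never in a URL where it would land in logs.
    """
    scopes = BASE_SCOPES + (ADMIN_SCOPES if admin else ())
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": scope_string(scopes),
    }


def next_step(result):
    """Map a parsed callback to an action, using the two errors quoted on this page."""
    if result[0] == "code":
        return "exchange_code"
    _, error, number = result
    if number == "AADSTS90093":
        return "ask_admin"  # the signed-in user cannot consent for the tenant
    if error == "consent_required" or number == "AADSTS65001":
        return "reprompt_with_consent"  # resend the authorize URL with prompt=consent
    return "fail"


if __name__ == "__main__":
    state, nonce = new_state(), new_state()
    print(build_authorize_url("00000000-0000-0000-0000-000000000000",
                              "https://app.example/cb", state, nonce, admin=True))
```

The normal-user button calls build_authorize_url with admin=False and never mentions Group.Read.All, so ordinary users are not hit by AADSTS90093; the admin button adds the scope and prompt=consent, and when the callback still carries 90093 the app knows a tenant admin must grant it rather than retrying.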

Ionic/Cordova authentication with ACS

Background:
We have a WebAPI set up with Azure ACS and ADFS for authentication.
Accessing any WebAPI resource through the browser redirects unauthenticated users to the ADFS login page through ACS. After successful login, the user is redirected to the return URL as set up in ACS, along with the security token. This works perfectly fine.
Problem:
We are developing a mobile application using the Ionic framework (http://ionicframework.com/). We want to leverage the same ACS and ADFS for authentication which we are using for WebAPI. In this process we are facing the following issues:
Issue 1:
Accessing any WebAPI resource through a mobile application (Ionic, Cordova, AngularJS) redirects the user to ACS and we get the error below.
XMLHttpRequest cannot load https://{domainname}.accesscontrol.windows.net/v2/wsfederation?wa=ws…52fitem&wct=2014-10-10T14%3a24%3a34Z&whr=https%3a%2f%2f{domainname}.com. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.
Hence we are not able to authenticate any user through ACS with the mobile app.
Issue 2:
Setting the Return URL as empty in ACS throws the error below.
ACS90050: No reply address is configured with the relying party principal.
Steps taken so far:
-> We have enabled CORS on WebAPI.
We filed a ticket with Microsoft to see if CORS can be enabled at ACS. We got the reply below.
ACS does not provide a CORS solution; we did research the possibilities. Unfortunately the answer is still: "No, ACS does not provide a CORS solution". That is, ACS does not give us access to the root for a standard cross-domain solution. Further, providing the token is considered HttpOnly, as manipulating the token with JavaScript is inherently dangerous.
There is a sample available that may provide guidance if you wish to pursue this path, although it is not recommended because of the security aspect. Download the samples found at:
Windows Azure AD Access Control (ACS) Code Samples:
https://code.msdn.microsoft.com/Windows-Azure-AD-Access-0dcde385
The sample under: C#\Webservice\ACS2WindowsPhoneSample may provide some guidance but we would not be able to assist with modifying the sample.