Unable to get access token using Resource Owner Password Credential flow - asp.net-core

I would like to implement Password Credentials flow in ASP Net Core. The idea is we created a service account (user#{tenant}.onmicrosoft.com) with Global Administrator role where this will read information on users behalf.
I also created app in app registration page and resource owner user flow as mentioned here.
By following the instructions in this document to test my created ROPC, I encountered the error as shown in the screenshot below.
The application is created in the Azure AD B2C -> App Registrations and I don't know why my ROPC is not working.
I really appreciate your response. Thank you.

Make sure you have registered the application as mentioned in the document and the account type should be "Accounts in any organizational directory or any identity provider. For authenticating users with Azure AD B2C.".
For Testing Use the below Url and check the screenshot on how to pass the parameters
https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/B2C_1_ROPC_Auth/oauth2/v2.0/token

Related

How can I verify if username and password is correct despite of Multifactor authentication is enabled with Azure AD?

I am wondering if there is anyway to check if the entered username and password is correct despite of enforcing multi factor authentication in Azure Active Directory?
I have set up an app with application permission(with admin consent) as well as delegated permission and is able to test both approach using ConfidentialClient and PublicClient using MSAL library.
I am not able to run my web form app in IIS with the PublicClient approach which is interactive and displays you a popup for the Microsoft login. So, the only approach I see here is to use app-only authentication.(https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth )
I can use the confidential client(app only) since I have all the required admin consents granted to get the OAuth token and then impersonate the user to access to EWS managed api.
But the requirement is the user should enter their outlook password in the webform app before loading their emails(from EWS Managed API which needs OAuth token).
At this point I am not sure what to do next. Please help. Also let me know if you need more information.
For more reference why I am no able to use delegated authentication: Why app is throwing error in test environment but working fine in local machine using ASP.NET Web Forms and MSAL?
Per my understanding, you want to check the username and password by Azure AD first and using the confidential client to call APIs on behalf of the user.
This way is something hacking, but I think it works for this scenario. Just try the request below:
POST https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token
Request Body:
client_id=<confidential client app id>
&Client_secret=<confidential client app sec>
&grant_type=password
&scope=https://graph.microsoft.com/user.read
&username=<username>
&password=<password>
If the user typed the wrong user name and password, the response would be:
If username and password are all right, the response report the MFA related info:

Angular SPA authentication with Azure AD

Hi I am working on Angular SPA and web API core. I am trying to implement authentication and authorization. I have done as below for now.
Registered one application for my front end application and added required redirect uri and modified manifest file to enable implicit flow. Also assigned some of the roles to it.
Registered one more application for my back end. I added scope in the form api/clientid. Then added client application id which is created in step 1.
User is successfully able to login to application.
Now my JWT token has roles in claim. In my API I have added [Authorize(Roles = "Engineers,Admins")]
So If user has any role Engineers or Admins in the JWT token as claims then they are allowed to access my API's
So far my authorization works fine. But coming to authentication part, currently all users of my azure AD tenant able to do login(User can hit my front end url and add user name and password then It will ask MFA and they will be landed in application home page).
If user is part of any of the roles above then only they can see data in home page because in home page I am calling some of the API's and I have added [Authorize(Roles = "Engineers,Admins")].
If suppose user is not part of above role they are still able to login (login means they are able to add user name and password and MFA) they will be landed in home page but they cannot see any data because api will be accessed only if they are part of Engineers,Admins roles.
My question is If user is not part of Engineers,Admins roles why they are able to login and come to home page. They should be restricted in Login step itself.
I am not really sure I am asking right thing here or I only confused my self between authentication vs authorization.
Currently I am doing authorization based on roles. Same thing I can accomplish using Groups also. In claims I can return groups and create policies and do the authorization. If user is part of the group then I can authorize. I am trying to understand what advantage I will get using roles over the groups.
Currently I have dev, prod and non prod environments. But Azure AD is universal and for there is no environment for azure AD. So Is it a good idea to have separate application registered in azure ad between the environments or can I use same app registered in azure AD between the environments. If I create separate application for each environments what advantage I will get?
I am really trying to understand above concepts and can someone give me some insights on the above things? It will be really helpful to me If someone help me to understand this concepts. Any help would be greatly appreciated. Thank you

How to programmatically log-in to Active-Directory without additional setting on AD?

I need to log-in to Azure Active Directory to display the embedded report on a website using asp.net MVC.
However, the API provided is only valid for only username and password.
For logging-on to the AD, all I need to do is to type-in username (email address) and the log-in portal will redirect me to another log-in page and then type in and username and password.
I wonder is there anyway to do the programmatically log-in without using the application secret?
There are two ways to implement Power BI report embedding using Azure AD authentication:
User Owns Data embedding
App Owns Data embedding
If you don't want user sign-in experience, you can implement App Owns Data authentication in the following ways:
Client secret
Master user credentials (username and password (MFA disabled account))
Please go through this documentation to achieve your goal and also, here is a sample code for it.

Incremental OAuth consent with Microsoft Graph api

We have an app in Azure AD that uses the Microsoft Graph API. The app is working successfully using 4 basic permissions: email, profile User.Read User.ReadBasic.All
These permissions let normal users(non-admins) OAuth authenticate into our app.
We are now building a feature for admin users that lets them see their groups. The groups scope requires admin consent as per: http://graph.microsoft.io/en-us/docs/authorization/permission_scopes
The sticky point is that if I add the Group.Read.All permission under delegated permissions in Azure AD, this causes normal users to be able to login with the dreaded error "AADSTS90093: Calling principal cannot consent due to lack of permissions".
I have tried manually crafting OAuth authorize urls that explicitly request the scope, but that did not work either. Here is a sample url I used:
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&redirect_uri=https%3A%2F%2Fl.xxxxxx.com%3A50000%2Fauth%2Fmicrosoft_graph%2Fcallback&client_id=xxxxxx-xxx-xxx-xxx-xxxx&scope=https%3A%2F%2Fgraph.microsoft.com%2Femail%20https%3A%2F%2Fgraph.microsoft.com%2Fprofile%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read%20https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadBasic.All%20https%3A%2F%2Fgraph.microsoft.com%2FGroup.Read.All
How can I require basic permissions for all users but have admins request additional permissions later on in the application?
Some resources I've already reviewed to no avail:
http://www.mikepackdev.com/blog_posts/2-Dynamically-Requesting-Facebook-Permissions-with-OmniAuth
https://azure.microsoft.com/en-us/documentation/samples/active-directory-dotnet-webapp-openidconnect-v2/
Switching between web and touch interfaces on Facebook login using Omniauth and Rails 3
https://github.com/zquestz/omniauth-google-oauth2/issues/143
https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-oauth-code/
https://github.com/Azure/azure-content/blob/master/articles/active-directory/active-directory-devhowto-multi-tenant-overview.md
The Azure AD V2.0 endpoint already support incremental and dynamic consent. You can register the app to use Azure AD V2.0 authentication endpoint from here.
We can provide two buttons for normal users and admin to login in. Here are the steps using V2.0 endpoint for normal users to login for your reference:
1.sign in and get OAuth Code:
GET: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={clientId}&scope=openid%20https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadBasic.All%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read&response_type=code+id_token&&redirect_uri={redirectUri}&nonce=678910
2.Request for the Access token
POST: https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id={clientId}&scope=openid%20https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadBasic.All%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read
&code={codeFromPreviousRequest}&redirect_uri={RedirectUri}&grant_type=authorization_code&client_secret={client_secret}
And for the admin to login in, we just add the additional scope with above request. Here are some helpful articles about this topic:
What's different about the v2.0 endpoint?
v2.0 Protocols - OpenID Connect
v2.0 Protocols - OAuth 2.0 Authorization Code Flow

Connect to Azure to create an Application registration

I'm trying to write a C# console app that will register an application in Azure Active Directory. It should work just as the web application project creation wizard in VS 2013 when you Change Authentication and select Organizational Accounts in Azure.
Following the fiddler trace, I can see that it authenticates the user using wsfederation and an oauth2 token and then uses the graph.windows.net graph api to configuration the AAD directoryObjects service principal and application.
I have tried to use the sample Graph API app, but it requires the app be registered first so that I have the clientId (application id) and password (key) to send in the Acquire Token request using the Windows Azure AD Authentication Library for .NET.
I've tried using a bunch of the different Azure APIs but they all have my chicken and egg problem, I want to use an unregistered client application to register an application in AAD. I need to avoid Configuring Application Authentication and Authorization for the Graph API so that the user has no manual steps.
Does anyone know how Visual Studio does it, using just the user login with browser prompt or if there is a standard application id and password that can be used to access the graph API, like there is the standard login URL, https://login.windows.net/common? Some C# samples would be greatly appreciated.
This post does the Application creation, but requires a clientId and password, which I don't think I have.
You can't register a new application using the Graph API from an unregistered client. The only reason the VS2013 flow works is because VS2013 is already registered in a special way within Azure AD -- it's a first party application and has unique permissions. In my Fiddler trace, VS2013 uses a client ID of 872cd9fa-d31f-45e0-9eab-6e460a02d1f1. Technically you can use this client ID and the redirect URI of VS2013 to initiate sign-on with Azure AD. This still involves user interaction (the user has to authenticate via browser pop-up) so it doesn't meet your requirement for "no manual steps," but it's somewhat helpful for understanding the protocol flows and how registration works.
The bottom line is that if you want to call the Graph API without user interaction (client credential flow), the client needs to be registered with the proper application permissions.