I have couple of applications. I will call them application-1 and application-2 in the question. My applications use asp.net core 2.2.
I register user using B2C custom policies like in this example
Azure B2C custom policies . I've added a REST API claim exchange to get user groups from the B2C. Just like this example. I retrieve the user groups in an azure function by calling memberOf in graph api.
When user completes the registration and enters first time in the system,they are redirected to application-1. They don't have any groups assigned to them in B2C. Then in the application-1 they have option to select which group they want to join. Once they select which group they want to join, I update the B2C.
If I use refresh token provided in the documentation located at Microsoft B2C reference OAuth and access id_token from the response I don't find groups in the claims. I decoded the token for which I have used SecurityTokenHandler class.
Also My application-1 has a link to application-2 which is also part of this B2C single sign on. When user clicks the link in application-1 they are redirected into application-2 . But the id_token doesn't find latest group information which user had assigned to themselves in the application-1.
Is there anyway to make sure the id_token carries latest group information in claims?
I'm still trying to understand B2C / Single sign . Please fill free to correct my terminologies if I've used wrong terms.
Related
My express.js backend has an endpoint which returns a list of what data the user is authorized to view. There are Auth0 roles corresponding to which segments of this data any given user is allowed to read. A user may have any number of these roles. However, when I tried to add role-based permissions to this endpoint, I realized that the Auth0 recommended middleware express-jwt-authz perhaps doesn't do what I intend: it simply authorizes/rejects based on the roles in the JWT. This endpoint only requires a user's session authorization, not the user's roles.
I want the endpoint to change its responses based on which Auth0 roles are associated with a user. The only solution I can think of is adding a row to my own database (which is not connected with Auth0) where I keep track of each user by the JWT sub property, and manage their roles/permissions from my backend. However, this seems like it would split roles between Auth0 and my application's database, and furthermore feels one step closer to rolling my own authentication system, which I do not want right now. Is there a way I can do this with Auth0 and express.js?
I was able to work around this by selecting "Add Permissions in the Access Token" in Auth0 in Applications > APIs > [my API] > Settings. Then I could view the permissions passed into req.user.permissions on my backend, and process them how I wanted there.
How can I add claims after token validation? (i.e. in a controller)
In my app users authenticate with Azure B2C, but I want roles (or claim authorization) to be based on what a user selects after they log in...
I know I can add claims inside OnTokenValidated, but I want to do this after the user goes to a page and makes a selection.
As far as I know, it's impossible. The asp.net core authentication will generate the claim based on the token. If you add the claims in the controller but not update the token, that means the claim will not add into the token.
Next time, when the user login in, the claim is as same as the previous one. The token will not be modified.
Since you are using Azure B2C, that means we couldn't modify the token on the server.
I'm creating users in AzureAD using graph api.
I want to enable multi-factor-authentication either while creating users using MS Graph API or else is there any other way to enable Multi-Factor-Authentication using MS Graph API.
Currently this is not available in Microsoft Graph API. I found a vote in azure feedback https://feedback.azure.com/forums/34192--general-feedback/suggestions/32683693-add-mfa-status-to-user-entity-info-returned-by-gra
If MFA authentication needs to be enforced, maybe an alternative would be to have a conditional access policy requiring MFA for a group of users (e.g. the baseline MFA for admins) and check that the user is a member of that group using Graph API.
I made it this way:
Blazor wasm client, informing the user about the process and providing information about Microsoft Authenticator install, how-to, etc.
Azure Function Rest Api, able to check a user "mfa status" and able to add a user to a specific group. Both are simply "give me status" and "give me mfa", no parameters. Everything is controlled by the token provided to Azure Function controller.
Both use authentication, meaning that the user authenticates via AAD, and this identity is presented to both api.
If the user is not already added to the group, the user gets the option to "order mfa". In the backend, the user is simply added to the group.
The group is set in Azures "conditional access".
I did not want to do this through Graph API, because then I had to give the users some "other possibilities" that i feel they not should have.
If you are using Graph Client in your back end C# project then you can Enable/Disable/Enforce Users MFA using Powershell.
Scroll down to “Change state using Powershell”
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
Cognito is a powerful tool yet it's so hard to utilize it .
Trying to implement my business logic I ended up in some dead ends and I need some help.
My client app is an admin panel where a new admin can register providing a company.
Now there are 2 applications (Contests, Reviews) based on these companies .
So from the adminPanel the admin can create events for both apps through 2 different rest apis
The concept is 1 admin is related to 1 or more companies.I have to map that relationship somehow with Cognito .
Because cognito does pretty much well authentication but not authorization.
In every request not only I have to validate the user by the access token but I also have to see if the user is authorized to do the action based on the company.
For example if a user want to create a Contest event for his company.
I will make a request to Contest Api and I have to authorize that the admin is related to this company
Company entities are used from both apis so I have to expose them in a new api called companies.(If any api wants information about companies it should call the get company/{id})
My consideration is that in order to authorize a user in my apis I have to:
1) validate the access_token .
2) communicate with Cognito to get user informations.
3) call companies api to check if user is authorized to execute actions for this campaign.
So I kind of feeling that it becomes too complex and I need 2 services to authenticate and authorize each request(cognito + company api).
Is there any other way to implement cognito authorization logic without having to use a second api ?
P.S I have already check cognito triggers but they don't cover my needs .For example pre token generation trigger can add claims but it will add them in identity_token not access_token .Also my claims has to be an array of company_ids that an admin is related but claims supports strings and numbers only
I am using Azure AD B2C and I want a group based user distribution for my application. Lets say I have two subdomains subA.myapp.com and subB.myapp.com. On the other hand, I have two groups subA and subBin Azure B2C. Now a user wants to signin to subA.myapp.com, but is not a member of group subA, I would like to deny the user to sign in.
I know that Azure B2C does not include group info in the access token. So I will actually use Graph API to get the group membership of the user. But I am not quite sure if there is an appropriate event where I could intercept the validation process and manually deny a user to sign-in. Also, I thought I could use one of the *Validator methods of TokenValidationParameters but not sure which one.
I have read Authorize By Group in Azure Active Directory B2C. My problem is different because that problem is trying to protect only some actions based on group memberships, I want to prevent the whole login process to fail based on group membership.
You can use a ValidationTechnicalProfile on a page created by the SelfAssertedAttributeProvider technical profile. Using the validation technical profile, you can first authenticate the user, and then call a Rest API that can look up users group membership and return a successfull/fail response.
If the response is successful, the flow will continue. If it's a failure, an error will be shown to the user.