I would like to test a locally running web api authorized end point with Postman using AAD B2C with Microsoft account as identity provider.
The web api is running well, I can authenticate from client apps (Web App and UWP app), but I am not able to test it with Postman because can't get a token. Without authorization the Postman works well.
I am using the following guideline:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/azure-ad-b2c-webapi?view=aspnetcore-3.0
The Postman's error message:
Postman's settings:
AAD B2C Applications:
AAD B2C Postman App properties:
AAD B2C Postman App API access:
Can you tell me any idea what's missing?
I can repro your issue. Based on your capture, the Auth URL in postman setting(pic 2) , the host you are using is https://login.microsoftonline.com which will cause redirect uri issue while using MSA identity provider.
To solve this issue , you should use this host: https://{your-tenant-name}.b2clogin.com.
Details see this official doc :
When you set up an identity provider for sign-up and sign-in in your
Azure Active Directory B2C (Azure AD B2C) application, you need to
specify a redirect URL. You should no longer reference
login.microsoftonline.com in your applications and APIs. Instead, use
b2clogin.com for all new applications, and migrate existing
applications from login.microsoftonline.com to b2clogin.com.
Hope it helps .
Related
I am currently working on a function app and would like to understand more on the built in authentication using Microsoft as the identity provider. I have created an app registration as per this guide but upon testing the authentication in a browser, I have been redirected to login.microsoftonline.com/common instead of login.microsoftonline.com/. Is that the expected behavior?
For your function app, in the Authentication blade, check what is being displayed for Issuer Url for the Microsoft Authentication provider. If you have configured to authenticate users from your organization's Azure AD, then that will be the tenant ID, and the url should be login.microsoftonline.com/<guid of tenant>. It depends on what you chose for your target audience, refer here.
i have implemented Azure B2C Attentication in Xamarin using Microsoft.Identity.Client nuget package.
after successful login it returning me a Id_Token and if I use this Id token to fetch the web api then the unAuthorid 401 error.Im using this scope
https://{TenatName}.onmicrosoft.com/api/Read.All
You need to create two applications in the Azure AD B2C portal, one representing the client application and the other representing the api application, then use the user to log in to the client application, and use the client application to access the api application.
First, you need to expose the api of the api application:
Next, go to the client application, add the scope exposed by the api application to the client application (you can find your exposed api permissions in My APIs), so that the client can access the api, and then grant the admin consent for the permission.
Finally, I use the ROPC user flow to obtain the token.
Parse the token:
I am trying to set up a .Net Core 3.0 Web API and Angular application using AzureAD for authentication, all seems good except for an error I am getting when the Client tries to call the web API (see below).
I hit the angular application and successfully authenticate with AzureAD, I have followed all the instructions for exposing the API and granting permissions but no joy. I wrote another test application with 2.2 and that worked fine.
Anyone having a similar issue?
Thanks, Mike
“AADSTS65001: The user or administrator has not consented to use the application with ID ‘f1be5414-b865-4fb4-9943-6dfc66c8fdcf’ named ‘MW Front End Auth Test’. Send an interactive authorization request for this user and resource.\r\nTrace ID: 597358a2-5941-4c92-b458-a2ce6e276f00\r\nCorrelation ID: fd242c0f-60f7-4ddd-b951-ec49b93f831f\r\nTimestamp: 2019-11-10 16:36:55Z|consent_required”
The issue is clear, consent required.
You can force user consent through a URL request, the url will look like:
https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?client_id=<client id>&response_type=code&redirect_uri=<Your-Redirect-URI-Https-Encoded>&nonce=1234&resource=<your-resource-Https-encoded>&prompt=consent
If it needs admin consent, use $prompt=admin_consent instead.(need to use admin account to sign in)
How to build protected Web API with Angular and Azure AD B2C ?
I follow: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-web-dotnet/
But I am not sure about using cookie authentication with Web API. Any idea how I should do this ?
Check this post: https://cgillum.tech/2016/08/10/app-service-auth-and-azure-ad-b2c-part-2/
Should bring AD B2C as Authentication Provider of Azure App Service, so next you work with Easy Auth of Azure App Service that support cookie for login.
Above post also include an example for SPA app already.
Background:
We have a WebAPI set up with Azure ACS and ADFS for authentication.
Accessing any WebAPI resource through the browser will redirect unauthenticated users to the ADFS login page through ACS. After successful login, the user will be redirected to return Url as setup in ACS along with security token. This works perfectly fine.
Problem:
We are developing a mobile application using the Ionic framework (http://ionicframework.com/). We want to leverage the same ACS and ADFS for authentication which we are using for WebAPI. In this process we are facing the following issues:
Issue 1:
Accessing any WebAPI resource through a mobile application (Ionic, Cordova, AngularJS) redirects the user to ACS and we get below error.
XMLHttpRequest cannot load https://{domainname}.accesscontrol.windows.net/v2/wsfederation?wa=ws…52fitem&wct=2014-10-10T14%3a24%3a34Z&whr=https%3a%2f%2f{domainname}.com. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.
Hence we are not able to authenticate any user through ACS with the mobile app.
Issue 2:
Setting Return URL as empty in ACS throws the below error.
ACS90050: No reply address is configured with the relying party principal.
Steps taken so far:
-> We have enabled CORS on WebAPI.
We filed ticket with Microsoft to see if CORS can be enabled at ACS. We got below reply.
ACS does not provide a CORS solution we did research the possibilities. Unfortunately the answer is still: “No ACS does not provide a CORS solution”. That is, ACS does not give us access to the root for a standard cross-domain solution. Further, providing the token is considered HTTPOnly as manipulating the token with Javascript is inherently dangerous.
There is a sample available that may provide guidance if you wish to pursue this path although it is not recommended because of the security aspect. Download the samples found at:
Windows Azure AD Access Control (ACS) Code Samples:
https://code.msdn.microsoft.com/Windows-Azure-AD-Access-0dcde385
The sample under: C#\Webservice\ACS2WindowsPhoneSample may provide some guidance but we would not be able to assist with modifying the sample.