I need to log-in to Azure Active Directory to display the embedded report on a website using asp.net MVC.
However, the API provided is only valid for only username and password.
For logging-on to the AD, all I need to do is to type-in username (email address) and the log-in portal will redirect me to another log-in page and then type in and username and password.
I wonder is there anyway to do the programmatically log-in without using the application secret?
There are two ways to implement Power BI report embedding using Azure AD authentication:
User Owns Data embedding
App Owns Data embedding
If you don't want user sign-in experience, you can implement App Owns Data authentication in the following ways:
Client secret
Master user credentials (username and password (MFA disabled account))
Please go through this documentation to achieve your goal and also, here is a sample code for it.
Related
I am wondering if there is anyway to check if the entered username and password is correct despite of enforcing multi factor authentication in Azure Active Directory?
I have set up an app with application permission(with admin consent) as well as delegated permission and is able to test both approach using ConfidentialClient and PublicClient using MSAL library.
I am not able to run my web form app in IIS with the PublicClient approach which is interactive and displays you a popup for the Microsoft login. So, the only approach I see here is to use app-only authentication.(https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth )
I can use the confidential client(app only) since I have all the required admin consents granted to get the OAuth token and then impersonate the user to access to EWS managed api.
But the requirement is the user should enter their outlook password in the webform app before loading their emails(from EWS Managed API which needs OAuth token).
At this point I am not sure what to do next. Please help. Also let me know if you need more information.
For more reference why I am no able to use delegated authentication: Why app is throwing error in test environment but working fine in local machine using ASP.NET Web Forms and MSAL?
Per my understanding, you want to check the username and password by Azure AD first and using the confidential client to call APIs on behalf of the user.
This way is something hacking, but I think it works for this scenario. Just try the request below:
POST https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token
Request Body:
client_id=<confidential client app id>
&Client_secret=<confidential client app sec>
&grant_type=password
&scope=https://graph.microsoft.com/user.read
&username=<username>
&password=<password>
If the user typed the wrong user name and password, the response would be:
If username and password are all right, the response report the MFA related info:
I want to authenticate a user via Active Directory. Right now I use Novell.Directory.Ldap.NETStandard library for that.
Scenario: The user will type in his e-mail and password. What I have to do now is to connect to AD via LDAP using some service login (username, password) so i can search in AD. I will search for the e-mail, find the user and then validate his credentials.
What I am asking for: I do not want to use a username & password to log a service user into AD. I would like to use the authorization of the user that is running the application to connect and search in AD. I am thinking of something similar to a SQL connection where I can say Integrated Security=True;.
Is there a way to do this in ASP.Net Core?
Solved it! I was using the wrong library.
I'm now using Microsoft's implementation from here: System.DirectoryServices.AccountManagement;
Works great.
I am developing a Xamarin forms application. The app is for company owners in which they can see the employee timesheets.The app can be accessed by userid and password which will authenticate via API.Iam intend to save the user credentials in app and provide a logout facility when they want.
My questions are
1. How can I securely store user credentials in xamarin forms , in which nobody should get the credentials by decompiling the app.
2. How can I securely pass the credentials via API and authenticate (I heard about base auth, OAuth) it with server.
3.If someone gets my user credentials and URL to post, but he should not get the
data.How can it be implemented?
Show me some guidance and links. Thanks in advance !
This question has nothing to do with Xamarin.Forms, it is more about general architecture and security considerations.
You should not store user credentials but an authentication token that will be returned from the API in case of a successful user authentication. This token should have a limited lifetime - depends on the business needs.
HTTPS
Since you will not store sensitive data like user login and password on the phone, the risks of someone obtaining those will be slightly minimised. In any case you could invalidate the token if a malicious behavior will be detected and force the user to change the password.
For storing the authentication token securely on the device you could use Xamarin.Essentials
We are developing an angular 6 App for showing the sensor data and other details.
In this app, we are having the login screen, in that we have only the USERNAME & PASSWORD fields.
once we enter the Username & Password, the request will go to the BACK-END Layer (.net ) controller logic, which in-turn contacts the Adamos / Cumulocity Platform and get the associated tenant and return the authorization token to the front end, which will gets saved in the Local Storage or Session storage.
From the above details, i wanted to know what are the things possible
Can we contact the cumulocity / Adamos from the .net back end layer and find out the associated tenant for the given username & password ?
Can we create & return the custom User Object & with user permission, token for login authorization checkings ?
If we want to store the jwt token, where we have to store the token?
Note:
We know that we can directly contact the Adamos / cumulocity to authorize the user using the tenant, username and password, but don't want the user to enter their tenant, instead directly using the corporate user id & password only, which has been registered in the adamos environment.
Please give us details information, as we are developing an complicated application, so that there won't be any problem with the core design.
Thank you
PCAPA B.
You cannot determine the tenant from a username and a password. Each tenant has their own user domain with their own users. If you have a user in a tenant with global user read permission, you can query the users in the tenant. You can also the query the permissions.
In case you are using OAuth, you do not handle the JWT token, at least in a web application. The token is managed by the browser in a cookie. This is transparent for you and the cookie is not accessible from your (JavaScript) application code. If you use a "fat" client or microservice, you would need to emulate that logic (i.e., passing the cookie around).
I am not sure if that really answers your question. If not, please be a bit more specific.
In my environment I have presently two applications, lets call them portal and sso. Portal is where I manage user accounts and allow people to register. SSO is my implementation of IdentityServer. I want to require users to reset their password after 90 days or after they had their password recovered for them. I can check for this in the AuthenticateLocalAsync function, but the question is how do I redirect them to the portal password reset page? Or is it easier to add a custom page to the IdentityServer to handle password resets of this nature? Are there any examples of this, specifically where the identityserver is not embedded into the application using its login functionality?
Your best option is to create a "reset password" page in the same IdentityServer project, and issue a partial login redirecting to that page every time an user with expired password completes the sign on process successfully.
With this approach you can catch users with expired password before they are effectively logged in, without completely breaking the login flow.
You can find some details in the IdentityServer3 CustomUserService sample, specifically in the "EULA" sample which uses "EulaAtLoginUserService".
I do not think there is a way to directly redirect the user to an external endpoint (e.g. your Portal residing in another domain) during the IdentityServer login flow.