I am using Azure AD B2C and I want a group based user distribution for my application. Lets say I have two subdomains subA.myapp.com and subB.myapp.com. On the other hand, I have two groups subA and subBin Azure B2C. Now a user wants to signin to subA.myapp.com, but is not a member of group subA, I would like to deny the user to sign in.
I know that Azure B2C does not include group info in the access token. So I will actually use Graph API to get the group membership of the user. But I am not quite sure if there is an appropriate event where I could intercept the validation process and manually deny a user to sign-in. Also, I thought I could use one of the *Validator methods of TokenValidationParameters but not sure which one.
I have read Authorize By Group in Azure Active Directory B2C. My problem is different because that problem is trying to protect only some actions based on group memberships, I want to prevent the whole login process to fail based on group membership.
You can use a ValidationTechnicalProfile on a page created by the SelfAssertedAttributeProvider technical profile. Using the validation technical profile, you can first authenticate the user, and then call a Rest API that can look up users group membership and return a successfull/fail response.
If the response is successful, the flow will continue. If it's a failure, an error will be shown to the user.
Related
I have created an App role for my AZURE AD Backend Api and assigned this role to a group. Now I want to authenticate user in my .net core backend application on the basis if user has a group which has this role. I am getting the group ids in the access token but how can I get app roles assigned to these groups.
Please check how you enabled group claims in Azure Portal.
If you check the Emit groups as role claims option like below you cannot see application roles, but you can see group ids.
If the above option is enabled, make sure to uncheck the box.
Note
If you use the option to emit group data as roles, only groups will
appear in the role claim. Any application roles that the user is assigned to won't appear in the role claim.
Also, I would suggest you refer to this Microsoft official documentation below which states that if you add a service principal to a group, and then assign an app role to that group, Azure AD does not add the roles claim to tokens it issues.You can modify the “groupMembershipClaims” field in application manifest if you want to include groups claim in your token like below: -
Add app roles to your application and receive them in the token
For more in detail, please refer below link:
Configure group claims for applications by using Azure Active Directory
I have two application, both are using keycloak to authenticate user of the same realm. I've created two different client, and two different user group. Only users of a specific group can access to corresponding application.
I'm using this custom extension to verify user group after user login. I've created two different user flow based on Browser Flow, one for group, and I've configurated each client to use the relative user flow. This is working fine when a user tries to login.
I'm giving an example to better explain:
I have two group A and B. One user belongs to group A. When the user isn't logged, he can access to application A but he can not access to application B.
What I cannot prevent is user access to application B when he is already logged into application A.
This is happening because Browser Flow has a cookie step that gives authorization of users already logged.
Is there a step to check user group (or other user information) after the cookie step?
I found this solution:
I created a new authentication flow, at first level I've created a sub flow containg the standard Browser Flow and always at first level I've added the execution of group verification.
Both step at first level are marked as required.
My express.js backend has an endpoint which returns a list of what data the user is authorized to view. There are Auth0 roles corresponding to which segments of this data any given user is allowed to read. A user may have any number of these roles. However, when I tried to add role-based permissions to this endpoint, I realized that the Auth0 recommended middleware express-jwt-authz perhaps doesn't do what I intend: it simply authorizes/rejects based on the roles in the JWT. This endpoint only requires a user's session authorization, not the user's roles.
I want the endpoint to change its responses based on which Auth0 roles are associated with a user. The only solution I can think of is adding a row to my own database (which is not connected with Auth0) where I keep track of each user by the JWT sub property, and manage their roles/permissions from my backend. However, this seems like it would split roles between Auth0 and my application's database, and furthermore feels one step closer to rolling my own authentication system, which I do not want right now. Is there a way I can do this with Auth0 and express.js?
I was able to work around this by selecting "Add Permissions in the Access Token" in Auth0 in Applications > APIs > [my API] > Settings. Then I could view the permissions passed into req.user.permissions on my backend, and process them how I wanted there.
I have a single Tenant with four (4) Applications and ten (10) Users defined. I want 3 users to have login access to all four Applications, and 7 users to have login access to only of the 2 applications. However, it appears that anytime I add a user to the Tenant the user receives "login/authentication" rights to all 4 applications.
Before installing and setting-up FusionAuth, I thought I would be able to use the "Groups" feature to create a group called "Group-A" that would "grant" login access to all 4 applications and another group called "Group-B" with "grant" login access to only 2 applications. I would assign the 10 users to either Group-A or Group-B and limit which user could login/authenticate to a particular application.
This capability does not appear to exists. What am I misunderstanding?
FusionAuth supports this model. We call this Registrations and if a user is has a Registration for an Application, they will be allowed to access it. If they don't have a Registration for that Application, they will be logged in, but won't be granted access to the Application.
The specific implementation depends on your integration with FusionAuth:
If you are using the OAuth interface, when FusionAuth redirects back to your application, it will pass along a parameter called userState. This is a hint back to your application as to whether or not the user is registered for it. If the value of this parameter is AuthenticatedNotRegistered, you should not allow access to the application.
Additionally, if you are using the OAuth workflow, when you exchange the authorization code for a token, this token will not include the Application id or any roles that the user has for the Application.
If you are using the /api/login API, then the response will contain a status code of 202 that indicates that the user was authenticated but not registered for the application. Similarly, the JWT that this API returns will also not include the Application id or any roles.
Here are the doc pages for the OAuth and Login API:
https://fusionauth.io/docs/v1/tech/oauth/endpoints#authorization-code-grant-request
https://fusionauth.io/docs/v1/tech/apis/login
I have couple of applications. I will call them application-1 and application-2 in the question. My applications use asp.net core 2.2.
I register user using B2C custom policies like in this example
Azure B2C custom policies . I've added a REST API claim exchange to get user groups from the B2C. Just like this example. I retrieve the user groups in an azure function by calling memberOf in graph api.
When user completes the registration and enters first time in the system,they are redirected to application-1. They don't have any groups assigned to them in B2C. Then in the application-1 they have option to select which group they want to join. Once they select which group they want to join, I update the B2C.
If I use refresh token provided in the documentation located at Microsoft B2C reference OAuth and access id_token from the response I don't find groups in the claims. I decoded the token for which I have used SecurityTokenHandler class.
Also My application-1 has a link to application-2 which is also part of this B2C single sign on. When user clicks the link in application-1 they are redirected into application-2 . But the id_token doesn't find latest group information which user had assigned to themselves in the application-1.
Is there anyway to make sure the id_token carries latest group information in claims?
I'm still trying to understand B2C / Single sign . Please fill free to correct my terminologies if I've used wrong terms.