Auth0 and ADAL.NET - auth0

I am trying to get an access token from my Auth0 setup using ADAL. I don't understand why it is trying to connect to the following site when I look at it in Fiddler:
https://login.windows.net/common/discovery/instance?api-version=1.0&authorization_endpoint=https://myusername.auth0.com/oauth/oauth2/authorize
Here is my code:
using System;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL.NET
// ADAL keeps host + first path segment as the authority and appends its own oauth2/... paths
var AuthCtx = new AuthenticationContext("https://MYUSERNAME.auth0.com/oauth/token");
var token = AuthCtx.AcquireTokenAsync("https://api.MYSITE.COM", new ClientCredential("clientid here", "secret here")); // client_credentials grant
Console.WriteLine(token.Result.AccessToken); // .Result blocks on the task
Thank you!

ADAL is a Microsoft library developed to connect native (non-browser) clients, e.g. desktop and mobile, to either Azure AD or ADFS.
You can use it for other identity providers, but it is not supported as a generic OAuth stack.
All the samples use either Azure AD or ADFS.
The endpoint above is the common endpoint for Azure AD.
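What the answer implies in practice, as an added example that is not part of the original question or answer: ADAL canonicalises the authority to host plus first path segment and then appends its own `oauth2/authorize` and `oauth2/token` (which is why the capture shows `/oauth/oauth2/authorize`), and it starts with Azure AD instance discovery, so an Auth0 tenant cannot be reached through it. The client-credentials grant Auth0 expects is a plain POST to `https://{tenant}.auth0.com/oauth/token` with `audience` set to the API identifier. The code below does that with `HttpClient` and `System.Text.Json` (.NET 6 or later assumed); the tenant domain, API identifier and the environment variables holding the credentials are placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Json;
using System.Text.Json;
using System.Threading.Tasks;

// Added example: OAuth 2.0 client-credentials request straight to Auth0, no ADAL involved.
public static class Auth0ClientCredentials
{
    private static readonly HttpClient Http = new HttpClient();

    // domain:   e.g. "MYUSERNAME.auth0.com" (placeholder)
    // audience: the API identifier registered in Auth0, e.g. "https://api.MYSITE.COM" (placeholder)
    public static async Task<string> GetAccessTokenAsync(
        string domain, string clientId, string clientSecret, string audience)
    {
        // Auth0's /oauth/token accepts a JSON body for the client_credentials grant.
        var body = new
        {
            grant_type = "client_credentials",
            client_id = clientId,
            client_secret = clientSecret,
            audience = audience
        };

        using HttpResponseMessage response =
            await Http.PostAsJsonAsync($"https://{domain}/oauth/token", body);
        string json = await response.Content.ReadAsStringAsync();

        // Auth0 returns {"error":"...","error_description":"..."} with a 4xx on failure;
        // surface it rather than swallowing it into a null token.
        if (!response.IsSuccessStatusCode)
            throw new InvalidOperationException(
                $"Token request failed ({(int)response.StatusCode}): {json}");

        using JsonDocument doc = JsonDocument.Parse(json);
        return doc.RootElement.GetProperty("access_token").GetString();
    }

    public static async Task Main()
    {
        // Credentials come from the environment so the secret never sits in source.
        string token = await GetAccessTokenAsync(
            "MYUSERNAME.auth0.com",
            Environment.GetEnvironmentVariable("AUTH0_CLIENT_ID"),
            Environment.GetEnvironmentVariable("AUTH0_CLIENT_SECRET"),
            "https://api.MYSITE.COM");
        Console.WriteLine(token);
    }
}
```

The returned token is a bearer token for the API named in `audience`; it is not an Azure AD token and no Azure AD library needs to be involved in obtaining or using it.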

Related

Trying to use token acquisition with ADFS authenticated app

I am stuck on a problem that I cannot think my way out of and have searched everywhere online for answers, to no avail.
Here is the problem:
I usually embed Power BI reports in an ASP.NET application, following the Microsoft tutorial, where we registered an Azure AD app as a service principal. We use the Microsoft.Identity.Web library to authenticate our users as well as to authenticate as the app's service principal for accessing Power BI reports.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
.EnableTokenAcquisitionToCallDownstreamApi()
.AddInMemoryTokenCaches();
builder.Services.AddScoped(typeof(PowerBiServiceApi));
The problem now is that I am building an app that doesn't authenticate with Microsoft.Identity.Web but will actually be authenticating users using individual accounts / ADFS and a federation service.
The problem is that I am unable to do token acquisition by authenticating as the app's service principal.
// opening call restored from the first snippet; the rest is the posted chain
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddOpenIdConnect(options =>
{
    // user sign-in against ADFS via OpenID Connect
    options.ClientId = "xxxxx-xxxxx-xxx-xxx-xxxxxx";
    options.Authority = "https://xxxxxxxxxxx";
    options.SignedOutRedirectUri = "https://localhost:xxxx/";
    options.Events = new OpenIdConnectEvents
    {
        OnRemoteFailure = OnAuthenticationFailed,
    };
})
// second handler: Azure AD via Microsoft.Identity.Web, with token acquisition for downstream APIs
.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
.EnableTokenAcquisitionToCallDownstreamApi()
.AddInMemoryTokenCaches();
However, I am unable to run this app and embed successfully.
My main question is:
Is it possible to authenticate my users with one authentication provider (ADFS federation service via OpenID or WS-Federation)
whilst also using Microsoft.Identity to do token acquisition?
Thus far I've had success using OpenID Connect directly with ADFS and the MSAL library to get tokens (also from ADFS) for downstream APIs. For entries in ADFS using a client secret (i.e. server apps) I would use the IConfidentialClientApplicationBuilder, whereas native apps would use the IPublicClientApplicationBuilder.
This means I never need nor can use this code:
.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
.EnableTokenAcquisitionToCallDownstreamApi()
.AddInMemoryTokenCaches();
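To make the answer concrete, an added example that is neither the poster's nor the answerer's code. The MSAL.NET builder type is `ConfidentialClientApplicationBuilder` (it produces an `IConfidentialClientApplication`), and the same builder works against ADFS via `WithAdfsAuthority` or against Azure AD via `WithAuthority`. The Azure AD variant is what the app-only Power BI token in the original question needs, and it does not care which scheme signed the user in, so the ADFS `AddOpenIdConnect` handler can stay as posted. One thing to watch in the posted chain: `AddOpenIdConnect(...)` and `AddMicrosoftIdentityWebApp(...)` both register a scheme named `OpenIdConnect` unless a different scheme name is passed, so registering both as shown gives two handlers for the same scheme. Hosts, ids, the secret and the ADFS scope string below are placeholders; the Power BI scope is the published one.

```csharp
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example: app-only (client-credentials) tokens through MSAL.NET's confidential client,
// decoupled from the scheme that authenticated the user.
public sealed class AppTokenService
{
    // Scope for the Power BI REST API under Azure AD.
    public const string PowerBiScope = "https://analysis.windows.net/powerbi/api/.default";

    private readonly IConfidentialClientApplication _app;

    private AppTokenService(IConfidentialClientApplication app) => _app = app;

    // ADFS 2016/2019 application-group registration that has a client secret.
    // adfsHost is a placeholder such as "adfs.contoso.com".
    public static AppTokenService ForAdfs(string adfsHost, string clientId, string clientSecret) =>
        new AppTokenService(ConfidentialClientApplicationBuilder.Create(clientId)
            // WithAdfsAuthority makes MSAL read ADFS metadata instead of doing AAD instance discovery.
            .WithAdfsAuthority($"https://{adfsHost}/adfs")
            .WithClientSecret(clientSecret)
            .Build());

    // Azure AD app registration (the service principal the Power BI tutorial creates).
    public static AppTokenService ForAzureAd(string tenantId, string clientId, string clientSecret) =>
        new AppTokenService(ConfidentialClientApplicationBuilder.Create(clientId)
            .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
            .WithClientSecret(clientSecret)
            .Build());

    // Client-credentials grant. MSAL caches the result and only calls the STS again once it expires.
    // For ADFS the scope string depends on how the API is registered in the application group
    // (assumed form: "<api identifier>/.default"); for Azure AD use PowerBiScope or "<app id uri>/.default".
    public async Task<string> GetAppTokenAsync(string scope)
    {
        AuthenticationResult result = await _app.AcquireTokenForClient(new[] { scope }).ExecuteAsync();
        return result.AccessToken;
    }
}
```

Register one instance, e.g. `builder.Services.AddSingleton(AppTokenService.ForAzureAd(tenantId, clientId, secret))` with the values read from configuration, and inject it into `PowerBiServiceApi` in place of `ITokenAcquisition`; the `AddMicrosoftIdentityWebApp` / `EnableTokenAcquisitionToCallDownstreamApi` chain is then not needed, which is the situation the answer describes.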

Azure Function App Authentication Sign In

I am currently working on a function app and would like to understand more on the built in authentication using Microsoft as the identity provider. I have created an app registration as per this guide but upon testing the authentication in a browser, I have been redirected to login.microsoftonline.com/common instead of login.microsoftonline.com/. Is that the expected behavior?
For your function app, in the Authentication blade, check what is displayed as the Issuer Url for the Microsoft authentication provider. If you have configured it to authenticate users from your organization's Azure AD, that will contain the tenant ID, and the URL should be login.microsoftonline.com/<guid of tenant>. It depends on what you chose for your target audience; refer here.

Reuse Access Token Throughout ASP.NET Core App (via DI)

I have an ASP.NET Core app that uses OIDC (Microsoft Azure AD) to authenticate users to my app. I have added a ton of APIs to the registered application in Azure AD, including Dynamics. How can I access the access token in my middleware? I created a class for the sole purpose of communicating with Dynamics and would like to reuse the access token generated during authentication to my app. How and where do I get it from? I have tried all the usual suspects, such as the following:
var accessToken = _httpContextAccessor.HttpContext.Request.Headers[HeaderNames.Authorization].ToString(); // null
and
var accessToken = _httpContextAccessor.HttpContext.GetTokenAsync("access_token").Result; // null
Any suggestions?
To get an access token for calling the Dynamics API in the authenticated user's context, the application should get the access token using the OBO flow. MSAL.NET has a method to do so.
string accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(scopes);
You can refer to this ASP.NET Core sample, which has a scenario similar to the one you are trying to achieve.
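An added example (not the answerer's or the poster's code) of that `ITokenAcquisition` call inside the class that talks to Dynamics. For background on why the two attempts in the question return null: with cookie-based OIDC sign-in the browser sends a cookie, not an `Authorization` header; and `GetTokenAsync("access_token")` only returns something when the OIDC handler was configured with `SaveTokens = true`, and even then that token was issued for whatever was requested at sign-in, not for Dynamics. `ITokenAcquisition` instead redeems the sign-in authorization code and keeps a per-user cache of tokens for each downstream scope (in a web API the same call uses the on-behalf-of flow). The Dynamics organisation URL and the Program.cs wiring in the comment are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Web;

// Added example: calling the Dynamics 365 Web API with a user token from Microsoft.Identity.Web.
//
// Assumed Program.cs wiring (the question's snippet plus a typed HttpClient):
//   builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
//       .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
//       .EnableTokenAcquisitionToCallDownstreamApi(new[] { DynamicsClient.Scope })
//       .AddInMemoryTokenCaches();
//   builder.Services.AddHttpClient<DynamicsClient>();
public sealed class DynamicsClient
{
    // Placeholder organisation URL; the /.default scope covers every Dynamics permission
    // granted to the app registration.
    public const string OrgUrl = "https://contoso.crm.dynamics.com";
    public const string Scope = OrgUrl + "/.default";

    private readonly ITokenAcquisition _tokenAcquisition;
    private readonly HttpClient _http;

    public DynamicsClient(ITokenAcquisition tokenAcquisition, HttpClient http)
    {
        _tokenAcquisition = tokenAcquisition;
        _http = http;
    }

    public async Task<string> GetTopAccountsJsonAsync(int top = 5)
    {
        // Token for the signed-in user, scoped to Dynamics. Microsoft.Identity.Web caches and
        // refreshes it. If the user still has to consent, this throws
        // MicrosoftIdentityWebChallengeUserException; in a controller the [AuthorizeForScopes]
        // attribute turns that into a fresh sign-in challenge instead of a 500.
        string accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(new[] { Scope });

        using var request = new HttpRequestMessage(
            HttpMethod.Get, $"{OrgUrl}/api/data/v9.2/accounts?$top={top}");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        request.Headers.Add("OData-MaxVersion", "4.0");
        request.Headers.Add("OData-Version", "4.0");
        request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

        using HttpResponseMessage response = await _http.SendAsync(request);
        response.EnsureSuccessStatusCode();   // a 401 here means the token's audience is not this org
        return await response.Content.ReadAsStringAsync();
    }
}
```

The token never leaves the server and is fetched per call, so there is nothing to pass around through `HttpContext`; the class only needs `ITokenAcquisition` injected.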

AAD B2C authorized Web Api test with Postman fails

I would like to test a locally running web API's authorized endpoint with Postman, using AAD B2C with a Microsoft account as the identity provider.
The web API is running well and I can authenticate from client apps (web app and UWP app), but I am not able to test it with Postman because I can't get a token. Without authorization, Postman works well.
I am using the following guideline:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/azure-ad-b2c-webapi?view=aspnetcore-3.0
The Postman's error message:
Postman's settings:
AAD B2C Applications:
AAD B2C Postman App properties:
AAD B2C Postman App API access:
Can you give me any idea what's missing?
I can repro your issue. Based on your capture of the Auth URL in the Postman settings (pic 2), the host you are using is https://login.microsoftonline.com, which will cause a redirect URI issue when using the MSA identity provider.
To solve this issue, you should use this host: https://{your-tenant-name}.b2clogin.com.
For details, see the official doc:
When you set up an identity provider for sign-up and sign-in in your Azure Active Directory B2C (Azure AD B2C) application, you need to specify a redirect URL. You should no longer reference login.microsoftonline.com in your applications and APIs. Instead, use b2clogin.com for all new applications, and migrate existing applications from login.microsoftonline.com to b2clogin.com.
Hope it helps.

.Net Core Azure Active Directory Authentication Problems (photos)

I tried to follow this tutorial: https://www.bruttin.com/2017/11/21/azure-api-postman.html
What am I doing wrong? I'm using the default template of a .NET Core 2.2 web API in Visual Studio 2019 and I want to use Azure AD to authenticate. To test the authentication I am using Postman, but I can't get it to work. The photos below show the steps, in order, that I am trying.
AuthURL = "https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize"
TokenURL = "https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token"
1. Create project
2. Choose API
3. Enter domain and check "Read Directory Data"
4. appsettings.json is generated
5. Default Startup.cs file
6. Values controller uses the Authorize attribute
7. Generate a secret in the Azure portal
8. Fill out the token request form in Postman: successfully get a token
9. Attempt to use the token: access is denied
What am I doing wrong?
AuthURL = "https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize" TokenURL = "https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token"
One point is that you are acquiring Azure AD v2.0 tokens; if the web API is an Azure AD v2.0 web API, you should append /v2.0 to your Authority when configuring the web API. See the source code of Microsoft Identity Web.
You could click here for a code sample of a web API protected by Azure AD v2.0.
If you are using Azure AD v1.0, you should use the https://login.microsoftonline.com/[tenant_id]/oauth2 endpoint and use resource rather than scope when acquiring the access token.
Microsoft identity platform (v2.0) overview
Azure Active Directory for developers (v1.0) overview
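Before changing configuration it helps to look at what the token actually says. This added diagnostic (not from any of the posts above) decodes the payload of the token Postman obtained, without verifying the signature, and reports the `ver`, `iss`, `tid`, `aud`, `scp` and `roles` claims. A v1.0 token carries `ver` "1.0" and an issuer of the form `https://sts.windows.net/{tenant}/`; a v2.0 token carries `ver` "2.0" and `https://login.microsoftonline.com/{tenant}/v2.0`, which is also the issuer form the Function App question further up should see for an organisational tenant. A web API whose `Authority` and audience were configured for the other version rejects the token with a 401, which is what the Postman screenshots describe. The sample token embedded in `Main` is constructed and unsigned so the program runs offline; pass a real token as the first argument to inspect it instead. Never use this in place of the real validation that `JwtBearer` performs.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

// Added diagnostic: read an Azure AD token payload (no validation) and say which endpoint version
// issued it, so the API's Authority and audience can be matched to it.
public static class TokenInspector
{
    private static byte[] Base64UrlDecode(string segment)
    {
        string s = segment.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');   // restore stripped padding
        return Convert.FromBase64String(s);
    }

    // Payload claims as strings; array claims such as roles are space-joined.
    public static Dictionary<string, string> Claims(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("expected a compact JWS: header.payload.signature");

        using JsonDocument doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        var claims = new Dictionary<string, string>();
        foreach (JsonProperty p in doc.RootElement.EnumerateObject())
        {
            claims[p.Name] = p.Value.ValueKind == JsonValueKind.Array
                ? string.Join(" ", p.Value.EnumerateArray())
                : p.Value.ToString();
        }
        return claims;
    }

    // v1.0: ver="1.0", iss=https://sts.windows.net/{tid}/
    // v2.0: ver="2.0", iss=https://login.microsoftonline.com/{tid}/v2.0
    public static string Diagnose(IReadOnlyDictionary<string, string> claims)
    {
        string Get(string name) => claims.TryGetValue(name, out string v) ? v : "(absent)";
        string ver = Get("ver"), tid = Get("tid"), iss = Get("iss"), aud = Get("aud");
        string scp = Get("scp"), roles = Get("roles");
        string authority = ver == "2.0"
            ? $"https://login.microsoftonline.com/{tid}/v2.0"
            : $"https://login.microsoftonline.com/{tid}";
        return $"ver={ver} iss={iss} tid={tid} aud={aud} scp={scp} roles={roles}"
             + Environment.NewLine
             + $"-> configure the API with Authority={authority} and accept audience {aud}";
    }

    // Constructed sample: header.payload with an empty signature. Real tokens are signed by AAD;
    // this exists only so the example runs without a tenant.
    private static string ConstructedToken(string payloadJson)
    {
        static string Enc(string s) => Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        string header = Enc("{\"alg\":\"none\",\"typ\":\"JWT\"}");
        return header + "." + Enc(payloadJson) + ".";
    }

    public static void Main(string[] args)
    {
        string payload =
            "{\"ver\":\"2.0\"," +
            "\"iss\":\"https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0\"," +
            "\"tid\":\"00000000-0000-0000-0000-000000000000\"," +
            "\"aud\":\"11111111-1111-1111-1111-111111111111\"," +
            "\"scp\":\"access_as_user\"}";
        string jwt = args.Length > 0 ? args[0] : ConstructedToken(payload);
        Console.WriteLine(Diagnose(Claims(jwt)));
    }
}
```

If the output shows `ver=2.0` but the API's `Authority` has no `/v2.0` suffix, or `aud` is a client id while the API expects an App ID URI (or the reverse), that mismatch is the cause of the denied request; fix the API configuration or the Postman token URLs so both sides agree on one endpoint version.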