I am new to Microsoft Graph Framework. I recently developed a web application with Graph API's integration.
The first time browsing to the page on my app, it redirects the user to Microsoft app login page and prompt for credentials. Once authentication successful then I use the authentication token to get the user's emails and do post processing on those emails.
However, I need to write tests to see if the token is being persisted properly and for the subsequent processing on emails. All my tests are automated tests that are run on jenkins which is not set up to run with a browser. And without having the authentication token, I am unable to test the downstream process. Is there a way to get the token through an API without requiring a browser/user intervention?
For automated tests running in Jenkins, you probably want to use an auth flow that doesn't require the user to login. Please see the documentation page on Getting auth tokens without a user for detailed information.
In summary, you can register an app on the App Registration site and add application permissions like User.Read.All. Since the goal is to get tokens that work without a user login, you'll need to grant your app access to run as a service by getting administrator consent. After that one time setup, you can then easily request tokens by POSTing to the token endpoint with your app info and secret.
Perhaps you could use the username/password authentication flow, where your test doesn't go through the normal interactive experience.
You need to create a UserCredential and use that to acquire a token.
UserCredential uc = new UserCredential(user, password);
public Task<AuthenticationResult> AcquireTokenAsync(
string resource, string clientId, UserCredential userCredential);
Related
My I am trying to deploy azure AD to my application because I want to expose some of my APIs to users but I need to make sure only people that are authorized can use the resource.
I have never worked with azure AD before and I am a little lost in all the documentation.
What I need is to be able to recover a token on behalf of the user in order to authenticate them. The application does not have any webpages and I do not want to introduce any. I want to be able to grab the token, authenticate the user, and then release the resource. I expect that the endpoint will be accessed through python, java or postman.
Example of basic flow:
call security function/api in app
validate user cred (or any other type of validation)
return token if authenticated
validate token and return response
5.authentication allows user to call apis
I have just explored the authorization code pattern that azure AD offers but this requires an interactive step from what I was able to test so its no good.
I would like to be able to do something like the example flow
In case my question hasn't clued you in I am very new to this so any help is appreciated
Thanks in advance
I agree with #Gopal you can make use of client credentials flow that does not require user interaction to call an API.
You just need to enter Azure AD client application’s ID, Secret, scope to generate the access token and use that access token to call the API via Postman or in your code.
I created one Asp.net core API in VS studio and used Azure Ad authentication to call the API.
I tried accessing this API via Postman App with different flows that you can try :-
Client Credentials flow:-
GET https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
grant_type:client_credentials
client_id:<appID>
client_secret:<secret>
scope: https://management.azure.com/.default
Results :-
API can be accessed by the Access token generated by the client app with its secret and scope.
Alternatively, you can make use of Implicit flow which will ask for user credentials via browser.
Implicit flow :-
Here, Your log in page pops up while asking for access token and you need to enter user credentials to get access token and fetch API.
Get the token and hit the token to fetch the API like below :-
Browser Pop up:-
Access Token:-
Now, copy our API URL from browser and try to access the API :-
Results :-
You can find the code samples below :-
https://learn.microsoft.com/en-us/azure/active-directory/develop/sample-v2-code#web-api
I have a SaaS application using Vue.JS as frontend and Django Rest Framework as backend. I use JWT tokens for authorizing between frontend and backend.
Now I want to add support for our customers to be able to sign in with their Microsoft accounts. So if the signed in user matches a user in our database, it is logged in to our application.
I've set up Azure B2C and can successfully log in and acquire a token in the Vue.JS application using msal library.
Then I send the token to backend server for verification. I use azure_ad_verify_token to verify the token, but I get an InvalidAuthorizationToken exception.
It seems to be working when the user is added to my organization's AD directory. But I would like to verify the token for any Microsoft user, then match it to users in our database. It would be too much work to manually add our customer's users to our AD directory. If it would be possible to add another organization/domain I guess that would be ok.
There's a lot of documentation regarding this but I always end up in examples for separate applications. Just to clearify flow I try to achieve.
The user clicks on login with microsoft
The user is redirected to Microsofts login page, approves my application for their organization
On requests sent to our backend, the token should be verified against Azure Active Directory using authorization class.
If the user's email exists in our database, the request is successful
I am wondering if there is anyway to check if the entered username and password is correct despite of enforcing multi factor authentication in Azure Active Directory?
I have set up an app with application permission(with admin consent) as well as delegated permission and is able to test both approach using ConfidentialClient and PublicClient using MSAL library.
I am not able to run my web form app in IIS with the PublicClient approach which is interactive and displays you a popup for the Microsoft login. So, the only approach I see here is to use app-only authentication.(https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth )
I can use the confidential client(app only) since I have all the required admin consents granted to get the OAuth token and then impersonate the user to access to EWS managed api.
But the requirement is the user should enter their outlook password in the webform app before loading their emails(from EWS Managed API which needs OAuth token).
At this point I am not sure what to do next. Please help. Also let me know if you need more information.
For more reference why I am no able to use delegated authentication: Why app is throwing error in test environment but working fine in local machine using ASP.NET Web Forms and MSAL?
Per my understanding, you want to check the username and password by Azure AD first and using the confidential client to call APIs on behalf of the user.
This way is something hacking, but I think it works for this scenario. Just try the request below:
POST https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token
Request Body:
client_id=<confidential client app id>
&Client_secret=<confidential client app sec>
&grant_type=password
&scope=https://graph.microsoft.com/user.read
&username=<username>
&password=<password>
If the user typed the wrong user name and password, the response would be:
If username and password are all right, the response report the MFA related info:
I'm using keycloak to let my users authenticate with my application. And i am trying to migrate some functionality to a few plugins, e.g. a wordpress plugin. For these plugins i want to use a generic solution so I found the following authentication process from Microsoft (https://learn.microsoft.com/en-us/office/dev/add-ins/develop/auth-external-add-ins#middleman-services) and Adobe ( https://adobexdplatform.com/plugin-docs/tutorials/how-to-integrate-with-OAuth/).
I managed to hack my way around the process to get this working with keycloak. But at this moment I'm a bit concerned about the security risk that go with this process.
The process in steps
the (plugin) client asks to backend server to generate a code to identify the user.
the (plugin) client start polling the backend for an authentication code (no response yet, since the user is not logged in yet).
the plugin opens a browser window or tab with the keycloak loginpage. Everything is the same as the normal process, but this time we add an redirect uri with the code generated in step one, which identifies the user.
once the user is logged in the user gets redirected in the browser to an endpoint where the code from step one is linked to the access token retrieved in this step.
the polling from step 2 now returns the access token to the (plugin) client.
The reason I need to poll for the access token is because I want to make a generic login process for all client.
In short, I want to know what the security risks are, given the steps above. Also I can not seem to find any information of keycloak that they want to implement such feature. Does anyone know if they want to implement this, since many other plugins do offer tis feature to authenticate outside the plugin with a popup window and retrieving the accesstoken by "polling" the server.
Thanks for the help.
I have a system that is using Firebase authentication with Google provider. I have an issue with automating integration tests for API. Tests are represented by a bunch of HTTP requests (Postman collections). I need to do some steps before tests to get a token from Firebase.
Only solution I can see is to add refresh token to the tests and call Refresh token endpoint to get a new token. Not sure how long will the refresh token live. Doesn't look like a good solution. E2E frameworks like Selenium are not an option.
What I want to achieve in the ideal scenario:
The input for the test is username/password for Google account and maybe settings pointing to the correct Firebase project. I need to perform some
magic HTTP requests (without user interaction) to get Firebase token back.
Does anyone knows if that is feasible? If not - how this flows can be automated without Selenium?