I am trying to access this Service to Service
Service-to-service authentication with client secret and certificate (trying with both) but no one working for me.
I am trying to create directory on Data lake store but that given code is not working.
It's not even giving any error so i can identify it.
I have followed all the steps mentioned in this page but not able to create directory on data lake store.
I have also tried File upload code but that is also not working.
End user Authentication is working fine.
So please suggest how can i achieve it.
Thanks!
Rajni
Related
I have a Data Factory pipeline that calls a Logic App. The URL provided by the logic app designer includes a signature in the URL. In the Data Factory pipeline I have a Web activity that uses POST method to call the Logic App. This works, the app is called.
I would either prefer to separate this signature from the URL and store it in Azure Key Vault, or use authentication. Authentication options in Data Factory include; Basic, Managed Identity or Client Certificate. I tried to follow this article to enable authentication via Azure Active Directory OAuth but do not currently see how this would work with Azure Data Factory.
I know it is possible to enable API Management Gateway to enable more sophisticated authentication to APIs including Logic Apps but am not currently convinced that I should need to do this.
The other thing I noticed in the Logic App interface is that you cannot issue authorizations to execute. This differs from other Azure services like Data Lake for example where you can issue 'use-like' authorization to read a container. There is only the Authorization pane that can be used to define claims. I had a little go but I am missing key information.
Ultimately I would not want the signature exposed to developers including myself.
I believe you could pair the Managed Identity of the Web Activity with the Azure AD OAuth feature for Logic Apps.
The required claims need to be setup on the Authorization blade for validation of the tokens.
I personally like storing the PostURL in the Azure KeyVault then doing an Azure KeyVault GET API Call in ADF, then passing the output securely in ADF to the request to trigger the logic app. It's two activities which is like nothing and it's a secure method that can just use managed identity authentication that's Native in ADF.
Here is example of how you get a value from AKV:
Getting value from AKV
Here is the URL for Azure KeyVault example secret:
https://kv-ccok-ops-#{pipeline().globalParameters.Environment}.vault.azure.net//secrets/FILESERVER-UserName?api-version=7.1
Using value from AKV
This example should be super easy to follow.
I have checked many sample examples even by Microsoft on Azure ADB2C Authentication. All examples showing how to implement Azure ADB2C in Asp.Net Core Web App and Web Api together.
In Azure Portal, while registering Web App/Api, there is an option to generate App Key. My question is:
Do we really need to generate App Key and use it in Asp.Net Web App? I tried many samples and everything is fine but when I set invalid key in AzureAdB2COptions, its still working with no problem and not throwing any error. I removed the key from Azure Portal and its still working. Can anyone explain why?
The sample I used is here
Is this App Key for Web Api authentication?
As juunas mentioned, client secret is needed if your application exchanges a code for a token. It is used to prove Azure AD app's identity when requesting a token.
And implicit flow will not use a client secret to get the token.
Besides, if you use native/public client app, it would not be able to protect a secret. So generally we don't need client secret in native app.
I have tested the sample you shared. When I modify the ClientSecret in appsettings.json file and run this project, it will give an error requires me to correct the secret. You could have a quick test in an incognito window.
We're currently working on a project that's in Azure and I wanted to make use of the extension methods available to persist the data protection keys to Azure Blob Storage.
One of the methods provided accepts a URI with a sas token to establish the connection to the storage account. However, I'm curious as to how the connection could be re-established again once the SAS token expires. I have reviewed the source code and didn't see how that's possible.
It would be helpful if someone could shed some light on this.
https://github.com/aspnet/AspNetCore/blob/416d8cd1ea098eb643b4258247af3448f5545c32/src/DataProtection/AzureStorage/src/AzureDataProtectionBuilderExtensions.cs
Instead of hardcoding it, you can get SAS token in startup (Also keep in mind that it will slow down your App startup). But this also mean that to pick up new key your app needs restart.
You can have it as a config parameter and with each deploy write PowerShell script to load new SAS token
Generate long term key and encrypt with Keyvalt combined with Managed Service Identity (MSI), . (PS. I am not security expert so I am not sure if its 100% safe). So even someone obtain your key it will be encrypted.
Not sure how to go about doing this; I'm not looking for B2C, I don't want my users to sign in. I just want my Xamarin app to be able to access an Azure AAD protected API. In other words, I want to authenticate the app itself with the Azure Active Directory, to access an Azure AAD protected API. From what I've found on the internets, service principal to service principal auth is discouraged when using mobile apps and I've not really found a way to do it service to service anyhow.
Any suggestions on how to properly do this? Links with tutorials would be great.
Thanks!
Azure does provide the ability to generate a client ID which you could have sent from your application and checked. Microsoft talk about this in this article. You will want to be careful with how you store this ID in your app as if someone were to steal this they would be able to access your API. Along with that you'd also want to make sure that your connection between your app and server is secured with a pinned SSL certificate so it cannot be man-in-the-middle'd.
Another interesting approach is software attestation where some service checks various aspects of your app to ensure that it is your app. Full disclosure, I work for a company which does this. See Approov. We take a fingerprint of your app and our SAAS checks that this matches at run time. We then issue a token which your app can use to prove that it is the real app.
I am trying the code sample from: https://github.com/OfficeDev/Microsoft-Graph-ASPNET-Webhooks and it is working fine on ngrok but I get this issue on azure when creating subscription.
Any suggestions to look into?
The error appears to be related to the app permissions. Check the application permissions for the proper level of access to the resource. For example, set the "Read user mail" permission if you want to subscribe to email notifications. Also ensure that the token being used for creating the subscription has access to the resource.
This is related to the permissions in the token and not a hosting difference between Azure or ngrok.