Is it possible to use the AUTH access token we got back from MSAL on a mobile app to open an office365 page in the browser, like mail or calendar, etc. without having to re-auth the user?
I can send the token in the header, but can't find any requirements specs out there.
This is not possible today: the token you get from AAD is for your app - not for Office. In addition, users may be logged on the browser for example with a user that is different than the user signed-in to your application.
We are using Azure B2C for login/authentication of our users. This works fine on our website (social and email login etc).
Our mobile app is built in Xamarin forms and we are trying to build a native login experience (using native app controls vs. a web view within the app that B2C presents) that integrates natively with the device biometrics for login (FaceId, TouchId, fingerprint login).
As you can imagine, doing this in the webview that Azure B2C requires doesn't allow a native login experience.
The overall goal here is 2 fold:
Build a native login experience
Integrate with biometrics.
Question:
Does Azure B2C have an API that enables this, especially so we can use authorization code flow without a UI. ROPC exists but does it integrate with social accounts too?
If not, is there a way to integrate biometric login with Azure B2C on mobile when the login screen is presented in a webview? So that when the B2C login page in the webview is presented, a user can login with touch/faceId and save that information to their keychain (on iOS, and the equivalent on Android).
You need to use Webviews, and you can enable Biometric integration with webview type experience.
You cannot integrate any service with Social Accounts and ROPC. Any integration with Social IdPs will need a webview.
Yes, enable Keep Me Signed In for long lived sessions. Wrap the biometric code around the acquireTokenSilent() methods.
Then you have two options:
You can hide the KMSI button, and use JavaScript to force select the KMSI checkbox in the login page using page customisation.
You can rename the KMSI label on the login page to ask the user if they want to enrol in biometrics. Then after the login, your app will receive a claim in the token whether the user opted in; use a claim resolver to achieve that.
Now you have a user logged into the App, with:
1 hour access token
Potentially up to infinity long refresh token
Multi day/year Azure AD B2C session cookie
Then, when the user re-attempts to open the app, or perform some action in the app, you will need to call acquireTokenSilent(). This MSAL method obtains a fresh access token for the required API resource/scope.
If the token is expired, or requires a different scope, then a new token is fetched.
You can wrap any action in your application with the biometric SDK.
if (performingSomeAction && requiresBiometric)
{
    if (await ChallengeBiometricAsync())          // platform biometric prompt
    {
        var result = await pca.AcquireTokenSilent(scopes, account).ExecuteAsync();
        // do someAction with result.AccessToken
    }
}
Now if the refresh token has expired, then the web view will pop up, the long lived session cookie will be used to get new tokens. The acquireTokenSilent() method handles all of that already.
There is an app that wants to authenticate with my users using OAuth2.
So they open a window, with the authorize URL, and parameters (such as redirect uri).
Like: https://my-website.com/api/authLauncherauthorize?redirect=SOME_URI
Now I have my own firebase-login, and when the user logs in, I get their access token from firebase. Which is what I want to respond with.
However, in OAuth2 guides/explanations like https://aaronparecki.com/oauth-2-simplified/ I see I am supposed to return an authorization code, and I don't understand where I can get that from?
What I can do, is generate a bullshit code, pair it in the DB to the access token, and then in the "token" request, send the correct access token. Is that what I am supposed to do?
Just to be clear, this is my first time writing an OAuth2 service myself.
OAuth is a system that provides authenticated access to resources. This resource can be for example a user page or editing rights to that user page. So your goal is to provide access to permissions to the right people.
When someone logs in, they get a token. Your part is to generate that token however you want, may it be some form of userdata into base64 or completely random. Take this token and link it against permissions, like viewing a page, editing it or even simpler things like viewing the email of a user.
OAuth2 tokens and/or permissions should be revocable without deleting a user. You should not use OAuth2 to identify someone.
If I am understanding your question correctly:
User visits some website
User wants to register or login using your website's OAuth2
You redirect back to the original page and send your generated token
The page can access content on your site with this token
Assuming you are the Host Site, given a User who wants to connect a 3rd party application, then the flow would be like this:
User lands on site - Clicks Login with Github
User is redirected to Github site where they login and click "Authorize"
Github redirects user back to your site /authorize with an auth token.
Your site then passes that token back to the 3rd party API (github in this case) in exchange for an access token and refresh token.
You can then pass that Authorization token to an API endpoint to get details about it. If the token expires, you can use the refresh token to get a new Auth token. Both Tokens should be stored in your database for your user.
However writing that all out I realize you are asking how do you generate the Authorization token, so I'm guessing you're actually the 3rd party API in this example. So you would want to generate an Authorization token using a random generator. Since you are using firebase, you'll probably wanna try out their token generator: https://github.com/firebase/firebase-token-generator-node
There's also some more up-to-date info here I believe: https://firebase.google.com/docs/auth/admin/#create_a_custom_token
And like you said, you would store that in a database associated with the user, and then when the Host Site sends that user's auth token to your server, you exchange it for the Authorization token (and refresh token if requested).
It's also worth reading through how google does it, because you'd be doing something similar: https://developers.google.com/identity/protocols/OAuth2UserAgent#validatetoken
JWT is another option of generating tokens: https://jwt.io/
I'm using Custom Token Authentication for my firebase app.
I will need to fetch the token from my server wherein the user needs to login first. I'm thinking of utilizing a popup.
But how do I pass the token retrieved by the popup to the opener (parent window)?
Firebase authentication uses pop-ups or redirects for OAuth authentication because a user's browser needs to be sent to the third-party OAuth provider (Google, Facebook, Twitter, etc.) in order to authenticate.
If you have your own authentication system, the simplest and easiest thing to do would be to use form input on a page, communicate with the server via XHR, and then update your UI to reflect that the user is now authenticated.
That said, if you're set on using a new browser window / pop-up for authentication, check out Mozilla's open-source library github.com/mozilla/winchan which makes communicating between host pages and pop-ups fairly easy.
You may create a popup window for custom Firebase authentication as described in this example for Spotify OAuth: https://github.com/firebase/functions-samples/blob/master/spotify-auth/public/popup.html
Also you may use in the main application window firebase.auth().onAuthStateChanged() to listen to the Firebase user change event like in the example: https://github.com/firebase/functions-samples/blob/86f9e135af344b2e9268c055a9a1bcb00a7e7c0d/spotify-auth/public/main.js#L36
How does it work? Excerpt from the readme:
The ./popup.html receives the Custom Auth Token and other data back from the AJAX request to the token Function and uses it to update the user's profile, saves the access token to the database, authenticates the user in Firebase and then closes the popup. At this point the main page will detect the sign-in through the Firebase Auth State observer and display the signed-in user information.
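If you do want the popup to hand the custom token to the opener directly (instead of signing in inside the popup and relying on the auth-state observer), the browser's postMessage API does it, provided both sides pin the origin. This is an added example, not code from the answer above or from the Firebase samples; APP_ORIGIN, the message type and the listenForToken wiring are assumptions.

```javascript
// Added example (not from the original answer). Passing a Firebase custom token
// from a login popup to the opener with window.postMessage, with the origin
// checked on both sides so no other page can send or read the token.
const APP_ORIGIN = 'https://app.example.com'; // assumed origin of the opener page

// Popup side: run after the popup's XHR to your server returns the custom token.
// targetOrigin is explicit; '*' would let any page that ended up as the opener
// read the token.
function sendTokenToOpener(token, opener, targetOrigin = APP_ORIGIN) {
  if (!opener) return false;
  opener.postMessage({ type: 'firebase-custom-token', token }, targetOrigin);
  return true;
}

// Opener side: accept only messages from the expected origin and only the
// expected shape. Returns the token or null. Pure, so it can be unit-tested.
function extractToken(event, expectedOrigin = APP_ORIGIN) {
  if (!event || event.origin !== expectedOrigin) return null;
  const data = event.data;
  if (!data || data.type !== 'firebase-custom-token') return null;
  if (typeof data.token !== 'string' || data.token.length === 0) return null;
  return data.token;
}

// Opener wiring: on the first valid message, sign in with the custom token
// (firebase.auth().signInWithCustomToken in the v8 SDK), stop listening and
// close the popup. `win` is the opener window; injected here for testing.
function listenForToken(win, signInWithCustomToken, popup) {
  const handler = (event) => {
    const token = extractToken(event);
    if (token === null) return;                   // ignore unrelated or foreign messages
    win.removeEventListener('message', handler);  // one-shot
    signInWithCustomToken(token);
    if (popup && !popup.closed) popup.close();
  };
  win.addEventListener('message', handler);
}
```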
I need to refresh the user's LinkedIn access token without them having to go through the initial authorization process all over again. I have also looked at this documentation http://developer.linkedin.com/documents/exchange-jsapi-tokens-rest-api-oauth-tokens, but it doesn't work because my users authorize the app through regular OAuth and the article uses the JS OAuth. (Not sure if there is a difference between the two processes, and if there is a difference between access tokens received from each process.) Even though I'm already logged in in another tab on the same browser, it always prompts me to login to LinkedIn.
If I try IN.User.isAuthorized() it returns false though I'm logged in into LinkedIn and I can't seem to be able to refresh the token.
If I pass the user's LinkedIn access token from my server to the JS and the user's LinkedIn id, IN.User.isAuthorized() always returns true even when I'm not logged in.
So what I'm trying to ask is, is there a way to refresh the user's LinkedIn OAuth token through JS when the user is logged in to LinkedIn on the same browser, like we are able to do for Facebook? And what is it?
You cannot refresh the token without the member being at your application.
If you want to refresh the token, the member needs to be there and you need to direct them through the authorization page. If they're signed in to LinkedIn, this will be a seamless refresh and we'll redirect page to your application.
I have an ASP.NET MVC application which uses Google+ sign-in to authenticate the user. The flow is as follows;
User accesses controller action decorated with [Authorize] attribute, forms authentication is configured so the user is forwarded to the log in page.
User clicks the Sign In with Google+ button and the server side flow is initiated as per guide
Server receives the Google tokens which are used to authenticate the user, logging them in and returning the standard asp.net auth cookie in the response. The user can then access the site with the cookie.
Now, if I go through the usual asp.net forms log out process of clearing the user's cookie/session there's a problem. If they attempt to access the application after they've logged out but are still signed into a Google product in another tab, they'll be re-directed to my login page. The Google+ sign-in button will automatically sign them back in again initiating the whole sign in process and getting a brand new asp.net cookie!! The only way to truly sign out is to ensure you are not signed into any Google products still and then attempt to sign out. Not exactly user friendly. I guess the same thing happens with all Google products, if I'm signed into Gmail and open Docs, I'll get signed in automagically. The difference being if you sign out of one, you'll sign out of all Google products. I think.
There is currently not a supported means of logging the user out from your site. What you can do is force the user to click the Google+ Sign-In Button before they will be authorized unless you have set a cookie on their client indicating they are signed in (or enrolled, if you want to distinguish between the sign-in action and being signed-in). You can look at this question:
how do i sign user out of my app?
or this question:
Preventing automatic sign-in when using Google+ Sign-In
for discussions on this topic on stack overflow and answers to similar questions.