Develop Reference

ASP.NET MVC using ADAL library for ADFS 2016 - How to request access tokens for different APIs (audiences)

The following code below is used to authenticate users in ADFS 2016 and to request an Access Token for the resource defined in cp.APIBaseURL:
public partial class Startup
{
public void ConfigureAuth(IAppBuilder app)
{
var cp = UnityConfig.Container.Resolve<IConfigurationProvider>();
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = cp.ClientId,
MetadataAddress = cp.MetadataAddress,
RedirectUri = cp.RedirectUri,
PostLogoutRedirectUri = cp.PostLogoutRedirectUri,
ResponseType = "code id_token",
Scope = "openid",
Notifications = new OpenIdConnectAuthenticationNotifications()
{
AuthorizationCodeReceived = OnAuthorizationCodeReceived
}
});
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
{
var cp = UnityConfig.Container.Resolve<IConfigurationProvider>();
AuthenticationContext ac = new AuthenticationContext(
configurationProvider.Authority, false,
new InMemoryTokenCache(context.AuthenticationTicket.Identity.Name));
AuthenticationResult ar = await ac.AcquireTokenByAuthorizationCodeAsync(
context.Code, new Uri(cp.RedirectUri),
new ClientCredential(cp.ClientId, cp.ClientSecretKey),
cp.APIBaseURL);
}
I would like to know how to change the code to request a 2nd Access Token for a different API (having a different audience)?
Can I also specify different scopes for the 2nd Access Token I need?

You can use result = await ac.AcquireTokenSilentAsync(resource, clientId); to request the access token for different resouces. Refer here for more details.
Can I also specify different scopes for the 2nd Access Token I need?
No,for v1(adal) Azure AD apps, scopes must be statically configured in the Azure Portal under the API permissions, configured permissions.

Asp.net Core Identity - Azure Authentication Middleware

Is there a package for authenticating with Azure AD, for Asp.net Core?
For example, the following Authentication packages exist, when querying Nuget:
Microsoft.AspNetCore.Authentication.Facebook
Microsoft.AspNetCore.Authentication.Twitter
Microsoft.AspNetCore.Authentication.Google
Microsoft.AspNetCore.Authentication.MicrosoftAccount
I tried to use the MicrosoftAccount package, but after wiring it up successfully, I got the following error from the Microsoft page:
Application '{my-app-id}' {my-app-name} is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint.
There's examples that don't use a middleware package, but the middleware package offers ease of use, and more directly integrates with the Identity framework.
Are there any direct packages that use Azure AD, or anyway to specify that the MicrosoftAccount package should point to the organizations/azure/tenant url?

This is what worked for me:
authBuilder
.AddMicrosoftAccount(Auth.Constants.AuthenticationScheme, options =>
{
options.ClientId = clientId;
options.ClientId = clientSecret;
if (tenantId != null)
{
var resource = "https://graph.microsoft.com";
options.AuthorizationEndpoint = $"https://login.microsoftonline.com/{tenantId}/oauth2/authorize?resource={resource}";
options.TokenEndpoint = $"https://login.microsoftonline.com/{tenantId}/oauth2/token?resource={resource}";
}
});
tenantId - look at the "Endpoints" section from the "App registrations" blade. You can extract it from the URLs, or use those URLs directly instead of what I've done above.
clientId - this is your "Application ID" in your registered app.
clientSecret - this is a password you create and register under the "Keys" section of your registered app.
You can then get back more information by using the access token with https://graph.microsoft.com, such as adding options like the following:
options.ClaimActions.DeleteClaim(ClaimTypes.Name);
options.ClaimActions.MapJsonKey(ClaimTypes.Name, "displayName");
options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "userPrincipalName");
options.Events = new OAuthEvents
{
OnCreatingTicket = async context =>
{
// Get the GitHub user
var request = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/me/");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", context.AccessToken);
request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
var response = await context.Backchannel.SendAsync(request, context.HttpContext.RequestAborted);
response.EnsureSuccessStatusCode();
var contents = await response.Content.ReadAsStringAsync();
var user = JObject.Parse(contents);
context.RunClaimActions(user);
}
};

AADSTS70001: Application '574c1791-d632-4180-91e4-38094a8a3a77' is not supported for this API version

I am trying to use office365 api in my single page .net application not an mvc. I got the source code for mvc .net project C# in the website itself.
public async Task<ActionResult> SignIn()
{
string authority = "https://login.microsoftonline.com/common";
string clientId = System.Configuration.ConfigurationManager.AppSettings["ida:ClientID"];
AuthenticationContext authContext = new AuthenticationContext(authority);
// The url in our app that Azure should redirect to after successful signin
Uri redirectUri = new Uri(Url.Action("Authorize", "Home", null, Request.Url.Scheme));
// Generate the parameterized URL for Azure signin
Uri authUri = await authContext.GetAuthorizationRequestUrlAsync(scopes, null, clientId, redirectUri, UserIdentifier.AnyUser, null);
// Redirect the browser to the Azure signin page
return Redirect(authUri.ToString());
}
// Note the function signature is changed!
public async Task<ActionResult> Authorize()
{
// Get the 'code' parameter from the Azure redirect
string authCode = Request.Params["code"];
string authority = "https://login.microsoftonline.com/common";
string clientId = System.Configuration.ConfigurationManager.AppSettings["ida:ClientID"]; ;
string clientSecret = System.Configuration.ConfigurationManager.AppSettings["ida:ClientSecret"]; ;
AuthenticationContext authContext = new AuthenticationContext(authority);
// The same url we specified in the auth code request
Uri redirectUri = new Uri(Url.Action("Authorize", "Home", null, Request.Url.Scheme));
// Use client ID and secret to establish app identity
ClientCredential credential = new ClientCredential(clientId, clientSecret);
try
{
// Get the token
var authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(
authCode, redirectUri, credential, scopes);
// Save the token in the session
Session["access_token"] = authResult.Token;
// Try to get user info
Session["user_email"] = GetUserEmail(authContext, clientId);
return Redirect(Url.Action("Inbox", "Home", null, Request.Url.Scheme));
}
catch (AdalException ex)
{
return Content(string.Format("ERROR retrieving token: {0}", ex.Message));
}
}
I converted the code to vb.net and i am receiving bad request error stating that my application is not supported for this api version when executed. The code is in WebForm1.aspx and the redirect uri link is to webform2.aspx
Private Sub SignIn()
Dim authority As String = "https://login.microsoftonline.com/common"
Dim clientId As String = System.Configuration.ConfigurationManager.AppSettings("ida:ClientID")
Dim authContext As New AuthenticationContext(authority)
Dim redirectUri As New Uri("http://localhost:26683/WebForm2.aspx")
Dim authUri As Uri = authContext.GetAuthorizationRequestURL("https://outlook.office.com/mail.read", clientId, redirectUri, UserIdentifier.AnyUser, Nothing)
Response.Redirect(authUri.ToString())
End Sub
How ever i have registered the application.In fact when i used the same client id and client secret for the mvc application it is executed without any error but when i use it in my single web application it throws this error.
Please help.What am i doing wrong

Azure MobileServiceClient fails to authenticate user in ASP.NET

I'm having troubles with OAuth .NET backend authentication for Azure mobile-services in ASP.NET 5.0. I'm trying to implement external login with Facebook,Twitter,Google and Microsoft.
I'm successfully getting access_token from all external sources and then trying to log in into MobileServiceClient.
here is my code
var app = System.Web.HttpContext.Current.Items["AzureClient"] as MobileServiceClient;
app.Logout();
var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
var accesToken = loginInfo.ExternalIdentity.Claims.FirstOrDefault(c => c.Type == "access_token");
MobileServiceUser user = null;
if (providerName == "Microsoft")
{
user = await app.LoginWithMicrosoftAccountAsync(accessToken);
}
else
{
var token = new JObject();
token.Add("access_token", accessToken);
user = await app.LoginAsync(loginInfo.Login.LoginProvider, token);
}
And I'm getting authenticated but only with facebook token. Microsoft and Google throw 401 unauthorized exception. Twitter throws "Method not allowed". What am I dowing wrong?
I've double-checked that app secret and app keys are populated for all providers in azure management portal.
Please, help

I'm not sure if tokens from social network can be forwarded to MobileServiceClient or not but it works with facebook and doesn't work with all the others. I'm really puzzled about this behaviour;
I finally ended up with creating an ActiveDirectory application and using ADAL AcquireToken method to obtain AD token for my MobileServicesClient. As it is described here
Azure Website Single Sign On accessing Azure Mobile Service from Azure Active Directory as User
here is my Method obtaining token from AD
private string GetAdToken()
{
string clientID = "<clientId>";
string authority = "<AuthorityUrl>";
string resourceURI = "<WebApiUrl>";
var appKey = "<applicationKey>";
var ac = new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext(authority);
var clientCredential = new ClientCredential(clientID, appKey);
var ar = ac.AcquireToken(resourceURI, clientCredential);
Session["token"] = ar.AccessToken;
return ar.AccessToken;
}
and here is my method which is run before quering Azure datatables through MobileServiceClient.
private async Task<MobileServiceUser> EnsureLogin()
{
var app = System.Web.HttpContext.Current.Items["AzureClient"] as MobileServiceClient;
app.Logout();
JObject token = new JObject();
token["access_token"] = Session["token"].ToString();
return await app.LoginAsync(MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory, token);
}
So now it doesn't metter what provider I use to log in to my web application. MobileServiceClient always works with ad token.
I'm not sure if it is an acceptable practice but it works and maybe this will help somebody like me struggling against azure authentication

Testing a Web App Protected by Passive Federated Auth

My team has an ASP.NET MVC-based website and WebAPI that is protected by passive federated authentication. It all works properly. The problem we're having is that we need to test the website and the web API after an automated deployment. How can we authenticate and get the FEDAUTH cookie to the website from automated test code, assuming that the test code is run by a user authorized to access the website?

You can have your Web API support active authentication. It requires some work to change the configuration and authentication handler, but it will make your web API easily accessible from a program client as well. If you just want to get a FEDAUTH cookie in your automated test code, the following code sample can work. It mimics a browser to post the user token to the website and get a cookie back.
// The code needs the STS server and the website url
var stsUrl = "https://your_STS";
var serviceUrl = "https://your_Service";
// Use Windows Credential to get the token
var binding = new WSHttpBinding(SecurityMode.Transport);
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
var factory = new WSTrustChannelFactory(binding, stsUrl) { TrustVersion = TrustVersion.WSTrust13 };
// Override current login user credential if needed:
// factory.Credentials.Windows.ClientCredential = userCredential;
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
KeyType = KeyTypes.Bearer,
AppliesTo = new EndpointReference(serviceUrl)
};
RequestSecurityTokenResponse rstr;
var token = factory.CreateChannel().Issue(rst, out rstr);
var fedSerializer = new System.IdentityModel.Services.WSFederationSerializer();
var rstrContent = fedSerializer.GetResponseAsString(rstr, new WSTrustSerializationContext());
// After this the security token is acquired and saved in rstrContent
var client = new HttpClient();
// Initiate a request to the service, which will be redirected to STS. Read WS fed fields from redirected URL.
var response = client.GetAsync(serviceUrl).Result;
response.EnsureSuccessStatusCode();
var redirectQuery = response.RequestMessage.RequestUri.Query;
var queryParams = System.Web.HttpUtility.ParseQueryString(redirectQuery);
// construct a authentication form
var formData = new Dictionary<string, string>
{
{"wa", queryParams["wa"]},
{"wresult", rstrContent},
{"wctx", queryParams["wctx"] },
};
// post the authentication form to the website.
response = client.PostAsync(serviceUrl, new FormUrlEncodedContent(formData)).Result;
response.EnsureSuccessStatusCode();
// After this, the auth cookie is set in this HttpClient that you can use to access your service