First I am new to the topic ADFS. The goal is a Single-Sign-On OAuth2 authentication for SPA Web application.
We have two on premises ADFS servers(called Server-A and Server-B) which is running on two different domain respectively(A, B).
Now users can be from any of the domain(A, B) and they can login into my application.
These two ADFS servers trust each other and the ADFS of Server-B has been added on ADFS of Server-A as Claim provider trust and ADFS of Server-A has been added on ADFS of Server-B as Relying party trust.
My application endpoint is ADFS of Server-A and my application hosted on IIS which is inside Server-A.
Now when any user of domain A trying to login in my application that time I am getting "access_token" and "Claims" both.
PROBLEM: When any user of domain B trying to login that time getting
below error message -
Error message while user of domain B trying to login.
Basically in this image step #7 getting failed.
I am using below javascript code for getting code and token
Below code to get the "Authorization code"
function getAuthorizationCode() {
var _url = _adfs_server + "/adfs/oauth2/authorize?response_type=code&client_id=" + _client_id + "&redirect_uri=" + _redirect_url + "&resource=" + _resource;
window.location.href = _url;
}
Above code snippet - I am getting the "Authorization code" from "Redirected URL" query string. And after that I am calling below code to get the access token
function getAccessToken(code) {
var redirect = decodeURIComponent(_redirect_url);
var _data = {
'grant_type': 'authorization_code',
'client_id': _client_id,
'redirect_uri': redirect,
'code': code
}
$.ajax({
type: "POST",
url: _adfs_server + "/adfs/oauth2/token",
crossDomain: true,
data: _data,
success: function (response) {
_token = 'Bearer ' + response.access_token;
callWebAPI();
}
});
}
So any configuration between two ADFS servers are missing or some other steps need to do?
What version of ADFS are you using?
You talk about OAuth but that's only available on Server 2012 R2 (ADFS v3.0). And even then, it has limited functionality.
The CP / RP trusts you mention above are for WS-fed. They are N/A for OAuth.
Also OAuth uses a JSON token not a SAML one.
Related
I have a multi-tenant Web API of tenant A. It has permissions exposed and accepted by a B2C Web API of tenant B. (The API App Services live in the same tenant, but their AD instances are separate due to the one being a B2C tenant).
I have the following code in my B2C Web API authenticating with tenant B to access the multi-tenant Web API of tenant A.
I'm using Microsoft.Identity.Web (v1.25.5) and .NET Core (6), and so I don't have to handle making unnecessary calls to get an access token, I'm using the IDownstreamWebApi helper classes (though I have tried without according to the documentation, but land up with the same error.)
My code:
appsettings.json
program.cs
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(options =>
{
builder.Configuration.Bind("AzureAdB2C", options);
},
options => {
builder.Configuration.Bind("AzureAdB2C", options);
})
.EnableTokenAcquisitionToCallDownstreamApi(options =>
{
builder.Configuration.Bind("AzureAdB2C", options);
})
.AddDownstreamWebApi("TenantAApi", options =>
{
builder.Configuration.Bind("TenantAApi", options);
})
.AddInMemoryTokenCaches();
Calling code:
var response = await _downstreamWebApi.CallWebApiForAppAsync(
"TenantAApi",
options =>
{
options.HttpMethod = httpMethod;
options.RelativePath = url;
}, content);
var responseContent = await response.Content.ReadAsStringAsync();
The error I receive:
MSAL.NetCore.4.48.0.0.MsalClientException:
ErrorCode: tenant_override_non_aad
Microsoft.Identity.Client.MsalClientException: WithTenantId can only be used when an AAD authority is specified at the application level.
at Microsoft.Identity.Client.AbstractAcquireTokenParameterBuilder`1.WithTenantId(String tenantId)
at Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForAppAsync(String scope, String authenticationScheme, String tenant, TokenAcquisitionOptions tokenAcquisitionOptions)
at Microsoft.Identity.Web.DownstreamWebApi.CallWebApiForAppAsync(String serviceName, String authenticationScheme, Action`1 downstreamWebApiOptionsOverride, StringContent content)
What doesn't make sense is that I'm calling this from a B2C Web API, from what I can see in the existing AbstractAcquireTokenParameterBuilder code (see line 292), B2C authorities are not AAD specific, and even so, adding an Authority or AadAuthorityAudience to my AzureAdB2C config object has no effect.
Am I missing a configuration property somewhere?
It seems that this isn't possible according to the following wiki post -
https://github.com/AzureAD/microsoft-identity-web/wiki/b2c-limitations#azure-ad-b2c-protected-web-apis-cannot-call-downstream-apis
For now I'm going to try a different approach and get an access token with a ConfidentialClientApplication object, and if that doesn't work, create a separate app registration in the other tenant and authenticate with that instead.
I've configured a .Net Core Web app to use OpenID Connect for authentication using the Authorization Code model as per my IdP sample instructions (https://www.onelogin.com/blog/how-to-use-openid-connect-authentication-with-dotnet-core):
services.AddAuthentication(options => {
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(o => {
o.ClientId = "[Client ID]";
o.ClientSecret = "[Client Secret]";
o.Authority = "[Authority]";
o.ResponseType = "code";
o.GetClaimsFromUserInfoEndpoint = true;
});
Then my controller is set up to require authentication:
[Authorize]
public IActionResult About()
{
ViewData["Message"] = "You must be authenticated to view the About page";
return View();
}
I also have configured ngrok to provide a temporary public URL which should be used in the authentication flow redirect back to my site using:
ngrok http 5000 -host-header="localhost:5000"
This command successfully sets up the proxy and once running, I can browse to the site via the proxy url (e.g. https://75c97570.ngrok.io).
The issue I'm running into is that when I attempt to browse to the 'About' page I'm redirected to the IdP site and prompted to log-in as expected, however, the 'redirect_uri' value passed via the query string is my 'localhost' address (https://localhost:5000/signin-oidc) not the ngrok proxy address (https://75c97570.ngrok.io/signin-oidc). This is causing an issue because my IdP requires a non-local url (hence the ngrok proxy), so the redirect_uri value being passed (localhost) doesn't match the one configured in my IdP account (ngrok) and I receive an error message that the 'redirect_uri did not match any client's registered redirect_uris'.
I'm assuming this is a .Net configuration issue. Is there a way to tell .Net to use the ngrok proxy address for the 'redirect_uri' value on redirect as opposed to the localhost address? I've tried using the 'CallbackPath' option on the OpenID Connect configuration options, however it appears that this only allows for a sub-path of the current url (e.g. http://localhost:5000/[something]) and can't be used to specify a completely different url. Is there another way to configure the redirection to use the proxy url?
Thanks!
Ok, after some digging I found one solution to this issue. I added the following code to the initialization of my OpenIdConnect service:
.AddOpenIdConnect(o => {
...(snip)...
o.Events.OnRedirectToIdentityProvider = (context) =>
{
context.ProtocolMessage.RedirectUri = "https://75c97570.ngrok.io/signin-oidc";
return Task.FromResult(0);
};
...(snip)...
}
This does the trick of changing the 'redirect_uri' value which is passed to my IdP on the redirect. Not sure if this is the best way to handle this, however it does work.
We have an MVC 5 application that we have added Web Api Controllers to in order to provide REST API functionality. We have successfully implemented OAuth authentication through the OWIN pipeline using a custom OAuth Provider class.
Now we want to implement authentication cookies as well to protect static resources on the server. I'm sure there's a million other ways to do this, but the request for the resource is a link directly to that resource so I can't use my OAuth token or any other mechanism which is why we want to use cookies...the browser sends them already, no need to change anything.
From everything I've read it is possible to do both Bearer Token authentication and Cookie authentication with the OWIN Pipeline. Basically Web API will use Bearer Tokens cause that's all the client will supply and requests for certain static resources on the server will use Cookies which are sent on all requests.
Our problem is that with the code below an auth cookie is never generated. Throughout the pipeline I never see a set-cookie header on the response, which is why I added the Kentor Cookie Saver to the pipeline...it's supposed to help.
WebApiConfig.cs
...
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
...
Startup.Auth.cs
...
app.UseOAuthBearerTokens(OAuthOptions);
// I was told this might help with my cookie problem...something to do with System.Web stripping Set-Cookie headers
app.UseKentorOwinCookieSaver();
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = Microsoft.Owin.Security.Cookies.CookieAuthenticationDefaults.AuthenticationType,
AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
ExpireTimeSpan = TimeSpan.FromHours(4)
});
...
Custom OAuth Provider
...
// Creates our claims and properties...keep in mind that token based authentication is working
CreatePropertiesAndClaims(acct, out properties, out claims);
if (IsAccountAuthorized(claims))
{
AuthenticationProperties authProps = new AuthenticationProperties(properties);
ClaimsIdentity claimsIdentity = new ClaimsIdentity(context.Options.AuthenticationType);
claimsIdentity.AddClaims(claims);
AuthenticationTicket ticket = new AuthenticationTicket(claimsIdentity, authProps);
context.Validated(ticket);
ClaimsIdentity cookieIdentity = new ClaimsIdentity(claims, Microsoft.Owin.Security.Cookies.CookieAuthenticationDefaults.AuthenticationType);
context.Request.Context.Authentication.SignIn(cookieIdentity); // This should create the auth cookie!??!
}
else
{
context.SetError("Unauthorized", "You don't currently have authorization. Please contact support.");
}
...
Keep in mind that Token based authentication is working so I assume it's a configuration setting missing or misconfigured, or a pipeline ordering issue.
THANK YOU!
I know it is a late answer, but we came across exactly the same problem. My colleague and I spent 4 hours trying to figure out why. Here is the answer that hopefully can save somebody else from bang their head against the wall.
Inspect the response, you can see there is Set-Cookie:.AspNet.Cookies=LqP1uH-3UZE-ySj4aUAyGa8gt .... But the cookies it is not saved. What you need to do is, in your ajax call, include credentials.
$.ajax({
url: url,
type: 'POST',
xhrFields: {
withCredentials: true
}
)
we are using the Fetch API, it looks like the following
fetch(url, {
method: 'post',
headers: {
"Content-type": "application/x-www-form-urlencoded; charset=UTF-8"
},
credentials: 'include'
})
I'm using HTTP.post in meteor and I need to send basic authentication with only a username to an external service. Where does this go and what would that look like?
I am only using it on the server side so I know it should look like the below code, but I'm not sure where to put the username and what to call it.
I've tried this.
var resultSet = HTTP.post("https://billy.balancedpayments.com/v1/customers", {
params: {"processor_uri": "/customers/customerURI"},
authentication: {"MYKEYHERE":""}
});
And this.
var resultSet = HTTP.post("https://billy.balancedpayments.com/v1/customers", {
params: {"authentication": "MYKEYHERE",
"processor_uri": "/customers/customerURI"}
});
And this.
var resultSet = HTTP.post("https://billy.balancedpayments.com/v1/customers", {
params: {"processor_uri": "/customers/customerURI"
},
headers: {'Authorization': 'MYKEYHERE'}
});
I get this error each time.
Error: failed [403] 403 Forbidden Access was denied to this resource.
Unauthorized: CustomerIndexView failed permission check
The plain auth : 'username:password' should do (from docs):
var resultSet = HTTP.post("https://billy.balancedpayments.com/v1/customers", {
params: {"processor_uri": "/customers/customerURI"},
auth: 'yourkey:'
});
As per the balanced payments documentation:
To authenticate with Balanced, you will need the API key secret provided from the dashboard. You have to use http basic access authentication. Your key has to be set as the username. A password is not required for simplicity.
So this means you leave the password blank, so its just your key followed by the colon :
Also you might want to consider using the balanced package for Meteor which does all the boilerplate for you.
I worked on a sample application integrating OpenID into ASP.NET Web Forms. It works fine when hosted locally on my machine. However, when I uploaded the application to a live server, it started giving "Login Failed".
You can try a sample here: http://samples.bhaidar.net/openidsso
Any ideas?
Here is the source code that fails to process the OpenID response:
private void HandleOpenIdProviderResponse()
{
// Define a new instance of OpenIdRelyingParty class
using (var openid = new OpenIdRelyingParty())
{
// Get authentication response from OpenId Provider Create IAuthenticationResponse instance to be used
// to retreive the response from OP
var response = openid.GetResponse();
// No authentication request was sent
if (response == null) return;
switch (response.Status)
{
// If user was authenticated
case AuthenticationStatus.Authenticated:
// This is where you would look for any OpenID extension responses included
// in the authentication assertion.
var fetchResponse = response.GetExtension<FetchResponse>();
// Store the "Queried Fields"
Session["FetchResponse"] = fetchResponse;
// Use FormsAuthentication to tell ASP.NET that the user is now logged in,
// with the OpenID Claimed Identifier as their username.
FormsAuthentication.RedirectFromLoginPage(response.ClaimedIdentifier, false);
break;
// User has cancelled the OpenID Dance
case AuthenticationStatus.Canceled:
this.loginCanceledLabel.Visible = true;
break;
// Authentication failed
case AuthenticationStatus.Failed:
this.loginFailedLabel.Visible = true;
break;
}
}
As Andrew suggested, check the exception. In my case, my production server's time & date were off and it wouldn't authenticate because the ticket expired.
Turn on logging on your live server and inspect them for additional diagnostics. It's most likely a firewall or permissions problem on your server that prevents outbound HTTP requests.
You may also find it useful to look at the IAuthenticationResponse.Exception property when an authentication fails for clues.