Information Dynamics

Tag Archives: Authentication

Azure AD B2C

19 Thursday Aug 2021

Posted by GIRISH SRINIVASA in Azure, Azure AD, Azure B2C


Tags

Authentication, Azure AD B2C

In this article we look at the benefits of Azure AD B2C, an identity-management framework that allows an application to sign users in with corporate accounts as well as social accounts. This article details provisioning an Azure AD B2C tenant; subsequent articles will walk through the implementation of a sample application that uses Azure AD B2C for authentication and authorization.

The capabilities provided by Azure AD B2C can be summarized as follows:

  • Identity as a Service: Azure hosts all the necessary components so end users can register and sign in.
  • Business to Consumer: Enterprise applications have their users in an AD store; Azure AD B2C still has a directory of users, but it is targeted at consumers or external users.
  • Local or social account identities: External users can register and sign in to the application with a local account, or use social identities such as Google, LinkedIn, etc.
  • Customization: Provides the ability to customize the UI.
  • Protocols supported: OpenID, OAuth and SAML.
  • Scenarios where Azure AD B2C works well: Web applications, mobile apps, Web APIs.
  • Where Azure AD B2C does not work: Web API chains (i.e. one Web API calling another secured API).

In the following section we will look at setting up an Azure AD B2C tenant. A tenant represents an organization and contains a directory of users. It is separate from the Azure AD tenant we have access to by default once signed in to Azure.

Let us take a brief tour of what Azure AD tenancy looks like from within the Azure Portal.

Manage Tenants allows us to switch between different domains.

From the above it is clear that the Azure AD B2C tenancy is separate from the Azure AD tenancy, so there has to be a way of linking the two, as under the hood the user accounts are still managed by Azure AD.

In the next section we will look at the steps involved in setting up an Azure AD B2C tenant:

  1. On the Azure Portal home page, navigate to “Subscriptions”. The next screen lists the available subscriptions.
  2. Click on the subscription and go to Resource Providers to register Microsoft.AzureActiveDirectory.
  3. Once the Microsoft.AzureActiveDirectory resource provider is registered, create a resource by searching for Azure Active Directory B2C.
  4. Creating an Azure B2C tenant and linking it to an existing Azure subscription appear as options on one page; the first step is to create a tenant.
  5. Enter the initial domain name, then Review and Create.
  6. Once the Azure AD B2C tenant is created, the next step is to link it to the current Azure subscription.
  7. Choose Azure Active Directory B2C and click on Create.
  8. Choose the option to link the Azure B2C tenant to a subscription.
  9. Enter the details and click on Create.
  10. Once successful, the link to the subscription should be reflected on the information page of the newly created Azure AD B2C resource.

This completes the walkthrough of setting up an Azure AD B2C tenant. In the next article we will look at the features of Azure AD B2C in the context of providing IAM capabilities to users.

OAuth and OpenID Connect using IdentityServer

04 Saturday Apr 2020

Posted by GIRISH SRINIVASA in ASP.NET Core, OAuth2.0/OpenIDConnect, WebAPI


Tags

Authentication, JSON Web Token, OAuth, OpenIDConnect

In an earlier article we looked at the use of JSON Web Token (JWT) for authentication. With that foundation in place, in this article we look at IdentityServer4, which provides OpenID Connect (authentication) and OAuth 2.0 (authorization) endpoints to ASP.NET Core applications.

Common protocols used for authentication include SAML, WS-Fed and OpenID Connect. OpenID Connect in combination with OAuth 2.0 is designed for APIs. The following table highlights the differences between OpenID Connect and OAuth 2.0:

[Image: OpenIDConnect (comparison table)]

For a good example of authentication using OpenID Connect, refer to the earlier article where we looked at providing a login mechanism to a Power Apps Portal through OpenID Connect using Google as the identity provider; a capture of the network traffic is shown below:

[Image: OpenIDConnect1]

In the highlighted content, the following refer to the OpenID Connect protocol:

  • id_token is returned in JSON Web Token format
  • scope=openid is used for authentication

Being an authentication-only framework, what OpenID Connect does not do is provide access to the resources in the application; this is where the authorization framework (delegated authorization) based on the OAuth 2.0 protocol comes into effect.

The table highlighted some of the terms used in OAuth 2.0. To understand them better we will build a sample application for the following scenario; the sample source code is on Git:

[Image: OpenIDConnect2]

  1. The client sends a request for an authorization token to the Secure Token Service (STS) API, which references IdentityServer4.
  2. The token presented to the client by the STS is in JSON Web Token format.
  3. The JSON Web Token is passed to the Web API method.
  4. The dataset is returned to the client.

The process of granting the client application the right to call methods within the Web API is commonly referred to as an OAuth flow, and it involves the steps of granting consent (permission) to invoke the methods in the Web API.

The sample code solution structure has the following highlighted projects:

[Image: OpenIDConnect3]

  • IdentityServer (Secure Token Service) > SEIS.IdentitySrv
  • WebAPI > SEIS.Registration.Api
  • Client > ConsoleAppClient

An understanding of ADFS concepts will be helpful; the steps described below are analogous to setting up a relying party trust in ADFS.

Step 1: Build and Configure the Secure Token Service

ASP.NET Core provides built-in DI (dependency injection), and this capability is used to set up the STS.

[Image: OpenIDConnect4]

IdentityServer needs the following information:

  • Clients trying to access the Web API
  • List of API endpoints IdentityServer is securing

In our sample scenario these are ConsoleApp (the client) and RegistrationAPI. The plumbing code is in Startup.cs.

[Image: OpenIDConnect5]

Config.GetAllApiResources() and Config.GetAllClients() will have pointers to the Web API and the ConsoleApp client respectively.

[Image: OpenIDConnect9]

This sets up the STS with its known clients and API resources.

Step 2: Build the WebAPI and configure it to use the STS

Using DI (dependency injection) in Startup.cs, specify the Secure Token Service (STS) in the ConfigureServices method.

[Image: OpenIDConnect6]

Now indicate that authentication is to be used:

[Image: OpenIDConnect7]

The above sets up the API to accept access tokens from the STS. To require permissions on controller method(s) we add the Authorize attribute:

[Image: OpenIDConnect8]

Step 3: Build the ConsoleApp to request an AccessToken from the STS before invoking WebAPI methods

The first step for the ConsoleApp client is to request an access token from the STS and then attach it using the SetBearerToken method of the HttpClient object before calling the Web API methods.

[Image: OpenIDConnect10]

Result of the ConsoleApp client:

[Image: OpenIDConnect11]

The access_token issued by the STS conforms to the JSON Web Token format (reference); decoding it at jwt.io shows the following result:

[Image: OpenIDConnect12]
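The three steps above condensed into one added example written for this article (it is not the SEIS.* sample code). It assumes IdentityServer4 3.x on the STS and the IdentityModel client library in the console app; the resource name, client id, secret and localhost URLs are placeholders.

```csharp
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

// Step 1 (STS project): the lists fed to AddInMemoryApiResources / AddInMemoryClients; all values are assumed.
public static class Config
{
    // The protected API; in IdentityServer4 3.x the resource name is also the requestable scope.
    public static ApiResource[] GetAllApiResources() =>
        new[] { new ApiResource("registrationapi", "Registration API") };

    // Daemon client with no interactive user: client-credentials grant, hashed secret,
    // exactly one scope, short lifetime (a leaked bearer token replays until it expires).
    public static Client[] GetAllClients() => new[]
    {
        new Client
        {
            ClientId = "consoleapp", AllowedGrantTypes = GrantTypes.ClientCredentials,
            ClientSecrets = { new Secret("assumed-dev-secret".Sha256()) },
            AllowedScopes = { "registrationapi" }, AccessTokenLifetime = 300
        }
    };
}
// Step 2 (Web API, Startup.ConfigureServices): accept only tokens signed by the STS and issued
// for this audience; a token minted for some other API is rejected before [Authorize] runs.
public static class ApiAuth
{
    public static void Configure(IServiceCollection services) =>
        services.AddAuthentication("Bearer").AddJwtBearer("Bearer", o =>
        {
            o.Authority = "https://localhost:5000"; // signing keys are fetched from the STS discovery document
            o.Audience = "registrationapi";
        });
}
// Step 3 (console client): obtain an access token, then send it as Authorization: Bearer.
public static class ConsoleClient
{
    public static async Task<string> CallApiAsync(HttpClient http)
    {
        var token = await http.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
        {
            Address = "https://localhost:5000/connect/token", // IdentityServer4 token endpoint
            ClientId = "consoleapp", ClientSecret = "assumed-dev-secret", Scope = "registrationapi"
        });
        if (token.IsError) throw new System.InvalidOperationException(token.Error);
        http.SetBearerToken(token.AccessToken);
        return await http.GetStringAsync("https://localhost:5001/api/registration");
    }
}
```

The audience check in Step 2 is the part most often left out; without it any token the STS issues for any of its APIs would be accepted by this one.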


Illustrative sample of Authentication using JSON Web Token (JWT)

22 Saturday Feb 2020

Posted by GIRISH SRINIVASA in ASP.NET Core, WebAPI


Tags

Authentication, JSON Web Token, SAML

In an earlier article we looked at aspects of authentication/authorization frameworks that can be used in COTS and bespoke applications. This article looks at Web API authentication using JWT. The sample source code can be obtained from here.

The sample code demonstrates the following scenario:

[Image: JWTSample1]

The User data model used in the sample application has the attributes shown in the table below:

[Image: JWTSample]

  1. The Console App invokes a POST request with username and password to the Gateway API, which is based on the Ocelot API gateway and works well for a microservices architecture. In an architecture consisting of several microservices, Ocelot provides a simple, configurable endpoint through which to communicate with each microservice.

[Image: JWTSample2]

“/authentication/authenticate” > pointer to the authentication controller and its authenticate method within the microservice Web API.

The JSON configuration file for the Ocelot API consists of ReRoutes, each specified as a combination of DownstreamPathTemplate and UpstreamPathTemplate.

[Image: JWTSample3]

The output of the Console App is shown below; the returned JWT is in the format [Header].[Payload].[Signature].

[Image: JWTSample4]

If we decode the JWT in the debugger at jwt.io we get the user information.

[Image: JWTSample5]

[Image: JWTSample6]
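An added example, not the post's sample code, showing the two halves of the flow above in System.IdentityModel.Tokens.Jwt: the authenticate action issuing the [Header].[Payload].[Signature] token once the password check has passed, and the validation the Web API must perform on every request, since decoding at jwt.io only base64-decodes and proves nothing about who signed it. The key, issuer, audience and claim values are assumed.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class JwtAuth
{
    // Assumed HS256 key (HS256 needs at least 16 bytes); load from configuration or a
    // secret store in a real deployment, never from source.
    private static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("assumed-dev-key-of-at-least-32-bytes!!"));

    // Called by the authenticate action after the username/password have been verified.
    public static string Issue(string userName, string role)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = "registration-api",   // assumed
            Audience = "console-app",      // assumed
            Subject = new ClaimsIdentity(new[]
            {
                new Claim(ClaimTypes.Name, userName),
                new Claim(ClaimTypes.Role, role)
            }),
            Expires = DateTime.UtcNow.AddMinutes(15), // short-lived: bearer tokens replay until expiry
            SigningCredentials = new SigningCredentials(Key, SecurityAlgorithms.HmacSha256)
        };
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor)); // header.payload.signature
    }

    // What the Web API does for each request before trusting any claim in the token.
    // Throws SecurityTokenException on a bad signature, wrong issuer/audience or expiry.
    public static ClaimsPrincipal Validate(string token)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = "registration-api",
            ValidAudience = "console-app",
            IssuerSigningKey = Key,
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // pin alg; rejects "none" and alg confusion
            ClockSkew = TimeSpan.FromSeconds(30)
        };
        return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
    }
}
```

In an ASP.NET Core API the same TokenValidationParameters are normally supplied to AddJwtBearer rather than calling ValidateToken by hand; the checks are identical.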


Portal Authentication

02 Sunday Feb 2020

Posted by GIRISH SRINIVASA in Dynamics 365 Portals, Power Platform


Tags

Authentication

Dynamics 365 CE portal users can be anonymous users, customers/partners, or admin users, each with varying access permissions; the types of resources accessed include content and data.

  • Anonymous users: should be given the minimal amount of access.
  • Customers/partners: should be able to log on and modify data.
  • Admin users: have access to information that enables the decision-making process.

Two modes of authentication are supported for the Dynamics 365 portal:

  • Local authentication: implemented using the forms-based authentication (FBA) model; the user is a Contact record in the Dynamics 365 CE instance.
  • External authentication: uses the ASP.NET Identity API model, and authentication is performed by a third-party IdP (identity provider), for example Azure AD, Google, etc.

Authentication using System User:

A system user with access to the Dynamics 365 CE instance (organization) is an Azure AD user.

Example scenario:

Portal URL https://spaceflight.powerappsportal.com

Login User: girishs@idyconsulting.onmicrosoft.com

[Image: PortalAuth1]

Click on Azure AD and log on.

[Image: PortalAuth2]

It should now redirect to the home page.

[Image: PortalAuth3]

Authentication using Local Account (Contact Record):

  • Go to the portal URL https://spaceflight.powerappsportal.com and register a user.

[Image: PortalAuth4]

Note that the email has to be unique for every registered user. Once successfully registered, the user appears as a contact in CRM.

[Image: PortalAuth5]

The password entered during registration is stored as a hash, and this can be viewed using Advanced Find.

[Image: PortalAuth6]

The following solutions must be present in the Dynamics 365 CE instance/org for portal authentication to work; by default they are installed once the portal is provisioned.

[Image: PortalAuth7]
