How to Authenticate by appId and key in loopback restapi - javascript

I am wondering how to authenticate an app to make requests to endpoints, as I am getting 401 errors. I have successfully generated an app id and app keys, but which should be used? There is no documentation on it.

The application model is designed to work with OAuth 2.0, which allows authentication and authorization with a client application (client-id/client-secret) and a resource owner (username/password). OAuth 2.0 is under development. Once it's ready, the token endpoint should be able to generate access tokens that carry the app and/or user id.

Related

AWS Load Balancer Authentication with Cognito Testing

I'd like to use an Application Load Balancer (ALB) to authenticate requests with Cognito to my node express back-end. After authenticating, the ALB maintains a session with a session cookie, and forwards a few headers to the back-end in the form x-amzn-oidc-* (e.g. x-amzn-oidc-accesstoken).
My application backend needs these claims to carry out requests. So how do I develop and test token signature verification locally?
Edit:
Similar question here.
Headers containing identifying information and access tokens here

Generate token for

https://learn.microsoft.com/en-us/rest/api/appservice/webapps/listfunctions
How can I generate the token highlighted in green dynamically using JavaScript or an Api? I know it can be generated using Azure CLI az account get-access-token but that does not fit my solution to help me monitor my functions programmatically.
You can acquire the access token either using the OAuth2 service endpoints, or MSAL. OAuth2 endpoints are Platform- and language-neutral, but MSAL is not.
The two Azure AD endpoints that you use to authenticate your client and acquire an access token are referred to as the OAuth2 /authorize and /token endpoints. How you use them depends on the type of OAuth2 authorization grant flow you need to support your app.
For instance, a non-interactive client can use client credentials grant, wherein the access token can be acquired by sending a POST request to the /token endpoint.
For more information, refer to the Azure REST API reference.
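The non-interactive path the answer describes, as an added example that is not part of the original post: a Node 18+ client that obtains an access token from the Azure AD v2.0 /token endpoint with the client-credentials grant and then calls the Web Apps "List Functions" endpoint with it as a bearer token. Tenant, client, subscription, resource group and site names are placeholders, and the api-version value is an assumption.

```javascript
// Added example (not from the answer above): client_credentials grant against the
// Azure AD v2.0 token endpoint, then a GET to the ARM "List Functions" endpoint.
// All identifiers are placeholders supplied by the caller; api-version is assumed.
const TOKEN_URL = (tenant) => `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`;
const ARM_SCOPE = 'https://management.azure.com/.default'; // scope for ARM in v2.0

// Build the form-encoded body the /token endpoint expects for client_credentials.
function buildTokenRequest({ tenant, clientId, clientSecret }) {
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: 'client_credentials',
    scope: ARM_SCOPE,
  });
  return { url: TOKEN_URL(tenant), body: body.toString() };
}

// Build the ARM URL for GET .../sites/{name}/functions (api-version is an assumption).
function listFunctionsUrl({ subscriptionId, resourceGroup, siteName, apiVersion = '2022-03-01' }) {
  return `https://management.azure.com/subscriptions/${encodeURIComponent(subscriptionId)}` +
    `/resourceGroups/${encodeURIComponent(resourceGroup)}/providers/Microsoft.Web/sites/` +
    `${encodeURIComponent(siteName)}/functions?api-version=${encodeURIComponent(apiVersion)}`;
}

// POST the grant; the returned access_token is a bearer credential, handle it like a secret.
async function getAccessToken(creds) {
  const { url, body } = buildTokenRequest(creds);
  const res = await fetch(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  return (await res.json()).access_token;
}

// Acquire a token and list the functions of one site; resolves to the "value" array.
async function listFunctions(creds, site) {
  const token = await getAccessToken(creds);
  const res = await fetch(listFunctionsUrl(site), {
    headers: { Authorization: `Bearer ${token}` },
  });
  if (!res.ok) throw new Error(`ARM request failed: ${res.status}`);
  return (await res.json()).value;
}
```

The service principal used here needs a role (for example Reader) on the function app, otherwise the ARM call returns 403 even with a valid token.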

Hiding a SPA behind an authentication gateway?

I am building an application with the following planned login flow:
User logs in at 1.1.1.1:8080 on a PHP web page.
The PHP web page sends a request to the API at 2.2.2.2:8080 to create a JWT access token.
The JWT access token gets sent to a reverse proxy to authenticate with the SPA at 3.3.3.3:8080.
It should not be possible to access the SPA frontend at 3.3.3.3:8080 without the JWT access token. If the auth is invalid they should be redirected to the PHP page at 1.1.1.1:8080. What free technologies exist to implement this? I was looking at nginx but it looks like it is only possible with nginx plus.

How to retrieve access_token from Azure Active Directory (AAD) Web API

I am building a web app with the following properties:
The Front-end is based on VueJS
The Back-end framework is still not confirmed but it will be a RESTFul API
The users for the app will be authenticated by Azure Active Directory (AAD)
Here's what I have done so far:
I have set up a Web App/API in my AAD. Along with that, following the guidelines here, I have completely secured my VueJS app and now I need to be logged in to my AAD in order to be able to use the app.
The problem now is that the front-end is secured. But what about the backend? I am trying to get an access_token from the AAD which I can then use as an authorization header with every request to my backend later on.
Here is what I get from my AAD when I sign in using the AuthenticationContext from the adal library.
As you can see I am getting an id_token and when I use the acquireToken function of adal I get an id_token again.
Is there anything I am doing wrong here? Do I need to create another Web App/API on Azure?
How do I go about this?
Thanks!
According to the official documentation, this might be your case.
"The OAuth 2.0 implicit flow in Azure AD is designed to return an ID token when the resource for which the token is being requested is the same as the client application. In other words, when the JS client uses ADAL JS to request a token for its own backend web API registered with same App ID as the client, an ID token is returned and cached by the library. Note that in this case the resource should be set to the App ID of the client (App ID URI will not work). This ID token can then be used as a bearer token in the calls to your application's backend API."
You can find more about this here!
https://github.com/AzureAD/azure-activedirectory-library-for-js/wiki/Acquire-tokens

Separated frontend with backbone.js and node.js backend token

I have separate projects:
Server side: node.js with express to serve a RESTful API, but returning JSON instead of HTML. All the examples on the internet return HTML with ejs.
Frontend: an independent application with backbone and socket.io.
I want to do a login and registration page, and I did it with passport.js on the server side, but I have no idea how to send the token to the frontend and store it there to send it on every request to the server. If the user is out of session then the login page must be shown.
I want a way compatible with OAuth 2.0 for multiple authentication strategies.
Sorry for my English; I have a lot of doubts and I don't understand all the concepts.
Basically what you have is an API and a client, and you need two things:
The client to be able to open a session on the API.
The client to be able to embed its session credentials in every request so that the API knows who is doing the query.
First Step
For opening the session, you have figured it out: you want your API to be an OAuth client.
So when a user wants to log in, your client will redirect them to http://api.yourserver.com/login/google which will redirect to Google, which will redirect again to your API with a token that allows your API to access Google's API (hence, know who your user is).
This token cannot be used to authenticate against your API. Its only goal is to allow your API to act on the user's behalf on google services.
Second Step
Then you need to decide how your client will authenticate against your API. You can choose to use a cookie, which almost everyone does (it's the sane default for express sessions).
Or, if your API is consumed by many different clients, and you don't have control over those clients, you can choose to implement an OAuth server to protect your API.
The clients will then authenticate against your API using a "Bearer Token" (it's an HTTP header).
