Getting error while triggering a basic http call from ‘Keycloak’ to ‘Azure ADB2C’ for token response - keycloak

We are making basic http calls from "Keycloak" to "Azure ADB2C" to retrieve a token as a response from AD B2C.
The current flow looks like this. For a Java web application which is integrated with the ‘Keycloak’ as an identity broker, and from the ‘Keycloak’ we have integrated with ‘Azure AD B2C’ as an identity provider for user authentication and to send the token response back to the keycloak request.
Use case 1: We have integrated an Azure ADB2C sign-in user flow endpoint in Keycloak, which sends the sign-in requests to B2C, and retrieving the token as a response from Azure B2C works fine.
Use case 2: We have a blocker in this use case. While making a basic http header call from 'Keycloak' to 'Azure AD B2C', we are seeing error codes in the 'Keycloak' logs such as 'invalid_grant', 'invalid_secret' and 'invalid_credentials' for the different calls passed from Keycloak. And upon verifying on the Azure ADB2C side, we haven't found any logs for the above requests from 'Keycloak'.
Is there any workaround, or any change that has to be made in Keycloak, to handle basic http calls to Azure ADB2C?
Thank you!!

For client-to-client calls, Azure AD B2C supports the client_credentials flow:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
You can send the client_id and client_secret parameters in a Basic Authentication header.
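To make the client_credentials request concrete, here is an added example (not code from this thread, Keycloak or Azure) showing how client_id and client_secret go into the Basic header the answer mentions, and how the RFC 6749 error codes map to the failures the question lists; the endpoint, client id, secret and scope values are constructed placeholders.

```python
"""OAuth 2.0 client_credentials token request that authenticates the client
with an HTTP Basic header (RFC 6749 sections 2.3.1 and 4.4). Added example
for this thread, not Keycloak or Azure code; endpoint, client id, secret
and scope values are constructed placeholders."""
import base64
import json
from urllib.parse import quote, unquote, urlencode


def basic_client_auth_header(client_id: str, client_secret: str) -> str:
    # RFC 6749 section 2.3.1: form-urlencode id and secret BEFORE joining them
    # with ':' and base64-encoding, so a secret containing ':' or '/' reaches
    # the token endpoint intact (a classic cause of invalid_client).
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def decode_basic_client_auth(header_value: str) -> tuple:
    # What the token endpoint does with the header: the inverse of the above.
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    client_id, _, secret = base64.b64decode(b64).decode("ascii").partition(":")
    return unquote(client_id), unquote(secret)


def build_client_credentials_request(token_endpoint, client_id, client_secret, scope):
    """Return the POST a broker would send; the secret travels in the header only."""
    headers = {
        "Authorization": basic_client_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # RFC 6749 section 2.3: a client MUST NOT use more than one authentication
    # method per request, so client_secret is not repeated in the body.
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return {"method": "POST", "url": token_endpoint, "headers": headers, "body": body}


# RFC 6749 section 5.2 error codes: the first thing to check when a log only
# says "invalid grant" or "invalid credentials".
TOKEN_ERRORS = {
    "invalid_client": "client authentication failed: wrong id/secret or wrong auth method",
    "invalid_grant": "the grant was rejected: expired, revoked, or bound to another client/redirect_uri",
    "unauthorized_client": "this client is not allowed to use this grant type",
    "invalid_scope": "the requested scope is unknown, malformed or not permitted",
    "invalid_request": "a required parameter is missing, repeated or malformed",
}


def explain_token_error(response_body: str) -> str:
    err = json.loads(response_body).get("error", "")
    return TOKEN_ERRORS.get(err, f"unrecognised error code {err!r}")
```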

KeyCloak Integration with Azure ADB2C - Missing State Parameter

I’ve integrated “KeyCloak” (identity broker) with Azure ADB2C for authenticating a user.
First, we integrated the ADB2C login user flow endpoint with Keycloak and tested it, which is absolutely fine. We have also integrated the B2C "Forgot Password" user flow endpoint with Keycloak. Upon successful Forgot Password completion in B2C, while redirecting the response back to Keycloak we are seeing an error response on the Keycloak screen: "Missing State Parameter in Response From Identity Provider".
The request URL has scope, client_id, state, response_type, redirect_uri and nonce. But the B2C response URL contains only client_id, response_type, scope and redirect_uri.
So far, we are unable to find a way to handle this issue. Please suggest if there is any approach to handle this issue, either from the ADB2C or the Keycloak side.
“ADB2C- Implemented with OAuth standard authentication protocol”
Keycloak error page code: "Missing State Parameter In Response from Identity Provider"
Thank you.
• The ‘state’ parameter is used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery attacks. In your case, the keycloak identity broker service is the authorization service while Azure AD B2C is the client.
• And since the state parameter is missing in the response URL from Azure AD B2C, it might be the case that the redirect URIs for the Keycloak identity broker or the application are not correctly configured in Azure AD B2C, due to which Keycloak throws an error that the state parameter is missing.
• Keycloak might have considered this response a CSRF attack due to the missing state parameter and thus displayed an error, whereas in Azure AD B2C the redirection URI relating to the specific Keycloak page might not be correctly configured, due to which the response reached the Keycloak default URI but not the intended application-integrated URI, which is why the state parameter might be missing.
Please refer to the documentation links below regarding CSRF and state parameter configuration, as well as the redirection URI in Azure AD B2C:
https://datatracker.ietf.org/doc/html/rfc6749#section-10.12
https://learn.microsoft.com/en-us/azure/active-directory/develop/reply-url
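An added example (not Keycloak's implementation) of why a broker refuses a redirect without state: it issues the state itself, binds it to the pending login, and rejects any callback that lacks it, carries an unknown value, or reuses one; the endpoint and client names below are constructed.

```python
"""Identity-broker side of the authorization-code redirect: issue a random
`state`, bind it to the pending login and reject any callback whose `state`
is missing, unknown or replayed. Added example for this thread, not
Keycloak's implementation; endpoint and client names are constructed."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class BrokerError(Exception):
    """Conditions a broker surfaces as a login error page."""


class Broker:
    def __init__(self):
        self.pending = {}  # state -> redirect_uri the login was started for

    def start_login(self, authorize_endpoint, client_id, redirect_uri, scope="openid"):
        """Return (authorization URL for the user-agent, the state issued for it)."""
        state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
        nonce = secrets.token_urlsafe(32)  # binds the ID token to this attempt
        self.pending[state] = redirect_uri
        params = {"client_id": client_id, "response_type": "code", "scope": scope,
                  "redirect_uri": redirect_uri, "state": state, "nonce": nonce}
        return f"{authorize_endpoint}?{urlencode(params)}", state

    def finish_login(self, callback_url):
        """Validate the provider's redirect and return the authorization code."""
        q = parse_qs(urlparse(callback_url).query)
        state = q.get("state", [None])[0]
        if state is None:
            # The situation in the thread: a redirect without state cannot be
            # tied to any login this broker started, so it is refused.
            raise BrokerError("Missing state parameter in response from identity provider")
        if state not in self.pending:
            raise BrokerError("Unknown or replayed state parameter (possible CSRF)")
        del self.pending[state]  # single use, so a replayed redirect fails above
        if "error" in q:
            raise BrokerError(f"Provider returned error {q['error'][0]}")
        code = q.get("code", [None])[0]
        if code is None:
            raise BrokerError("No authorization code in response from identity provider")
        return code


def callback_outcome(broker, callback_url):
    """Return ('ok', code) or ('error', message) instead of raising."""
    try:
        return "ok", broker.finish_login(callback_url)
    except BrokerError as exc:
        return "error", str(exc)
```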

Send Events to Event Grid Topic from ADF Web activity with MSI authentication

I wish to send an event from an ADF "Web" activity to an Event Grid topic. I managed to do it by sending "aeg-sas-key" from the Web activity as documented here.
However, I tried to achieve the same through the ADF Web activity without using "aeg-sas-key", with authentication as managed identity instead.
But it gives me the error below:
{ "error": { "code": "Unauthorized", "message": "Request has an unsupported Authorization scheme:Bearer. Authorization scheme must be SharedAccessSignature. Report 'a2af905c-e3ca-401a-be09-3f0b3c6b7d4e:8:5/20/2021 2:00:24 PM (UTC)' to our forums for assistance or raise a support ticket."
I have added the managed identity application of ADF to the Event Grid topic with the Contributor role, but it still does not work. Am I missing something?
In short, I need to know how to send events to an Event Grid topic from an ADF Web activity using managed identity authentication.
Not all the APIs in Azure support MSI auth; just the APIs secured by Azure AD support that. Essentially, MSI auth uses the Azure AD client credential flow to get the token, then uses the token to call the API.
In this case, as mentioned in the error message, sending an event to your topic uses aeg-sas-key to auth, i.e. Basic auth; it does not support Azure AD auth, which means it also could not use MSI to auth.

Keycloak REST API 401 when using custom client with service account

We want to access the Keycloak (version 10) REST API from one of our backend services. To authenticate, we have set up the following:
new clients within our realm
enabled service account for that client
assigned all [1] roles of "realm-management" to the service account
Accessing the API, e.g. fetching a selected user, always results in a 401 response.
Steps to make the requests are:
Retrieve access_token from https://my-keycloak.com/auth/realms/my-realm/protocol/openid-connect/token using grant_type=client_credentials + Client ID + Client Secret
Fetch user from https://my-keycloak.com/auth/realms/my-realm/users/some-user-id-4711 using the Authorization: Bearer $ACCESS_TOKEN header with the token from step 1.
My question: is it even possible to use a custom client, or do we have to stick to login via admin-cli? How would we need to configure the custom client to grant access to the REST API?
Thanks,
Martin
[1] Simply setting all roles for the sake of testing, even though we only want to read data in the end.

Validate oAuth 2 access token in APIGEE without VerifyOAuthTokens policy

We are using Apigee as our Authorization Server (AS) and we have a few Spring Restful services deployed in IBM Bluemix public cloud which acts as our Resource server (RS).
Each of the services has an equivalent proxy service configured in Apigee. For the proxy services, we have configured the VerifyOAuthTokens policy to verify the token passed by the user and return an error if an invalid token is passed.
The problem is, since our RS is in the public cloud (no plans or need of moving to a dedicated or private cloud), the API endpoints are open and can be invoked by anyone who knows the URL. Though the expectation is that everyone should call the APIs via Apigee proxies, we cannot force that since we are in the public cloud and there are no options like opening ports only to Apigee or something similar. We would like to take the following approach to secure the API endpoints.
Accept the Authorization header for each call
Take the token and call a validate token service in Apigee
For step 2, we are not able to find an Apigee API which can validate an access token, similar to, say, Google's
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=1/fFBGRNJru1FQd44AzqT3Zg
or GitHub's
GET /applications/:client_id/tokens/:access_token
Is there actually an external Apigee service to validate a token?
If not, what would be the best way to make sure that only valid users with valid tokens can access the APIs?
Thanks,
Tatha
Did you look at this post in the Apigee Community: Using third-party OAuth tokens?
We did something similar to this, but not using OAuth tokens. We used Apigee to do a callout to a third-party IDP (identity provider). The third-party IDP wasn't able to generate tokens but exposed a web service to authenticate the user. If the user was authenticated successfully (based on interpreting the result received back from the target endpoint web service), then you tell Apigee that it was successful by setting the external authorization status to true (step #2 in the link).
NOTE: this has to be done inside an Assign Message policy step PRIOR to the GenerateAccessToken operation. Apigee interprets this as a successful authorization and can then generate a valid OAuth token that the caller can send along to access the protected API.

Request token from ACS with AAD JWT token

I have a native app registered in AAD and I've added it in ACS as an identity provider. Now I would like to use the JWT token issued by AAD to request a token from ACS for Service Bus. I checked out this article: How to: Request a Token from ACS via the OAuth WRAP Protocol (https://msdn.microsoft.com/en-us/library/azure/hh674475.aspx#BKMK_1), and it lists three ways of requesting a token from ACS: Password, SWT and SAML. I'm wondering if it's supported, or whether there's any example, of requesting one using a JWT token.
As such, ACS capabilities are being moved to Azure Active Directory; AAD will soon be the one service for all authN/authZ and ACS will be sunset. So you need to follow the process of registering your app in AAD and then manually handle the JWT token response on successful authentication of the request from the client application. It uses the JSON Web Token handler.
Refer to the sample here: AAD JWT token handler sample
Of course, this is a sample with Web API and you have to modify it as per your application.