I'm using the Azure Data Factory integration with Quickbooks, the refresh token expires in 24 hours. Is there any way around this?
I attempted this first using parameterized linked service for Quickbooks. However it did not seem there was support for asking for those parameters when copying the data in flow. I was able to solve this instead by using Azure Key Vault to store the secret and refresh token for linked service. Then I created a pipeline with web activity to first get current secret from vault -> web activity to get new refresh token from Intuit -> web activity to set secret in key vault. That way the Quickbooks linked service will always find the latest from key vault.
My pipeline looks as follows:
ADF Pipeline
It seems like each day (every 24 hours), QuickBooks Online will return a new Refresh Token for every Refresh Token API call. Which means if a new refresh token is returned, the previous one will be forced to expire. For more info please refer to the posts below:
https://help.developer.intuit.com/s/question/0D50f000051WZUGCA4/refresh-token-is-expiring-each-day-instead-of-lasting-100-days
https://help.developer.intuit.com/s/article/Validity-of-Refresh-Token
If you would want to update the Refresh token for every ADF pipeline run, then you may have to have another process or a web activity to get the updated/latest refresh token using the QuickBooks/Intuit REST APIs and parameterize the refresh token and access token fields in the Quickbooks linked service. By parameterizing the Quickbooks linked service, you can get the latest access and refresh token using a web activity in ADF and pass those values to the subsequent activity where the Quickbooks connector is being used.
To explore about parameterizing your linked service, please refer to this doc: https://learn.microsoft.com/en-us/azure/data-factory/parameterize-linked-services?tabs=data-factory
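The two answers above describe the same rotation loop: read the current refresh token from Key Vault, exchange it at Intuit, and write the newly returned refresh token back before the next run, because Intuit invalidates the one just used. The script below is an added example, not code from either answer or from Microsoft or Intuit. It models the three web activities as one Python function with an in-memory vault and a constructed fake of the Intuit token endpoint so it runs offline; `LiveIntuitTokenEndpoint` is an assumed real transport (Intuit's OAuth 2.0 token URL with HTTP Basic client authentication) that the offline run never touches, and the secret name `quickbooks-refresh-token` is a placeholder.

```python
import base64
import json
import urllib.parse
import urllib.request


class FakeVault:
    """In-memory stand-in (constructed) for the Key Vault secret the linked service reads."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)

    def get(self, name):
        return self._secrets[name]

    def set(self, name, value):
        self._secrets[name] = value


class FakeIntuitTokenEndpoint:
    """Constructed model of the behaviour described in the answers: every refresh call
    returns a new refresh token, and the one that was just used stops working."""

    def __init__(self, valid_refresh_token):
        self._valid = valid_refresh_token
        self.calls = 0

    def post(self, form):
        self.calls += 1
        if form.get("grant_type") != "refresh_token" or form.get("refresh_token") != self._valid:
            raise PermissionError("invalid_grant: refresh token is expired or was already rotated")
        self._valid = f"rt-{self.calls}"
        return {"access_token": f"at-{self.calls}", "refresh_token": self._valid, "expires_in": 3600}


class LiveIntuitTokenEndpoint:
    """Real transport (assumption: Intuit's OAuth 2.0 token URL and HTTP Basic client
    authentication as documented by Intuit). Not exercised offline."""

    URL = "https://oauth.platform.intuit.com/oauth2/v1/tokens/bearer"

    def __init__(self, client_id, client_secret):
        creds = f"{client_id}:{client_secret}".encode()
        self._auth = "Basic " + base64.b64encode(creds).decode()

    def post(self, form):
        req = urllib.request.Request(
            self.URL,
            data=urllib.parse.urlencode(form).encode(),
            method="POST",
            headers={
                "Authorization": self._auth,
                "Accept": "application/json",
                "Content-Type": "application/x-www-form-urlencoded",
            },
        )
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)


def rotate_refresh_token(vault, token_endpoint, secret_name="quickbooks-refresh-token"):
    """The pipeline's three web activities in one step:
    get current secret -> refresh at Intuit -> write the returned refresh token back.
    Returns the fresh access token. Skipping the write-back leaves the vault holding a
    token Intuit has just invalidated, which is the 24-hour failure from the question."""
    current = vault.get(secret_name)
    response = token_endpoint.post({"grant_type": "refresh_token", "refresh_token": current})
    new_refresh = response["refresh_token"]
    if new_refresh != current:
        vault.set(secret_name, new_refresh)
    return response["access_token"]


if __name__ == "__main__":
    # Offline demonstration with the constructed fakes; two consecutive runs both succeed
    # only because the vault is updated after each exchange.
    vault = FakeVault({"quickbooks-refresh-token": "rt-0"})
    endpoint = FakeIntuitTokenEndpoint("rt-0")
    for _ in range(2):
        print("access token:", rotate_refresh_token(vault, endpoint),
              "stored refresh token:", vault.get("quickbooks-refresh-token"))
```

For the real pipeline the same ordering applies: the Key Vault "set secret" call is the last activity, and the linked service reads the secret by name so it always picks up the latest value.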
I am trying to figure out what is needed so that my application is able to make a pull request on behalf of my user.
I have an app registration, for this app registration I am requesting the following API permission:
https://app.vssps.visualstudio.com/user_impersonation
Once the user accesses my REST API with a proper bearer token, I need to obtain the on-behalf token so that I may contact the Azure Devops APIs.
Question is what scopes do I need to request for the on-behalf-of token so that I may create pull requests as my authenticated user?
The git repo to which I'm trying to create the pull request is hosted on o365exchange.visualstudio.com.
To create a pull request on the Azure DevOps Services side, you could call the REST API: POST https://dev.azure.com/{organization}/{project}/_apis/git/repositories/{repositoryId}/pullrequests?api-version=6.0
You could find the needed scope under the doc:
You could find the corresponding scope details in the doc:
When you register your app, you could choose it here:
I hope this could do some help. Thanks.
I am in the process of expanding our login options on our product to support MS Identity Platform, to be able to use Azure AD login (and gain SSO/MFA with that)
Currently we are using .Net Core + JWT (JwtBearerDefaults.AuthenticationScheme)
The environment is Angular clients, a .Net Core API, and a back-end database.
I have the setup working.
My challenge is that in our business model and backend database we have ~2.000 user rights and our own User/Role model granting access.
I am currently getting the IdToken from MSAL and in my proof of concept using the oid to couple the Azure ID with our User model.
But, in our existing JWT solution, our access token holds claims about the User Id, but also the role, and another property (Unit/Vessel) determining access. From these three properties we can verify against the 2.000 user rights on the API side whether or not a request is allowed.
I would like to keep this information (User, Role, Unit) in the token - but have doubts on how.
Constraints:
We can't create/use Azure claims. We have too many, and customers will manage the Azure application - while we create, add, remove rights for each version of our software.
Azure doesn't know about role/unit data - and these are different for each customer - so that information can't be in Azure either.
My best idea is outlined below - would this approach be correct, and live up to the way ID/Access is separated?
I hope someone can give me some feedback on this.
My idea is that the Angular client gets the Azure IDToken. I then use the Azure IDToken to call our API, which on the server side validates the ID Token and then grants me an access token, which contains the user, role and unit. This token is not Azure'd at all, just a token generated by our API (which again will be the only one validating it). A pro of this approach is also that I can keep one type of Access Token, no matter whether the IDToken is supplied by Azure or our own API.
Tried to outline the flow below in this DrawIO diagram.
I hope someone with more experience in the Token field can validate if this would be a viable approach?
Best regards
/Anders
This is a viable approach except for one thing.
Do not use Id token for authorization.
Your front-end should acquire an access token from AAD for your back-end.
This access token contains the user objectId, allowing you to map the user to a user in your database.
An Id token is only meant for the application that requested authentication and tells it metadata on the user like their display name etc., but it is not meant for authorizing anything.
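To make the answer's point concrete: the backend accepts only an access token whose `aud` is the backend API itself (an ID token carries the client application's id there), takes the `oid` claim, maps it to the product's own user record, and only then mints the internal token with the user, role and unit claims from the question. The script below is an added example, not code from the question, the answer, or Microsoft. The HS256 signing, the issuer string, the API app id and the `USERS_BY_OID` table are all constructed so that it runs offline; real AAD tokens are RS256-signed and would be verified with a JWT library against the tenant's published signing keys, with the rest of the checks unchanged.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: the backend API's Application ID URI and the tenant's issuer.
API_APP_ID = "api://our-backend-api"
TENANT_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"

# Constructed: the product's own user/role/unit model, keyed by the AAD object id (oid).
USERS_BY_OID = {
    "11111111-1111-1111-1111-111111111111": {"user_id": "u-42", "role": "captain", "unit": "vessel-7"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT. Constructed stand-in for the real RS256 tokens so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def decode_jwt(token: str, key: bytes) -> dict:
    """Verify the signature before trusting any claim in the payload."""
    try:
        header, payload, signature = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def validate_aad_access_token(token: str, aad_key: bytes, now=None) -> dict:
    """Accept only an access token issued for this API. An ID token has the client app in
    `aud`, so it fails the audience check, which is exactly what the answer asks for."""
    claims = decode_jwt(token, aad_key)
    now = int(time.time()) if now is None else now
    if claims.get("iss") != TENANT_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != API_APP_ID:
        raise ValueError("token audience is not this API (ID token or token for another app)")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if not claims.get("oid"):
        raise ValueError("no oid claim")
    return claims


def issue_internal_token(aad_token: str, aad_key: bytes, internal_key: bytes, now=None, ttl=3600) -> str:
    """Map the AAD user to the product user by oid and mint the API's own access token
    carrying the user, role and unit claims the authorization checks need."""
    claims = validate_aad_access_token(aad_token, aad_key, now)
    user = USERS_BY_OID.get(claims["oid"])
    if user is None:
        raise LookupError("AAD user is not mapped to a product user")
    now = int(time.time()) if now is None else now
    internal_claims = {
        "iss": "our-api",
        "sub": user["user_id"],
        "role": user["role"],
        "unit": user["unit"],
        "iat": now,
        "exp": now + ttl,
    }
    return encode_jwt(internal_claims, internal_key)


if __name__ == "__main__":
    aad_key, internal_key = b"constructed-aad-key", b"constructed-internal-key"
    now = int(time.time())
    inbound = encode_jwt({"iss": TENANT_ISSUER, "aud": API_APP_ID,
                          "oid": "11111111-1111-1111-1111-111111111111", "exp": now + 600}, aad_key)
    print(decode_jwt(issue_internal_token(inbound, aad_key, internal_key), internal_key))
```

The internal token is validated only by the API that issued it, as the question proposes; the AAD-specific checks stay in one place, so a second identity provider only needs its own `validate_*` function feeding the same `issue_internal_token`.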
TL;DR: Is it possible to hit the Azure B2C auth server and have it return to a URL on the app (so a full round-trip) a JWT with altered claims? I.e. not part of signing in - that has already happened and we are using a JWT already.
I have successfully set up Azure B2C to use a custom policy that hits a REST API to get extra claims information.
However, I have a certain situation where I want the user to specify a "mode" and have their JWT altered by Azure B2C to set the current mode as a claim.
Basically, the REST API will return something like:
{
"available_modes":"1,2,3"
}
And then I want the user to be able to change this so that they can select a mode, e.g. "2". Is there a way to hit the auth server and have it hit say https://myapi.com?mode=2, passing through the username claim to that API endpoint? Then, the auth server would return the JWT that ultimately has been altered to set something like the "current_mode" claim value to "2".
This is a somewhat contrived example but I hope it makes sense, would it be possible by a custom claim to have it go off to the auth server and back in one round trip, returning with a new JWT?
I have an Azure function which I'm using to fetch data from Azure AD, but I want to limit who can use the Function as it will be using a HTTP trigger so that I will be able to call the function from a Logic App later down the road.
So as HTTP triggered Azure Functions have a public endpoint, I want to improve security by setting the authorization level to Function, or even more preferable to use an Azure AD service principal (pre-created).
Upon making this change though I can make the call by putting in the function into the URL.
Base URL:
https://something.com/api/function_name
URL with token:
https://something.com/api/function_name?code=token_here
However, my function expects some input to be given.
On an anonymous endpoint you'd extend the base URL like so:
https://something.com/api/function_name/?parameter=value
Where parameter is what the code will expect, and the value being passed into the variable in the code.
Now I'm new to this HTTP endpoint stuff and passing in values via a URL. I understand this gets passed in as JSON (probably)
But I don't understand how I can do both the function authorization as well as passing in the parameter.
I've tried:
https://something.com/api/function_name/?parameter=value?code=token_here
https://something.com/api/function_name?code=token_here/?parameter=value
Does anyone know how this is supposed to work?
On the flipside, I could also set the Platform Features -> Authentication / Authorization to an Azure AD service principal. But then how do I change the URL to authenticate using the client_id and client_secret of that service principal?
I'd actually prefer using this method, because then I could implement lifecycle management on the token and rotate it to keep it even more secure.
I've looked here:
Azure function with Azure AD authentication access using JavaScript
And most other topics I found on stackoverflow didn't even get close.
PS: This PS doesn't need an answer, but I would appreciate any thought.
This thing I am concocting is a workflow combined of a (scheduled) logic app that triggers a Get-Function. Where the Get-Function will somehow need to trigger an Update-Function. And I'm making the Get-Function HTTP triggered so that I will also be able to offer it as an API to make this function usable for automation (to allow secrets to be rotated via API calls without those people requiring Azure AD permissions).
The update function would then need to rotate secrets on (specific) applications/service principals.
The Azure Function is based on v2 and uses Powershell Core as language.
If you want to use Platform Features -> Authentication / Authorization (Easy Auth) to protect your anonymous HTTP triggered function, you can follow the steps below:
Enabling Authentication / Authorization (Easy Auth), use Azure AD express mode:
Click save. And once the process is done, please note the client_id of your function AD app, we will use it later.
Creating an Azure AD App
Create a client secret for it, note the client secret value and the new Azure AD app ID:
Make a request to get an access token from your Azure AD so that we can call your http triggered function:
Request URL:
POST https://login.microsoftonline.com/<-your tenant id/name->/oauth2/token
Request Header:
Content-Type: application/x-www-form-urlencoded
Request Body:
grant_type=client_credentials
&resource=<-function App ID->
&client_id=<-new Azure AD App ID->
&client_secret=<-client secret of new Azure AD App ID->
Just as below:
As you can see in the response, you get an access token, so use this token in the HTTP request's Authorization header to call your HTTP triggered function which has Easy Auth enabled; all requests without a correct Authorization header will be blocked:
Please mark me if this is helpful for you.
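The client side of the answer above, as an added example that is not code from the answer or from Microsoft: one function builds the client_credentials request exactly as shown (v1 `oauth2/token` endpoint with `resource` set to the function's AD app id), a second builds the call to the function with the token in the `Authorization` header, and `call_protected_function` chains them. It also covers the URL-shape part of the question: query parameters belong in the query string joined by `&`, while the bearer token travels in the header rather than in the URL, so it stays out of access logs. The tenant name, app ids and secret are placeholders, and the HTTP transports are injectable so the flow can be exercised offline.

```python
import json
import urllib.parse
import urllib.request

TENANT = "contoso.onmicrosoft.com"  # placeholder: your tenant id or name
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/token"


def build_token_request(resource, client_id, client_secret):
    """Body and headers for the client_credentials grant from the answer.
    `resource` is the client_id of the function's AD app; the other two belong to the new app."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "resource": resource,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    return TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, body


def build_function_request(base_url, params, access_token):
    """Query parameters are joined with '&' in the query string; the token goes in the
    Authorization header, which is what Easy Auth checks."""
    url = base_url + "?" + urllib.parse.urlencode(params)
    return url, {"Authorization": "Bearer " + access_token}


def http_post(url, headers, body):
    """Real transport; not exercised offline."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def http_get(url, headers):
    """Real transport; not exercised offline."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def call_protected_function(base_url, params, resource, client_id, client_secret,
                            post=http_post, get=http_get):
    """Obtain a token for the function's AD app, then call the function with it.
    Returns (status, body) from the function call."""
    url, headers, body = build_token_request(resource, client_id, client_secret)
    status, raw = post(url, headers, body)
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    token = json.loads(raw)["access_token"]
    url, headers = build_function_request(base_url, params, token)
    return get(url, headers)


if __name__ == "__main__":
    # Show the two requests that would be sent, without sending them.
    print(build_token_request("<function AD app id>", "<new app id>", "<client secret>"))
    print(build_function_request("https://something.com/api/function_name",
                                 {"parameter": "value"}, "<access token>"))
```

Because the client secret only ever appears in the POST body to the token endpoint, rotating it (the lifecycle management the question mentions) does not change anything on the function side; only the calling client needs the new secret.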
To call the Key Protect service API, you need to provide Authorization, Bluemix-space and Bluemix-org headers. The Authorization header contains a Bluemix access token. Such tokens can be obtained by calling
cf oauth-token command (see How to get OAuth token from CloudFoundry).
What I do not understand is:
What is the default validity of such a token in Bluemix?
If I need to call the Key Protect service from a Bluemix (e.g. Liberty) application, I need to store somewhere the Authorization credentials in order to call the service. What is the best / suggested way to do that? Environment variable? User-provided service?
The oauth-token returned using the cf oauth-token command is valid for the given session. However in Bluemix this session is set a validity of 1 day. You can look at the related thread here, where this is answered, https://developer.ibm.com/answers/questions/207063/oauth-access-token-expiry-how-to-increase-validity.html
You can refer to the Key Protect API docs here to get an understanding of how to use the APIs, with the retrieved oauth token from Bluemix, https://console.ng.bluemix.net/apidocs/639-key-protect?&language=node#retrieve-secrets-based-on-a-search-query