I am using Graph API to read user information from Azure AD. I am getting all the user information in the response except the password. Is there anyway I can get that?
I am calling this API. (Reference)
https://graph.windows.net/myorganization/users/{user_id}?api-version
As noted in the Graph API References:
The passwordProfile property always returns null. This is to prevent the user’s password from being displayed. You can reset the user’s password by updating the passwordProfile property.
If you are looking to have someone authenticate to your service using their AAD Account, you should either use Federation to have your authentication provider trust the AAD authentication provider, or you can even register your application in our system, and use AAD as your authentication provider.
I hope this helps!
Related
My project is a MVC Core 3.1 web application.
The autentication is based on the Microsoft.identity.web template to sign-in users in Azure AD B2C.
You can find the samples here: https://github.com/AzureAD/microsoft-identity-web/wiki#samples
Users can register/login as standard users on B2C or login with the corporate account (azure AD, so an openID Connect Identity Provider).
When Users signs in with the corporate account, I get a JWT token with a claim named "idp_access_token" which contains the access_token from Azure AD. It contains some claims I need for the application (for some reasons I can't even see the emailAddress/unique_name in the B2C token so I need to get it from here...).
But I'm not sure how (and where) I'm supposed to deal with this token and how to access the claims inside it. Can I map them in the claimPrincipal? Because I would like to use the email as the "User.identity.name".
Should I write a service (transient?) and Inject it where I need it?
Sounds like you are using a feature you don’t actually need. Usually the embedded IdP access token is used to call the services that the IdP hosts. For example, a user logs in with Facebook and your app wants to call the Facebook API to post to their Facebook wall.
You as the app developer should not inspect or use the token for your own self, as you cannot trust it. If you want data from that token, then perform the relevant claims mappings in your B2C policy/user flow, as B2C does validate the token and can trust it. You cannot. Services provided by the IdP will verify it, so also can trust it.
My organization runs a grafana 7.0 instance that only allows SSO logins. I would like to create an API token for my user account but based on these instruction it seems like doing so is not possible without supplying a password. Is this understanding accurate?
As #Amal.Touzani mentioned, API key is created per organisation, not per user.
Instruction, mentioned by you, needs admin password to authenticate the admin user during API token creation. Later on access level will be defined by role specified in request, in example it is "role": "Admin". Role could be Viewer, Editor or Admin (as mentioned here)
Of course, all these steps could be done from Grafana Administration UI:
I think your user should have the permission to create API token but you don't supply the
password.
Based on the documentation , the Admin API needs (username , password ) to authenticate .
But API Tokens are currently only linked to an organization and an organization role , please see these links :
https://grafana.com/docs/grafana/latest/http_api/admin/
https://grafana.com/docs/grafana/latest/http_api/auth/
https://grafana.com/docs/grafana/latest/tutorials/api_org_token_howto/
From Keycloak UI, I am able to edit the account information of the user using {keycloak_server_address}/auth/realms/NTC/account/ link.
I am aware of update user admin API to edit user information. Is there any way to edit user information by the user itself with manage-account privilege?
We required this functionality and we ended up creating our own REST api. We have Keycloak admin credentials in configuration file and when user calls our method we create request to KeyCloak api with admin credentials. We use jwt token authentication in our api and check prefered_username claim.
It is not a simple solution, but if you realy need it I guess it is only way to do it.
I'm trying to figure out how to use the Azure Graph API to query a user's full name (first and last) from a given username. I understand I can do this with the following Graph API call...
https://graph.windows.net/myorganization/users/{user_id}?api-version
However, I am not sure how I go about getting an access token to use with this, because this process will be called without a user logging in, which is usually how we obtain an access token.
Is there anyway I can pass a username/password to a given URL using cURL or something and obtain an access token that way, so it is done behind-the-scenes?
There are two main authentication methods which are supported by OAuth 2:
Authorization Code Grant Flow
Client Credentials Grant Flow
The first flow requires a user agent to be present to sign into the client service and results in a delegated token. The second method does not require a user to sign in, as it only authenticates using the client secret; this results in an app only token.
If you want to create a background service that captures data from the AAD Graph API, you can absolutely do this using the Client Credentials Grant Flow, which does not require a user to be present at any point during the authentication flow.
You simply need to configure your application to to have app only scopes. Read here: Permission scopes | Graph API concepts. App only scopes all require tenant administrators to consent to the application in order to get access to data.
Finally, I feel I must mention that there is another less used flow specified in the OAuth 2 spec: Resource Owner Password Credentials Grant. This flow specifies how a client application who has knowledge of a user's username and password could directly pass those parameters and get an access token on behalf of the user. However using this flow is not good practice at all.
The resource owner password credentials grant type is suitable in
cases where the resource owner has a trust relationship with the
client, such as the device operating system or a highly privileged
application. The authorization server should take special care when
enabling this grant type and only allow it when other flows are not
viable.
We support this in our V1 endpoint, but not in our new V2 endpoint. You can read this blog to learn more.
If I add authentication in Azure Mobile Service with Google as the provider, I go and create an app, get the app_id and secret and plug it in. Great, now users can authenticate with google and get a user token. Now they are considered an "authenticated user" wrt the table permissions.
However, I don't want to authorize everyone with a google account access to my API. Is it possible to limit this to a list of known users? Must I check every request for specific user ids?
Perhaps social login is not the best choice here and I should use something else like Azure AD?
We added custom authentication provider to wams and synchronize the social account with "our" user-account that is stored in the database. For protected web api methods a user account needs to be activated first. You have to check manually whether an account is activated/ high privileged or not and return the result or unauthorized status code.
I decided to use Azure Active Directory to solve this problem. This way, I can create users in Azure AD but not have to manage users myself in the back end. With this choice I am still able to chose the only authenticated users permission level without having to check on every rest endpoint that the authentication users is one of the ones I want to grant access to.