The OAuth2 specifications define six different grant types (https://tools.ietf.org/html/rfc6749 and https://tools.ietf.org/html/draft-ietf-oauth-device-flow-15). Each provides the most optimal (from the security point of view) way of obtaining access or (for OIDC) id_tokens given the circumstances of the client application. This blog summarizes the questions that the implementer of the OAuth2 client application needs to ask and how […]
Author Archives: mrochon
Using Groups in Azure AD B2C
Out-of-the-box AAD B2C does not expose any functionality related to Security Groups. They exist as an entity type and can be accessed via the regular Azure AD portal blade but there are no features for including user group membership in a token issued as a result of a user flow. To use groups you will […]
Azure BOTs – getting extra access tokens
Existing docs show how to enable use of OAuth2 in an Azure Bot application to sign-in the user and get an access token to MS Graph for the user. The following describes an approach for getting access tokens to more than one resource, without re-displaying the sign in dialog (using the V2 Azure AD endpoint). […]
Federation patterns using Azure AD
Objectives This post considers scenarios where an application needs to be accessed by users from many sources of authentication. (Office 365, owned and operated by Microsoft but whose use is managed separately by many independent organizations is an example of such a resource). It proposes a framework for determining an optimal solution for the application […]
Multi-tenant apps and Azure AD
MR: Nov 21st, 2019: I have modified my sample to use security groups in B2C to simulate application tenants and moved all functionality from a custom database to IEF policies. The new sample app’s source is available on GitHub. This is a follow up to my previous blog re multi-tenant applications using B2C. Here I […]
Developing an Azure AD B2C multi-tenant application
The ‘regular’ Azure AD has build-in support for multi-tenant applications. In that case, a user from any Azure AD tenant can sign in to an application registered in another tenant. The application can then use the user’s security context to give the user a view of data that is specific to that tenant. The goal […]
Claims augmentation with OWIN but outside of Startup code
Claims list included in the ClaimsPrincipal usually originate from the security token received by the application as part of user authentication (SAML, OpenIDConnect id token) or access authorization (OAuth2 bearer access token). However, sometimes there is a need to modify that list with claims derived from other sources: Attributes retrieved from custom databases Attributes not initially included […]
Using Azure AD to enable partner access to SharePoint 201x
Introduction The following summarizes my experience with setting Azure AD as authentication provider for Sharepoint 2013 or 2016. This setup enables access to SharePoint for external users (business partners, customers). While there are other approaches that could be used for this purpose, e.g. an on-premises AD with ADFS, using Azure AD has a number of advantages: No […]
OWIN and WS-Federation with CA Siteminder
A customer was having a problem integrating an ASP.NET application with CA Siteminder v12.52. Firstly, there was a problem with using SAML2.0 token formats. To get around that, we reconfigured SM to use SAML1.1 for this application. Still, the application was failing with error message: ID4037: The key needed to verify the signature could not […]
Discovering AuthorizeAttribute role names
The AuthorizeAttribute is used in ASP.NET code to decorate controller classes and methods which require authorization, e.g. [Authorize(Roles =“admin”)] public class HomeController : Controller { Meaning that to call any method in this class, the user needs to have a role claim with the value ‘admin’. With many controllers and methods the number of roles used […]