active-directory-angularjs-singlepageapp | AngularJS based single page app | Azure library
kandi X-RAY | active-directory-angularjs-singlepageapp Summary
kandi X-RAY | active-directory-angularjs-singlepageapp Summary
An AngularJS based single page app, implemented with an ASP.NET Web API backend, that signs in users and calls web APIs using Azure AD
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of active-directory-angularjs-singlepageapp
active-directory-angularjs-singlepageapp Key Features
active-directory-angularjs-singlepageapp Examples and Code Snippets
Community Discussions
Trending Discussions on active-directory-angularjs-singlepageapp
QUESTION
I have to integrate my AngularJS SPA with Azure AD. There is a sample app for this (https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp). That sample is working fine and i have no problem logging in using that sample application.
But the sample is using some very old versions of jquery (1.11.1) and angular (1.2.25). I use jquery 3.1.1 and angular 1.6.4.
When I use those version together with the sample app i cannot login.
I am being redirect to login.microsoftonline.com which reply with a 302 authorize respond with a very long querystring and the page is stuck there, meaning is stays with that long url in the browser address bar.
If i change the scripts to the old version, refresh the page and try again i am logged in.
And i am not logged in.
Any ideas on how to get this to work?
Here is my controller
...ANSWER
Answered 2017-Jun-13 at 06:18Please follow the suggestion mentioned by tomidix, it fix this issue. Here is the code for your reference:
app.js
QUESTION
I am working on integrating Azure Active Directory
for my Angular SPA (or any Javascript) application. Application has a front-end (built with JavaScript) and a Web API (built with any c# or any server side languages).
For reference, https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp
I know that I configured OAuth 2.0 Implicit Grant in SPA AAD Registration. OAuth 2.0 Implicit Grant is slightly relaxed to let SPA gaining access to web resources tied to SPA AAD Registration by redeeming 'id_token'.
OAuth 2.0 Implicit Grant Protocol:
- Reach Azure Auth Endpoint with client_id, resource,.. for id_token
- Challenge it with credentials
- Get id_token as it is posted back to SPA URI.
- Use id_token as bearer token to access the restricted web resources.
SPA works very well with id_token and OAuth 2.0 Implicit Grant Protocol for Internal Web API alone.
Reason why we could not acquire access_token from SPA or JS:
SPA could not send XHR to Azure Token Endpoint as SPA is blocked by CORS Policy of Azure Token Endpoint. So, SPA XHR could not acquire access_token.
But, iFrames implementation of Adal.js can fetch access_token by calling cross-domain web resources.
It looks like this is a special case for SPA alone.
QUESTIONS:
How does AAD determine which web resources that 'id_token' holder can access? By looking up the web resources tied to SPA AAD Registration?
[OP] Adal.js is responsible for intercepting our post-backs to receive and store tokens like id_token & access_token
Cannot AAD implement the following approach?
- Redirect to Azure Auth Endpoint with client_id, resource,.. for Auth Code.
- Acquire Authorization_Code from Azure Auth Endpoint by posting it back to SPA URI.
- Instead for XHR to Azure Token Endpoint, can't we redirect to Azure Token Endpoint with Auth_Code, client_id, resource,.. to let Azure Token Endpoint post back the access_token back to redirect_uri?
[OP] Adal.js had other plans to use iFrames to call Cross-domain API (Az Auth Endpoint, in this case) and acquire Access Tokens.
P.S. I need real answers for above questions. This case is now solved :)!
...ANSWER
Answered 2019-Apr-24 at 10:23How does AAD determine which web resources that 'id_token' holder can access? By looking up the web resources tied to SPA AAD Registration?
It doesn't. If your API is configured to accept valid AAD tokens with the audience set to your front-end app's client id, it'll accept the token. This isn't a good pattern though, you should use access tokens to call APIs.
As for your question regarding access tokens, a front-end can acquire access tokens through implicit flow by using a redirect or a hidden iframe. If you use ADAL.js or MSAL.js, they do this for you automatically if you ask for an access token from them.
Essentially they open an iframe that goes to the /authorize endpoint with:
response_type=token
resource=https%3A%2F%2Fgraph.microsoft.com
orscope=https%3A%2F%2Fgraph.microsoft.com%2FUser.Read
if using v2/MSALprompt=none
The last parameter tells AAD to not do a prompt (it's a hidden iframe). If a valid session still exists in the user's browser and consent has been granted for the scopes asked, a token is returned as a redirect to your SPA within the iframe. ADAL/MSAL then can grab the token from the iframe URL as they are running on the same host name.
Because of the way this works, you'll want to check if you are within an iframe when your SPA loads and not render the app at all if it is.
And no, you cannot call the /token endpoint from a JS front-end.
QUESTION
I have followed this guide:
https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp
and I connect successfully. I would like to send the bearer token to my C# server and use it to call my workbench(another AD app) functions.
I am trying to use the bearer token I get from angular in a postman call and it is unauthorized. It is important to mention that I gave my angular client on AD permission to access my workbench instance and it's still not working, that leads me to some questions:
I have tried using a .NET client from this guide:
http://blog.pomiager.com/post/using-rest-api-in-azure-workbench-blockchain
and it works. I notice here that in the AuthenticationContext object it receives credentials that is using the Client ID and the Client Secret. I notice that in the angular AD example we never use the secret. But the thing is that, when looking at the guide to create your own workbench UI, in the authService.js, it never takes the secret as a parameter as well. As can be seen here:
I understand that that credentials should be set on the server. In the angular example that I provided there is also a ASP.NET server
How can I create a valid bearer token for the workbench from the angularJS AD example? Should I replace the OWIN lib with something else?
Thanks
...ANSWER
Answered 2019-Feb-28 at 15:28You have two options:
OPTION1 - Call Workbench API directly from AngularJS based SPA
In this option you work with Implicit Grant Flow and only call Workbench API through
Delegated Permissions
i.e. in context of the signed in User.Also know that AngularJS SPA itself should not make use of any client secrets because it is a security risk and anyone using your application may be able to extract secret from JavaScript code.
Here is a code sample from Azure Samples. This sample has TodoSPA (your AngularJS app) and ToGoAPI (separate API, analogous to WorkBench API). So you don't need to host the ToGoAPI yourself, but assume WorkBench API is your ToGoAPI. Follow the same steps just permission name 'Access To Go API' will be different and you will use
Access Work Bench API
instead.Call an Azure AD protected Web API in an AngularJS Single Page App
Important code pieces -
In
App\Scripts\app.js
, replace the property name of the endpoints object to the new location of yourTo Go API
, which will be Workbench api url in your case. In App\Scripts\toGoListSvc.js, replace the apiEndpoint variable with the same value.OPTION2 - Create a backend API that supports your AngularJS based SPA
AngularJS SPA calls this backend server based API, which then calls Workbench API.
In this option you can use client secrets and work with both
Delegated permissions
as well asApplication Permissions
.You need this option only if you need to work with
Administrator
permission shown in screenshot for Workbench API shown above.From a flow standpoint, you can directly use Client Credentials grant flow from backend API if you don't need to call Workbench with context of a user. In case you need to call in context of a user, make use of On behalf of flow.
Since your blog reference that you're trying to follow makes use of only Delegated permissions, I think you should be good with option 1 but you can decide further based on your requirements.
QUESTION
We have a SPA which authenticates using ADAL (similar to examples provided https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp). Now we want to host our application inside a secure environment where all communication outside is blocked by default. So we want to whitelist IP addresses which are/can be associated with AAD login process.
Using DNS lookup to find IP addresses for login.microsoftonline.com doesn't give me all the IPs since I did nslookup from different location and found different set. So, wondering do you guys know a set of such IPs.
PS: I found a list of IPs here - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites but this list is huge. Do I need to whitelist all?
...ANSWER
Answered 2017-May-26 at 03:07Yes, you should whitelist all IPs in the Office 365 URLs and IP address ranges - Identity and Authentication documentation.
This list is so big because Azure AD is a globally available service and thus is deployed across the world in order to meet its availability and performance SLAs. Also worth mentioning is that Azure AD is comprised of many different services (Auth, MFA, Azure AD Connect, etc) which have their own IP addresses.
Lastly, don't forget to also add the IP address of any federation server(s) if the Azure AD tenant is federated (this is generally ADFS). This last point is particularly challenging if your applications is a multitenant application.
QUESTION
I've got a self-hosted web api application with an angular front end, and I need to now start authenticating users via Azure Active Directory.
I've downloaded the SinglePageApp example and I've set this up and have it running successfully. https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp-dotnet-webapi
When applying the necessary changes to my own app, I can successfully redirect the user to the Azure login screen and get back the userProfile using adal.js/adal_angular.js. I'm getting 401 unauthorized errors whenever I call my API, however using Fiddler, I can see that the bearer token is added to the HTTP header in each call.
Here is my AdalAngular setup:
...ANSWER
Answered 2017-Mar-14 at 16:01You need to declare the ConfigureAuth(appBuilder);
as the first line in the Startup.cs Configuration method. You can find a good explanation here on why it need to be declared as the first.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install active-directory-angularjs-singlepageapp
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page