active-directory-javascript-singlepageapp-angular | use MSAL Angular to login logout | Azure library
kandi X-RAY | active-directory-javascript-singlepageapp-angular Summary
Demonstrates how to use MSAL Angular to login, logout, protect a route, and acquire an access token for a protected resource such as Microsoft Graph.
Community Discussions
Trending Discussions on active-directory-javascript-singlepageapp-angular
QUESTION
TL;DR
How can I delegate my user permissions to a service principal in Azure AD when the usual interactive way (e.g. web app with consent screen popup) is not feasible? This is because I cannot configure the MSI in the Azure Portal properly to work that way.
More detail
I want to grant an application permission to access the Graph API on behalf of a user. Usually, this is a well-documented scenario in which you create an app registration, acquire delegated user permissions by asking permission for the needed scopes, and then use these permissions in the app.
The app that needs Graph access is a background service that is to work on its own without user intervention/activity. For this use case, the common approach is to use application permissions. In my case this is not feasible, because application permissions require admin-consent and are all-or-nothing kind of permissions. There is no way this will be granted for me. Rightfully so, because it's overkill.
But on the other hand that's really a pity. A pity, because I've found an example on how to assign Graph API application permissions directly to a Managed Service Identity rather than to a self-registered app. And my service (as an Azure Functions app) already has an MSI assigned to it. So this would be the perfect fit, but then again, there is no way I'll get those application permissions.
So what is the workaround? We have this one user principal which has all the required permissions we need for our background service. What I want to do is to delegate this user's permissions to the Function App/MSI. In order to do this, I used this SPA-template by the MSAL team to have something that will prompt me the permissions popup.
This however failed because the implicit OAuth flow was not enabled. To remedy this, you usually need to update the app manifest in the portal. However, since this is a MANAGED service identity, and not a self-registered one, the MSI is not listed in the portal under app registrations. So I cannot set this property to true.
Doing the same via Azure CLI also failed because apparently the MSI is not identified as an app.
...
ANSWER
Answered 2021-Feb-09 at 09:48
In my experience Managed Identities don't support the scenario you are suggesting. They do not have an app registration and in that way cannot authenticate users interactively.
I would go with your fallback solution; a normal app registration and use that to access Graph API on behalf of the user. This is what we do in our projects at least. App permissions -> Managed Identity if possible. Delegated permissions -> normal app registration + secret/certificate in Key Vault, retrieved with Managed Identity.
QUESTION
First I'm describing how I set up my applications, then I will describe how I'm using the APIs.
Setup
- In my Azure Active Directory, I have two applications registered: UI and Backend
- UI has the client ID clientId1 and backend has client ID clientId2 (it's a GUID, but for simplicity)
- Both are under the same tenant tentant1 (single tenant)
- Backend has an exposed API with scope "api://clientId2/access_as_user" and authorized client "clientId1" with the scope just mentioned selected
- I'm using passport and passport-azure-ad (I pretty much copied https://github.com/Azure-Samples/active-directory-javascript-nodejs-webapi-v2). My config:
...
ANSWER
Answered 2020-Apr-11 at 22:59
Turns out their code in the repository is not using proper configuration to verify the scope access...
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported