In my last post, I talked about using ADAL (now deprecated) with the KeyVaultClient class to get an access token using OAuth2 Client Credentials Grant flow and query Azure Key Vault with that access token. In this post, I’ll talk about using a couple of new classes in the Azure SDK for .NET library to accomplish the same goal. We will use Azure.Identity name space for our Azure AD token…
Read MoreSome tips and tricks with Fiddler capture
Recently, I came across a couple of scenarios where I could not get Fiddler to capture SSL traffic easily. Below are the some tips and tricks that may help in these situations. Scenario 1: Capture Node.js web traffic in Fiddler In the same command window where you run npm start to start the node server, run the below set commands first to set the proxy info before running npm start.…
Read MoreUsing OpenID Connect OWIN middleware to validate an Azure AD JWT token signed with a symmetric key
Azure AD by default uses a certificate to sign an OAuth2 JWT token using an asymmetric algorithm (RS256). Alternatively a JWT token can be signed with a “shared” secret using a symmetric algorithm (HS256). Asymmetric signing algorithm is always more secure in preventing the token to be tampered with compared to a symmetric algorithm since the private key is always kept at the Identity Provider (IDP) and the token consumer…
Read MoreHow to use postman to perform a Client Credentials Grant flow with a certificate
This post will demonstrate a couple of things: How to create a signed jwt token (aka Client Assertion) using Powershell. How to use this generated Client Assertion in Postman to get an Access Token Using Client Credentials Grant Flow. To get an Access Token using Client-Credentials Flow, we can either use a Secret or a Certificate. This post will use a self-signed certificate to create the client assertion using both…
Read MoreMSAL.Net in PowerShell – Use .pfx file for Client Credentials Flow
This post will show you how to authenticate for the client credentials flow in PowerShell with MSAL.Net using the .pfx file for the certificate authentication instead of loading the certificate from the certificate store. This post is in part based on this: Using PowerShell to Configure a signing certificate for a SAML-based SSO enterprise application Also, special thanks to my team members Bac Hoang and Will Fiddes for assisting with…
Read MoreWhat’s the security implication of changing the default client type from confidential to public in Azure AD?
From time to time, I get asked this question by a few different customers especially when they encounter the error “AADSTS7000218: The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’” when authenticating to Azure AD. The error is related to the following Default client type setting in the Authentication blade of a registered application: By default the setting is set to No (confidential client). Changing to ‘Yes’ converts…
Read MoreUsing PowerShell to configure a signing certificate for a SAML-based SSO Enterprise Application
In my last blog post I talked about how to use PowerShell to instantiate an MSAL Confidential Client Application to acquire an access token using Client Credentials Grant flow. In this post we will use PowerShell to instantiate an MSAL Public Client Application to perform an Authorization Code Grant flow to obtain a delegated permission Access Token for Microsoft Graph. We will then use that access token to call Microsoft…
Read MoreWhy /memberOf Microsoft Graph API returning null fields for some attributes.
What do below API calls do? https://graph.microsoft.com/v1.0/me/memberOf https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/memberOf These API calls gives us the list of groups and directory roles that the user is a direct member of. API Call: GET JSON response: { “@odata.context”: “https://graph.microsoft.com/v1.0/$metadata#directoryObjects”, “value”: [ { “@odata.type”: “#microsoft.graph.group”, “id”: “b0a133d4-3f3d-4990-be22-879151155f19”, “deletedDateTime”: null, “classification”: null, “createdDateTime”: null, “creationOptions”: [], “description”: null, “displayName”: null, “expirationDateTime”: null, “groupTypes”: [], “isAssignableToRole”: null, “mail”: null, “mailEnabled”: null, “mailNickname”: null, “membershipRule”: null, “membershipRuleProcessingState”: null, } } What is the reason behind seeing null values? When we make a call…
Read MorePerforming Azure AD OAuth2 Authorization Code Grant flow with PKCE in PostMan
Proof Key for Code Exchange (PKCE) is a mechanism, typically used together with an OAuth2 Authorization Code Grant flow to provide an enhanced level of security when authenticating to an Identity Provider (IDP) to get an access token. In fact for Single Page Applications (SPA), Authorization Code Grant flow with PKCE is now the recommended OAuth2 authentication protocol over its predecessor, the Implicit Grant flow, for acquiring an access token.…
Read MoreUsing MSAL.Net to perform the client credentials flow with a certificate instead of a client secret in a .NetCore console appliction.
The sample files for this post can be found in this GitHub repository: https://github.com/RayGHeld/NetCore_ClientCredentials_withCert There is also a Powershell script there to create a certificate for this sample. You can perform the OAuth2 client_credentials grant flow to sign in as an application for your automated type of services. This flow does not require an interactive user to authenticate and should only be run in secure environments. There are 2 methods…
Read More