identityserver4 - Identity Server 4 (with external Azure AD auth) token is not valid in Graph API


I am switching an application from Azure Active Directory authentication to authentication via Identity Server (using Azure AD as an external auth). The authentication and authorization part is implemented: the web API validates the token and gives me what I'm asking for.

Our application uses external APIs, such as the Graph API and SharePoint Online, which require an Azure AD token. E.g. when I go to https://graph.microsoft.com/v1.0/me from the JS application with the Identity Server token, the Graph API response is

    401
    {
      "error": {
        "code": "invalidauthenticationtoken",
        "message": "access token validation failure.",
        "innererror": {
          "request-id": "ce7651bb-5dc4-49e9-90ff-02df440ed4ad",
          "date": "2017-08-11t08:53:12"
        }
      }
    }

I expected this, because Identity Server is giving me its own token and is not passing on the existing token provided by Azure AD. I copied the claims from the Azure AD token into the Identity Server token, but no change.

What is the right approach to enable the application to continue using APIs that require an Azure AD token?

Edit:

What I'm hoping for is this.

  1. Click the login button on the JS (or other client) app
  2. Redirect to the Identity Server login screen
  3. Click on the Azure AD external auth
  4. Redirect to the Microsoft login page and enter credentials there
  5. Redirect to the Identity Server app

    a. I started Fiddler and see that "Microsoft" redirects to {identityserverappurl}/signin-aad (I suppose because I configured the CallbackPath property on the OpenID Connect options). The request carries a cookie idsrv.external. I'm not sure, but I think the access token from Azure AD is inside it. I don't know how to decode this. I tried base64, it is not working.

    b. When the request is finished, a redirect is made to {identityserverappurl}/account/externallogincallback. In the action method I check the fields and data in the request with the debugger, but I can't find the token from AAD. I'm hoping to get the token and put it in additional claims.

  6. The Identity Server app redirects to the JS client app with its own token and an additional claim that contains the Azure AD token valid for the Graph API and SharePoint.

First, where do I locate the action method or middleware that handles {identityserverappurl}/signin-aad?

Second, is there a way to get the token from Azure AD or another external provider inside the {identityserverappurl}/account/externallogincallback action method?

Be aware that I'm new to this kind of stuff and maybe I'm totally wrong in my thinking.

I can manage Azure AD authentication without Identity Server, but I know we will have a request to support multiple external providers and I'm hoping to handle the authentication in one app. If one day we get a request for an additional external provider, I only need to add it in one place.

You need to retrieve the access token for the AAD Graph API - for how this works, check the Microsoft documentation.

Once you have the access token, you can return it as a claim in either the IdentityServer identity token or access token (depending on whether you want to make it available to the front- or back-end).

You can try this first in a simple MVC app to remove the moving parts - and once you have the AD part working, move the code to the app using the IdentityServer middleware.
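The approach the answer describes, as an added example (not code from the question, the answer, or the IdentityServer4 project): the external OpenID Connect handler is told to save the tokens it receives from Azure AD, the ExternalLoginCallback action reads the saved access token out of the external cookie's AuthenticationProperties and adds it as a claim on the IdentityServer subject, and the API resource lists that claim type so it is copied into IdentityServer's own access token. It assumes IdentityServer4 2.x on ASP.NET Core 2.x; the scheme name "aad", the claim type "aad_access_token", the API name "api1", the tenant/client placeholders and the hybrid "code id_token" response type are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Startup.ConfigureServices part: Azure AD registered as an external OIDC provider.
// SaveTokens makes the handler persist access_token/id_token into the AuthenticationProperties
// of the external cookie (idsrv.external). That cookie is encrypted by ASP.NET Core Data
// Protection, which is why it cannot be read with a plain base64 decode.
public static class AzureAdExternalAuth
{
    public const string Scheme = "aad";                         // assumption: scheme name
    public const string AadTokenClaimType = "aad_access_token"; // assumption: custom claim type

    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication()
            .AddOpenIdConnect(Scheme, "Azure AD", options =>
            {
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                options.Authority = "https://login.microsoftonline.com/{TENANT-ID-PLACEHOLDER}";
                options.ClientId = "{CLIENT-ID-PLACEHOLDER}";
                options.ClientSecret = "{CLIENT-SECRET-PLACEHOLDER}";
                options.CallbackPath = "/signin-aad";              // the path observed in Fiddler
                options.ResponseType = "code id_token";            // hybrid flow: the handler redeems the code server-side
                options.Resource = "https://graph.microsoft.com";  // AAD v1 endpoint: API the access token is issued for
                options.SaveTokens = true;                         // keep the AAD tokens for ExternalLoginCallback
            });
    }

    // Config part: listing the claim type on the API resource is what makes IdentityServer's
    // DefaultProfileService copy it from the signed-in subject into the access token.
    public static IEnumerable<ApiResource> GetApiResources() => new[]
    {
        new ApiResource("api1", "My API") { UserClaims = { AadTokenClaimType } }
    };
}

public class AccountController : Controller
{
    [HttpGet]
    public async Task<IActionResult> ExternalLoginCallback(string returnUrl)
    {
        // Read the temporary external cookie written by the OIDC handler at /signin-aad.
        var result = await HttpContext.AuthenticateAsync(
            IdentityServerConstants.ExternalCookieAuthenticationScheme);
        if (result?.Succeeded != true)
            throw new InvalidOperationException("External authentication error");

        var externalUser = result.Principal;
        var userIdClaim = externalUser.FindFirst("sub")
                          ?? externalUser.FindFirst(ClaimTypes.NameIdentifier)
                          ?? throw new InvalidOperationException("Unknown userid");

        // Only present because SaveTokens = true; otherwise the handler discards the tokens.
        var aadAccessToken = result.Properties.GetTokenValue("access_token");

        var additionalClaims = new List<Claim>();
        if (!string.IsNullOrEmpty(aadAccessToken))
            additionalClaims.Add(new Claim(AzureAdExternalAuth.AadTokenClaimType, aadAccessToken));

        // Establish the IdentityServer session; the extra claim now lives on the subject.
        await HttpContext.SignInAsync(
            userIdClaim.Value,
            externalUser.FindFirst("name")?.Value ?? userIdClaim.Value,
            AzureAdExternalAuth.Scheme,
            additionalClaims.ToArray());

        // Delete the temporary external cookie so the AAD token is not kept around twice.
        await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);

        return Redirect(string.IsNullOrEmpty(returnUrl) ? "~/" : returnUrl);
    }
}
```

Two points a practitioner should weigh with this design. The embedded AAD token is a bearer credential for Graph and SharePoint: placing it in the access token (consumed by the back-end) rather than the identity token keeps it out of the browser, and the API resource above does exactly that. It also expires on Azure AD's schedule, independently of the IdentityServer session, and nothing here refreshes it; once it has expired the Graph call will fail with the same 401 even though the IdentityServer token is still valid, so the consumer has to treat that case as "re-authenticate", not as a permanent error.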

