azure-activedirectory-library-for-dotnet's Issues

GetNativeSystemInfo causes Windows Phone 8.1 app certification to fail

Windows Phone 8.1 App Store Certification fails for any app that includes ADAL due to the following error:

This API is not supported for this application type - Api=GetNativeSystemInfo. Module=kernel32.dll. File=Microsoft.IdentityModel.Clients.ActiveDirectory.winmd.

ADAL needs to link against api-ms-win-core-sysinfo-l1-2-2.lib instead of kernel32.dll for this method.

[email protected]

Update AcquireTokenByAuthCode and AcquireTokenByRefreshToken to cache tokens

In web apps that use OpenId connect handler, we rely on using ADAL for getting access tokens using AcquireTokenByAuthCode and AcquireTokenByRefreshToken methods. Since these methods do not store or retrieve tokens from cache, developers are forced to do token management themselves, which includes storing and retrieving tokens to/from cache, checking the expiration time on the tokens etc.

Handling of SSO and non SSO modes in ADAL RT needs improvement

As per the ADAL documentation on the APIs, the API below would set the SSO mode:
AcquireTokenAsync(string resource, string clientId);

This naturally meant to me that the rest of the overloads would not set the SSO mode. However, I experienced that SSO mode was set by other overloads too when the redirectUri parameter passed to them was the same as the ms-app URI of the RT app.
So in other words, if the developer does not want SSO mode, then the redirectUri parameter passed to the API should be different from the ms-app URI of the app itself. To better educate developers on SSO/non-SSO modes, this fact should be documented.

Or consider other ways to simplify this experience, like:
Giving an EnableSSO flag on the AuthenticationContext object similar to the UseCorporateNetwork flag

Need better documentation on UseCorporateNetwork usage in ADAL RT

Thanks for fixing #75

I am using ADAL 2.9.10828.0745 from MyGet. This has some fixes in the AcquireTokenAsync APIs.

Current documentation on UseCorporateNetwork says "...this flag works only in SSO mode."
But with the latest ADAL bits, I don't see anything (documentation, property, method) to set the SSO mode. As a developer, how do I learn about setting SSO mode using ADAL?

Change log entry format to match other ADAL libraries.

ADAL libraries are moving to this standard log entry format.

timestamp:correlation-id - ClassOrComponent: description

If it makes sense on this platform, then dotnet should adopt this format as well, or the closest natural equivalent.

Signout-Signin experience issue in WinPhone

Using 2.7.10729.1634-rc bits of ADAL

When the user signs out and signs in, I expect to provide the credentials directly. But I see a message saying you are already signed in.
The screen below provides 2 options:

  1. Remain signed in with this account
  2. Sign out and sign in with another account

Reading this, I expected that I won't be prompted for credentials when clicking (1). That is not the case. I had to provide my credentials.
On clicking (2), I expected to provide credentials (either as the same or a different user). Instead I get an error saying "Sorry we're having trouble signing you out"...
Both seem wrong to me.

Username/Password out-of-focus issues when redirecting to a 3rd party IDP: Shibboleth

Impact:

  • All Shibboleth users and potentially other 3rd-party federated Identity Provider users.
  • Unacceptable UX experience

To repro:

  1. Enter the user name: [email protected]
  2. The ADAL.NET library will redirect the user to her IDP sign-in page, in this case Shibboleth

Expected Result:
User can see the full user name and password field, and the realm they are trying to sign in to.

Actual Result:
These three fields are out of focus, and there is no scroll bar for the user to move to locate the focus properly.

AcquireToken(resource, userAssertion, clientAssertion) throws while getting an access token using a multi-resource refresh token

A first chance exception of type 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' occurred in Microsoft.IdentityModel.Clients.ActiveDirectory.dll

Additional information: AADSTS90014: The request body must contain the following parameter: 'client_secret or client_assertion'.

Call Stack

Microsoft.IdentityModel.Clients.ActiveDirectory.HttpHelper.SendPostRequestAndDeserializeJsonResponseAsync<Microsoft.IdentityModel.Clients.ActiveDirectory.TokenResponse>(string uri, Microsoft.IdentityModel.Clients.ActiveDirectory.RequestParameters requestParameters, Microsoft.IdentityModel.Clients.ActiveDirectory.CallState callState)
Microsoft.IdentityModel.Clients.ActiveDirectory.OAuth2Request.SendHttpMessageAsync(string uri, Microsoft.IdentityModel.Clients.ActiveDirectory.RequestParameters requestParameters, Microsoft.IdentityModel.Clients.ActiveDirectory.CallState callState)
Microsoft.IdentityModel.Clients.ActiveDirectory.OAuth2Request.SendTokenRequestByRefreshTokenAsync(string uri, string resource, string refreshToken, string clientId, Microsoft.IdentityModel.Clients.ActiveDirectory.CallState callState)
Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.SendOAuth2RequestByRefreshTokenAsync(string resource, string refreshToken, string clientId, Microsoft.IdentityModel.Clients.ActiveDirectory.CallState callState)
Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RefreshAccessTokenAsync(Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationResult result, string resource, string clientId, Microsoft.IdentityModel.Clients.ActiveDirectory.CallState callState)
Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCacheManager.LoadFromCacheAndRefreshIfNeededAsync(string resource, Microsoft.IdentityModel.Clients.ActiveDirectory.CallState callState, string clientId, string userId)
Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenOnBehalfCommonAsync(string resource, Microsoft.IdentityModel.Clients.ActiveDirectory.UserAssertion userAssertion, Microsoft.IdentityModel.Clients.ActiveDirectory.ClientKey clientKey, bool callSync)
Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireToken(string resource, Microsoft.IdentityModel.Clients.ActiveDirectory.UserAssertion userAssertion, Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential clientCredential)

Library crashes on re-entry in WinJS phone app

Crashes with the error message

The text associated with this error code could not be found.

System.UriFormatException: Invalid URI: The hostname could not be parsed.
at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
at System.Uri..ctor(String uriString)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenInteractiveHandler..ctor(Authenticator authenticator, TokenCache tokenCache, IWebAuthenticationBrokerContinuationEventArgs args)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.ContinueAcquireTokenAsync(IWebAuthenticationB

Update AuthenticationResult.Serialize() to return an encoded string

An AuthenticationResult object should be base64 encoded before adding it to the token cache store, because ADAL tries to decode it while reading the result from the cache. This is not obvious and is fragile: if ADAL changes its implementation, the apps that are adding tokens into the cache would be broken.

Consider updating AuthenticationResult.Serialize() to return an encoded string.

Distinguish between 'AnyUser' and 'UnknownUser' with regards to cache

We need to distinguish between ‘I don’t care’ and ‘I don’t know’ when it comes to user. Currently, when UserAssertion is created without explicit user in On Behalf Of scenario, we assume it means ‘AnyUser’ and match it with any user we find in the cache. However, there is a user in the assertion that we don’t know as we cannot look inside that assertion. In this case, we can say ‘we don’t know’ the user and do not match any token from the cache. This reduces cache usage, but can avoid such confusions. The good news is that this is not an interactive flow, so the change in behavior does not lead to more user involvement.

Remove AcquireTokenAsync overloads without redirectUri from both WinRT and WinPhone

Here are the implications of this change:

  1. Our interactive overloads become identical across .NET, WinRT and WinPhone.
  2. Common code across platforms can be used.
  3. We accept ‘null’ as a sign for ‘Application Callback Uri’ which means in WinRT, we call the WAB overload without callbackUri. In WinPhone, we never call that overload anyway (to be able to pass state parameter).
  4. Developer also has the option of passing ms-app which would be pass through and give SSO functionality.
  5. We preserve PromptBehavior argument as each of its values works in some cases depending on the other arguments.
  6. No rename of the API would be needed.

In WinPhone, set PromptBehavior internally to appropriate value

We do not pass PromptBehavior explicitly in WinPhone, so we need to decide what value to use internally. Similar to WinRT, in non-SSO mode it does not matter what value we pick; they are all the same. In SSO mode, the only case that makes a difference is when the user selects KMSI.

Regex update for AuthenticationParameters

It will be similar to the Node.js and iOS ADAL.
This is related to the Authentication Challenge: ADAL receives a 401 challenge and gets the authority information from the header using a regex.

Windows Integrated Authentication not working

I'm trying to get Windows Integrated Authentication to work as described in this blog post
http://www.cloudidentity.com/blog/2014/07/10/adal-v2-and-windows-integrated-authentication/

I'm getting error code invalid_authority_type using code similar to what's in the blog post

AuthenticationResult result =
    authContext.AcquireToken(todoListResourceId, clientId, new UserCredential());

From a quick look at the code, it appears that the condition on line 286 of AcquireTokenHandlerBase.cs is evaluating to false because AcquireTokenNonInteractiveHandler.SupportADFS is false. Is that the expected behavior? Is there a different overload I should be calling?

AcquireTokenInteractiveHandler throws System.IndexOutOfRangeException when empty extraQueryParameters is passed.

Latest dev branch sources (2.7.10804.0745-rc)
AcquireTokenInteractiveHandler throws System.IndexOutOfRangeException when empty extraQueryParameters is passed.

Below is the code that throws this. We should be checking for string.IsNullOrEmpty, not just null.
if (extraQueryParameters != null && extraQueryParameters[0] == '&')
{
    extraQueryParameters = extraQueryParameters.Substring(1);
}

Microsoft.IdentityModel.Clients.ActiveDirectory.winmd!Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenInteractiveHandler.AcquireTokenInteractiveHandler(Microsoft.IdentityModel.Clients.ActiveDirectory.Authenticator authenticator = {Microsoft.IdentityModel.Clients.ActiveDirectory.Authenticator}, Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache tokenCache = {Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache}, string resource = "api.aadrm.com", string clientId = "6507DFAF-F19E-47C6-82C3-08AFEE79D74E", System.Uri redirectUri = {System.Uri}, Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior promptBehavior = Always, Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier userId = {Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier}, string extraQueryParameters = "", Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.IWebUI webUI = {Microsoft.IdentityModel.Clients.ActiveDirectory.WebUI}, bool callSync = false) Line 62 C#
Microsoft.IdentityModel.Clients.ActiveDirectory.winmd!Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenAndContinueCommon(string resource = "api.aadrm.com", string clientId = "6507DFAF-F19E-47C6-82C3-08AFEE79D74E", System.Uri redirectUri = {System.Uri}, Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier userId = {Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier}, string extraQueryParameters = "", Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextDelegate authDelegate = {Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextDelegate}) Line 208 C#
Microsoft.IdentityModel.Clients.ActiveDirectory.winmd!Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenAndContinue(string resource = "api.aadrm.com", string clientId = "6507DFAF-F19E-47C6-82C3-08AFEE79D74E", System.Uri redirectUri = {System.Uri}, Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier userId = {Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier}, string extraQueryParameters = "", Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextDelegate authDelegate = {Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextDelegate}) Line 154 C#
UILib.DLL!UILib.AuthenticationManager.GetToken.AnonymousMethod__3() Line 73 C#
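An added example, not ADAL's own code, that places the null-only check quoted in this issue beside the string.IsNullOrEmpty form the issue asks for, and drives both with constructed inputs (including the empty string from the call stack above) so the crash and the fix can be observed side by side; the method and class names are hypothetical.

```csharp
using System;

// Hypothetical helper mirroring the leading-'&' handling reported in the issue.
public static class ExtraQueryParametersExample
{
    // The check as quoted in the issue (kept as reported): a null guard only.
    // An empty string passes the guard and extraQueryParameters[0] throws
    // IndexOutOfRangeException, which is what the debugger call stack shows.
    public static string StripLeadingAmpersandOriginal(string extraQueryParameters)
    {
        if (extraQueryParameters != null && extraQueryParameters[0] == '&')
        {
            extraQueryParameters = extraQueryParameters.Substring(1);
        }
        return extraQueryParameters;
    }

    // Hardened form: string.IsNullOrEmpty short-circuits before indexing, so
    // both null and "" pass through untouched and never reach [0].
    public static string StripLeadingAmpersandFixed(string extraQueryParameters)
    {
        if (!string.IsNullOrEmpty(extraQueryParameters) && extraQueryParameters[0] == '&')
        {
            extraQueryParameters = extraQueryParameters.Substring(1);
        }
        return extraQueryParameters;
    }

    public static void Main()
    {
        // Constructed inputs: the two edge cases plus a normal and a prefixed value.
        string[] inputs = { null, "", "&foo=bar", "foo=bar" };
        foreach (string input in inputs)
        {
            try
            {
                Console.WriteLine($"original({Show(input)}) -> {Show(StripLeadingAmpersandOriginal(input))}");
            }
            catch (IndexOutOfRangeException ex)
            {
                // Only the empty string lands here.
                Console.WriteLine($"original({Show(input)}) threw {ex.GetType().Name}");
            }
            Console.WriteLine($"fixed({Show(input)}) -> {Show(StripLeadingAmpersandFixed(input))}");
        }
    }

    private static string Show(string s) => s == null ? "null" : $"\"{s}\"";
}
```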

AcquireTokenSilent

Hi! I'm having this exception when trying to run the AcquireTokenSilent method on the AuthenticationContext class:
AdalSilentTokenAcquisitionException
Message: Failed to acquire token silently. Call method AcquireToken.

I'm following this sample code https://github.com/AzureADSamples/WebApp-WebAPI-OpenIDConnect-DotNet, so the scenario is the same. I searched on the web but every solution I found wasn't the right one. I also took a look at the source code and I found this code in the AcquireTokenSilentHandler class:

protected override Task<AuthenticationResult> SendTokenRequestAsync()
{
    Logger.Verbose(this.CallState, "No token matching arguments found in the cache");
    throw new AdalSilentTokenAcquisitionException();
}

So, is this feature not implemented, or can I just not figure out what is going on?

Thanks a lot.

Rodrigo

Refactor AcquireTokenForMSAHandler code in to another class.

The AcquireTokenForMSAHandler class repeats code that is already in AcquireTokenNonInteractiveHandler. Further, there really isn't anything MSA specific going on in the class. The code should be refactored to remove the redundancy and to remove the reference to MSA.

Need better help/documentation on UserIdentifierType

The help available on the fields of UserIdentifierType is not intuitive. E.g. it is not clear when to use OptionalDisplayableId or RequiredDisplayableId or UniqueId. Also, it is not clear how the result will be different in each case.

WIA does not work with PromptBehavior.Never (prompt=none)

This flag is not working for federated users. We need a better solution (either changing the behavior of prompt=none or passing another flag to AAD to make sure it redirects to ADFS for federated cases while maintaining prompt=none behavior for managed users).

Update token cache logic in AcquireTokenByAuthorizationCode

"The lack of a resource would make a cached access token inaccessible in subsequent calls, however if its associated refresh token is an MRRT then having it cached would help making subsequent AcquireTokenSilent calls succeed. Hence, it looks like we should cache the acquiretokenbyauthorizationcode result, at least when we know that the origin authority trades MRRTs."

ADAL RT: AcquireTokenAsync(resource, ClientId) fails when app access to account info is off

Go to Control Panel --> PC Settings --> Privacy --> General.
Make sure that the option 'Let apps access my name, picture & account info' is set to off.
This is the default setting.

In the RT app, call
authContext.AcquireTokenAsync(resource, ClientId)

I get the error below:
"user_information_access_failed: Cannot access user information. Check machine's Privacy settings or initialize UserCredential with userId"

My app doesn't need to access any local info (authContext.UseCorporateNetwork = false). I should be able to get tokens without changing privacy settings.

Not able to sign out and sign in as different user

I would like to provide a sign out and sign in as a different user experience in my app.
On sign out, I am clearing the token cache
(Ctx.TokenCacheStore.Clear()) and calling 'AcquireTokenAndContinue'.

Since I do not know the user id upfront, I am using the overload below:
public void AcquireTokenAndContinue(string resource, string clientId, Uri redirectUri, AuthenticationContextDelegate authDelegate);

Calling AcquireTokenAndContinue returns the token for the previous user. I don't get any prompt to enter new credentials.

SSO is broken on WinPhone

The method WebAuthenticationBroker.GetCurrentApplicationCallbackUri throws an exception:

System.UriFormatException: Invalid URI: The hostname could not be parsed.
Result StackTrace:
at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
at System.Uri..ctor(String uriString)
at Windows.Security.Authentication.Web.WebAuthenticationBroker.GetCurrentApplicationCallbackUri()

Following up with the WAB team...

Native projects calling AcquireTokenAndContinue in winphone throws exception

Create a WinPhone Store native project or WinJS project.
Add a reference to ADAL.
Call the AcquireTokenAndContinue method.

There seems to be an issue in calling WebAuthenticationBroker.GetCurrentApplicationCallbackUri in WinPhone. If a native project calls into a managed winmd that calls GetCurrentApplicationCallbackUri, we get an exception.

With this bug, the overload without a redirect URI will fail, which is OK as the underlying platform code is throwing.
We fail even for the overload where developers specify the redirect URI. This is due to the fact that, in the WebUI::Authenticate method, we check whether this is SSO mode or not. This check is failing:
if (redirectUri.AbsoluteUri == WebAuthenticationBroker.GetCurrentApplicationCallbackUri().AbsoluteUri)

Until the issue is fixed in the platform, we should catch the exception and continue…

AuthenticationResult.UserInfo.IdentityProvider field is populated as null, which is confusing

I am using a native client application to get an access token for a resource registered in a standard Azure AD tenant, e.g. mytenant.onmicrosoft.com.
I am using ADAL RT in my app to get the access token. After successful authentication for the
admin@mytenant.onmicrosoft.com user, I see that the AuthenticationResult.UserInfo.IdentityProvider field is null. How can it be null? I assume it should look like https://sts.windows.net/mytenant.onmicrosoft.com. Right?

If I use a Microsoft user, e.g. [email protected], for authentication, then I see that IdentityProvider is populated as live.com.

I think the reason for this is that in the first case you don't get the "idp" claim, while in the latter case you get the "idp" claim from AAD.

However, as a developer, this is confusing/ambiguous experience for me. I would expect a valid value for IdentityProvider in both the cases.

Extra space appears in first ADAL prompt for username, causing auth failures unless removed

The first ADAL prompt which appears, asking for your username, is pre-populated with a single space. Users do not see the space, and enter their username. Since the space+username combination is not valid, authentication fails. Even removing the space in the subsequent page (where password is also prompted) does not seem to fix it, and the user has to close the ADAL prompt and start over.

This is a blocking issue.

[email protected]

Update MRRT logic based on open id connect document

The current behavior to determine whether a refresh token is MRRT or not is based on presence of the field 'resource' in token response, but that needs to change as MRRT is a behavior of the STS, not the refresh token and needs to be determined from STS metadata using Open ID Connect Discovery.

Contents of ADAL dialogs render too small and sometimes offset on Windows Phone

ADAL dialogs render at a very small size on Windows Phone, requiring the user to manually zoom in to be able to read the text or confidently click on buttons or input boxes. There is a large amount of empty white space which serves no purpose.

The dialogs also sometimes render offset, partially offscreen in one direction or another. Fixing this requires first zooming out, then zooming back in with a new center.

Both of these issues make the scenario feel unpolished and unprofessional.

[email protected]
