Comments (2)
I noticed that the documentation page was updated 01/06/2022. But the sections about tokens remain unchanged.
Please do not close this issue before addressing this!
To summarize:
- in https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#handling-endpoint-authentication there is sample code for Development that uses a self-generated long-term token, and sample code for Release that validates a token generated by the AAD in your tenant
- in several places the documentation warns us not to use the AAD-generated token in production, but not why; which is strange because a) it seems standard OAuth protocol, b) it is in the Release branch of the sample code
- in https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#authorization-to-provisioning-connectors-in-the-application-gallery it is suggested that you use a long-lived token for your non-gallery app, but there is no hint on how to generate that token (other than the source code in the Development branch sample)
from scimreferencecode.
Here's how to set up Postman for an AAD-based bearer token. Please consider including it in the Wiki.
Essentially, the app is very basic and it only checks two things: token issuer and audience. This is described in the docs.
TLDR:
When requesting a token for your client, make sure you are using the OAuth 2 v2 endpoint
https://login.microsoftonline.com/{{TenantID}}/oauth2/v2.0/token
and just put this in the Scope field
8adf8e6e-67b2-4cf2-a259-e3dc5476c621/.default
Done!
Background
Just as described in the docs, this app does not do any additional validation or auth checks and only looks for Issuer and Audience. Out of box:
- Your issuer must be your AAD Tenant: https://sts.windows.net/{{TenantID}}/
- Your audience must always be: 8adf8e6e-67b2-4cf2-a259-e3dc5476c621 - this is a hardcoded number for custom gallery apps
Of course you can edit the code of the sample app for more sophisticated validation, but that's what you get out of box.
Thus, any token containing these values in the iss and aud fields will work.
You can use https://jwt.ms/ to test the tokens you are getting for the correct values.
Step by step:
- If you don't already have an app registration that represents Postman in your AAD, create one. If you already have it, you just get the IDs/Secret - you most likely know the drill.
Go to App Registrations, create a new one, record the "Application (client) ID" from the Overview page
While there, also copy the Tenant ID from the same page.
Then go to Certificates & secrets -> Client Secrets and create a new one. Choose any name and duration. Once created, copy the Value (not ID) somewhere. You will never see it again, so make sure to copy it!
- Now in Postman create Environment variables for ClientID , ClientSecret , TenantID and token. You may also hardcode them, but this is a bad practice. Variables are case-sensitive - be aware. Populate all the *ID variables with corresponding values from 0, we will deal with token later.
- Select the Collection-level Folder in Postman (SCIM Tests) and choose the Authorization tab (if you have your own custom collection, you probably know what you are doing anyway). Use the following values:
Type: OAuth 2
Add Auth Data To: Request Headers
== Configure New Token
Token Name: <choose one you like, we won't need it>
Grant Type: Client credentials
Access Token URL: https://login.microsoftonline.com/{{TenantID}}/oauth2/v2.0/token
^^ Note the /v2.0/ - it will be different if you use the 1.0 endpoint
Client ID: {{ClientID}}
Client Secret: {{ClientSecret}}
^^ Note that variable names are case-sensitive.
Scope: 8adf8e6e-67b2-4cf2-a259-e3dc5476c621/.default
^^ This is where the magic happens!
Client Authentication: Send as Basic Auth Header
Don't touch anything else, just scroll down and click the "Get new access token" button
You should have successful auth, followed by a window with the token value.
Copy out that value and assign it to a variable called token in your Postman Environment (note that it must be all lowercase, as it is case-sensitive).
This is it! You don't need to do anything else, as the requests are hard-coded to read the token from the {{token}} variable
I initially did the whole job of authorizing the Postman client to access the app, but realized that the app does not really do any checks, so ANYONE is able to access this demo app (again, your production app should probably do proper auth checks).
Conclusion
I still stand by the fact that it would be nice if the app implemented a login page / proper AAD integration for a more friendly way of displaying user info. I work in presales (not a dev) and all I need is a sample app to show customers why SCIM is cool and why they should demand it from the developers. This sample in its current state would probably be a show-stopper for way too many presales folks: one must know VS / VS Code, GitHub, upgrade the app from unsupported .NET Core 3.1 to at least .NET 6, know Azure App Services, understand tokens, Postman etc., AND be able to write a customer-pleasing front-end to this thing...
Now I see why SCIM is spreading so slowly.. :)
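The client-credentials request and the issuer/audience check described in the comment above, as an added example that is not part of the scimreferencecode repository or of the commenter's post. `request_token` performs the same POST that the Postman configuration does (v2.0 endpoint, scope `8adf8e6e-67b2-4cf2-a259-e3dc5476c621/.default`) and needs a real tenant, app registration and network; `check_iss_aud` reproduces the only two checks the comment says the sample app performs, decoding the JWT payload without verifying the signature, exactly as jwt.ms does. The tenant ID and the tokens built by `make_unsigned_jwt` are constructed placeholders for local runs, and `make_unsigned_jwt` is a helper invented here, not something Azure AD issues.

```python
"""Added example (not from the scimreferencecode project): obtain an AAD
client-credentials token and check the iss/aud claims the sample app looks at."""
import base64
import json
import urllib.parse
import urllib.request

# Hard-coded audience the sample app expects for custom (non-gallery) apps,
# as stated in the Microsoft docs and in the comment above.
EXPECTED_AUDIENCE = "8adf8e6e-67b2-4cf2-a259-e3dc5476c621"


def token_endpoint(tenant_id):
    """OAuth 2 v2.0 token endpoint; the /v2.0/ segment is the one that matters."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def expected_issuer(tenant_id):
    """Issuer value the sample app checks for (per the comment above)."""
    return f"https://sts.windows.net/{tenant_id}/"


def request_token(tenant_id, client_id, client_secret):
    """Live client-credentials grant: same parameters as the Postman setup.
    Requires network access and a real app registration; not run by the test."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{EXPECTED_AUDIENCE}/.default",
    }).encode()
    req = urllib.request.Request(token_endpoint(tenant_id), data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(jwt):
    """Decode the payload WITHOUT signature verification (what jwt.ms displays)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_iss_aud(jwt, tenant_id):
    """The two checks the comment says the sample app performs, and nothing else.
    Returns (ok, reason). A production endpoint must also verify the signature
    against the tenant's signing keys and the exp/nbf claims."""
    claims = decode_claims(jwt)
    if claims.get("iss") != expected_issuer(tenant_id):
        return False, f"unexpected iss: {claims.get('iss')!r}"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        return False, f"unexpected aud: {aud!r}"
    return True, "iss and aud match"


def make_unsigned_jwt(claims):
    """Constructed test token (alg=none, empty signature) for offline checks only.
    Invented helper: Azure AD never issues tokens like this."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    tenant = "11111111-2222-3333-4444-555555555555"  # constructed placeholder
    good = make_unsigned_jwt({"iss": expected_issuer(tenant), "aud": EXPECTED_AUDIENCE})
    print(check_iss_aud(good, tenant))
    wrong_aud = make_unsigned_jwt({"iss": expected_issuer(tenant), "aud": "api://other"})
    print(check_iss_aud(wrong_aud, tenant))
```

Run `check_iss_aud` on the token Postman hands back (after pasting it into `token`) to confirm the `iss` and `aud` values before sending SCIM requests; if the issuer shown by jwt.ms differs from `https://sts.windows.net/{tenant}/`, that is the value the sample app will reject.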