A .NET 4.5 MVC web app that uses Azure AD groups for authorization.
There's a newer version of this sample taking advantage of the Microsoft identity platform (formerly Azure AD v2.0) Check it out: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/5-WebApp-AuthZ/5-2-Groups
If you really need to access this Azure AD v1.0, you can navigate to the master branch, but please know that it's no longer supported.
Is this app consentable by users? (See mail with Yi)
Reading this documentation (section Groups overage claim) gives the impression that the number of groups that can be present in the returned token is 100+, this does no longer seem to be the case, as other sources report the limit is changed to 5. The low number of returned groups thereby force the application to utilize the graphAPI and session storage, calling the graphAPI on the initial visit to extracts the users groups.
An update the the documentation might be in order as to not confuse developers.
Sources:
Strack overflow, first comment
Azure-docs discussion
Another confused user
Need to add to instructions. Due to changing Graph permissions.
Hi ,
I cloned this repository in an attempt to find out how to access the Azure AD groups. When I Run the application and click on task, I am getting the below error,
Can anybody help?
I attempted to log in using credentials for a Windows Live account that is in my AD. The log in failed. I'm fairly confident that the credentials were connect, because I was able to log in the live account just before I attempted to log in to the sample. However, that isn’t the real issue.
The real issue is that since that failed attempt the log in page no longer contains edit boxes for user name or password (see image). I have cleared the cache and restarted my machine but the result is still the same. It is happening inside a library method call. It’s been a while since I did this, but I believe there is a way to get the source needed to step into a DLL like this, but I’m trying to avoid that.
Is this a known issue?
Would this be helpful?
When browsing to Tasks tab on the newly setup web app with the code getting error Failed to acquire token silently as no token was found in the cache. Call method AcquireToken. How to get rid of this error?
Just to say this is a very good sample, mainly because you have taken the time to explain how it works and the README file (that is important as its hard to see what is going on when you are just looking at the individual parts). And you have got good comments in the code, which is good too.
Also nice to see some clear code on using Active Directory Graph Client ver 2 as there isn't any documentation I can find on this library.
This sample covers a scenario I am currently trying to implement and this sample has directed me to a better way of doing things. Thanks for all your work on this.
Good start, but number of issues:
It becomes clearer, though, as we get to the next issue:
I think it would help if author ran through their example thoroughly before posting this online.
Hi team,
After downloading when i try to build the package in VS 2017 below error pops up
This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is ..\packages\Microsoft.CodeDom.Providers.DotNetCompilerPlatform.2.0.1\build\net46\Microsoft.CodeDom.Providers.DotNetCompilerPlatform.props. WebApp-GroupClaims-DotNet C:\MyProjects\DOTNET\Azure AD\active-directory-dotnet-webapp-groupclaims-master\active-directory-dotnet-webapp-groupclaims-master\WebApp-GroupClaims-DotNet\WebApp-GroupClaims-DotNet.csproj
And after that when i try to restore nuget packages below error comes up
Please advise how to fix this.
Can't compile the solution. When you try to restore the packages, this one has an issue.
I'm on Visual Studio 2015 Community Edition.
Hi I´m kinda stuck, i need some help in the following issue please.
class GraphHelper expose static methods, this is possible because it relies on class ConfigHelper to get the azure ad configuration info in order to query users thorugh the graph api. This approach works fine in asp.net 4.5 but I´m having trouble using this structure in aspnet50, one of the limitations is that I can´t use the ConfigHelper static approach as ConfigurationManager is not available in aspnet50. I tried to use the IOptions approach, but it's architecture depends on DI and static methods makes no sense this way, I guess I could inject azure ad settings through the controller making the request, but it doesn't feel like a clean solution. I'd appreciate any help on this matter or any examples about authorization based in Azure AD Groups and Roles Claims in aspent50.
The last commit does not return true when using User.IsInRole, if possible Id like to have a chat with you to discuss this as I am kind of stuck.
http://stackoverflow.com/questions/30574787/authorization-in-cloud-applications-using-ad-groups-issue-with-new-group
When I click Tasks button I get below error:
An error occurred while processing your request.
We're having trouble signing you in.
**You do not have sufficient priviliges to view this page.**
I followed it end to end.
What I'm missing here?
Thanks!
Funneling the access token up to the Javascript and making the Graph query from there changes the threat model for the application fairly significantly. Revert the application to doing the Graph query on the server side so that the access token is not exposed to the browser. Later, we can build a different sample that does everything in Javascript (with the explicit notion that the threat model is different).
I have been in the solution building business for 40 years. My pet peeve, very common with samples from Microsoft or developed for Microsoft, is samples that don't work, even when you follow the instructions to the letter. Very annoying.
Error:
Response status code does not indicate success: 400 (Bad Request).
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (Bad Request).
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[HttpRequestException: Response status code does not indicate success: 400 (Bad Request).]
System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode() +90216
Microsoft.IdentityModel.Protocols.d__0.MoveNext() +496
[IOException: Unable to get document from: https://login.windows.net/emitools.onmicrosoft.com/.well-known/openid-configuration]
Microsoft.IdentityModel.Protocols.d__0.MoveNext() +830
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
System.Runtime.CompilerServices.TaskAwaiter1.GetResult() +24 Microsoft.IdentityModel.Protocols.<GetAsync>d__0.MoveNext() +512 System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93 System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52 System.Runtime.CompilerServices.TaskAwaiter1.GetResult() +24
Microsoft.IdentityModel.Protocols.d__3.MoveNext() +1332
[InvalidOperationException: IDX10803: Unable to create to obtain configuration from: 'https://login.windows.net/emitools.onmicrosoft.com/.well-known/openid-configuration'.]
Microsoft.IdentityModel.Protocols.d__3.MoveNext() +2226
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() +24
Microsoft.Owin.Security.OpenIdConnect.d__c.MoveNext() +1048
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
Microsoft.Owin.Security.Infrastructure.d__8.MoveNext() +447
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
Microsoft.Owin.Security.Infrastructure.d__5.MoveNext() +266
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
Microsoft.Owin.Security.Infrastructure.d__0.MoveNext() +1174
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.d__5.MoveNext() +287
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
Microsoft.Owin.Security.Infrastructure.d__0.MoveNext() +937
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.d__5.MoveNext() +287
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.d__2.MoveNext() +272
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +22
Microsoft.Owin.Host.SystemWeb.Infrastructure.ErrorState.Rethrow() +33
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.StageAsyncResult.End(IAsyncResult ar) +150
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContext.EndFinalWork(IAsyncResult ar) +42
System.Web.AsyncEventExecutionStep.OnAsyncEventCompletion(IAsyncResult ar) +9683593
When deploying the sample to an azure web role (osfamily 4) it seems to (infrequently/randomly) fail with a null pointer exception on trying to access HttpContext.Current in the AuthorizationCodeReceived callback.
reloading the page eventually results in successful completion.
Could there be a race condition where it's not guaranteed that HttpContext.Current gets initialized before we try to access it?
currently working around this by using context.Request variables instead of HttpContext - looking good so far.
The WebAppGroupClaimsDotNet.mdf file is missing from the repository. Can I find it somewhere else or is this by design?
<connectionStrings>
<add name="GroupClaimContext" connectionString="Data Source=(LocalDb)\v11.0;Initial Catalog=WebAppGroupClaimsDotNet;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|\WebAppGroupClaimsDotNet.mdf;" providerName="System.Data.SqlClient" />
</connectionStrings>
In the following code there is a check for "_claim_names". What is the purpose of this check? It looks like if _claim_names exists and has the property groups then you get groups from the API.
I am looking into this code because I want to make sure I am covering the case when a user has too many groups, see these notes here and here.
Is this something the ClaimHelper currently handles?
Thanks! The sample has been very helpful so far.
If user is an AAD company admin, group claims return a RoleTemplate object with an objectID != the objectId of the Company Admin role returned by querying the graph for all of a user's roles.
How does this limitation work? I have my work email account as a Microsoft account to be able to use visual studio online. Is that account unusable then? Or do you only consider some accounts with domain names such as live.com, outlook.com and Hotmail.com and everything else works?
Please update git clone commandline in step 1 to groupclaims
git clone https://github.com/Azure-Samples/active-directory-dotnet-webapp-authz-groupclaims.git
now it is
git clone https://github.com/Azure-Samples/active-directory-dotnet-webapp-authz-roleclaims.git
I see using statements to Microsoft.Azure.ActiveDirectory.GraphClient, which is AAD Graph, and no references to Microsoft.Graph, but the readme tells us to add and approve MS Graph permissions?
Even in the code the Graph resource URL is the AAD version: https://graph.windows.net; versus the MS Graph version: https://graph.microsoft.com
What am I missing here?
The sample doesn't work in Azure until the connection string is updated to Sql Azure. We should mention this in the documentation.
I followed the readme but the example didn't work. (Can't list users and groups when I was trying to attach a task.)
I had to add "Access the directory a the signed-in user" permission in the "Windows Azure Active Directory" to solve my problem.
Is it an oversight in the readme or a problem specific to my azure AD ?
I'm unable to compile, and get a CSC error on a new-ish Windows 10 machine. I had to remove the following from the csproj to get a compile. Other than that, the powershell scripts are fantastic and the rest of the solution/approach really inspires me to make things.
This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.Hi,
I'm using Azure Active Directory tenant along with Graph API to fetch groupclaims objectIDs.
However, it's failing with Forbidden error at runtime.
I used the same code with another Azure Active Directory tenant (which created almost 4 months back), it's working perfectly.
I have followed ditto to create new Azure Active Direct tenant and double checked configuration details in Azure management portal.
Even, I have created many times new Azure Active Directory tenant with the same steps (https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims) but still getting, Forbidden error.
{StatusCode: 403, ReasonPhrase: 'Forbidden', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:{ ocp-aad-diagnostics-server-name: a**********Bc= request-id: 9**_1 client-request-id: 4b_*********b9 x-ms-dirapi-data-contract-version: 1.5 x-ms-gateway-rewrite: false ocp-aad-session-key: GXB*********************5bi0 X-Content-Type-Options: nosniff DataServiceVersion: 3.0; Strict-Transport-Security: max-age=31536000; includeSubDomains Access-Control-Allow-Origin: * Duration: 1168232 Cache-Control: private Server: Microsoft-IIS/8.5 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET X-Powered-By: ASP.NET Date: Fri, 08 Jan 2016 23:29:43 GMT Content-Length: 139 Content-Type: application/json; odata=minimalmetadata; streaming=true; charset=utf-8}}
In general, Forbidden error is due to lack of permissions on the server, but another active directory tenant is working perfectly (which is also created by me 4 months back). There isn’t any configuration change between the working AAD Tenant and newly created one.
followed the steps: https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims
Could someone help me to fix this issue.
Thanks,
Pradeep
I've run into a server error with this sample in a specific scenario; signing in using a federated domain w/ adfs.
Server throws an error, even if I'm trying to access a page on the server where authentication isn't reqired.
After closing and reopening the browser, access again works as expected.
Here's the error message:
Object reference not set to an instance of an object.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[NullReferenceException: Object reference not set to an instance of an object.]
Microsoft.Owin.Security.Cookies.CookieAuthenticationProvider.Exception(CookieExceptionContext context) +3
Microsoft.Owin.Security.Cookies.d__2.MoveNext() +3454
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() +49
Microsoft.Owin.Security.Infrastructure.d__0.MoveNext() +1008
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
Microsoft.Owin.Security.Infrastructure.d__0.MoveNext() +483
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
Microsoft.Owin.Mapping.d__0.MoveNext() +1178
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
Microsoft.Owin.Mapping.d__0.MoveNext() +1178
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.d__5.MoveNext() +291
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.d__2.MoveNext() +293
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContext.EndFinalWork(IAsyncResult ar) +208
System.Web.AsyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +434
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +288
See Jimaco's email.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.