Closed petros-d closed 4 years ago
FYI I've seen issue #18 with the same error, but I believe my app has been set up in Azure AD correctly (as a public client, though I've tried both):
The vignette works fine, but makes a couple of implicit assumptions:

`get_azure_token` has an `auth_type` argument that sets which authentication flow to use. If you don't specify this, it tries to guess based on the other arguments supplied. In your case, since you have a client secret, you want to specify `auth_type="authorization_code"` to override the default.
The `resource` argument for the token is meant to contain whatever Azure resource you want access to: storage, database, Kusto, etc. Since you're changing this argument at will, it looks like you don't actually have any resources that require authorization and you're only using AAD for authentication. In this case, obtaining an AADv2 token with `resource="openid"` is the way to go.
```r
get_azure_token(resource="openid", tenant, password="xxx", app,
    auth_type="authorization_code", version=2, use_cache=FALSE,
    authorize_args=list(redirect_uri="http://localhost:5000"), auth_code=params$code)
```
Example of native (aka "mobile and desktop") redirects in the AAD/registered app/authentication pane in the portal:
Example of web redirect:
Thank you for providing the example of a native (aka "mobile and desktop") redirect in the Azure Portal.

After configuring my app registration to use that, the application now successfully gets the access token and is able to decode it with `decode_jwt()`.
Out of interest, I am attempting to configure App Roles as fields in the token following the documentation here, but am not seeing the roles appear in the `access_token`. When attempting to simulate the same process with Postman, I'm seeing the same issue with the `access_token` not containing the roles; however, I do also get an `id_token`, which does contain the roles.

Is there a way to use AzureAuth to retrieve and access the `id_token` as well?
See the front page of the repo or the intro vignette. The ID token can be obtained with `extract_jwt(token, "id")` and `decode_jwt(token, "id")`.
I'm not an expert on configuring AAD roles; you may want to ask your local IT people or maybe on StackOverflow. In the meantime, since AzureAuth seems to be working, I'm closing this. Let me know if you run into other problems with the package.
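The two replies above cover the pieces separately: forcing the `authorization_code` flow with `auth_type`, using `resource="openid"` when there is no downstream resource, and reading the ID token with `decode_jwt(token, "id")`. The following Shiny app puts them together and makes the authorisation decision from the `roles` claim of the ID token rather than the access token. It is an added example, not code from this thread or from the AzureAuth project. The tenant, client ID, redirect URI and the role value `"Admin"` are placeholders; it also assumes that the list returned by `decode_jwt()` exposes the claims under `$payload` (as the package documentation describes) and that the v2 ID token carries the standard `preferred_username` claim.

```r
# Added example, not code from this thread or from the AzureAuth project: a
# minimal Shiny app that runs the authorization_code flow discussed above and
# then authorises the user from the roles claim of the ID token. Values marked
# "placeholder" are assumptions, not values from the thread.
library(shiny)
library(AzureAuth)

tenant   <- "contoso.onmicrosoft.com"                   # placeholder tenant
app      <- "00000000-0000-0000-0000-000000000000"      # placeholder client ID
password <- Sys.getenv("AAD_CLIENT_SECRET")             # secret read from env, not source
redirect <- "http://localhost:5000"                     # must match a web redirect in the registration
resource <- "openid"                                    # no downstream resource, authentication only

# Extract the app roles from the ID token and perform the checks that
# decode_jwt() itself does not do. decode_jwt() only base64-decodes the JWT;
# it does not verify the signature. The claims are trusted here only because
# the token came straight from the AAD token endpoint in exchange for the
# authorisation code, never from anything the browser sent.
roles_from_id_token <- function(token) {
  claims <- decode_jwt(token, "id")$payload   # $payload component assumed per AzureAuth docs
  if (!identical(claims$aud, app)) {          # token minted for a different application
    return(character(0))
  }
  if (is.null(claims$exp) || as.numeric(claims$exp) <= as.numeric(Sys.time())) {
    return(character(0))                      # expired
  }
  as.character(unlist(claims$roles))          # absent claim -> character(0), i.e. no roles
}

# Shiny UI: on first visit (no ?code=...), bounce the browser to AAD, as the
# package's Shiny vignette does; on return with a code, render the app.
ui <- function(req) {
  opts <- parseQueryString(req$QUERY_STRING)
  if (is.null(opts$code)) {
    auth_uri <- build_authorization_uri(resource, tenant, app,
                                        redirect_uri = redirect, version = 2)
    return(tags$script(HTML(sprintf('location.replace("%s");', auth_uri))))
  }
  fluidPage(
    h3("Signed in"),
    verbatimTextOutput("who"),
    uiOutput("admin_panel")
  )
}

server <- function(input, output, session) {
  opts <- parseQueryString(isolate(session$clientData$url_search))
  if (is.null(opts$code)) return()

  # Exchange the one-time code for tokens. use_cache=FALSE: tokens are
  # per-session and must not land in the on-disk cache of the server's OS user.
  token <- get_azure_token(resource, tenant, app, password = password,
                           auth_type = "authorization_code", version = 2,
                           use_cache = FALSE,
                           authorize_args = list(redirect_uri = redirect),
                           auth_code = opts$code)

  roles <- roles_from_id_token(token)
  name  <- decode_jwt(token, "id")$payload$preferred_username   # standard v2 ID token claim (assumed present)

  output$who <- renderText(sprintf("%s  roles: %s", name,
                                   if (length(roles)) paste(roles, collapse = ", ") else "(none)"))

  # Authorisation decision made server-side from the ID token, deny by default.
  output$admin_panel <- renderUI({
    if ("Admin" %in% roles) h4("Admin-only content") else NULL   # "Admin" is a placeholder role value
  })
}

shinyApp(ui, server)
```

The design point is that the roles are read from the ID token, which the thread shows is where AAD puts app roles in this configuration, and only after the audience and expiry have been checked, since `decode_jwt()` performs no validation of its own. Anything the browser can forge (query parameters, cookies) is never used for the decision; only the token returned by the code exchange is.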
I'm trying to set up an R Shiny app with Azure AD for authn and authz.
I can't seem to get the example working based off either this blog or the Shiny vignette.
Leaving the resource set to https://management.azure.com gives an access denied error:
Once the resource was changed to https://graph.microsoft.com/, I get an error stating "The request body must contain the following parameter: 'client_assertion' or 'clientsecret'", full output below:
Adding the password field to get_azure_token() gets rid of the error, but uses the client_credential authentication flow:
The output for this is below:
However, I would like the user's OpenID token for authz, which I believe is not compatible with the client_credentials flow. Are the examples provided in the vignette and the blog still accurate?
The code I am running is available in my repo here: https://github.com/petros-d/AzureAD-RShiny/blob/master/shinyapps/app.r
Note the example is running in a docker container with only a single port exposed. The logs make reference to the application listening on random high ports (`Listening on http://127.0.0.1:43161`) when trying to use the authorization_code flow. Are these ports being accessible externally a requirement for this auth type?