davidjrh / dnn.azureadprovider

The DNN Azure Active Directory Provider is an Authentication provider for DNN Platform (formerly DotNetNuke) that uses Azure Active Directory OAuth2 authentication to authenticate users.
MIT License

Using AzureUserToken with other Apps #6

Closed iiminov closed 6 years ago

iiminov commented 7 years ago

Recently I came across OneNote javascript library (adal.js and angular-adal.js) which I was able to get working on my DNN website. The only issue that I have with it is that the user is presented with a login button to sign in to Azure which makes little to no sense when they signed in with Azure AD in the first place.

I did notice that when I sign in using Azure AD provider I get AzureUserToken. I suppose I have two questions:

  1. Can I use AzureUserToken (oauth_token part of cookie value) to request data from various APIs (Graph, OneNote, OneDrive, SharePoint, etc.)?

  2. And if I can, how can I realise this in DNN (web service)?

As per many tutorials and sample apps, I have been trying to use HttpClient with Authorization header while supplying the AzureUserToken. But no matter what I try I am not able to get any response once the request is sent. So my application just sits there waiting for a response.

At this stage, I came to one of two conclusions. Either I am doing something wrong, like sending requests to the wrong URI or failing to include additional headers. Or I need to do something with the AzureUserToken before I can request data (from OneNote in this case).

Here is a snippet of my HttpClient that I am trying:

```csharp
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;

private static HttpClient client = new HttpClient();

// two examples of attaching Authorization header to the request
// where token is oauth_token part of AzureUserToken
//client.DefaultRequestHeaders.Add("Authorization", string.Format("Bearer {0}", token));
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);

HttpResponseMessage response = await client.GetAsync(path);
if (response.IsSuccessStatusCode)
{
    // OneNoteResponse is the poster's own model type for the API's JSON body;
    // ReadAsAsync<T> comes from System.Net.Http.Formatting (Web API client package)
    var resp = await response.Content.ReadAsAsync<OneNoteResponse>();
    if (resp.value != null)
    {
        notebooks = resp.value.ToList();
    }
}
```

iiminov commented 7 years ago

And last Friday afternoon I got a response to my original email from David Rodríguez:

The issued token works for the set up "audience", that is the WebAPI application you set up on Azure, so it is not going to work. I haven’t played with the permissions on the Azure AD side, but I would try to set up applications for the desired Apps (OneNote, SharePoint, etc.) and then give permissions to the WebAPI application to access those apps (all set up on Azure AD).

While testing the HttpClient request loop I thought that the permission would be of some relevance. I had enabled all permissions for OneNote that I could see but I still wasn't able to get this working.

At this stage, I hope that David would get a chance to test this and revert back with the findings.

iiminov commented 6 years ago

Still no real solution, but it seems to be a real pain as even MS product and dev guys run for the hills when we say we want OAuth2 v2.0 and MS Graph API v1.0 to talk with OneNote API v1.0.

There is the On-Behalf-Of flow which looked like it might be the solution to our problem, but we have not been successful in getting this to work. Either it is an issue with how we were trying to use the On-Behalf-Of flow or a configuration issue.
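
As an added illustration (not code from this thread or from the provider), the Python below decodes a token's payload to check its `aud` claim, which is the point David's reply makes about the token being issued for the WebAPI application's audience rather than for Graph or OneNote, and builds the form body of the v2.0 On-Behalf-Of grant mentioned in the last comment, which is the exchange that turns such a token into one a downstream resource will accept. The app id, token and scope values are constructed placeholders, and the decoding only inspects claims; it does not verify the signature.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwt_claims(token: str) -> dict:
    # Decode only: this does NOT verify the signature, so it is a diagnostic
    # for "why does the API reject my token", not a substitute for validation.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def audience_accepts(token: str, resource: str) -> bool:
    # The aud claim names the resource the token was issued for; RFC 7519
    # allows it to be a single string or a list of strings.
    aud = jwt_claims(token).get("aud")
    return resource in aud if isinstance(aud, list) else aud == resource

def obo_request_form(api_token: str, client_id: str, client_secret: str, scope: str) -> dict:
    # Form body of the v2.0 On-Behalf-Of grant: exchange a token issued for our
    # own API (the assertion) for one issued for a downstream resource (scope).
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": api_token,
        "scope": scope,
        "requested_token_use": "on_behalf_of",
    }

def make_unsigned_token(claims: dict) -> str:
    # Constructed sample token (alg none, empty signature) for this demo only.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."

# Constructed sample: the token the provider holds, with aud set to a
# placeholder app id standing in for the WebAPI application registered in Azure AD.
SAMPLE_API_APP_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_TOKEN = make_unsigned_token({"aud": SAMPLE_API_APP_ID, "scp": "user_impersonation"})
GRAPH = "https://graph.microsoft.com"

if __name__ == "__main__":
    print("token usable against Graph:", audience_accepts(SAMPLE_TOKEN, GRAPH))
    print("token usable against our API:", audience_accepts(SAMPLE_TOKEN, SAMPLE_API_APP_ID))
```

Inspecting `aud` on the real AzureUserToken before sending it elsewhere shows in one step whether a silent failure is an audience mismatch rather than a missing header.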