Closed SalmanMukhtar closed 5 years ago
Hi @SalmanMukhtar,
This change is being made because of the new security requirement for accessing the Partner Center API. Starting February 4, 2019 you will need to use multifactor authentication (MFA) when connecting to Partner Center and the Partner Center API using app + user authentication. This means the password flow that the previous version of the samples project was using would no longer work. With this in mind I decided it would be best to modify the sample to prompt for credentials to keep the complexity of the sample application to a minimum.
With your production application it is recommended that you develop a process to register the credentials. At a high level this process would look similar to the following
Through this process you will be able to have a headless process perform any operation you see fit. To help us better understand your use case would you mind sharing some details about why you have the console application set to run with a scheduled task?
Hi Isaiah,
Thanks for coming back on my question. I will send a detailed email tomorrow about your question. Should I share some code as well so you can understand the app in detail?
Regards, Salman
Hi Isaiah,
Here are some details about the question you asked. We are a Microsoft CSP partner. We bill our customers with some profit margin on top.
The application I have is a console app running on a server on our premises with Task Scheduler. It downloads customers, subscriptions and invoices. I have registered a NATIVE app and not a web app. I use the application ID and secret from the NATIVE app.
By using that data we do billing and also provide reports to customers for their consumption.
In the old solution the authentication was done by providing user credentials in the following method, LoginUserToAad(). I get a token by using the following line in the mentioned method and then use that token to do different operations.
result = authContext.AcquireToken( Configuration.UserAuthentication.ResourceUrl.OriginalString, Configuration.UserAuthentication.ApplicationId, userCredentials);
But now in your new authentication code you are using AcquireTokenAsync with a popup to enter user credentials.
return Task.Run(() => authContext.AcquireTokenAsync( Configuration.UserAuthentication.ResourceUrl.OriginalString, Configuration.UserAuthentication.ApplicationId, RedirectUri, new PlatformParameters(PromptBehavior.Always), UserIdentifier.AnyUser)).Result;
My solution is automatic, so I do not need to enter a user name and password; they come from the config file. So the application works fine without human interaction.
In the new solution where a popup appears, someone has to enter the user name and password in case the token expires or so. So I am trying to find a way to avoid it.
Also here is a copy of my code if you want to take a look for more details. https://1drv.ms/u/s!AuRO-6uuGYN2h8tc8fdr_C7IhdVLyQ
Regards, Salman
Hi Isaiah,
Hope you are doing well. Any update on the above?
Regards, Salman
This is so annoying by Microsoft. I have no idea how I can do this with MFA. If anyone comes up with a solution or hack as to how I can get around not putting in the credentials every time I would be most grateful.
I have an internal application to collect billing for our customers, and my job was working well collecting data daily; now I am stuck.
Hi
Same here. The popup is so annoying. I need to find an alternative as my automated solution will not work with the popup.
Salman
Same by me. I've posted that on the Microsoft cloud Yammer community in the hope that we have a reaction faster.
Great. Please keep me in the loop as well. Please share if you find anything. Thanks
Regards, Salman
Great, please keep us posted.
I appreciate everyone sharing their feedback and the additional information regarding where you are blocked. After reading through the comments I would like to take this opportunity to provide some context for this change. Microsoft will be requiring multifactor authentication for the Partner Center Dashboard and the Partner Center API when using app + user authentication. As a result of this new requirement Microsoft has introduced the secure application model. In addition to this guidance, new sample projects have been published that demonstrate how to accomplish the following tasks
You will use the refresh token to request new access tokens for use with the Partner Center API. With this new requirement on the horizon the SDK sample project was modified in this fashion to reduce the complexity of leveraging the sample. This way you do not have to implement the secure application model just to test the Partner Center .NET SDK.
If you are planning to use the SDK sample project as a base for your integration you will need to modify the LoginUserToAad function to fulfill the secure application model guidance. You can do this by performing the following
Finally, I would like to recommend that each of you join the Partner Center security guidance Yammer group. In this group you will be able to find recordings from the past webinars we have hosted regarding this topic and be able to find additional resources.
@SalmanMukhtar, @maciz84: A reply on Yammer from Isaiah Williams was this:
Hi Hein Pauwelyn - Savaco,
I will be responding to the issue in GitHub as well. We made this change to the SDK sample because of the upcoming new security requirements for Partner Center and the Partner Center API. Starting February 4, 2019 Microsoft will be requiring multifactor authentication for both the dashboard and the API when using app + user. This means you will need to build a process that follows the secure application model guidance. You can find details about this model at https://docs.microsoft.com/en-us/partner-center/develop/enable-secure-app-model
Finally, when I get an opportunity to respond on GitHub, I will include some possible solutions. In the meantime, I would like to encourage you to join the Partner Center security guidance group that is part of this Yammer network. You will find numerous helpful resources there as well.
(Just for information)
Hi Hein,
Thanks for keeping us in the loop. Good to hear that there are some possible solutions to get around this problem. Waiting for more tips.
Regards, Salman
@HeinPauwelyn thank you for keeping us updated. Looking forward to possible solutions.
Hi guys,
Sorry to be a pain, but has anyone managed to find a solution yet?
Hi
Not yet. Still trying.
Salman
@SalmanMukhtar cheers dude, I am also trying but no luck so far :(
Hi @SalmanMukhtar, @maciz84, and @HeinPauwelyn,
I hope that each of you is doing well. Several days back I posted a reply to this thread with additional information on how you can modify this sample project if you desire. We have provided an additional sample that demonstrates how to utilize the secure app model to obtain the required access token to interact with Partner Center. You can find this sample at https://github.com/Microsoft/Partner-Center-DotNet-Samples/tree/master/secure-app-model/keyvault.
Please let me know if the information I shared was helpful.
@isaiahwilliams thank you so much for putting in the time to provide a sample. I am currently trying to get it to work but I am struggling with KeyVault errors. I know I can try to search how to set up Azure Key Vaults but I think it would be really useful if you explained how to generate the keys and how to use the certificate etc. within your app.
I am getting an error
Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'
Ok, I got around this, but what is the KeyVaultEndpoint? Now the forbidden error is gone but it is saying not found. I am guessing I have put in the wrong one? Where can I find this? Is it the DNS name, which is like https://cspapplication.vault.azure.net/?
Ok, so I am almost there, but the main problem is that the block of code below errors out with "Object reference not set to an instance of an object". The GetADAppToken method works but is not authorised so cannot query the API:
Newtonsoft.Json.Linq.JObject token = await AuthorizationUtilities.GetAADTokenFromRefreshToken( "https://login.microsoftonline.com/" + tenantId, "https://api.partnercenter.microsoft.com", CSPApplicationId, CSPApplicationSecret, refreshToken);
Hi @maciz84,
It looks like you are having issues caused by the configuration for Key Vault. I would recommend that you review the Key Vault setup documentation available at
http://assetsprod.microsoft.com/csp-partner-application-overview.pdf
Please let us know if you have any concerns or questions.
@isaiahwilliams ok, I will have a read of the document, but that is what I suspected. I was thinking that it's something to do with the Vault setup but cannot pin it down to anything at the moment.
@isaiahwilliams ok I have rebuilt the CSP application and the Partner Consent projects using your templates and added my values etc.
Just to ensure that I understand how it works... I have run the PartnerConsent app first as that is the app that will create the necessary keys in the Vault etc.; then the CSP application will consume the tokens first via the KeyVaultAccessApp (which I created as per the guidelines in your link) and then that passes the token to the CSP Application. Correct or not?
In any case I get an error when I run the PartnerConsent App with the message below:
AADSTS90081: An error occurred when we tried to process a WS-Federation message. The message was invalid
I am running out of ideas as to how I can get this working to be honest :(
Hi @maciz84,
Are you using a federation service like ADFS?
@isaiahwilliams as far as I know we are not using ADFS. Hence why this error was strange. Do you know how I can check this?
Ok, I just checked this out and I do not have it enabled. So what does this mean then? Does it need to be on or not?
Ok, I give up on this... I will run it manually until I don't care anymore. I am sorry to be ranting but I don't understand how Microsoft thinks sometimes.
I agree that security is very important but they did not think how some of us SME companies would deal with a problem like this, which was 'automated' for us until now. I appreciate the work that @isaiahwilliams has done he has been great but there just doesn't seem to be any solution to this and if there is one, it hasn't been documented in way that most people would understand.
My last plea is to say if someone has managed to get this working please, oh please help me and Microsoft out because none of this works.
Just to be sure: authentication in the user+app+MFA scenario (which will be required from February 4) is not possible in a fully automated way? First someone needs to log in to the account interactively using their MFA method to retrieve the token, and then use it inside the app and refresh it using the refresh_token when it expires?
EDIT: for future readers I'll repost Isaiah's response from Yammer:
There is no way to automate the consent process used to obtain the refresh token. However, once you have that value it can be used in a headless manner to obtain an access token for the Partner Center API/SDK. If you look at the partner consent and CSPApplication samples in that repository you will see how this can be accomplished.
@maciz84 I'm with you on this - Microsoft has indeed some strange ideas. If all of the PC API methods could be called as a service principal this would not be a problem (I assume that the MFA requirement will apply only for the user+app scenario?). I still don't get why I can't verify a partner's MPN ID or create a user for a customer as a SP.
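The headless half of that model, as an added example that is not code from this thread or from the Microsoft samples: a scheduled job exchanges the stored refresh token for a Partner Center access token with the refresh_token grant against the AAD v1 token endpoint (the same authority and resource URLs as the GetAADTokenFromRefreshToken call quoted earlier), writes back the rotated refresh token, and treats an invalid_grant response as the signal that a person must repeat the MFA-backed consent. The dict store, the tenant/app values and the fake_aad transport are constructed stand-ins for Key Vault, real identifiers and the real endpoint.

```python
"""Headless refresh-token exchange for the Partner Center secure application model.

Added example, not code from the thread or from the Microsoft samples. It assumes
the refresh token was obtained once through the interactive, MFA-backed consent
app and then stored in a secret store (Key Vault in the samples); a plain dict
stands in for that store here, and the HTTP transport is injectable so the
exchange can be exercised offline with a constructed fake endpoint.
"""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

AAD_AUTHORITY = "https://login.microsoftonline.com"
PARTNER_CENTER_RESOURCE = "https://api.partnercenter.microsoft.com"


class ConsentRequired(Exception):
    """The stored refresh token is no longer usable; a person must rerun consent."""


def http_post_form(url, form):
    """Real transport: POST a form-encoded body and return (status, parsed JSON)."""
    req = Request(url, data=urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urlopen(req) as resp:
        return resp.status, json.loads(resp.read())


def get_access_token(tenant_id, client_id, client_secret, store, post=http_post_form):
    """Trade the refresh token in `store` for a Partner Center access token.

    AAD may hand back a fresh refresh token with the response, so it is written
    back to `store`; skipping that step is what breaks a scheduled job later.
    """
    form = {
        "grant_type": "refresh_token",
        "refresh_token": store["refresh_token"],
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": PARTNER_CENTER_RESOURCE,
    }
    status, body = post(f"{AAD_AUTHORITY}/{tenant_id}/oauth2/token", form)
    if status == 200:
        if body.get("refresh_token"):
            store["refresh_token"] = body["refresh_token"]
        return body["access_token"]
    # An expired or revoked refresh token comes back as invalid_grant; no retry
    # will fix it, so surface it as a distinct condition for the operator.
    if body.get("error") in ("invalid_grant", "interaction_required"):
        raise ConsentRequired(body.get("error_description", body["error"]))
    raise RuntimeError(f"token endpoint returned HTTP {status}: {body}")


def fake_aad(url, form):
    """Constructed stand-in for the token endpoint; only the grant shape is checked."""
    assert url.endswith("/oauth2/token") and form["grant_type"] == "refresh_token"
    if form["refresh_token"] == "rt-old":
        return 200, {"access_token": "at-1", "refresh_token": "rt-new", "expires_in": 3599}
    return 400, {"error": "invalid_grant", "error_description": "constructed: token expired"}


if __name__ == "__main__":
    vault = {"refresh_token": "rt-old"}  # constructed sample secret, not a real token
    print(get_access_token("contoso-tenant", "app-id", "app-secret", vault, post=fake_aad))
    print(vault["refresh_token"])  # the rotated token was persisted for the next run
```

In production, replace the dict with reads and writes against the Key Vault secret the consent app populated, and alert on ConsentRequired rather than retrying.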
Hi @isaiahwilliams
I just tested new consent web app and got this warning.
You have not authenticated using multi-factor authentication
Does that mean I have to enable MFA for the account which owns the application? If yes, then where can I do that?
If not then please guide me a bit.
Regards, Salman
Hi @isaiahwilliams
I got it working. Never mind.
Regards, Salman
Hi,
Things are working now as they should according to the new security model. Hopefully all will go smoothly when the switch is made on FEB 4.
Closing the case now.
Regards, Salman
@SalmanMukhtar if you ever have the time could you please let us know how you managed to get this working?
Hell yeah, I finally got it to work! Thanks everybody. My issue was to do with the region and resource for the Azure Key Vault.
Hi,
I have downloaded the latest .NET sample SDK from GitHub and created the application IDs as per the document, and I am getting an "Authentication failed" error message when running the sample code.
When running the console app it prompts for authentication, and after entering user credentials I got this error message:
Authentication failed. MFA required. (10001)
Please see the attached screenshot for more details; any help would be greatly appreciated.
Base Description: Microsoft.Store.PartnerCenter.Exceptions.PartnerException: Authentication failed. MFA required. (10001)
Thank you, Srini
Hi,
I am assuming that MFA authentication is enabled on the user you are using. In that case you have to use the Partner Center consent app first to generate a token and store it in Key Vault. Use this (https://github.com/microsoft/Partner-Center-DotNet-Samples/tree/master/secure-app-model/keyvault).
When you start the app it will ask you to log in and will also ask you for MFA. Once successfully logged in you will get a token that will be saved in Key Vault by the consent app.
That token is then used in the Partner Center samples.
Hope that explains and will resolve your issue.
Regards, Salman
Hi Salman, I am getting the following error message when trying to generate a Key Vault token using the Partner Center consent sample code, which was downloaded using the above URL:
Please advise; any help would be greatly appreciated...
Thank you, Srini
I think you have to add localhost as a redirect URI. Try this:
On https://portal.azure.com/, click Azure Active Directory, then App Registration, then the listed app you are using to log in, then Redirect URIs, and add http://localhost under Mobile and desktop applications.
Then try to run the consent application. Hope this will resolve your issue.
Salman
Hi Salman, thank you for your response. I tried adding localhost as shown below in the screenshot but am still getting the same exception...
Best Regards, Srinivasa Rao Yadlapalli
Alright. Then there must be something wrong with the way you set up your things. I can't help you any more unless I see it. Best of luck.
Salman
I tried running the sample SDK and it authenticated, but it said forbidden. I also have the partner consent working and the token is already in Key Vault. Does anyone have the steps to fetch the token from KV in the console sample app?
Hi isaiah,
I am looking at the SDK samples with the new changes you made for the secure model. In LoginUserToAad() a popup appears for user credentials.
I have an old version where I am using userCredentials to acquire a token with authContext.AcquireToken. In that case no window appears. The application is a console app that runs, logs in and downloads the information that I need.
In the new SDK samples, due to the popup, the program asks for user credentials in the popup. Is there any way to avoid it or go around it, so that the popup won't appear and my console app can run in the Windows scheduler?
Regards, Salman