Identity Api Scope Approval Ui Mac App

Posted on  by

-->

Azure Active Directory managed identities simplify secrets management for your cloud application. With a managed identity, your code can use the service principal created for the Azure service it runs on. You use a managed identity instead of a separate credential stored in Azure Key Vault or a local connection string.

Jun 01, 2020  The API Library lists all available APIs, grouped by product family and popularity. If the API you want to enable isn't visible in the list, use search to find it, or click View All in the product family it belongs to. Select the API you want to enable, then click the Enable button. If prompted, enable billing. Very often I see developers that are confused about the relationship of scopes and claims in IdentityServer. Hopefully this blog post will help. In OpenID Connect and OAuth 2.0 the definition of a scope is a resource that a client application is trying to get access to. This concept of a resource is deliberately vague.

Azure App Configuration and its .NET Core, .NET Framework, and Java Spring client libraries have managed identity support built into them. Although you aren't required to use it, the managed identity eliminates the need for an access token that contains secrets. Your code can access the App Configuration store using only the service endpoint. You can embed this URL in your code directly without exposing any secret.

This article shows how you can take advantage of the managed identity to access App Configuration. It builds on the web app introduced in the quickstarts. Before you continue, Create an ASP.NET Core app with App Configuration first.

This article also shows how you can use the managed identity in conjunction with App Configuration's Key Vault references. With a single managed identity, you can seamlessly access both secrets from Key Vault and configuration values from App Configuration. If you wish to explore this capability, finish Use Key Vault References with ASP.NET Core first.

You can use any code editor to do the steps in this tutorial. Visual Studio Code is an excellent option available on the Windows, macOS, and Linux platforms.

In this article, you learn how to:

  • Grant a managed identity access to App Configuration.
  • Configure your app to use a managed identity when you connect to App Configuration.
  • Optionally, configure your app to use a managed identity when you connect to Key Vault through an App Configuration Key Vault reference.

Prerequisites

To complete this tutorial, you must have:

  • .NET Core SDK.
  • Azure Cloud Shell configured.

Mac App Identity Api Scope Approval Ui

If you don't have an Azure subscription, create a free account before you begin.

Add a managed identity

To set up a managed identity in the portal, you first create an application and then enable the feature.

  1. Create an App Services instance in the Azure portal as you normally do. Go to it in the portal.

  2. Scroll down to the Settings group in the left pane, and select Identity.

  3. On the System assigned tab, switch Status to On and select Save.

  4. Answer Yes when prompted to enable system assigned managed identity.

Grant access to App Configuration

Identity Api Scope Approval Ui Mac Application

  1. In the Azure portal, select All resources and select the App Configuration store that you created in the quickstart.

  2. Select Access control (IAM).

  3. On the Check access tab, select Add in the Add role assignment card UI.

  4. Under Role, select App Configuration Data Reader. Under Assign access to, select App Service under System assigned managed identity.

  5. Under Subscription, select your Azure subscription. Select the App Service resource for your app.

  6. Select Save.

  7. Optional: If you wish to grant access to Key Vault as well, follow the directions in Provide Key Vault authentication with a managed identity.

Use a managed identity

  1. Add a reference to the Azure.Identity package:

  2. Find the endpoint to your App Configuration store. This URL is listed on the Access keys tab for the store in the Azure portal.

  3. Open appsettings.json, and add the following script. Replace <service_endpoint>, including the brackets, with the URL to your App Configuration store.

  4. Open Program.cs, and add a reference to the Azure.Identity and Microsoft.Azure.Services.AppAuthentication namespaces:

  5. If you wish to access only values stored directly in App Configuration, update the CreateWebHostBuilder method by replacing the config.AddAzureAppConfiguration() method.

    Important

    CreateHostBuilder replaces CreateWebHostBuilder in .NET Core 3.0. Select the correct syntax based on your environment.

  6. To use both App Configuration values and Key Vault references, update Program.cs as shown below. This code creates a new KeyVaultClient using an AzureServiceTokenProvider and passes this reference to a call to the UseAzureKeyVault method.

    You can now access Key Vault references just like any other App Configuration key. The config provider will use the KeyVaultClient that you configured to authenticate to Key Vault and retrieve the value.

Prepare your repository

To get automatic builds from Azure App Service Kudu build server, make sure that your repository root has the correct files in your project.

RuntimeRoot directory files
ASP.NET (Windows only)*.sln, *.csproj, or default.aspx
ASP.NET Core*.sln or *.csproj
PHPindex.php
Ruby (Linux only)Gemfile
Node.jsserver.js, app.js, or package.json with a start script
Python*.py, requirements.txt, or runtime.txt
HTMLdefault.htm, default.html, default.asp, index.htm, index.html, or iisstart.htm
WebJobs<job_name>/run.<extension> under App_Data/jobs/continuous for continuous WebJobs, or App_Data/jobs/triggered for triggered WebJobs. For more information, see Kudu WebJobs documentation.
FunctionsSee Continuous deployment for Azure Functions.

To customize your deployment, include a .deployment file in the repository root. For more information, see Customize deployments and Custom deployment script.

Note

If you develop in Visual Studio, let Visual Studio create a repository for you. The project is immediately ready to be deployed by using Git.

Deploy from local Git

The easiest way to enable local Git deployment for your app with the Kudu build server is to use Azure Cloud Shell.

Configure a deployment user

FTP and local Git can deploy to an Azure web app by using a deployment user. Once you configure your deployment user, you can use it for all your Azure deployments. Your account-level deployment username and password are different from your Azure subscription credentials.

To configure the deployment user, run the az webapp deployment user set command in Azure Cloud Shell. Replace <username> and <password> with a deployment user username and password.

  • The username must be unique within Azure, and for local Git pushes, must not contain the ‘@’ symbol.
  • The password must be at least eight characters long, with two of the following three elements: letters, numbers, and symbols.

The JSON output shows the password as null. If you get a 'Conflict'. Details: 409 error, change the username. If you get a 'Bad Request'. Details: 400 error, use a stronger password.

Record your username and password to use to deploy your web apps.

Enable local Git with Kudu

If you don't have a local git repository for your app, you'll need to initialize one. To initialize a local git repository, run the following commands from your app's project directory:

To enable local Git deployment for your app with the Kudu build server, run az webapp deployment source config-local-git in Cloud Shell.

This command gives you something similar to the following output:

Deploy your project

In the local terminal window, add an Azure remote to your local Git repository. Replace <url> with the URL of the Git remote that you got from Enable local Git with Kudu.

Push to the Azure remote to deploy your app with the following command. When you're prompted for a password, enter the password you created in Configure a deployment user. Don't use the password you use to sign in to the Azure portal.

You might see runtime-specific automation in the output, such as MSBuild for ASP.NET, npm install for Node.js, and pip install for Python.

Browse to the Azure web app

Browse to your web app by using a browser to verify that the content is deployed.

Use managed identity in other languages

App Configuration providers for .NET Framework and Java Spring also have built-in support for managed identity. You can use your store's URL endpoint instead of its full connection string when you configure one of these providers.

For example, you can update the .NET Framework console app created in the quickstart to specify the following settings in the App.config file:

Clean up resources

If you plan to continue to the next tutorial, keep the resources you created in this quickstart for that you can reuse them.

If you're finished with the quickstart sample application, delete the Azure resources you created in this quickstart to avoid charges.

Important

Deleting a resource group is irreversible. The resource group and all the resources in it are permanently deleted. Make sure that you don't accidentally delete the wrong resource group or resources. If you created the resources for hosting this sample inside a resource group that contains resources you want to keep, delete each resource individually from its respective pane instead of deleting the resource group.

  1. Sign in to the Azure portal, and select Resource groups.
  2. In the Filter by name box, enter the name of your resource group.
  3. In the result list, select the resource group, and either right-click the row or use the ellipsis (...) button to open the context menu.
  4. Select Delete resource group.
  5. You're asked to confirm the deletion of the resource group. Enter the name of your resource group to confirm, and select Delete.

After a few moments, the resource group and all its resources are deleted.

Next steps

In this tutorial, you added an Azure managed identity to streamline access to App Configuration and improve credential management for your app. To learn more about how to use App Configuration, continue to the Azure CLI samples.

-->

In this tutorial, you'll learn how to integrate an iOS or macOS app with the Microsoft identity platform. The app will sign in a user, get an access token to call the Microsoft Graph API, and make a request to the Microsoft Graph API.

Api

When you've completed the guide, your application will accept sign-ins of personal Microsoft accounts (including outlook.com, live.com, and others) and work or school accounts from any company or organization that uses Azure Active Directory.

Note

If you are new to the Microsoft identity platform, we recommend you start with the Sign in users and call the Microsoft Graph API from an iOS or macOS app.

How this tutorial works

The app in this tutorial will sign in users and get data on their behalf. This data will be accessed via a protected API (Microsoft Graph API in this case) that requires authorization and is protected by the Microsoft identity platform.

More specifically:

  • Your app will sign in the user either through a browser or the Microsoft Authenticator.
  • The end user will accept the permissions your application has requested.
  • Your app will be issued an access token for the Microsoft Graph API.
  • The access token will be included in the HTTP request to the web API.
  • Process the Microsoft Graph response.

This sample uses the Microsoft Authentication library (MSAL) to implement Authentication. MSAL will automatically renew tokens, deliver single sign-on (SSO) between other apps on the device, and manage the Account(s).

This tutorial is applicable to both iOS and macOS apps. Note that some steps are different between those two platforms.

Prerequisites

  • XCode version 11.x or greater is required to build the app in this guide. You can download XCode from the Mac App Store.
  • Microsoft Authentication Library (MSAL.framework). You can use a dependency manager or add the library manually. The instructions below show you how.

This tutorial will create a new project. If you want to download the completed tutorial instead, download the code:

Create a new project

  1. Open Xcode and select Create a new Xcode project.
  2. For iOS apps, select iOS > Single view App and select Next.
  3. For macOS apps, select macOS > Cocoa App and select Next.
  4. Provide a product name.
  5. Set the Language to Swift and select Next.
  6. Select a folder to create your app and click Create.

Register your application

  1. Go to the Azure portal

  2. Open the App registrations blade and click +New registration.

  3. Enter a Name for your app and then, without setting a Redirect URI.

  4. Select Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) under Supported account types

  5. Click Register

  6. In the Manage section of the pane that appears, select Authentication.

  7. Click Try out the new experience near the top of the screen to open the new app registration experience, and then click +New registration > + Add a platform > iOS/macOS.

    • Enter your project's Bundle ID. If you downloaded the code, this is com.microsoft.identitysample.MSALiOS. If you're creating your own project, select your project in Xcode and open the General tab. The bundle identifier appears in the Identity section.

  8. Click Configure and save the MSAL Configuration that appears in the MSAL configuration page so you can enter it when you configure your app later. Click Done.

Add MSAL

Choose one of the following ways to install the MSAL library in your app:

CocoaPods

  1. If you're using CocoaPods, install MSAL by first creating an empty file called podfile in the same folder as your project's .xcodeproj file. Add the following to podfile:

  2. Replace <your-target-here> with the name of your project.

  3. In a terminal window, navigate to the folder that contains the podfile you created and run pod install to install the MSAL library.

  4. Close Xcode and open <your project name>.xcworkspace to reload the project in Xcode.

Carthage

If you're using Carthage, install MSAL by adding it to your Cartfile:

From a terminal window, in the same directory as the updated Cartfile, run the following command to have Carthage update the dependencies in your project.

iOS:

macOS:

Manually

You can also use Git Submodule, or check out the latest release to use as a framework in your application.

Add your app registration

Next, we'll add your app registration to your code.

First, add the following import statement to the top of the ViewController.swift, as well as AppDelegate.swift or SceneDelegate.swift files:

Identity api scope approval ui mac apps

Then Add the following code to ViewController.swift prior to viewDidLoad():

The only value you need to modify above is the value assigned to kClientIDto be your Application ID. This value is part of the MSAL Configuration data that you saved during the step at the beginning of this tutorial to register the application in the Azure portal.

Configure Xcode project settings

Add a new keychain group to your project Signing & Capabilities. The keychain group should be com.microsoft.adalcache on iOS and com.microsoft.identity.universalstorage on macOS.

For iOS only, configure URL schemes

In this step, you will register CFBundleURLSchemes so that the user can be redirected back to the app after sign in. By the way, LSApplicationQueriesSchemes also allows your app to make use of Microsoft Authenticator.

In Xcode, open Info.plist as a source code file, and add the following inside of the <dict> section. Replace [BUNDLE_ID] with the value you used in the Azure portal which, if you downloaded the code, is com.microsoft.identitysample.MSALiOS. If you're creating your own project, select your project in Xcode and open the General tab. The bundle identifier appears in the Identity section.

For macOS only, configure App Sandbox

  1. Go to your Xcode Project Settings > Capabilities tab > App Sandbox
  2. Select Outgoing Connections (Client) checkbox.

Create your app’s UI

Now create a UI that includes a button to call the Microsoft Graph API, another to sign out, and a text view to see some output by adding the following code to the ViewControllerclass:

iOS UI

macOS UI

Next, also inside the ViewController class, replace the viewDidLoad() method with:

Use MSAL

Initialize MSAL

Add the following initMSAL method to the ViewController class:

Add the following after initMSAL method to the ViewController class.

iOS code:

macOS code:

For iOS only, handle the sign-in callback

Open the AppDelegate.swift file. To handle the callback after sign-in, add MSALPublicClientApplication.handleMSALResponse to the appDelegate class like this:

If you are using Xcode 11, you should place MSAL callback into the SceneDelegate.swift instead.If you support both UISceneDelegate and UIApplicationDelegate for compatibility with older iOS, MSAL callback would need to be placed into both files.

Acquire Tokens

Now, we can implement the application's UI processing logic and get tokens interactively through MSAL.

MSAL exposes two primary methods for getting tokens: acquireTokenSilently() and acquireTokenInteractively():

  • acquireTokenSilently() attempts to sign in a user and get tokens without any user interaction as long as an account is present. acquireTokenSilently() requires providing a valid MSALAccount which can be retrieved by using one of MSAL account enumeration APIs. This sample uses applicationContext.getCurrentAccount(with: msalParameters, completionBlock: {}) to retrieve current account.

  • acquireTokenInteractively() always shows UI when attempting to sign in the user. It may use session cookies in the browser or an account in the Microsoft authenticator to provide an interactive-SSO experience.

Add the following code to the ViewController class:

Get a token interactively

The code below gets a token for the first time by creating an MSALInteractiveTokenParameters object and calling acquireToken. Next you will add code that:

  1. Creates MSALInteractiveTokenParameters with scopes.
  2. Calls acquireToken() with the created parameters.
  3. Handles errors. For more detail, refer to the MSAL for iOS and macOS error handling guide.
  4. Handles the successful case.

Add the following code to the ViewController class.

Get a token silently

To acquire an updated token silently, add the following code to the ViewController class. It creates an MSALSilentTokenParameters object and calls acquireTokenSilent():

Call the Microsoft Graph API

Once you have a token, your app can use it in the HTTP header to make an authorized request to the Microsoft Graph:

header keyvalue
AuthorizationBearer <access-token>

Add the following code to the ViewController class:

See Microsoft Graph API to learn more about the Microsoft Graph API.

Use MSAL for Sign-out

Next, add support for sign-out.

Important

Signing out with MSAL removes all known information about a user from the application, as well as removing an active session on their device when allowed by device configuration. You can also optionally sign user out from the browser.

To add sign-out capability, add the following code inside the ViewController class.

Enable token caching

By default, MSAL caches your app's tokens in the iOS or macOS keychain.

To enable token caching:

  1. Ensure your application is properly signed
  2. Go to your Xcode Project Settings > Capabilities tab > Enable Keychain Sharing
  3. Click + and enter a following Keychain Groups entry:3.a For iOS, enter com.microsoft.adalcache3.b For macOS enter com.microsoft.identity.universalstorage

Add helper methods

Add the following helper methods to the ViewController class to complete the sample.

iOS UI:

macOS UI:

For iOS only, get additional device information

Use following code to read current device configuration, including whether device is configured as shared:

Multi-account applications

This app is built for a single account scenario. MSAL also supports multi-account scenarios, but it requires some additional work from apps. You will need to create UI to help users select which account they want to use for each action that requires tokens. Alternatively, your app can implement a heuristic to select which account to use by querying all accounts from MSAL. For example, see accountsFromDeviceForParameters:completionBlock:API

Test your app

Run locally

Build and deploy the app to a test device or simulator. You should be able to sign in and get tokens for Azure AD or personal Microsoft accounts.

The first time a user signs into your app, they will be prompted by Microsoft identity to consent to the permissions requested. While most users are capable of consenting, some Azure AD tenants have disabled user consent, which requires admins to consent on behalf of all users. To support this scenario, register your app's scopes in the Azure portal.

After you sign in, the app will display the data returned from the Microsoft Graph /me endpoint.

Get help

Visit Help and support if you have trouble with this tutorial or with the Microsoft identity platform.