Doug

Reputation: 7107

Create Application that Authenticates against O365 Azure AD with OpenIdConnect

I've got an application I'm creating for use with Office 365 accounts (Will be multi-tenant). I'm looking to use OpenID Connect for authentication. I do not need regular Microsoft accounts working.

I've tried creating an application at: https://portal.azure.com -> Azure Active Directory -> App Registrations

As well as: https://manage.windowsazure.com -> Active Directory -> Applications

These did not appear to work for OpenId Connect.

Creating an app at: https://apps.dev.microsoft.com

Did work for OpenId Connect.

Can someone please help advise:

  1. What's the difference between these different URLs?
  2. Is it possible to get OpenID Connect running from an app registered on one of the Azure sites so that all my Azure stuff is centralized?

Upvotes: 1

Views: 3350

Answers (2)

kim

Reputation: 3421

When you create a new app in https://portal.azure.com there is no service principal created for you in your local tenant. When you do the first authorize request to your app, the service principal gets created in your local AD tenant. See http://www.cloudidentity.com/blog/2016/10/04/provision-an-app-created-on-portal-azure-com-in-your-own-tenant/ for more information.

If you create an app using the classic portal, both the application object and the service principal are created.

To verify your issue I created a new app using the modern portal, https://portal.azure.com, and opened

GET https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id={application_id}
&response_type=id_token
&redirect_uri=http%3A%2F%2Flocalhost%2F
&response_mode=form_post
&scope=openid
&state=12345
&nonce=7362CAEA-9CA5-4B43-9BA3-34D7C303EBA7

in a browser while having fiddler running in the background.

Note: replace {tenant}, {application_id} and the redirect_uri with your Azure AD tenant id (guid) and your application ID (also a guid). state and nonce are required but can have any value.

When you open the URL in a browser, it will first ask the user to consent to the app, and if successful make a postback to the redirect_uri with id_token.

See https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-openid-connect-code/ for more information on doing OpenID Connect requests.

You can also create a new app using https://apps.dev.microsoft.com. You should use this page to register new apps if you want to take advantage of the v2.0 endpoint and authentication protocol. See https://azure.microsoft.com/en-us/documentation/articles/active-directory-v2-limitations/ for more information.

Upvotes: 3
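The authorize request above and its form_post callback, as an added Python example (not code from the answer, the question or Microsoft): it builds the request with fresh state and nonce values and then checks the posted-back state and the id_token's nonce, iss, aud and exp claims. Assumptions: the id_token signature has already been verified against the tenant's signing keys (that step is not shown), the expected issuer string is supplied by the caller, and the unsigned demo token is constructed sample data rather than a real Azure AD token.

```python
import base64
import json
import secrets
from urllib.parse import urlencode

AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/authorize"

def build_authorize_url(tenant, client_id, redirect_uri, session):
    """Build the v1 authorize request from the answer; fresh state and nonce go in the session."""
    session["oidc_state"] = secrets.token_urlsafe(16)
    session["oidc_nonce"] = secrets.token_urlsafe(16)
    params = {"client_id": client_id, "response_type": "id_token",
              "redirect_uri": redirect_uri, "response_mode": "form_post", "scope": "openid",
              "state": session["oidc_state"], "nonce": session["oidc_nonce"]}
    return AUTHORIZE.format(tenant=tenant) + "?" + urlencode(params)

def _matches(expected, actual):
    """Constant-time compare; a missing expected value never matches."""
    return bool(expected) and secrets.compare_digest(str(expected).encode(), str(actual).encode())

def _claims(id_token):
    """Decode the JWT payload segment; no signature check happens here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def check_form_post(session, form, expected_issuer, client_id, now):
    """Validate the form_post callback: state, then nonce/iss/aud/exp claims.
    Assumes the id_token signature was already verified against the tenant's
    signing keys (hypothetical step not shown); expected_issuer is a parameter."""
    if not _matches(session.pop("oidc_state", None), form.get("state")):
        raise ValueError("state mismatch: response is not tied to this session")
    claims = _claims(form.get("id_token", ""))
    if not _matches(session.pop("oidc_nonce", None), claims.get("nonce")):
        raise ValueError("nonce mismatch: id_token replayed or not requested here")
    if claims.get("iss") != expected_issuer or claims.get("aud") != client_id:
        raise ValueError("id_token not from the expected issuer or not for this app")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("id_token expired or has no exp")
    return claims

def unsigned_token_for_demo(claims):
    """Constructed sample only: an unsigned JWT so the checks can run offline."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return enc(b'{"alg":"none"}') + "." + enc(json.dumps(claims).encode()) + "."
```

Because state and nonce are popped from the session on first use, a second post of the same callback is rejected, which is the replay protection the nonce exists for.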

dstrockis

Reputation: 1193

At the moment, there are two different OpenID Connect endpoints you need to choose from. If you don't require Microsoft accounts, I recommend you register an app at portal.azure.com, and use the https://login.microsoftonline.com/common/oauth2/authorize endpoint for performing OIDC. There is good protocol documentation and code samples available at aka.ms/aaddev.

Upvotes: 0
