Using MSAL with non-Microsoft Identity providers - identity

I would like to know if MSAL can be used with Identity providers other than Microsoft products. If yes, how.
I checked the MSAL documentetion but it is not straightforward in this question.
What I would like to do is to authenticate to Google and OneLogin (and possibly others later) using MSAL, but I don't know how.
However, I successfully used MSAL with Azure AD.
MSAL seems to be a good library to use it generally with any IDPs.

According to the reply from the MSAL.NET GitHub discussion, MSAL.NET only supports Azure identity providers, so as of September of 2022, it would not work with third-party providers. The third-party support may be added later, but no timeline at this point.

PROVISO
I believe you're asking about MSAL.JS, as using MSAL.NET with a non-MS OpenID Connect provider is unnecessary, as Microsoft.AspNetCore.Identity provides sufficient support for social logins and vendors of custom OpenID Connect servers provide own extensions (see IdentityServer docs and OpenIdDict samples)
ANSWER
Yes, it's possible to use a non-MS OIDC provider with MSAL.JS since October 2020.
You'd have to specify extra auth properties: protocolMode: 'OIDC' and knownAuthorities: ["your-id-server.com"]. See the official docs on the parameters of #azure/msal-browser.
If you follow the official JavaScript examples then the config would look like:
auth: {
clientId: "YOUR-CLIENT-ID",
authority: "https://your-id-server.com",
knownAuthorities: ["https://your-id-server.com"],
redirectUri: "https://you-client-app.com",
protocolMode: "OIDC"
}
HISTORY
Till this PR was merged 16-Oct-2020, MSAL worked with MS end-points exclusively. So the #leastprivilege's answer of 2017 was correct back then.
Thankfully, issue requests 1555 and subsequently 2120 helped to change the tide.

Related

Is there a way to find the workitems for a release in Azure DevOps Api 5.1?

I can find a release in Azure DevOps Api 5.1 by a request to https://vsrm.dev.azure.com/mycompany/myproject/_apis/release/releases/myreleaseid?api-version=5.1
How can I get the workitems of that release as shown on the devops portal under Deployment - Stages - Workitems?
My naive approach just using https://vsrm.dev.azure.com/mycompany/myproject/_apis/release/releases/myreleaseid/workitems?api-version=5.1
resulted in a 404.
There is a stakeholder in the workitem and I want to send him a notification adter the release.
How can I get the workitems of that release as shown on the devops
portal under Deployment - Stages - Workitems?
Hard to say, but I don't find any document about this topic... So I determine to use F12 to find that. And here's the one I finally find:
Get:https://vsrm.dev.azure.com/mycompany/myproject/_apis/Release/releases/myreleaseId/workitems?baseReleaseId={my baseReleaseId}&%24top=250&artifactAlias={my artifactAlias}
It will returns the IDs of the workItems for the release. Its response format:
After you get the IDs, it's easy to get details if you need using Get Work Items Batch or what.
In addition:
1.myreleaseId is the ReleaseID. (On my side, the ID is 7 if it's Release-7)
2.my artifactAlias is this:
3.For my baseReleaseId, I'm not 100% sure about its meaning. I think it could be something like ReleaseToCompareAgainst. Hint from Daniel. (On my side, if my releaseId=7, then I use basereleaseID=6(7-1), it works to get the correct WIT ids). (Actually I suggest you can use F12 in that web page to check your corresponding URL.)
And according to Mathias F: The baseReleaseId realy is the last previous release that has a deployment (-1 in some cases)
4.About how to use F12 to find rest api which may not be documented:
Hope all above helps :)

PSD2 QSealC signed message

I have looked everywhere for an example of a QSealC signed message, and I could not find any info.
I need to verify the signature of a QsealC signed payload AND I need to sign the responding payload but I understand that the payload is all in json,
Are there examples out there of QSealC signed payloads?
thanks
You will do both the signing and validation as detailed by IETF's draft-cavage-http-signatures, where you should pay special attention to section 4.1.1 for constructing and section 2.5 for verifying the Signature header.
This draft is referenced by both Berlin Group's XS2A NextGenPSD2 Framework Implementation Guidelines and Stet (France). However, note that it's normal that each unique implementation imposes additional requirements on the HTTP Message Signing standard, e.g. by requiring specific headers to be signed or using a specially formatted keyId. I am not sure whether other standardizations such as Open Banking (UK) reference it.
Take note that you do not need actual QsealC PSD2 certificates to begin your implementation work of the neither the signing nor validation process, as you can create your own self-issued certificates, e.g. using OpenSSL, by adding the OID's found in the ASN.1 profile described in ETSI TS 119 495.
However, I strongly recommend you find a QTSP in your region and order certificates both for development and testing, and for use in production when the time comes.
I won't go into details on the actual process of creating the signature itself, as it's very well detailed in draft-cavage-http-signatures, but consider the following example;
You're requesting GET https://api.bank.eu/v1/accounts, and after processing your outgoing request you end up with the following signing string;
date: Sun, 12 May 2019 17:03:04 GMT
x-request-id: 69df69c1-76d0-4590-8f28-50449a21d0d8
psu-id: 289da2e6-5a01-430d-8075-8f7af71f6d2b
tpp-redirect-uri: https://httpbin.org/get
The resulting Signature could look something like this;
keyId=\"SN=D9EA5432EA92D254,CA=CN=Buypass Class 3 CA 3,O=Buypass AS-983163327,C=NO\",
algorithm=\"rsa-sha256\",
headers=\"date x-request-id psu-id tpp-redirect-uri\",
signature=\"base64(rsa-sha256(signing_string))\"
The above signature adheres to Berlin Group requirements as detailed in Section 12.2 in their implementation guidelines (per. v1.3), except some linebreaks added for readability, which in short are ;
the keyId must be formatted as SN={serial},CA={issuer}, but note that it seems to be up to the ASPSP to decide how the serial and issuer is formatted. However, most are likely to require the serial to be in uppercase hexadecimal representation and issuer formatting in conformance with RFC 2253 or RFC 4514.
The algorithm used must be either rsa-sha256 or rsa-sha512
The following headers must be part of the signing string if present in the request; date, digest, x-request-id, psu-id, psu-corporate-id, tpp-redirect-uri
The signature must be base-64 encoded
As developers have just begun to adopt this way of signing messages, you'll likely have you implement this yourself - but it's not too difficult if you just carefully read the above mentioned draft.
However, vendors have begun supporting the scheme, e.g. Apache CXF currently supports both signing and validation from v3.3.0 in their cxf-rt-rs-security-http-signature module as mentioned in the Apache CXF 3.3 Migration Guide. Surely, others will follow.
Validating the actual signature is easy enough, but validating the actual QsealC PSD2 certificate is a bit more cumbersome, but you'll likely have to integrate with EU's List of Trusted Lists to retrieve root- and intermediate certificates used to issued these certificates, and form a chain of trust together with e.g. Java's cacerts and Microsoft Trusted Root Certificate Program. I personally have good experiences using difi-certvalidator (Java) for the actual validation process, as it proved very easy to extend to our needs, but there are surely many other good tools and libraries out there.
You'll also need to pay special attention the certificate's organizationIdentifier (OID: 2.5.4.97) and qcStatements (OID: 1.3.6.1.5.5.7.1.3). You should check the certificate's organizationIdentifier against the Preta directory, as there might be instances where a TPP's authorization is revoked by it's NCA, but a CRL revocation hasn't yet been published by it's QTSP.
DISCLAIMER: When it comes to the whole QsealC PSD2 certificate signing and validation process, I find both Berlin Group and EBA to be very diffuse, leaving several aspects open to interpretation.
This is a rough explanation, but hopefully it give you enough to get started.

Azure fails when try to create a MySQL database

When I try to create a MySQL database on Microsoft Azure using pure REST request (PUT) to:
https://management.azure.com/subscriptions/<subscriptionid>/resourceGroups
/resource-<id>/providers/successbricks.cleardb/databases/<my-database>?
api-version=2014-04-01
I am getting this error:
HTTP STATUS CODE 400 Bad Request
Error message: 'Legal terms have not been accepted for this item on
this subscription. To accept legal terms, please go to the Azure
portal (http://go.microsoft.com/fwlink/?LinkId=534873) and configure
programmatic deployment for the Marketplace item or create it there
for the first time'
So I went to Microsoft Azure Portal, and I accepted the legal terms. I tried again, same error. I searched in almost the entire Azure Portal for some configuration about this and I found nothing.
Someone have the same problem?
Thanks.
you should not only accept the terms but follow the procedure of making the programmatic access possible. It should be on the license page.
Programmatic deployment only can be found in Virtual Machines MySQL, not in Data Storage MySQL Database. Try REST request after you enabled programmatic Deployment.
In addition, I successfully created a MySQL database using REST API without reproducing your question, but note that the request body need to be sent as well when using PUT request.
OK guys, found the solution. I don't know why, but if we change the JSON attribute { "plan.name": "Pay-As-You-Go" } to { "plan.name": "Free" } the database is created successfully.
I opened a support ticket to know which are the MySQL available plans. I will update the answer as soon as possible.

How do I get access from a client app by using PhoneGap to OpenHAB?

I'm developing a hybrid app (using PhoneGap) for openHAB. At the moment I'm struggling to build a connection from my hybrid to the OpenHAB runtime. Any suggestions?
The intended way to connect to the openHAB runtime is the REST API which is described in detail in the wiki (see https://github.com/openhab/openhab/wiki/REST-API).
You could also have a look at the implementations of the native Android client (see https://github.com/openhab/openhab.android) or the greenT HTML5 application based on Sencha Touch (see https://github.com/openhab/openhab/tree/master/distribution/openhabhome/webapps/greent).
Hope this helps,
Thomas E.-E.
The openhab has a REST API implemented as a bundle. this can be accessed via the URL "http://openhabip:8080/rest/".
If you want to access the items and implemet your own UI you can use "http://openhabip:8080/rest/items" with HTTP GET, POST ,PUT.
Otherwise you can use the "http://:8080/rest/sitemaps" and use the openhab provided sitemaps.
The details are in https://github.com/openhab/openhab/wiki/REST-API

Weblogic 10 JDBC Data Source Descriptions

Introduction
When creating a new domain for Weblogic Portal 10.3.0.0, the following datasources are created by default for use by the Weblogic Server (including the Name and JNDI Names).
For Example:
I am sure the p13nDataSource is accessed by the SQLAuthenticator Authentication Provider for performing DBMS authentication.
NAME JNDI NAME
cgDataSource cgDataSource
cgDataSource-nonXA cgDataSource-nonXA
p13nDataSource p13n.trackingDataSource p13n.sequencerDataSource cm.sequencerDataSource p13n.leasemanager p13n.dataSyncDataSource p13n.entitlementsDataSource p13n.quiescenceDataSource p13n.credentialsDataSource
portalDataSource weblogic.jdbc.jts.commercePool contentDataSource contentVersioningDataSource portalFrameworkPool
portalDataSourceAlwaysXA portalDataSourceAlwaysXA
portalDataSourceNeverXA portalFrameworkPoolNeverXA
Question
I understand the difference between XA and Non-XA, but does anyone have any information or descriptions regarding what each of the other data sources are used for?
The Default JDBC Configuration for the Basic WebLogic Platform Domain docs on Oracle documentation provides you some insight. Unfortunately, these docs are for version 8.1 (I haven't found the 10.3 version of it), but a lot of them remain true for 10.3.