Thursday, February 07, 2019

Oracle APEX Less Social Sign-On with MS Azure and Office 365

After my last blog post a natural question came up: what if I'm a little anti-social?

Specifically, what if I do NOT want to make my APEX application available to everyone on the planet who has (or is willing to get) a Microsoft Azure / Office 365 account? What if I only want people in my company, which uses Azure AD, to be able to log in?

There are several ways you can do this, and I recommend you employ at least two. No, recommend is too lenient, I insist you employ at least two :). The first is to change the way you call the Microsoft OAuth2 provider. Instead of using the values in my last blog post:


Authorization Endpoint URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Token Endpoint URL: https://login.microsoftonline.com/common/oauth2/v2.0/token

Use the following:

Authorization Endpoint URL: https://login.microsoftonline.com/yourCompanyDomain/oauth2/v2.0/authorize
Token Endpoint URL: https://login.microsoftonline.com/yourCompanyDomain/oauth2/v2.0/token

For Insum, this would be insum.ca:

Authorization Endpoint URL: https://login.microsoftonline.com/insum.ca/oauth2/v2.0/authorize
Token Endpoint URL: https://login.microsoftonline.com/insum.ca/oauth2/v2.0/token

The method above does NOT restrict your application to just your domain. The tenant in the endpoint URL only tells Microsoft which login page to show; your application does not enforce it. It just makes it harder for someone to use another domain, and a savvy user can bypass it by simply replacing your domain with "common" in the URL.

The REAL step to secure your application is to do one or both of the following:

  1. Create an Authentication Scheme sentry function that makes sure the username includes @yourdomain.
  2. Create an Authorization Scheme that makes sure the username includes @yourdomain and apply it to the application.
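
As an added example (not code from this post), here is one way to write the domain check behind steps 1 and 2 as a PL/SQL function; the function names are hypothetical and insum.ca is the assumed domain. It requires the username to end with @domain rather than merely contain it, because a contains-check would also accept names such as bob@insum.ca.example, which belong to a different domain.

```plsql
-- Hypothetical helper, not from the post: returns TRUE only when the
-- APEX username belongs to the company tenant domain (assumed insum.ca).
create or replace function is_company_user (
    p_username in varchar2 default apex_application.g_user,
    p_domain   in varchar2 default 'insum.ca'
) return boolean
is
    l_user   varchar2(4000) := lower(trim(p_username));
    l_domain varchar2(4000) := lower(trim(p_domain));
    l_at     pls_integer;
    l_suffix varchar2(4000);
begin
    if l_user is null or l_domain is null then
        return false;
    end if;
    l_at := instr(l_user, '@');
    -- Require a non-empty local part and exactly one '@'.
    if l_at <= 1 or instr(l_user, '@', l_at + 1) > 0 then
        return false;
    end if;
    -- Compare the whole part after '@' with the domain. A "contains"
    -- test (instr, or like '%@insum.ca%') would also pass
    -- bob@insum.ca.example, which is not the company domain.
    l_suffix := substr(l_user, l_at + 1);
    -- "is not null and ..." makes an empty suffix yield FALSE, not NULL.
    return l_suffix is not null and l_suffix = l_domain;
end is_company_user;
/

-- Step 2: Authorization Scheme of type "PL/SQL Function Returning Boolean",
-- applied as the application-level Authorization Scheme. Scheme body:
--     return is_company_user;

-- Step 1: Session Sentry Function for the Authentication Scheme. It must
-- return TRUE for a valid session; FALSE makes APEX reject the session.
create or replace function company_session_sentry return boolean
is
begin
    return is_company_user;
end company_session_sentry;
/
```

Using both means a wrong-domain account is rejected at the session level and, should the sentry ever be removed, still blocked by the authorization scheme.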

I am often logged into multiple Azure AD accounts at the same time. By adding yourCompanyDomain to the Endpoint URLs you get the added bonus that users do not need to select an account each time they go to your application; Microsoft will detect the correct one to use.

Edit:

You can also log into the Azure Portal (https://portal.azure.com) and edit the manifest of your application.

Azure Active Directory > App Registrations > [Your Application] > Manifest

Change

"signInAudience": "AzureADandPersonalMicrosoftAccount",

to

"signInAudience": "AzureADMyOrg",

2 comments:

Chris said...

Hi Anton,

Great that you are blogging about Social Sign-In. Did you ever try the OpenID Connect mode, too? I think your discovery URL should be

https://login.microsoftonline.com/insum.ca/.well-known/openid-configuration

Regards,
Christian
