Manually Using Fiddler to Authenticate (Part II – Actual Walkthrough)

In this second part of Manually Using Fiddler to Authenticate I’ll use a combination of web browser and Fiddler to request first an authorization code and then an access token for the Azure Active Directory I set up in an earlier post. This follows the workflow covered in this MSDN document.

There are a couple of things I’ll need before I start:

– The tenant id of the AAD that I’m going to be signing into. This can be the actual id (e.g. e688d594-8643-4bdf-9e4c-0be8bcbc645f, which you can see in the address bar when editing information via the Azure portal, e.g. https://manage.windowsazure.com/@hutchinsonbuilders.com.au#Workspaces/ActiveDirectoryExtension/Directory/e688d594-8643-4bdf-9e4c-0be8bcbc645f) or the domain:

realestateinspector.onmicrosoft.com

– The Client Id of the application I set up for the native client (remember that I’m effectively simulating the workflow that my native clients will go through, so it makes sense to use that AAD application):

client_id=a5a10ee9-f871-4bde-997f-3f1c323fefa5

– The redirect uri that was defined in the AAD application for the native client. When we actually come to use this process in the native client we will of course have to determine the native client’s redirect uri and add that to the AAD application, but for the time being I’ll use the value I specified when setting up the AAD application:

redirect_uri=http://tba.com

NOTE: I need to make sure that I appropriately URL-encode any query string parameters (there are plenty of web based converters – I use this URL decoder/encoder), so in this case the redirect uri will need to be specified as follows:

redirect_uri=http%3A%2F%2Ftba.com

Putting this all together we can generate the url for requesting an authorization code: https://login.windows.net/realestateinspector.onmicrosoft.com/oauth2/authorize?response_type=code&client_id=a5a10ee9-f871-4bde-997f-3f1c323fefa5&redirect_uri=http%3A%2F%2Ftba.com. Navigating to this url in a web browser will prompt the user to sign in using the standard AAD sign-in prompt.

[Image: the AAD sign-in prompt]

After signing in, the user will be redirected to the redirect uri (in this case http://tba.com) with the authorization code specified in the address, e.g. http://www.tba.com/?code=AAABAAAAvPM1KaPlrEqdFSBzjqfTGKrfFcsSklul1Lrd_bv-lbWetE6ZyTlruH0Yy7bB6Zue1lg0hpJ_2h5dLxd8gweAItUT6Hgvh7dXcyKsTuYfW_gpo9kkiGHYzxo53ayrrBJqsVyPLkJ6SagQp7_8vyfvieYrGF2tTXy_bMPpA3HG63qe_D_Iqpie9AtSnXWT7ax2UlufFSHNiu4pqIPxz_yc_TXBAHNKjSCevVTbLc4Kg71pyf3galmjXwi72KxDRn4QSwmY9Gdmhllo3A1ywOVrfct0DtZhe3oxzIdVpi5TUhKmDxbsnk2kHo60H1_SnmMFoIY-H2GTWdEScF0kPEa7NztBTJ9RIvx3YBMSPL4tZCgWo6Ta-xfCfeo47LZmWr_k07f1N85S1dhfumeVsSORGJI3CtTnnQxDxbLCKhaQweIW08pl1198STbwpFokuOMjH20KXX2KdbXxoaw67wWMsoyQypVDhBFgDPcZqHPOVT1J8pj-G6ic_WR3JtQ_Ig1xIAA&session_state=d2b5f011-74db-4b0e-84eb-979250fdee97

The next step is to request an access token. Now remember that this access token should be one that has permissions to access the Mobile Service I set up. As such, when requesting the access token I need to specify the Mobile Service as the resource I want to have access to. Here are the attributes I need for the access token request:

grant_type=authorization_code
client_id=a5a10ee9-f871-4bde-997f-3f1c323fefa5 (same as the previous request)
code=AAABAAAAvPM1KaP———–_WR3JtQ_Ig1xIAA (truncated for brevity)
resource=https://realestateinspector.azure-mobile.net/login/aad (the Mobile Service APP ID URI specified in the AAD application setup for the Mobile Service)
redirect_uri=http://tba.com (the same redirect uri used in the authorization code request)

Putting this all together into a POST request that I can issue in Fiddler:

POST https://login.windows.net/realestateinspector.onmicrosoft.com/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&client_id=a5a10ee9-f871-4bde-997f-3f1c323fefa5&code=AAABAAAAvPM1KaPlrEqdFSBzjqfTGKrfFcsSklul1Lrd_bv-lbWetE6ZyTlruH0Yy7bB6Zue1lg0hpJ_2h5dLxd8gweAItUT6Hgvh7dXcyKsTuYfW_gpo9kkiGHYzxo53ayrrBJqsVyPLkJ6SagQp7_8vyfvieYrGF2tTXy_bMPpA3HG63qe_D_Iqpie9AtSnXWT7ax2UlufFSHNiu4pqIPxz_yc_TXBAHNKjSCevVTbLc4Kg71pyf3galmjXwi72KxDRn4QSwmY9Gdmhllo3A1ywOVrfct0DtZhe3oxzIdVpi5TUhKmDxbsnk2kHo60H1_SnmMFoIY-H2GTWdEScF0kPEa7NztBTJ9RIvx3YBMSPL4tZCgWo6Ta-xfCfeo47LZmWr_k07f1N85S1dhfumeVsSORGJI3CtTnnQxDxbLCKhaQweIW08pl1198STbwpFokuOMjH20KXX2KdbXxoaw67wWMsoyQypVDhBFgDPcZqHPOVT1J8pj-G6ic_WR3JtQ_Ig1xIAA&resource=https%3A%2F%2Frealestateinspector.azure-mobile.net%2Flogin%2Faad&redirect_uri=http%3A%2F%2Ftba.com

What I get back from this request is a JSON response:

[Image: JSON response from the token endpoint]

The response contains a number of values which can be used for a variety of things; one of these is the access token, a JSON Web Token (JWT) whose claims you can decode and inspect using tools such as http://jwt.io/.

[Image: the access token decoded in jwt.io]
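The whole flow above, scripted offline as an added example (this is not code from the post): it builds the authorize URL with proper percent-encoding, pulls the code out of the redirect, builds the exact form body posted to the token endpoint, and then decodes the returned JWT the way jwt.io does and checks its aud claim against the resource. The tenant, client id, redirect uri and resource values are the ones quoted in the post; the JWT is a constructed sample with a dummy signature and a placeholder tenant GUID in its issuer, and no network request is made.

```python
"""Offline walk-through of the AAD authorization-code flow described in the post.
Added example, not the post's own code. Values below are taken from the post;
the sample JWT and the redirect URL used in the demo are constructed."""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.windows.net"
TENANT = "realestateinspector.onmicrosoft.com"
CLIENT_ID = "a5a10ee9-f871-4bde-997f-3f1c323fefa5"
REDIRECT_URI = "http://tba.com"
RESOURCE = "https://realestateinspector.azure-mobile.net/login/aad"


def authorize_url(tenant=TENANT, client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Step 1: the URL to open in the browser. urlencode() does the percent-encoding
    the post did by hand (http://tba.com -> http%3A%2F%2Ftba.com)."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri}
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?{urlencode(params)}"


def code_from_redirect(redirected_url):
    """Step 2: AAD sends the browser to redirect_uri?code=...&session_state=...
    Extract the code from the query string; fail loudly if it is absent."""
    query = parse_qs(urlsplit(redirected_url).query)
    if "code" not in query:
        raise ValueError("redirect carried no authorization code")
    return query["code"][0]


def token_request(code, client_id=CLIENT_ID, redirect_uri=REDIRECT_URI, resource=RESOURCE):
    """Step 3: the POST to /oauth2/token, returned as (url, headers, body) so it can be
    handed to any HTTP client or pasted into Fiddler's composer."""
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "resource": resource,
        "redirect_uri": redirect_uri,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return f"{AUTHORITY}/{TENANT}/oauth2/token", headers, body


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)  # JWT segments drop base64 padding; restore it
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token):
    """Decode the JWT header and payload exactly as jwt.io displays them.
    This does NOT verify the signature; that needs the tenant's signing keys."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def token_is_for_resource(token, resource=RESOURCE):
    """The check a resource (here the Mobile Service) should make before trusting a
    token: its aud claim must equal the App ID URI the token was requested for."""
    _header, claims = jwt_claims(token)
    return claims.get("aud") == resource


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample token. Real AAD tokens are RS256-signed; the signature here is a
# dummy and the issuer GUID is a placeholder, so only claim inspection is meaningful.
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
    _b64url_encode(json.dumps({
        "aud": RESOURCE,
        "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
        "appid": CLIENT_ID,
        "upn": "user@example.com",
    }).encode()),
    _b64url_encode(b"not-a-real-signature"),
])

# Constructed redirect URL with a short stand-in for the real (much longer) code.
SAMPLE_REDIRECT = "http://www.tba.com/?code=SAMPLECODE123&session_state=d2b5f011-74db-4b0e-84eb-979250fdee97"

if __name__ == "__main__":
    print(authorize_url())
    code = code_from_redirect(SAMPLE_REDIRECT)
    url, headers, body = token_request(code)
    print(url, headers, body, sep="\n")
    print(jwt_claims(SAMPLE_TOKEN)[1])
    print("aud matches resource:", token_is_for_resource(SAMPLE_TOKEN))
```

The aud check is the part jwt.io will not do for you: the site only decodes the token, so a token that decodes cleanly may still have been issued for a different resource, and a service that skips the check will accept it.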

1 thought on “Manually Using Fiddler to Authenticate (Part II – Actual Walkthrough)”

  1. Nice presentation of the article. The words are properly used, and supported by the snippets. Encoding the URL or string is important. Sometimes a little mistake becomes the hurdle in the implementation of the project. For that, you can also check that tool https://url-decode.com/, providing more functionality in that sense.
