Tyk GW + TIB + Azure AD as an identity provider

Hello,

I’m trying to configure TIB for connecting to Microsoft Azure AD via the OpenID Connect SocialProvider.
But I cannot pass the ‘prompt=select_account’ attribute to the Microsoft login dialog.
Is there a way to do that?

Thanks

Hi @pavelbakh, welcome to the community.

We would need more information. Such as:

  • What are you trying to achieve?
  • How did you configure your profile?
  • How did you configure Azure AD?
  • Are you using external or internal TIB?
  • How do you start the flow?

Hi @Olu,
thank you for the response.
I’m using external TIB with the following profile:

{
  "ActionType": "GenerateOAuthTokenForClient",
  "ID": "1",
  "IdentityHandlerConfig": {
    "DashboardCredential": "",
    "DisableOneTokenPerAPI": false,
    "OAuth": {
      "APIListenPath": "httpbin",
      "BaseAPIID": "{{api_id}}",
      "ClientId": "{{oauth_client_id}}",
      "RedirectURI": "http://localhost:4200/token",
      "ResponseType": "code",
      "Secret": "{{oauth_client_secret}}",
      "NoRedirect": false
    }
  },
  "MatchedPolicyID": "{{policy_id}}",
  "OrgID": "{{org_id}}",
  "ProviderConfig": {
    "CallbackBaseURL": "{{TIB_URL}}",
    "FailureRedirect": "http://localhost:4200/?fail=true",
    "UseProviders": [{
      "Name": "openid-connect",
      "Key": "{{azure_ad_client_id}}",
      "Secret": "{{azure_ad_client_secret}}",
      "Scopes": ["openid", "email"],
      "DiscoverURL": "https://login.microsoftonline.com/{{azure_tenant_id}}/v2.0/.well-known/openid-configuration",
      "SkipUserInfoRequest": false
    }]
  },
  "ProviderName": "SocialProvider",
  "ReturnURL": "",
  "Type": "redirect"
}

The Azure AD configuration is as follows:

{
	"id": "031aaacf-d864-4851-8434-XXXXXXXXXXXX",
	"acceptMappedClaims": null,
	"accessTokenAcceptedVersion": null,
	"addIns": [],
	"allowPublicClient": true,
	"appId": "265f67cc-0ca4-4121-9c83-XXXXXXXXXXXX",
	"appRoles": [],
	"oauth2AllowUrlPathMatching": false,
	"createdDateTime": "2021-08-19T12:22:34Z",
	"certification": null,
	"disabledByMicrosoftStatus": null,
	"groupMembershipClaims": null,
	"identifierUris": [],
	"informationalUrls": {
		"termsOfService": null,
		"support": null,
		"privacy": null,
		"marketing": null
	},
	"keyCredentials": [],
	"knownClientApplications": [],
	"logoUrl": "https://secure.aadcdn.microsoftonline-p.com/c1c6b6c8-2pwvh0pntd8hbpgbg3vo-xlu-xtko616igpvauksprc/appbranding/kepwpek1j3bh9w2cniftg-mrftpyij-hewvudn9-eje/1033/bannerlogo?ts=637728503871177307",
	"logoutUrl": null,
	"name": "authpoc-tyk-gw",
	"oauth2AllowIdTokenImplicitFlow": true,
	"oauth2AllowImplicitFlow": false,
	"oauth2Permissions": [],
	"oauth2RequirePostResponse": false,
	"optionalClaims": null,
	"orgRestrictions": [],
	"parentalControlSettings": {
		"countriesBlockedForMinors": [],
		"legalAgeGroupRule": "Allow"
	},
	"passwordCredentials": [
		{
			"customKeyIdentifier": null,
			"endDate": "2023-10-29T08:51:09.663Z",
			"keyId": "02a4cd23-9614-456e-bd3c-XXXXXXXXXXXX",
			"startDate": "2021-10-29T07:51:09.663Z",
			"value": null,
			"createdOn": "2021-10-29T07:51:30.33644Z",
			"hint": "XXXXXXXXXXXX",
			"displayName": "Password uploaded on Fri Oct 29 2021"
		}
	],
	"preAuthorizedApplications": [],
	"publisherDomain": "ebolttoutlook.onmicrosoft.com",
	"replyUrlsWithType": [
		{
			"url": "https://TIB_ADDRESS/login/auth/1/openid-connect/callback",
			"type": "Web"
		},
		{
			"url": "http://localhost:4200",
			"type": "Web"
		}
	],
	"requiredResourceAccess": [
		{
			"resourceAppId": "00000003-0000-0000-c000-000000000000",
			"resourceAccess": [
				{
					"id": "e1fe6dd8-ba31-4d61-89e7-XXXXXXXXXXXX",
					"type": "Scope"
				}
			]
		}
	],
	"samlMetadataUrl": null,
	"signInUrl": null,
	"signInAudience": "AzureADMyOrg",
	"tags": [
		"apiConsumer",
		"webApp"
	],
	"tokenEncryptionKeyId": null
}

The workflow is as follows:
WebGUI login button → GET request to https://TIB_ADDRESS/login/auth/1/openid-connect → redirect to Azure Login Dialog

I’m trying to get a login dialog like:

So it should always be the “Pick an account” form, which requires the ‘prompt=select_account’ attribute to be set when requesting Azure, like:
https://login.microsoftonline.com/{azure_tenant_id}/oauth2/v2.0/authorize?client_id=265f67cc-0ca4-4121-9c83-XXXXXXXXXXXX&redirect_uri=https%3A%2F%2F{TIB_ADDRESS}%2Flogin%2Fauth%2F1%2Fopenid-connect%2Fcallback&response_type=code&scope=openid+email&state=state&sso_reload=true&prompt=select_account

Is it possible to configure TIB to achieve that?
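The authorize request above is the thing that has to be right for the “Pick an account” flow, so here is an added example (not TIB’s or Tyk’s code) that builds that v2.0 authorization-code request and checks a given authorize URL, for instance the Location header TIB returns from /login/auth/1/openid-connect, against what the flow needs: an exact match of redirect_uri against the reply URLs registered in the app manifest, response_type=code, an openid scope, a state value, and prompt=select_account. The tenant and client IDs are placeholders, and TIB_ADDRESS is the thread’s own placeholder host kept as-is.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// registeredReplyURLs mirrors the "replyUrlsWithType" entries from the app
// registration manifest posted in the thread (TIB_ADDRESS is a placeholder).
var registeredReplyURLs = []string{
	"https://TIB_ADDRESS/login/auth/1/openid-connect/callback",
	"http://localhost:4200",
}

// BuildAuthorizeURL assembles the v2.0 authorization-code request shown in the
// thread. prompt is appended only when non-empty, so the same function can
// reproduce both the request without a prompt and the desired one.
func BuildAuthorizeURL(tenantID, clientID, redirectURI string, scopes []string, state, prompt string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("response_type", "code")
	q.Set("scope", strings.Join(scopes, " ")) // Encode() turns the space into '+', as in the thread's URL
	q.Set("state", state)
	if prompt != "" {
		q.Set("prompt", prompt)
	}
	return "https://login.microsoftonline.com/" + tenantID + "/oauth2/v2.0/authorize?" + q.Encode()
}

// CheckAuthorizeURL inspects an authorize request and reports the first thing
// that would stop the "Pick an account" flow from working:
//   - redirect_uri must match a registered reply URL exactly (Azure AD compares
//     the whole string, so a trailing slash or http/https mismatch is rejected)
//   - response_type must be "code" and scope must include "openid"
//   - state must be present so the callback can be bound to this request
//   - prompt must be "select_account"
func CheckAuthorizeURL(raw string, registered []string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return errors.New("authorize endpoint must be https")
	}
	q := u.Query()

	redirectURI := q.Get("redirect_uri")
	registeredOK := false
	for _, r := range registered {
		if r == redirectURI {
			registeredOK = true
			break
		}
	}
	if !registeredOK {
		return fmt.Errorf("redirect_uri %q is not an exact match for any registered reply URL", redirectURI)
	}
	if rt := q.Get("response_type"); rt != "code" {
		return fmt.Errorf("response_type is %q, want \"code\"", rt)
	}
	if !containsScope(q.Get("scope"), "openid") {
		return errors.New("scope does not include \"openid\"; the response would be plain OAuth, not OIDC")
	}
	if q.Get("state") == "" {
		return errors.New("state is missing; the callback cannot be bound to this request")
	}
	if p := q.Get("prompt"); p != "select_account" {
		return fmt.Errorf("prompt is %q, want \"select_account\"", p)
	}
	return nil
}

// containsScope splits a space-separated scope value; Query() has already
// decoded '+' and %20 to spaces.
func containsScope(scopeParam, want string) bool {
	for _, s := range strings.Fields(scopeParam) {
		if s == want {
			return true
		}
	}
	return false
}

func main() {
	// Placeholder tenant/client IDs; only the shape of the request matters here.
	withPrompt := BuildAuthorizeURL("tenant-id", "client-id", registeredReplyURLs[0], []string{"openid", "email"}, "state", "select_account")
	withoutPrompt := BuildAuthorizeURL("tenant-id", "client-id", registeredReplyURLs[0], []string{"openid", "email"}, "state", "")
	fmt.Println(withPrompt)
	fmt.Println("with prompt:   ", CheckAuthorizeURL(withPrompt, registeredReplyURLs))
	fmt.Println("without prompt:", CheckAuthorizeURL(withoutPrompt, registeredReplyURLs))
}
```

Run CheckAuthorizeURL over the redirect TIB actually issues and it will name the missing prompt parameter; the exact-match rule on redirect_uri is the other common cause of an Azure AD error page at this step, since the manifest entry and the callback URL TIB builds from CallbackBaseURL have to agree character for character.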

Thanks for providing more information. I asked internally and got a response that this is not possible with TIB.

Normally you get redirected to Azure; however, we currently cannot set that kind of parameter in the URL you are redirected to.

Is it allowed to connect to Tyk via curl or Postman if SAML is enabled?

Thank you @Olu, that was my expectation also.