Comments (43)

maciz84 avatar maciz84 commented on May 19, 2024 2

I have an internal application to collect billing for our customers, and my job was working well collecting data daily; now I am stuck.

from partner-center-dotnet-samples.

menth0l avatar menth0l commented on May 19, 2024 2

Just to be sure: authentication in the user+app+MFA scenario (which will be required from February 4) is not possible in a fully automated way? First someone needs to log in to the account interactively using his MFA method to retrieve the token, and then use it inside the app and refresh it using refresh_token when it expires?

EDIT: for future readers I'll repost Isaiah's response from Yammer:

There is no way to automate the consent process used to obtain the refresh token. However, once you have that value it can be used in a headless manner to obtain an access token for the Partner Center API/SDK. If you look at the partner consent and CSPApplication samples in that repository you will see how this can be accomplished.

@maciz84 I'm with you on this - Microsoft indeed has some strange ideas. If all of the PC API methods could be called as a service principal this would not be a problem (I assume that the MFA requirement will apply only to the user+app scenario?). I still don't get why I can't verify a partner's MPN id or create a user for a customer as a SP.

from partner-center-dotnet-samples.

SalmanMukhtar avatar SalmanMukhtar commented on May 19, 2024 1

Hi Isaiah,

Hope you are doing well. Any update on above?

Regards,
Salman

from partner-center-dotnet-samples.

HeinPauwelyn avatar HeinPauwelyn commented on May 19, 2024 1

Same for me. I've posted that on the Microsoft cloud Yammer community in the hope that we get a reaction faster.

from partner-center-dotnet-samples.

 avatar commented on May 19, 2024 1

Hi @SalmanMukhtar, @maciz84, and @HeinPauwelyn,

I hope that each of you are doing well. Several days back I posted a reply to this thread with additional information on how you can modify this sample project if you desire. We have provided an additional sample that demonstrates how to utilize the secure app model to obtain the required access token to interact with Partner Center. You can find this sample at https://github.com/Microsoft/Partner-Center-DotNet-Samples/tree/master/secure-app-model/keyvault.

Please let me know if the information I shared was helpful.

from partner-center-dotnet-samples.

SalmanMukhtar avatar SalmanMukhtar commented on May 19, 2024 1

Hi,

Things are working now as they should according to the new security model. Hopefully all will go smoothly when the switch is made on FEB 4.

Closing the case now.

Regards,
Salman

from partner-center-dotnet-samples.

 avatar commented on May 19, 2024

Hi @SalmanMukhtar,

This change is being made because of the new security requirement for accessing the Partner Center API. Starting February 4, 2019 you will need to use multifactor authentication (MFA) when connecting to Partner Center and the Partner Center API using app + user authentication. This means the password flow that the previous version of the samples project was using would no longer work. With this in mind we decided it would be best to modify the sample to prompt for credentials to keep the complexity of the sample application to a minimum.

With your production application it is recommended that you develop a process to register the credentials. At a high level this process would look similar to the following:

  1. Create a system/webpage that implements the authorization code flow
  2. Use the authorization code to obtain a token from Azure AD for use with the Partner Center API
  3. Store the refresh token returned from Azure AD in the above step. It is highly recommended that you store this value in a secure location such as Azure Key Vault.
  4. Utilize the refresh token to get an access token each time you need to perform an operation using the Partner Center API/SDK

Through this process you will be able to have a headless process perform any operation you see fit. To help us better understand your use case would you mind sharing some details about why you have the console application set to run with a scheduled task?

from partner-center-dotnet-samples.

SalmanMukhtar avatar SalmanMukhtar commented on May 19, 2024

Hi Isaiah,

Here are some details about the question you asked.
We are a Microsoft CSP partner. We bill our customers with some profit margins on top.

The application I have is a console app running on a server on our premises with task scheduler. It downloads customers, subscriptions and invoices. I have registered a NATIVE app and not a web app.
I use the application-id and secret from the NATIVE app.

By using that data we do billing and also provide reports to customers for their consumption.

In the old solution the authentication was done by providing user credentials in the following method, LoginUserToAad(). I get a token by using the following line in the mentioned method and then use that token to do different operations.

    result = authContext.AcquireToken(
        Configuration.UserAuthentication.ResourceUrl.OriginalString,
        Configuration.UserAuthentication.ApplicationId,
        userCredentials);

But now in your new authentication code you are using AcquireTokenAsync with a popup to enter user credentials.

    return Task.Run(() => authContext.AcquireTokenAsync(
        Configuration.UserAuthentication.ResourceUrl.OriginalString,
        Configuration.UserAuthentication.ApplicationId,
        RedirectUri,
        new PlatformParameters(PromptBehavior.Always),
        UserIdentifier.AnyUser)).Result;

My solution is automatic, so I do not need to enter a user name and password; they come from a config file. So the application works fine without human interaction.

In the new solution where a popup appears, someone has to enter the user name and password in case the token gets expired or so. So I am trying to find a way to avoid it.

Also here is a copy of my code if you want to take a look for more details.
https://1drv.ms/u/s!AuRO-6uuGYN2h8tc8fdr_C7IhdVLyQ

Regards,
Salman

from partner-center-dotnet-samples.

maciz84 avatar maciz84 commented on May 19, 2024

This is so annoying by Microsoft. I have no idea how I can do this with MFA. If anyone comes up with a solution or hack as to how I can get around not putting in the credentials every time I would be most grateful.

from partner-center-dotnet-samples.

maciz84 avatar maciz84 commented on May 19, 2024

Great please keep us posted

from partner-center-dotnet-samples.

 avatar commented on May 19, 2024

I appreciate everyone sharing their feedback and the additional information regarding where you are blocked. After reading through the comments I would like to take this opportunity to provide some context for this change. Microsoft will be requiring multifactor authentication for the Partner Center Dashboard and the Partner Center API when using app + user authentication. As a result of this new requirement Microsoft has introduced the secure application model. In addition to this guidance new sample projects have been published that demonstrate how to accomplish the following tasks:

  1. Prompt for consent, this process is where the partner will authenticate using the service account that has been enabled for multifactor authentication. This will be accomplished using the authorization code flow.
  2. After you have successfully authenticated an authorization code will be returned from Azure AD. That code should be used to request an access token. The response from Azure AD for the request for an access token will include a refresh token. That value should be stored in a secure location such as Azure Key Vault.

You will use the refresh token to request new access tokens for use with the Partner Center API. With this new requirement on the horizon the SDK sample project was modified in this fashion to reduce the complexity of leveraging the sample. This way you do not have to implement the secure application model just to test the Partner Center .NET SDK.

If you are planning to use the SDK sample project as a base for your integration you will need to modify the LoginUserToAad function to fulfill the secure application model guidance. You can do this by performing the following:

  1. Implement a process to perform partner consent. PartnerConsent is a sample web project that demonstrates how this can be done. Alternatively you can use the Partner Center PowerShell to perform this process. Additional information can be found here.
  2. Modify the LoginUserToAad function to obtain the refresh token value from the secure repository and then use it to request an access token for use with the SDK. You can find an example of this here.

Finally, I would like to recommend that each of you join the Partner Center security guidance Yammer group. In this group you will be able to find recordings from the past webinars we have hosted regarding this topic and be able to find additional resources.

from partner-center-dotnet-samples.
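
The headless step described in the replies above (keep the refresh token in a secure store, redeem it for an access token on every run) looks like this as an added example; it is not code from the thread or from the Partner Center samples, and it is written in Python to show the protocol exchange rather than the .NET SDK. It assumes the Azure AD v1 token endpoint under the authority quoted in the thread; `MemoryStore`, `ConsentRequired`, `post_form`, `get_access_token` and `fake_azure_ad` are hypothetical names, and all tenant, application and token values are constructed.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

RESOURCE = "https://api.partnercenter.microsoft.com"


class ConsentRequired(Exception):
    """Stored refresh token is unusable; interactive consent with MFA must be repeated."""


class MemoryStore:
    """Constructed stand-in for the secure store (Azure Key Vault in the thread)."""

    def __init__(self, refresh_token):
        self._value = refresh_token

    def get(self):
        return self._value

    def set(self, value):
        self._value = value


def post_form(url, fields):
    """POST a form to Azure AD and return (HTTP status, parsed JSON body)."""
    data = urllib.parse.urlencode(fields).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 4xx replies still carry a JSON error body
        return err.code, json.load(err)


def get_access_token(store, tenant_id, app_id, app_secret, send=post_form):
    """Trade the stored refresh token for an access token, without any prompt."""
    url = "https://login.microsoftonline.com/%s/oauth2/token" % tenant_id
    status, body = send(url, {
        "grant_type": "refresh_token",
        "resource": RESOURCE,
        "client_id": app_id,
        "client_secret": app_secret,
        "refresh_token": store.get(),
    })
    if status != 200:
        # invalid_grant means the refresh token expired or was revoked: a
        # scheduled job cannot recover from this, someone has to consent again.
        if body.get("error") == "invalid_grant":
            raise ConsentRequired(body.get("error_description", "invalid_grant"))
        raise RuntimeError("token request failed: %s" % body.get("error"))
    # Azure AD may return a replacement refresh token; persist the newest one.
    new_refresh = body.get("refresh_token")
    if new_refresh and new_refresh != store.get():
        store.set(new_refresh)
    return body["access_token"]


def fake_azure_ad(url, fields):
    """Constructed responses so the example runs offline."""
    if fields["refresh_token"] == "rt-expired":
        return 400, {"error": "invalid_grant", "error_description": "constructed: token expired"}
    return 200, {"access_token": "at-1", "refresh_token": "rt-2", "expires_in": "3599"}


if __name__ == "__main__":
    store = MemoryStore("rt-1")
    print(get_access_token(store, "constructed-tenant-id", "app-id", "app-secret", send=fake_azure_ad))
    print("stored refresh token is now", store.get())
```

A scheduled job should treat `ConsentRequired` as an alert for an operator rather than retrying, since only a fresh interactive sign-in can replace the token.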

HeinPauwelyn avatar HeinPauwelyn commented on May 19, 2024

@SalmanMukhtar, @maciz84: A reply on Yammer from Isaiah Williams was this:

Hi Hein Pauwelyn - Savaco,

I will be responding to the issue in GitHub as well. We made this change to the SDK sample because of the upcoming new security requirements for Partner Center and the Partner Center API. Starting February 4, 2019 Microsoft will be requiring multifactor authentication for both the dashboard and the API when using app + user. This means you will need to build a process that follows the secure application model guidance. You can find details about this model at https://docs.microsoft.com/en-us/partner-center/develop/enable-secure-app-model

Finally, when I get an opportunity to respond on GitHub, I will include some possible solutions. In the meantime, I would like to encourage you to join the Partner Center security guidance group that is part of this Yammer network. You will find numerous helpful resources there as well.

(Just for information)

from partner-center-dotnet-samples.

SalmanMukhtar avatar SalmanMukhtar commented on May 19, 2024

Hi Hein.

Thanks for keeping us in the loop. Good to hear that there are some possible solutions to get around this problem. Waiting to get more tips.

Regards,
Salman

from partner-center-dotnet-samples.

maciz84 avatar maciz84 commented on May 19, 2024

@HeinPauwelyn thank you for keeping us updated. Look forward to possible solutions 👍

from partner-center-dotnet-samples.

maciz84 avatar maciz84 commented on May 19, 2024

Hi guys,

Sorry to be a pain, but has anyone managed to find a solution yet?

from partner-center-dotnet-samples.

maciz84 avatar maciz84 commented on May 19, 2024

@SalmanMukhtar cheers dude, I am also trying but no luck so far :(

from partner-center-dotnet-samples.

maciz84 avatar maciz84 commented on May 19, 2024

@IsaiahWilliams thank you so much for putting the time to provide a sample. I am currently trying to get it to work but I am struggling with KeyVault errors. I know I can try to search how to set up Azure Key Vaults but I think it would be really useful if you explained how to generate the keys and how to use the certificate etc. within your app.

from partner-center-dotnet-samples.

maciz84 avatar maciz84 commented on May 19, 2024

I am getting an error
Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'

from partner-center-dotnet-samples.

maciz84 avatar maciz84 commented on May 19, 2024

Ok got around this, but what is the KeyVaultEndpoint? Because now the forbidden error is gone but it is saying not found now. I am guessing I have put in the wrong one? Where can I find this? Is it the DNS Name which is like https://cspapplication.vault.azure.net/

from partner-center-dotnet-samples.

maciz84 avatar maciz84 commented on May 19, 2024

Ok so I am almost there but the main problem is the block of code below errors out with Object Reference not set to instance of an Object. The GetADAppToken method works but is not authorised so cannot query the API:

    Newtonsoft.Json.Linq.JObject token = await AuthorizationUtilities.GetAADTokenFromRefreshToken(
        "https://login.microsoftonline.com/" + tenantId,
        "https://api.partnercenter.microsoft.com",
        CSPApplicationId,
        CSPApplicationSecret,
        refreshToken);

from partner-center-dotnet-samples.

 avatar commented on May 19, 2024

Hi @maciz84,

It looks like you are having issues caused by the configuration for Key Vault. I would recommend that you review the Key Vault setup documentation available at

http://assetsprod.microsoft.com/csp-partner-application-overview.pdf

Please let us know if you have any concerns or questions.

from partner-center-dotnet-samples.

maciz84 avatar maciz84 commented on May 19, 2024

@IsaiahWilliams ok I will have a read of the document but that is what I suspected. Was thinking that it's something to do with Vault setup but cannot pin it down to anything at the moment.

from partner-center-dotnet-samples.

maciz84 avatar maciz84 commented on May 19, 2024

@IsaiahWilliams ok I have rebuilt the CSP application and the Partner Consent projects using your templates and added my values etc.

Just to ensure that I understand how it works... I have run the PartnerConsent app first as that is the app that will create the necessary Keys to the Vault etc., then the CSP application will consume the tokens first via the KeyVaultAccessApp (which I created as per guidelines in your link) and then that passes the token to the CSP Application... correct or not?

In any case I get an error when I run the PartnerConsent App with the message below:

AADSTS90081: An error occurred when we tried to process a WS-Federation message. The message was invalid

I am running out of ideas as to how I can get this working to be honest :(

from partner-center-dotnet-samples.

maciz84 avatar maciz84 commented on May 19, 2024

@IsaiahWilliams as far I know we are not using ADFS. Hence why this error was strange, do you know how I can check this?

from partner-center-dotnet-samples.

maciz84 avatar maciz84 commented on May 19, 2024

Ok I just checked this out and I do not have it enabled
So what does this mean then? Does it need to be on or not?

from partner-center-dotnet-samples.

maciz84 avatar maciz84 commented on May 19, 2024

Ok I give up on this... I will run it manually until I don't care anymore. I am sorry to be ranting but I don't understand how Microsoft thinks sometimes.

I agree that security is very important but they did not think how some of us SME companies would deal with a problem like this, which was 'automated' for us until now. I appreciate the work that @IsaiahWilliams has done, he has been great, but there just doesn't seem to be any solution to this and if there is one, it hasn't been documented in a way that most people would understand.

My last plea is to say if someone has managed to get this working please, oh please help me and Microsoft out because none of this works.

from partner-center-dotnet-samples.

SalmanMukhtar avatar SalmanMukhtar commented on May 19, 2024

Hi @IsaiahWilliams

I just tested the new consent web app and got this warning.

You have not authenticated using multi-factor authentication

Does that mean I have to enable MFA for the account which owns the application?
If yes then where can I do that?

If not then please guide me a bit.

Regards,
Salman

from partner-center-dotnet-samples.

SalmanMukhtar avatar SalmanMukhtar commented on May 19, 2024

Hi @IsaiahWilliams

I got it working. Never mind.

Regards,
Salman

from partner-center-dotnet-samples.

maciz84 avatar maciz84 commented on May 19, 2024

@SalmanMukhtar if you ever have the time could you please let us know how you managed to get this working?

from partner-center-dotnet-samples.

maciz84 avatar maciz84 commented on May 19, 2024

Hell yeah I finally got it to work 👍 Thanks everybody, my issue was to do with the region and resource for the Azure Key Vault

from partner-center-dotnet-samples.

ysrinivasarao avatar ysrinivasarao commented on May 19, 2024

Hi,

I have downloaded the latest .NET SampleSDK from GitHub and created the application ids as per the document, and I am getting an Authentication failed error message when running the sample code.
When running the console app it prompts for authentication, and after entering user credentials I got this error message:
Authentication failed. MFA required. (10001)
Please see the attached screenshot for more details; any help would be greatly appreciated.

Base Description: Microsoft.Store.PartnerCenter.Exceptions.PartnerException: Authentication failed. MFA required. (10001)
SampleSDK API Error
Thank you,
Srini

from partner-center-dotnet-samples.

SalmanMukhtar avatar SalmanMukhtar commented on May 19, 2024

Hi,

I am assuming that MFA authentication is enabled on the user you are using. In that case you have to use partner center consent app first to generate a token and store it in key vault. Use this (https://github.com/microsoft/Partner-Center-DotNet-Samples/tree/master/secure-app-model/keyvault).

When you start the app it will ask you to login and also will ask you for MFA. Once successfully logged in you will get a token that will be saved in key vault by consent app.

That token is going to be used further in partner center samples.

Hope that explains and will resolve your issue.

Regards,
Salman

from partner-center-dotnet-samples.

ysrinivasarao avatar ysrinivasarao commented on May 19, 2024

Hi Salman,
I am getting an error message when trying to generate a key vault using the partner center consent sample code, which was downloaded using the above url.

Please advise; any help would be greatly appreciated ...

Thank you,
Srini

from partner-center-dotnet-samples.

SalmanMukhtar avatar SalmanMukhtar commented on May 19, 2024

I think you have to add localhost as redirect URI. Try this

from partner-center-dotnet-samples.

SalmanMukhtar avatar SalmanMukhtar commented on May 19, 2024

On https://portal.azure.com/
Click Azure Active Directory Then
Click App Registration Then
Click on the listed app you are using to login Then
Click on Redirect URIs
And add http://localhost under Mobile and desktop applications

Then try to run the consent application.
Hope this will resolve your issue.

Salman

from partner-center-dotnet-samples.

SalmanMukhtar avatar SalmanMukhtar commented on May 19, 2024

Alright. Then there must be something wrong with the way you set up your things.
Can't help you anymore unless I see it. Best of luck.

Salman

from partner-center-dotnet-samples.

RommelWZ avatar RommelWZ commented on May 19, 2024

I tried running the sample SDK and it is authenticated but it said forbidden. I also have the partner consent working and the token is already on the KeyVault. Does anyone have the steps to fetch the token from KV in the console sample app?

from partner-center-dotnet-samples.
