    Can't use api login with azure ad

      abehari

      Hi,

      We are switching from Crowd to FusionAuth. One of the requirements is to use FusionAuth as proxy authentication provider for Azure AD. So far we've configured OpenID Connect to use Azure AD of our company. Via the hosted login pages of FusionAuth we're able to log in. But we need the API to log in and this is not working. We have our own login services etc. in place.

      When we log in via the hosted login page the login is successful and a linked user is created.

      [Screenshots: user created when logged in via the hosted page; OpenID Connect config]

      When trying to log in via the API, it returns 404. The user is not found.


      When we change the user to have a password in FusionAuth, the user is returned via the API. That is not what we want. We want to manage the password in Azure and use FusionAuth only as a login proxy with our own custom login in our back end application.

      What are we doing wrong?

      Regards,
      Aswien

        joshua @abehari

        @abehari Thanks for the question -

        The user is not found when they are initially linked as they are tied to an external auth store (Azure in this case), so we are relying on Azure to store the user's password/credentials (federation). Once you create a user with a password, and call the api/login we are going to look in our database and if the user is found (and with the correct credentials), we will return (as you experienced).

        I am wondering if using the login API for OIDC provider is more appropriate for your use case.

        • https://fusionauth.io/docs/v1/tech/apis/identity-providers/openid-connect#complete-an-openid-connect-login

        In this case, you are building your own login pages, in which you call Azure, and on that final step, called complete the login, you are asking FusionAuth to log the user in based on what Azure says.

        Let us know if that better addresses your use case.

        Thanks,
        Josh

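The three steps described in the reply above (send the browser to Azure, receive the code on a redirect URI, ask FusionAuth to complete the login), as an added example that is not part of the original thread and not FusionAuth's own code. It only builds and checks the messages and makes no network calls; the function names, the placeholder IDs and the use of the Microsoft identity platform v2.0 authorize endpoint are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumption: Microsoft identity platform v2.0 authorize endpoint; use the
# authorization endpoint from your own OpenID Connect configuration instead.
AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def start_login(tenant, client_id, redirect_uri):
    """Step 1: URL the user's browser is sent to, plus the state to keep server-side."""
    state = secrets.token_urlsafe(32)  # binds the later callback to this login attempt
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,
    })
    return AUTHORIZE.format(tenant=tenant) + "?" + query, state


def read_callback(callback_url, expected_state):
    """Step 2: the provider redirects the browser to redirect_uri with ?code=...&state=..."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise ValueError("provider returned error: " + params["error"][0])
    state = params.get("state", [""])[0]
    # Constant-time comparison; a callback with a foreign state is dropped.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch, discarding callback")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]


def complete_login_request(fusionauth_url, application_id, identity_provider_id,
                           code, redirect_uri):
    """Step 3: request asking FusionAuth to finish the login with that code."""
    body = {
        "applicationId": application_id,
        "identityProviderId": identity_provider_id,
        # redirect_uri must be the same value that was sent in step 1
        "data": {"code": code, "redirect_uri": redirect_uri},
    }
    return "POST", fusionauth_url.rstrip("/") + "/api/identity-provider/login", body
```
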
          abehari @joshua

          Hi @joshua, thanks for your reply. We've tried the suggested "Complete an OpenID Connect Login", but the problem is we don't understand where to get the "code" from. And we don't have any redirect URI (callback URL) in our application. Where and when should the "code" be returned and by whom?


          In our application we're doing a REST (JSON based) login via a Java REST client and we like to maintain that. We have no login pages etc. You can log in with Postman. Is that possible with FusionAuth?

          Postman (Request) -> Our application (REST) -> FusionAuth -> Azure AD -> FusionAuth (some token) -> Our application (REST, we generate our own JWT, based on FusionAuth token and additional information) -> Postman (JWT response). Is this possible?

          Regards,
          Aswien

          joshua has marked this topic as solved
            joshua @abehari

            @abehari

            Marking this as "solved" as this was addressed out of band. Let us know if there are any other questions.

            Thanks,
            Josh
