AAA OAuth SP with Azure B2C



Hello,

Has someone configured AAA with OAuth SP against Azure B2C to protect a traffic management load balancing vserver?

I followed this guide: https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/authentication-methods/oauth-authentication/citrix-adc-oauth-sp.html

Configured an OAuth action GENERIC with client ID, client secret, Authorization Endpoint and Token Endpoint.

Added a non-addressable auth vserver, bound the action through a "true" policy to that AAA vserver. On my LB I added authentication and selected the AAA vserver.

After browsing to my LB, I only got the error message "unauthorized". Within the ns.log file I don't see any entries.

What is the correct log file to see why the OAuth isn't working?


Hi Stefan,

I'm experiencing almost exactly the same issue as you did a few months ago. Same config as yours:

- "oauth action GENERIC with client id, client secret, Authorization Endpoint and Token Endpoint"
- "Added an nonaddressed auth vserver. bound the action through a "true" policy to that aaa vserver. On my lb a added authentication and selected the AAA vServer."

Did you find a solution for that? If yes, how did you figure it out?

Thanks in advance for your help.

Have a nice day.

Sam


Hi again Stefan,

Thanks a lot for your reply.

So far, I have only configured the Authorization Endpoint and Token Endpoint in the OAuth action. Those two values are required. As I understand it, the cert endpoint is also needed? This value comes from the Azure B2C configuration, right?

I will take a look at the ns.log file, thanks for the tip.

Thanks a lot for your help. I'm out of the office till next week.

I'll let you know ASAP :-)

Have a nice weekend.

Cheers.

Sam


On 5/13/2021 at 10:42 AM, Stefan Wendrich1709160263 said:

Hi Sam,

yes, the solution was too easy. Take a look into the ns.log. There you can find why it's not working.

Have you configured the cert endpoint? This endpoint is needed for token validation and was the missing point in my configuration.

Hi Stefan,

Hope you're doing OK?

I've reviewed my configuration and let me ask you a few questions, if you have time to answer them:

1) I can't locate the cert endpoint on the Azure B2C side. I have different endpoints (Authorization, Token, ...) but nothing about the cert endpoint you suggest to configure in the NetScaler OAuth Action. Where can I find this endpoint?

2) I can't see any logs in the ns.log file and it's because the error happens before. (The error is "redirect URI mismatch".) My backend application protected by an AAA vServer (OAuth) isn't designed with an OAuth/OpenID authentication mechanism. I just tried to publish a simple application with no authentication mechanism and protect it with this AAA OAuth vServer for testing purposes. I think the application HAS to speak the OAuth + OpenID language, am I right?

3) Do you have any suggestion about a simple application (similar to https://jwt.ms) that can be installed and deployed on premise and configured on Azure B2C for testing purposes? I think once I have such a configuration I will be able to test the configured AAA OAuth vServer and use your tips. Do you agree?

Thanks in advance for your reply.

Cheers

Sam


15 hours ago, Sam Ga said:

1) I can't locate the cert endpoint on the Azure B2C side. I have different endpoints (Authorization, Token, ...) but nothing about the cert endpoint you suggest to configure in the NetScaler OAuth Action. Where can I find this endpoint?

I can't say the location, I searched a lot. But my URL for the cert endpoint is https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/B2C_1_<Userflow>/discovery/v2.0/keys

15 hours ago, Sam Ga said:

2) I can't see any logs in the ns.log file and it's because the error happens before. (The error is "redirect URI mismatch".) My backend application protected by an AAA vServer (OAuth) isn't designed with an OAuth/OpenID authentication mechanism. I just tried to publish a simple application with no authentication mechanism and protect it with this AAA OAuth vServer for testing purposes. I think the application HAS to speak the OAuth + OpenID language, am I right?

What is your redirect URL in Azure B2C? Is it matching your URL? Do you know this article? https://support.citrix.com/article/CTX234873 See the part about the redirect URL.

15 hours ago, Sam Ga said:

3) Do you have any suggestion about a simple application (similar to https://jwt.ms) that can be installed and deployed on premise and configured on Azure B2C for testing purposes? I think once I have such a configuration I will be able to test the configured AAA OAuth vServer and use your tips. Do you agree?

No. I asked a colleague to build a simple Vue.js application for testing. And also, you can use your Citrix Gateway for OAuth authentication.

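The cert endpoint Stefan refers to is the user flow's JWKS URL: it serves the public keys the identity provider signs ID tokens with, and the SP picks the key whose kid matches the token header before it can check anything else about the token. The following is an added example, not code from this thread, from Citrix or from Microsoft: a self-contained Python model of both sides, standing in for B2C with a throw-away RSA key, and for the ADC with a validate_id_token() that refuses the token when there is no JWKS at all (the "no cert endpoint" case), when the signature does not verify, when the kid is unknown to the published key set, or when the token has expired. ISSUER, CLIENT_ID, the kid strings and the key are all constructed placeholders; the real issuer and client ID come from the user flow's OpenID metadata, and the RSA/JWT primitives are written out here only so the example runs offline without third-party libraries.

```python
import base64, hashlib, hmac, json, secrets

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 DigestInfo prefix for SHA-256
# Constructed placeholders: take the real issuer and client id from your B2C user flow's OpenID metadata.
ISSUER, CLIENT_ID = "https://example.b2clogin.com/example.onmicrosoft.com/v2.0/", "demo-client-id"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin; fine for a throw-away demo key, not a production key generator."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    r = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 = d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1) or any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            continue
        return False
    return True

def make_demo_keypair(bits: int = 1024):  # throw-away RSA key standing in for the IdP's key; returns (n, e, d)
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(message: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_pkcs1_v15_encode(message, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(message: bytes, signature: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _pkcs1_v15_encode(message, k))

def jwks_document(n: int, e: int, kid: str) -> dict:
    """What the cert endpoint (.../discovery/v2.0/keys) serves: public keys only, selected by kid."""
    return {"keys": [{"kty": "RSA", "use": "sig", "kid": kid, "e": _b64url(e.to_bytes(3, "big")),
                      "n": _b64url(n.to_bytes((n.bit_length() + 7) // 8, "big"))}]}

def issue_id_token(claims: dict, n: int, d: int, kid: str) -> str:
    """IdP side (we stand in for B2C): RS256-sign base64url(header).base64url(claims)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims))
    return signing_input + "." + _b64url(rsa_sign(signing_input.encode(), n, d))

def validate_id_token(token: str, jwks, issuer: str, audience: str, now: int) -> dict:
    """SP side: the checks the ADC needs the cert endpoint for. Raises ValueError with the reason."""
    if jwks is None:
        raise ValueError("no cert endpoint configured: token signature cannot be validated")
    h64, c64, s64 = token.split(".")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "RS256":  # never let the token choose 'none' or an HMAC alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError(f"no key with kid {header.get('kid')!r} at cert endpoint")
    n, e = (int.from_bytes(_b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rsa_verify(f"{h64}.{c64}".encode(), _b64url_decode(s64), n, e):
        raise ValueError("signature verification failed")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError(f"issuer/audience mismatch: {claims.get('iss')!r} / {claims.get('aud')!r}")
    if now >= int(claims.get("exp", 0)) or now < int(claims.get("nbf", 0)):
        raise ValueError("token expired or not yet valid")
    return claims

def demo(now: int = 1_700_000_000) -> dict:
    """Runs the exchange offline; each value is the SP's verdict, the way a log line would show it."""
    n, e, d = make_demo_keypair()
    jwks = jwks_document(n, e, "demo-kid")
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1", "iat": now - 60, "exp": now + 3600}
    token = issue_id_token(claims, n, d, "demo-kid")
    # Forgery attempt: keep the genuine signature, swap the payload segment for different claims.
    forged = token.replace(token.split(".")[1], _b64url(json.dumps({**claims, "sub": "admin"}).encode()))
    cases = {"no_cert_endpoint": (token, None, now), "forged_claims": (forged, jwks, now),
             "unknown_kid": (token, jwks_document(n, e, "rotated-kid"), now), "expired": (token, jwks, now + 7200)}
    out = {"valid_sub": validate_id_token(token, jwks, ISSUER, CLIENT_ID, now)["sub"]}
    for name, (tok, keys, t) in cases.items():
        try:
            out[name] = "accepted: " + validate_id_token(tok, keys, ISSUER, CLIENT_ID, t)["sub"]
        except ValueError as err:
            out[name] = str(err)
    return out
```

demo() returns a dict of verdicts rather than printing. The point for this thread is the first case: with no JWKS the SP cannot even begin signature validation, which is exactly the state of a GENERIC OAuth action that has an authorization and token endpoint but no cert endpoint. The "unknown_kid" case is the other one worth remembering: B2C rotates signing keys, so the SP must re-fetch the key set when a kid it has not seen arrives, and a stale cached copy fails the same way.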

Hi Stefan,

Yes, the redirect URL is similar to the one described in this documentation. Is yours also similar with your simple Vue.js application? You have something like "https://<your-application-domain>/oauth/login"?

OK, I will move forward by first trying to publish a simple application which works with OAuth/OpenID mechanisms. Then I'll configure it on Azure B2C and on NetScaler.

I'll let you know :-)

Thanks a lot for your help.

Wish you a very nice day.

Cheers.

Sam

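On the "redirect URI mismatch" error in the exchange above: OAuth 2.0 requires the identity provider to compare the redirect_uri parameter of the authorization request with the URIs registered on the app registration as an exact string match, so an extra trailing slash, http instead of https, an explicit :443, or a host written in different case is enough to fail before any token is issued, which is why nothing shows up on the ADC side. This is an added example, not code from the thread or from Citrix: a small Python helper that builds a minimal authorization-code request (standard OIDC parameters, not the ADC's exact request) and explains why a sent redirect_uri does not match. It assumes the callback convention https://<AAA-vserver-FQDN>/oauth/login from CTX234873 as quoted in the thread; the authorize endpoint, client ID and hostnames used in explain_mismatch_examples() are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit

def sp_redirect_uri(aaa_fqdn: str) -> str:
    """Callback the ADC OAuth SP answers on, per CTX234873 as quoted in the thread (assumed here)."""
    return f"https://{aaa_fqdn}/oauth/login"

def authorization_request(authorize_endpoint: str, client_id: str, redirect_uri: str, state: str = None):
    """Minimal OIDC authorization-code request; the redirect_uri is sent exactly as registered."""
    state = state or secrets.token_urlsafe(16)  # tie it to the session and check it on the callback (CSRF)
    query = urlencode({"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
                       "scope": "openid", "state": state})
    return f"{authorize_endpoint}?{query}", state

def redirect_uri_check(sent: str, registered: list) -> str:
    """The IdP's rule is an exact string match against the registered list; this explains a failure."""
    if sent in registered:
        return "ok"
    s, hints = urlsplit(sent), []
    for r in registered:
        t = urlsplit(r)
        if s.hostname != t.hostname:  # urlsplit lowercases hostname; a different host is another app's entry
            continue
        if s.scheme != t.scheme:
            hints.append(f"scheme {s.scheme} vs registered {t.scheme}")
        if s.netloc != t.netloc:
            hints.append(f"host/port written as {s.netloc} vs registered {t.netloc}")
        if s.path != t.path:
            if s.path.rstrip("/") == t.path.rstrip("/"):
                hints.append("trailing slash differs")
            elif s.path.lower() == t.path.lower():
                hints.append("path case differs")
            else:
                hints.append(f"path {s.path} vs registered {t.path}")
        if s.query or s.fragment:
            hints.append("sent URI carries a query string or fragment")
    if not hints:
        hints.append(f"no registered URI for host {s.hostname}")
    return "redirect URI mismatch: " + "; ".join(hints)

def explain_mismatch_examples() -> dict:
    """Constructed placeholders: one correct registration and the usual ways it goes wrong."""
    sent = sp_redirect_uri("app.example.com")
    return {
        "exact": redirect_uri_check(sent, ["https://app.example.com/oauth/login"]),
        "slash": redirect_uri_check(sent, ["https://app.example.com/oauth/login/"]),
        "http": redirect_uri_check(sent, ["http://app.example.com/oauth/login"]),
        "port": redirect_uri_check("https://app.example.com:443/oauth/login", ["https://app.example.com/oauth/login"]),
        "other_app": redirect_uri_check(sent, ["https://other.example.com/oauth/login"]),
    }
```

When the ADC's request reaches B2C, the redirect_uri it carries is the one that has to appear, character for character, in the app registration; comparing the value in the failing request's query string against the registered list with redirect_uri_check() is quicker than guessing.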