Azure GLAB/Pre-ship environments - change in authentication process
Background
- Due to recent security changes in the Azure tenant, anyone accessing the OSDU environments must have a personal access token to test the services and workflows.
Prerequisites
- Anyone who wants to access the environment (Azure GLAB / Azure Pre-ship) should be invited to the Azure tenant. After accepting the invitation, they must complete the onboarding process, which includes setting up the authenticator application/MFA.
- The person should have the tenant_id, client_id and client_secret handy, corresponding to the environment for which they are generating the access token.
How to request access
- Approach the Azure team in Slack or comment on this issue.
Procedure to create a Personal Access Token ( access_token )
- Have the tenant_id, client_id and client_secret of the specific environment (Azure GLAB / Azure Pre-ship) for which the access token is being generated handy.
- If access is required for both the GLAB and Pre-ship environments, follow this process separately with the two different sets of corresponding client_id and client_secret.
- Step 1.1: Prepare the URL below, replacing the parameters <tenant_id> and <client_id> with the actual values of the targeted environment.
https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize?client_id=<client_id>&response_type=code&redirect_uri=http://localhost:8080&response_mode=query&scope=<client_id>%2f.default&state=12345&sso_reload=true
- Step 1.2: After you have replaced the parameters, paste the request into the URL bar of any browser (incognito window/private tab) and press Enter.
- Step 1.3: Sign in to the Azure portal with your organisation email ID and its corresponding password.
- Step 2.1: The browser now authenticates the user. You might see the "Hmmm...can't reach this page" error message in the browser; you can ignore it. Upon successful authentication the browser redirects to http://localhost:8080/?code={authorization code}&state=...
- Step 2.2: Copy the URL from the browser's address bar and take the text between code= and &state. This is the authorization code, e.g. http://localhost:8080/?code=0.BRoAv4j5cvGGr0...au78f&state=12345&session.... Save the code as a Postman environment variable named code; it is used in the next step.
- Step 2.3: Replace <tenant_id>, <code> (the code from step 2.2), <client_id> and <client_secret> in the following curl request, then send the request using the Postman tool.
- In Postman, click on New request.
- Paste the following curl request into the URL section of the new request.
curl --location --request POST 'https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type="authorization_code" \
--data redirect_uri=http://localhost:8080 \
--data client_id="<client_id>" \
--data client_secret="<client_secret>" \
--data scope="<client_id>/.default openid profile offline_access" \
--data code={{code}}
- Sample response:
{
"token_type": "Bearer",
"scope": ".....",
"expires_in": 4557,
"access_token": "eyJ0eXAiOiJKV1QiLCJub25jZSI6IkJuUXdJd0ZFc...",
"refresh_token": "0.ARoAv4j5cvGGr0GRqy180BHbR8lB8cvIWGtHpawGN..."
}
- Step 2.4: Save access_token and refresh_token in your local Postman environment.
- Step 3.1: Test a couple of OSDU services with this access_token to make sure you can access the OSDU environment with the newly generated token.
Common issues one can face during this process
- Not replacing the placeholders (<tenant_id>, <code>, <client_id> and <client_secret>) with the correct values in the URL/curl request. Resolution: double-check the URL and the curl request and make sure the correct values are substituted for the placeholders.
- The <code> generated in step 2.2 expires after 1 hour. Follow the process again from Step 1.1 if the <code> expires.
- It is recommended to use the Postman tool for step 2.3 rather than Git Bash, Windows cmd, etc.
- It is expected to see the error "Hmmm...can't reach this page" / "Can't find the URL" in the browser in step 2.1.
How do I find my OID and add it to an entitlements group?
- Step 1: The OID uniquely identifies a person in the Azure environment. If anyone gets status: 403, their OID needs to be added to the desired entitlements group.
- Step 2.1: Create a personal access token.
- Step 2.2: Navigate to https://jwt.io/ and paste the token into the Encoded section.
- Step 2.3: In the right pane, Payload section, you can find the corresponding OID.
- Step 2.4: Use a curl request similar to the one shown below to add the OID to the entitlements group.
curl --location 'https://osdu-ship.msft-osdu-test.org/api/entitlements/v2/groups/data.default.viewers@opendes.contoso.com/members' \
--header 'Content-Type: application/json' \
--header 'data-partition-id: opendes' \
--header 'Authorization: Bearer eyJPYPA' \
--data '{
"email" : "e018ea05-0d3b-43b2-9562-01f2abe3099f",
"role" : "MEMBER"
}
'
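As an added example (not part of this issue or of the OSDU project's code), the following Python helpers carry out the parts of the two procedures above that can run offline: building the Step 1.1 authorize URL, extracting the code from the Step 2.2 redirect while checking that the state parameter matches the one sent, assembling the Step 2.3 token request body, and reading the oid claim from a token as done on jwt.io in the OID section. The tenant, client and OID values are placeholders, the sample token is constructed and unsigned, and the token POST itself is not sent.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"
REDIRECT_URI = "http://localhost:8080"  # must match the reply URL registered for the app

def build_authorize_url(tenant_id, client_id, state="12345"):
    """Step 1.1: the authorize URL; urlencode escapes the '/' in the scope as %2F."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": f"{client_id}/.default",
        "state": state,
        "sso_reload": "true",
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"

def extract_code(redirect_url, expected_state):
    """Step 2.2: take the code from the redirect URL; reject a state we did not send."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this request")
    return qs["code"][0]

def token_request(tenant_id, client_id, client_secret, code):
    """Step 2.3: token endpoint and form body, the same fields as the curl request."""
    body = {
        "grant_type": "authorization_code",
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{client_id}/.default openid profile offline_access",
        "code": code,
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", body

def oid_from_token(access_token):
    """OID steps 2.2-2.3: read the oid claim from the JWT payload (no signature check, like jwt.io)."""
    payload = access_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))["oid"]

def constructed_token(claims):
    """Constructed, unsigned sample token for offline use; not a real Azure-issued token."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

The state check is what ties the redirect back to the request you started in Step 1.1; a redirect carrying a different state should be discarded rather than exchanged for a token.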
Edited by saketh somaraju [EPAM]