
Documentation on how to call with a bearer token when deployed to AppServices #35

Open
RonnyA opened this issue Sep 25, 2020 · 2 comments
Labels
documentation Improvements or additions to documentation

Comments


RonnyA commented Sep 25, 2020

As I am new to SCIM I am having trouble finding out how to call the SCIM endpoints when I deploy them to Azure App Service.

I would like to test the 3 different Authorization Methods described here https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#authorization-for-provisioning-connectors-in-the-application-gallery

But I am unsure how to proceed to make this work

@marcusca10 marcusca10 added the documentation Improvements or additions to documentation label Jan 19, 2022

cadi3s commented Jan 20, 2022

I noticed that the documentation page was updated 01/06/2022. But the sections about tokens remain unchanged.
Please do not close this issue before addressing this!

To summarize:


apcsb commented Apr 21, 2023

Here's how to set up Postman for AAD-based bearer token. Please consider including in the Wiki
Essentially, the app is very basic and it only checks two things: token issuer and audience. This is described in the docs.

TLDR:

When requesting a token for your client, make sure you are using the OAuth 2 v2 endpoint
https://login.microsoftonline.com/{{TenantID}}/oauth2/v2.0/token
and just put this in the Scope field
8adf8e6e-67b2-4cf2-a259-e3dc5476c621/.default
Done!

Background

Just as described in the docs, this app does not do any additional validation or auth checks and only looks for Issuer and Audience. Out of box:

  • Your issuer must be your AAD Tenant: https://sts.windows.net/{{TenantID}}/
  • Your audience must always be: 8adf8e6e-67b2-4cf2-a259-e3dc5476c621 - this is a hardcoded number for custom gallery apps

Of course you can edit the code of the sample app for more sophisticated validation, but that's what you get out of box.
Thus, any token containing these values in the iss and aud fields will work.

You can use https://jwt.ms/ to test the tokens you are getting for the correct values.

Step by step:

  1. If you don't already have an app registration that represents Postman in your AAD, create one. If you already have it, you just get the IDs/Secret - you most likely know the drill.

Go to App Registrations, create a new one, record the "Application (client) ID" from the Overview page
While there, also copy the Tenant ID from the same page.
Then go to Certificates & secrets -> Client Secrets and create a new one. Choose any name and duration. Once created, copy the Value (not ID) somewhere. You will never see it again, so make sure to copy it!

  2. Now in Postman create Environment variables for ClientID, ClientSecret, TenantID and token. You may also hardcode them, but this is a bad practice. Variables are case-sensitive, be aware. Populate all the *ID variables with the corresponding values from step 1; we will deal with token later.

https://learning.postman.com/docs/sending-requests/managing-environments/#editing-environment-variables

  3. Select the Collection-level Folder in Postman (SCIM Tests) and choose the Authorization tab (if you have your own custom collection, you probably know what you are doing anyway). Use the following values:

Type: OAuth 2
Add Auth Data To: Request Headers

== Configure New Token
Token Name: <choose one you like, we won't need it>
Grant Type: Client credentials
Access Token URL: https://login.microsoftonline.com/{{TenantID}}/oauth2/v2.0/token
^^ Note the /v2.0/ - it will be different if you use the 1.0 endpoint
Client ID: {{ClientID}}
Client Secret: {{ClientSecret}}
^^ Note that variable names are case-sensitive.
Scope: 8adf8e6e-67b2-4cf2-a259-e3dc5476c621/.default
^^ This is where the magic happens!
Client Authentication: Send as Basic Auth Header

  4. Don't touch anything else, just scroll down and click the "Get new access token" button
    You should have successful auth, followed by a window with the token value.
    Copy out that value and assign it to a variable called token in your Postman Environment (note that it must be all lowercase - it is case-sensitive)

  5. This is it! You don't need to do anything else, as the requests are hard-coded to read the token from the {{token}} variable
    I initially did the whole job of authorizing the Postman client to access the app, but realized that the app does not really do any checks, so ANYONE is able to access this demo app (again, your production app should probably do proper auth checks).

Conclusion

I still stand by the fact that it would be nice if the app implemented a login page / proper AAD integration for a more friendly way of displaying user info. I work in presales (not a dev) and all I need is a sample app to show customers why SCIM is cool and they should demand it from the developers. This sample in its current state would probably be a show-stopper for way too many presales folks: one must know VS / VS Code, GitHub, upgrade the app from unsupported .NET Core 3.1 to at least .NET 6, know Azure App Services, understand tokens, Postman etc., AND be able to write a customer-pleasing front-end to this thing...
Now I see why SCIM is spreading so slowly.. :)
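The procedure in the comment above, as an added example that is not part of the original thread or of the SCIM sample project: the first function builds the same v2.0 client-credentials request Postman sends (v2.0 token endpoint, `scope` of `<audience>/.default`), and `check_iss_aud` reproduces the two claim checks the comment says the sample app performs, so you can inspect a token offline the way jwt.ms would. The tenant ID, client ID and secret are placeholders, and `make_demo_token` builds a constructed, unsigned token purely for the demonstration. Note that checking `iss` and `aud` alone is not authentication: a production endpoint must also verify the token signature against the tenant's signing keys and the `exp` claim; that is deliberately out of scope here.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholder tenant used only for the constructed demo token (assumption).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
# Audience the comment says custom gallery apps must carry in the aud claim.
EXPECTED_AUD = "8adf8e6e-67b2-4cf2-a259-e3dc5476c621"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the v2.0 client-credentials request.

    Mirrors the Postman settings: /oauth2/v2.0/token plus a scope of
    '<audience>/.default'. The secret goes in the form body here instead
    of a Basic-auth header; the endpoint accepts both."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{EXPECTED_AUD}/.default",
    })
    return url, body


def request_token(tenant_id, client_id, client_secret):
    """Send the request (needs network) and return the access_token."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the payload claims of a JWT WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_iss_aud(token, tenant_id):
    """The two checks the comment attributes to the sample app.

    Returns a list of problems; an empty list means iss and aud match."""
    claims = decode_claims(token)
    problems = []
    expected_iss = f"https://sts.windows.net/{tenant_id}/"
    if claims.get("iss") != expected_iss:
        problems.append(f"iss is {claims.get('iss')!r}, expected {expected_iss!r}")
    aud = claims.get("aud")
    # aud may be a string or a list of audiences per RFC 7519.
    if aud != EXPECTED_AUD and not (isinstance(aud, list) and EXPECTED_AUD in aud):
        problems.append(f"aud is {aud!r}, expected {EXPECTED_AUD!r}")
    return problems


def make_demo_token(claims):
    """Constructed, unsigned JWT for offline testing only (alg 'none')."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    url, body = build_token_request(TENANT_ID, "client-id", "client-secret")
    print("POST", url)
    print(body)
    good = make_demo_token({"iss": f"https://sts.windows.net/{TENANT_ID}/",
                            "aud": EXPECTED_AUD})
    print("good token:", check_iss_aud(good, TENANT_ID))
    # What a token from the v2.0 issuer with the wrong resource looks like.
    bad = make_demo_token({"iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
                           "aud": "api://some-other-app"})
    print("bad token:", check_iss_aud(bad, TENANT_ID))
```

Paste the token Postman hands you into `check_iss_aud` to see which of the two claims is off; a v2.0-style `iss` (`login.microsoftonline.com/.../v2.0`) or a different `aud` are the two mismatches the comment's setup is designed to avoid.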
