I am trying to upload a message to a Google Group using this http call:
https://www.googleapis.com/upload/groups/v1/groups/mygroupname#domain.com/archive?ploadType=media&access_token=XYZ...
(Of course substituting the correct email address for the group, and the actual token). This produces the http error 401 (Authorization failed). The target account is Google Workspace. I am using a service account that has the Google Groups API enabled. I have added this scope to the service account and authorized it for my domain:
https://www.googleapis.com/auth/apps.groups.migration
As a test to make sure I have that scope authorized, I take the token that was generated and run it through this API:
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=XYZ...
The json returned does have the apps.groups.migration scope (along with others for mail, calendar, etc.). I have no trouble accessing those other data types.
Any idea what I could be missing here?
Related
I'm writing a daemon app for my customers (multiple tenants) who are using outlook.
I'm using 2 application permissions that need admin consent - Mail.ReadBasic.All and
User.Read.All. my app first needs to read all the users' ids, then get all the metadata of their emails.
I've created a new tenant with office365 to test this, let's call it - test, and sent a couple of emails between 2 users.
So, at first, I'm redirecting the admin of the test org to the adminconsent endpoint, where he/she is granting application permissions to my app. This is the URL I'm using:
https://login.microsoftonline.com/organizations/v2.0/adminconsent?
client_id=<the app ID>
&state=<some state>
&redirect_uri=<my redirect URL as written in the app configuration>
&scope=https://graph.microsoft.com/.default
After calling this endpoint I can see my app listed in the test org under the Enterprise applications and can see the relevant permissions were granted by an admin.
Since I'm not getting a code from this flow (needed for the oAuth2 authentication flow), I then need to ask the admin to login again. I'm using this URL for that:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
client_id=<same app ID>
&response_type=code
&redirect_uri=<same redirect URL>
&scope=https://graph.microsoft.com/.default+offline_access+openid+profile
&state=<some state>
After the login is successful I'm getting a code back to my redirect URL and after another request, I'm getting an access token. Using this access token I'm trying to access any of the following APIs:
https://graph.microsoft.com/v1.0/users
https://graph.microsoft.com/v1.0/users/user-id-of-user-in-test-org/messages
But I'm getting ErrorAccessDenied with a message: Access is denied. Check credentials and try again.
Further information:
I'm using python and the MSAL package to build the app (using the class - ConfidentialClientApplication) and the URLs for the authentication flow (but not for the adminconsent endpoint, as I couldn't find out how to do it)
Do you know what I'm doing wrong? I'm losing my mind over this... :(
This page should describe everything you need:
https://learn.microsoft.com/graph/auth-v2-service
The admin consent URL should be specific to the customer's tenant. You can use the word common if you want to allow signing into any tenant.
https://login.microsoftonline.com/{tenant}/adminconsent
You also must URL encode the redirect_uri param (and all other params). For some reason the example in that document is not URL encoded, but the value here must be URL encoded. You should see no colons, slashes, ampersands, etc. for this parameter.
For a different example that requests specific scopes for admin consent (instead of the default which is all the scopes you listed during your AAD client app registration) see https://learn.microsoft.com/azure/active-directory/develop/v2-admin-consent.
You will receive a callback to the redirect URI to indicate everything worked. This includes the tenant ID that granted you admin consent.
After that you initiate a separate token request call for the tenant ID, your application client ID and a specific requested scope. This will then return an appropriately scoped access token which you can use directly in all API calls. You can do this like so: https://learn.microsoft.com/azure/active-directory/develop/scenario-daemon-acquire-token?tabs=python#acquiretokenforclient-api
# The pattern to acquire a token looks like this.
result = None
# First, the code looks up a token from the cache.
# Because we're looking for a token for the current app, not for a user,
# use None for the account parameter.
result = app.acquire_token_silent(config["scope"], account=None)
if not result:
logging.info("No suitable token exists in cache. Let's get a new one from AAD.")
result = app.acquire_token_for_client(scopes=config["scope"])
if "access_token" in result:
# Call a protected API with the access token below.
print(result["token_type"])
else:
print(result.get("error"))
print(result.get("error_description"))
print(result.get("correlation_id")) # You might need this when reporting a bug.
Hope that helps. The article above has all the details.
I have simple jQuery page that makes calls to azure restful API to get the status of VMs.
I'm facing a problem that it's complaining about Cross-Origin Resource Sharing and I can't find where to set that for the Web app/API I have.
I'm using client credentials grant to get the token
https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow
I have finished my testing and when I tried to do the calls from jQuery/JS I got the CORS problem.
My setup involved:
From Azure portal, I used App registrations to register an app of type "Web app/API", give it a homepage address "this is where it lives", created a key.
Using
POST https://login.microsoftonline.com/<tenant id>/oauth2/token
grant_type=client_credentials
client_id=application id
client_secret=application key
resource=https://management.core.windows.net/
Am I missing any missing anything? my search keeps leading me to Azure hosted apps
Okay, here is how to do it in short:
Add Function App (charge per request)
Open the Newly created function app
In Proxies, select that from the right list
Give it a name, route template will be your new endpoint URL, backend URL is your login endpoint eg: https://login.microsoftonline.com//oauth2/token
After that, back to your function app, select the platform feature tab, Select CORS, delete all of them and enter your application URL or simply a *
You can be more specific with these, but this is enough to get the token. And all the other endpoint didn't have CORS problem.
Good luck.
You cannot use a client secret from front-end Javascript.
Your client secret will be public, it's basically your app's password.
Client credentials grant is for back-end applications.
You need to use e.g. the implicit grant flow with ADAL.JS/MSAL.JS to acquire tokens.
Your front-end app also should be registered as Native since it is a public client.
Here is a sample app: https://github.com/Azure-Samples/active-directory-javascript-singlepageapp-dotnet-webapi
Oh, and the CORS error comes from Azure AD's token endpoint.
You cannot do anything about it.
I am playing around with IBM Cloud Functions (OpenWhisk) and trying to setup authentication through OAuth with Facebook as the provider. I have setup an app with Facebook, I am able to successfully connect with this and fetch my token and I am able to verify this by fetching basic profile information (name and userID).
My problems starts when I enable OAuth in the IBM Cloud Functions API. I get a HTTP code 500 back from the call with very little information about what actually went wrong.
{"code":500, "message":"Oops. Something went wrong. Check your URI and try again."}
The only thing that is stated in the dashboard is:
You can control access to your API through the OAuth 2.0 standard. First require an end user to log in via IBM Cloud App ID, Facebook, GitHub, or Google. Then include the corresponding OAuth token in the Authorization header of each API request. The authenticity of the token will be validated with the specified token provider. If the token is invalid, the request will be rejected and response code 401 will be returned.
With this information I got that I need pass the token with the Authorization header. My best guess is that the call fails somewhere when the token is being validated.
I am using Vue and Vue-axios to perform the API call. My current call looks like this:
this.$http.get(API_URL+"?user_id="+localStorage.user_id,{headers :{'authorization':localStorage.token}}).then((response) => {
console.log(response);
});
I have tried adding bearer/Bearer or token/Token in front of the token (some posts I read indicated that you should do this), but this had no impact on the response.
If I disable the OAuth authentication from the Cloud Functions side, the code above works and correctly retrieves the data (with or without the header option).
From the Chrome Dev tools it looks to me like the token is added correctly to the request, since the request headers have the Authorization header with the token.
I am not that familiar with OAuth or IBM Cloud Functions, so the problem might have a very easy fix. However, I am unable to find documentation which clearly shows me how I am supposed set this up. I am also unable to find any logs or more information about what actually fails here. Am I missing something obvious here?
Kjetil
I'm trying to make a call to the new Office 365 File REST APIs. (As explained here).
I'm using Postman rest client to send the request.
I have registered my application in Azure AD and given it full permissions to 'Office 365 SharePoint Online'.
I can successfully get an authorization token using the clientId generated in Azure AD.
However when I attempt to list files, using the access token I get an error.
------------------
RESOURCE HTTP GET:
------------------
URL: https://<OUR_DOMAIN>-my.sharepoint.com/personal/<user_domain>/_api/Files
HEADER: Authorization: Bearer <access token>
Response:
3001000;reason="There has been an error authenticating the request.";category="invalid_client"
What can cause this issue?
Not sure what steps you've tried to use to resolve this, so it's hard to help you out here. I've just finished writing up more detailed instructions on the steps to register an app to call OneDrive for Business. It's long and complicated right now, but we're working to make things better in the future.
You can check out the details of how to do auth here: https://dev.onedrive.com/auth/aad_oauth.htm
Make sure you aren't asking for too many permissions, since that will require your app to be authenticated by an admin instead of the end user. For most apps, you can just use the "My files" permission scopes which can be accepted by the user of your app directly.
If you post more information about what calls you're making, responses, and app configuration in AAD I might be able to help more.
You may have been using different resources.
Check whether the resource which you have used for getting access token is same as which you are requesting for getting files.
for example :
If the resource which you have mentioned while requesting access token be :: "https://tenant-my.sharepoint.com/"
Then you need to make request on the same resource for accessing files :: "https://tenant-my.sharepoint.com/_api/v2.0/drive/root/children"
The above request give list of root children.
tenant --> domain name which was registered to your organisation.
Follow this documentation for further accessing the api
I have created two facebook test accounts for my test application. Both test accounts have xmpp_login extended permissions. I am using SleekXMPP python library to connect (with second account) to the chat.facebook.com server. At the Resource Request phase (iq type="set" id="somethinghere" bind xmlns="urn:ietf:params:xml:ns:xmpp-bind" iq) I will get JID of the first test account as a final JID as a response from the server, while I am trying to use the second account JID.
Is there some way to tell at iq stanza request phase to the chat server, that I am requesting some specific test account jid for my client (In the developers.facebook.com chat API example the options['uid'] is not used for anything) ? I would like to create few python clients with test accounts to my application which are communicating with actual browser users through chat.
Thanks a lot for help,
-Mika
Are you using the the X-FACEBOOK-PLATFORM authentication method? I.e., using:
self.credentials['api_key'] = '... API_KEY ...'
self.credentials['access_token'] = '... TOKEN ...'
If so, Facebook provides the JID during binding based on the provided access token; there isn't a way to request a different one, and the initial JID provided when connecting is ignored. Are you certain that you're using different tokens for your accounts, and that it is the correct access token being used for your second account?
In the API documentation you mentioned, the options['uid'] is simply referring to the user's JID, in the form the_username#chat.facebook.com.
If you're just using the DIGEST-MD5 authentication option (i.e, not setting the credentials as above) then it's not clear where the issue is. Don't forget that you can join the sleek#conference.jabber.org room for help debugging with Sleek in that case.
-- Lance