I am trying to get the impersonated userguid from the docusign api. Per the documentation I need to call /restapi/v2/accounts/account_id/users?email=email, which is not working for me. I assume the full url would be https://admin.docusign.com/restapi/v2/accounts/account_id/users?email="sampleemail#gmail.com" .
I am getting a 404 when entering my email in the above format.
Looks like you have the incorrect domain. API Calls generally don't get made against admin.docusign.com. You'll want to make that call against the Application Server your account is on.
In the Sandbox environment that will be demo.docusign.net. In prod you'd need to make a UserInfo call to determine which server your account is on. It could be something like www.docusign.net or na2.docusign.net, but there are several possible domains.
In order to get Impersonate GUID ,
Login to admin account
Under setting options Click API and keys
Value under the user id text box is Impersonate GUID
During configuration & setup:
1. You have an account admin enter information such as account, their userId ("API User Name" in web app). Save both items.
2. You follow the "consent flow", get their consent, generate a JWT and
exchange for a token.
3. Use the /user_info call against the account
server to get the list of their accounts. If more than one account
in the array, find the one that matches what they entered in the
configuration. Get and save the associated "base_uri". You will
use that for all subsequent API calls.
Your application now has stored the account ID, the admin's "userId", and the base URI to built API URLs.
During business application operations:
Admin is "Bob". Sender is "Jill"
You need to get an access token for Jill.
1. Create JWT for Bob, exchange for access token, make GET /users?email={Jill's email). This gives you Jill's "userId".
2. Create JWT for Jill, exchange for access token.
3. Make API call as Jill, using her access token.
Related
I have a database with emails and passwords, and a Flutter app that lets those users log into the app by providing their email and password (the old fashioned way).
Now, some of those users are part of an organization that has a separate website where they use Microsoft/Office 365 accounts to sign in. Of course they want to be able to log into my app using their Office 365 accounts as well, instead of having to remember and type a different password in the app than they normally use on their organizations website.
So I've been looking at their website, which uses Microsoft Azure as a the backend. From their current login page I could find the tenantID, clientID, redirectURL and scope. From this I am able to get an authorization code back from the login.microsoftonline.com authorization endpoint. However, as my app is not registered in the organizations Azure account, I don't have a clientSecret so I can't call the token endpoint and get an idToken.
I'm using a WebView to display the login to their organizations website, so I can grab the authorization code from the redirect URL when they are redirected.
So my question is if I can use the authorization code directly to verify that the user has successfully signed in using their Office 365 account? All I need to know is that the user has an account at the organization, and that they could provide a valid email and password to login.
If they are redirected to the redirect URL with an autorization code, it means that they successfully logged in. Then I could consider them logged in to my app as well, based on the email provided to the Office 365 authorization endpoint. Because if they couldn't log in to their Office 365 they wouldn't get an authorization code, right?
No, the authorization code only has meaning to the identity provider, in this case Azure AD. It doesn't prove anything to your app.
What you could do is try response_type=code+id_token in the authorization URL.
If ID tokens have been configured as returnable from the authorization endpoint (this is done in the app registration configuration), you will get back a signed id token that you can verify.
I'm writing a daemon app for my customers (multiple tenants) who are using outlook.
I'm using 2 application permissions that need admin consent - Mail.ReadBasic.All and
User.Read.All. my app first needs to read all the users' ids, then get all the metadata of their emails.
I've created a new tenant with office365 to test this, let's call it - test, and sent a couple of emails between 2 users.
So, at first, I'm redirecting the admin of the test org to the adminconsent endpoint, where he/she is granting application permissions to my app. This is the URL I'm using:
https://login.microsoftonline.com/organizations/v2.0/adminconsent?
client_id=<the app ID>
&state=<some state>
&redirect_uri=<my redirect URL as written in the app configuration>
&scope=https://graph.microsoft.com/.default
After calling this endpoint I can see my app listed in the test org under the Enterprise applications and can see the relevant permissions were granted by an admin.
Since I'm not getting a code from this flow (needed for the oAuth2 authentication flow), I then need to ask the admin to login again. I'm using this URL for that:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
client_id=<same app ID>
&response_type=code
&redirect_uri=<same redirect URL>
&scope=https://graph.microsoft.com/.default+offline_access+openid+profile
&state=<some state>
After the login is successful I'm getting a code back to my redirect URL and after another request, I'm getting an access token. Using this access token I'm trying to access any of the following APIs:
https://graph.microsoft.com/v1.0/users
https://graph.microsoft.com/v1.0/users/user-id-of-user-in-test-org/messages
But I'm getting ErrorAccessDenied with a message: Access is denied. Check credentials and try again.
Further information:
I'm using python and the MSAL package to build the app (using the class - ConfidentialClientApplication) and the URLs for the authentication flow (but not for the adminconsent endpoint, as I couldn't find out how to do it)
Do you know what I'm doing wrong? I'm losing my mind over this... :(
This page should describe everything you need:
https://learn.microsoft.com/graph/auth-v2-service
The admin consent URL should be specific to the customer's tenant. You can use the word common if you want to allow signing into any tenant.
https://login.microsoftonline.com/{tenant}/adminconsent
You also must URL encode the redirect_uri param (and all other params). For some reason the example in that document is not URL encoded, but the value here must be URL encoded. You should see no colons, slashes, ampersands, etc. for this parameter.
For a different example that requests specific scopes for admin consent (instead of the default which is all the scopes you listed during your AAD client app registration) see https://learn.microsoft.com/azure/active-directory/develop/v2-admin-consent.
You will receive a callback to the redirect URI to indicate everything worked. This includes the tenant ID that granted you admin consent.
After that you initiate a separate token request call for the tenant ID, your application client ID and a specific requested scope. This will then return an appropriately scoped access token which you can use directly in all API calls. You can do this like so: https://learn.microsoft.com/azure/active-directory/develop/scenario-daemon-acquire-token?tabs=python#acquiretokenforclient-api
# The pattern to acquire a token looks like this.
result = None
# First, the code looks up a token from the cache.
# Because we're looking for a token for the current app, not for a user,
# use None for the account parameter.
result = app.acquire_token_silent(config["scope"], account=None)
if not result:
logging.info("No suitable token exists in cache. Let's get a new one from AAD.")
result = app.acquire_token_for_client(scopes=config["scope"])
if "access_token" in result:
# Call a protected API with the access token below.
print(result["token_type"])
else:
print(result.get("error"))
print(result.get("error_description"))
print(result.get("correlation_id")) # You might need this when reporting a bug.
Hope that helps. The article above has all the details.
I have an app where the user logs into Facebook (and thus has an Auth Token) and then sends that token to my server for authentication within the app.
If it's the users first time in the app, I need to sign them up as well (gather email and name)
Using the users FB auth token (and any server-side tokens) how do I retrieve the user's email address and name? (What endpoints do I need to hit with what tokens/body?)
--
Additional Info:
The login is scoped with ['public_profile', 'email']
The application is running in Node.js on AWS Lambda, and I'd prefer to make a simple fetch if possible instead of installing a whole gql client.
I have tried looking at their graphQL documentation, but I can't
seem to make heads or tails out of it.
I do have access to the user's ID (example: 10157426730xxxxxx)
This would be the API call to get the name and email of a user, with a User Token:
https://graph.facebook.com/me?fields=name,email&access_token=xxxx
Alternatively, you can add the version:
https://graph.facebook.com/v4.0/me?fields=name,email&access_token=xxxx
All the existing fields for users are here to find: https://developers.facebook.com/docs/graph-api/reference/user/
You do not need the User ID, the User Token identifies the User anyway and you can just use "me" instead of the ID. The Graph API is a REST API though, not GraphQL.
I'm using Keycloak for Identity Brokering through Google, Microsoft, etc. But Keycloak only allows one email per user. So the user can be authenticated only through one of the social login options (Google if gmail is added as user's email address, etc.). Is there any way to include more than one email per user, or any other workaround?
EDIT: (Editing based on comments to make scenario more clear)
In my scenario, I'm using a federated user store which contains a large number of users and and I need Keycloak to access all the emails linked to a user when that user is logging in using Google,Azure,etc. because Keycloak is using the email as the unique identifier for the authentication response from the social login provider. Without having the required email as the main email, Keycloak won't allow that user to log in through social IdP
Although, Keycloak emphasises on keeping a unique email,but there are certain scenarios where you may want to keep , say, secondary email.
This can be achieved in a couple of steps:
1. Add a custom attribute for secondary email in user like this:
2. Next , in your client create attribute mapper like this:
When I generated the token after above configuration, the new attribute was avialble in token. You can use this attribute in your app as you desire.
Parsed JWT:
I figured out the best way to deal with this is through the custom user provider (federated user store). Even though we can't add multiple emails per user through the Keycloak admin console, we can write the user provider in such a way that it can get all the emails linked to a user from our database and assign them to the email attribute of each user. Once this is done, all the emails will appear on the admin console as well.
For the social login to recognize those emails, we have to get all the emails linked to a user in the provider to an array and iterate through it until the authentication is complete. This would help to create the social login link to the user through First Login Broker authentication flow.
This is a crude way to approach this, but nevertheless it works!
I am using app login access token retrieved through following API -
https://graph.facebook.com/oauth/access_token?client_id=&client_secret=&grant_type=client_credentials
Can I retrieve email address (primary email not the facebook email) of any user if it is public using Graph API?
Thanks
Lakhan
Two ways to get users primary email:
For the authenticating user (ie the one who has granted your application access to their profile) and only when you explicitly request that permission.
If the email is explicitly made public by some arbitrary user not authenticating with your app, then that will be available to you also. Any publically visable info you can see via facebook.com is equally accessible via the API.
For getting the authenticating users email, when you first request the oAuth dialog you need to pass a scope with the email permission (as well as whatever other permissions you require). See more about permissions here and more about using scope here .
When the email is available it can be found in the User payload, see more about the API request and payload here.
Check the doc here : http://developers.facebook.com/docs/reference/api/user/
With the email argument, you will be able to get the email.