I try to retrieve the membership details of a GitHub user using the GitHub API and the endpoint /user/memberships/orgs.
I'm member of multiple organizations but all I get as a response is:
200 OK
[]
So there's no membership information shown for my user. I have an access token with scope user. Did I miss something? I also can't find any information regarding this in the official API documentation: https://developer.github.com/v3/orgs/members/#list-your-organization-memberships
If you want to get information about an organization membership the OAuth app has to be trusted by each company the user has a membership. If it's not a trusted OAuth app you don't get any information about a membership of the user for this organization.
See: https://help.github.com/articles/authorizing-oauth-apps/#oauth-apps-and-organizations
Related
We want to use Microsoft Graph for retrieving Business to Consumer (B2C) tenant users details in our code.
GET https://graph.microsoft.com/v1.0/users
It is giving only normal tenant users.
But we want to get all users signed up using sign up and sign in flows along with their usernames.
There is no proper documentation regarding this. Can someone with domain knowledge help us how to achieve this?
If not possible, CLI/powershell also satisfies our requirements.
Please help 🙏
I believe you're running into the limitation described in the note here - https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-operations#how-to-programmatically-manage-microsoft-graph
Delegated permissions for users signing in through user flows or custom policies cannot be used against delegated permissions for Microsoft Graph API.
Notice how you can't grant a delegated permission (for instance User.Read) to a B2C App Registration the way you can to a "normal" Azure AD App Registration. But - you can grant an application permission (like User.Read.All) to your application.
This means you'll have to submit the Graph API request using an auth token granted to your application, not to the user.
I have an Azure client application that uses Microsoft graph APIs.
I am using the workflow described at https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow to have admin authorize my azure client application for his tenant.
This flow ends up giving my client application an access token which my client can use to access various resources in the tenant.
Now, my client application needs to find out is 'who' provided the concent. The access token I get does not have this information (unlike in case of other authorization flows).
A tenant may have multiple admins and my application needs to know who among those admins authorized my client application.
What is the best way to find this out?
Thanks,
~ Urjit
my client application needs to find out is 'who' provided the concent.
You want to find the admin that authorize your client app, as I know, there is no way to find out this information about the admin. Because when you consenting permission for your app, you need the admin to do this for your account. After admin consent, there will be no record for this, no matter in token or portal.
I am working to build an application which would be able to create custom audiences for many of our clients for facebook ads. I came to know that the most suitable access token for this purpose is system user token (correct me if I am wrong). To get regular user access tokens, we can make a user go through the traditional oAuth flow, I am looking for something similar to get system user access token. How can I get it for any of my clients? Thanks
You must create your system users in the Business Manager of your company:
https://business.facebook.com/settings/system-users?business_id=<YOUR_BUSINESS_ID>
Once you create a system user, you can generate a token for him associated with a given app.
Meanwhile, on your business settings (as stated in the docs) you can request access to an ad_account.
Request Access to an Ad Account: If you request access to an ad
account in Business Manager, the admin of that Business Manager can
grant you permission to work on it.
Once your client gives your Business permission to work with one or more of their ad_accounts, those ad_accounts will appear in your Business Manager. (menu on the left).
At that point, when checking the profile of your system users, you can click on assign assets to give the system user access to pages and ad_accounts.
The token you generated for the pair [system_user,app_id] does not need to be reissued to reflect the addition of assets to which the system_user has access.
I have a corporate account with OneDrive users. I need to be able to access certain files within those users OneDrive accounts within my organization. For migration and backup purposes.
We do something similar for our Google drive and Box.com accounts where we use JWT authentication to provide a Simulate-User header which makes it so we can access all our users files within our organization if needed. As if we were administrators on a shared drive or something.
Is there a Rest API example of OneDrive JWT service account or something equivalent?
What you need is the client credentials grant flow. This will allow you to obtain an app-only token and make service calls without a user identity. You can read more about it here:
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
The scopes you will need to request are Files.Read.All, and the consent will need to be granted by the tenant admin. You can read more about the permissions required for your scenario here (application permissions is what you are looking for):
https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference#files-permissions
Here is a link to a sample Microsoft Graph project which uses app only tokens(we recommend using Microsoft Graph):
https://github.com/microsoftgraph/nodejs-apponlytoken-rest-sample
Or if you are planning on calling directly into the OneDrive API(not recommended), then you can use the following sample:
https://github.com/rgregg/onedrive-app-delegate-sample
If I add authentication in Azure Mobile Service with Google as the provider, I go and create an app, get the app_id and secret and plug it in. Great, now users can authenticate with google and get a user token. Now they are considered an "authenticated user" wrt the table permissions.
However, I don't want to authorize everyone with a google account access to my API. Is it possible to limit this to a list of known users? Must I check every request for specific user ids?
Perhaps social login is not the best choice here and I should use something else like Azure AD?
We added custom authentication provider to wams and synchronize the social account with "our" user-account that is stored in the database. For protected web api methods a user account needs to be activated first. You have to check manually whether an account is activated/ high privileged or not and return the result or unauthorized status code.
I decided to use Azure Active Directory to solve this problem. This way, I can create users in Azure AD but not have to manage users myself in the back end. With this choice I am still able to chose the only authenticated users permission level without having to check on every rest endpoint that the authentication users is one of the ones I want to grant access to.