I'm cant GET Feeds of a Public Group where I'm the Admin.
The result is "(#200) Permissions error".
If I use an USER Access Token, The GET Work Ok, and obtain the list of feeds.
Please help me !!!!
The v2.12 update currently requires an admin user access token to read the group/feed endpoint among others. This is temporary and in the coming weeks it will return to allowing non-Admin permissions but restricting the amount of user information returned.
source: https://developers.facebook.com/docs/graph-api/changelog/version2.12#gapi-90-groups
GET /group — GET operations on the following fields and edges now require an access token of an Admin of the Group:
[...]
GET /feed*
[...]
In the coming weeks, edges marked with an asterisk (*) will once again allow requests from non-Admin Group members. However, responses will not include User information unless the request is made with an access token of an Admin of the Group.
Related
I'm writing a daemon app for my customers (multiple tenants) who are using outlook.
I'm using 2 application permissions that need admin consent - Mail.ReadBasic.All and
User.Read.All. my app first needs to read all the users' ids, then get all the metadata of their emails.
I've created a new tenant with office365 to test this, let's call it - test, and sent a couple of emails between 2 users.
So, at first, I'm redirecting the admin of the test org to the adminconsent endpoint, where he/she is granting application permissions to my app. This is the URL I'm using:
https://login.microsoftonline.com/organizations/v2.0/adminconsent?
client_id=<the app ID>
&state=<some state>
&redirect_uri=<my redirect URL as written in the app configuration>
&scope=https://graph.microsoft.com/.default
After calling this endpoint I can see my app listed in the test org under the Enterprise applications and can see the relevant permissions were granted by an admin.
Since I'm not getting a code from this flow (needed for the oAuth2 authentication flow), I then need to ask the admin to login again. I'm using this URL for that:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
client_id=<same app ID>
&response_type=code
&redirect_uri=<same redirect URL>
&scope=https://graph.microsoft.com/.default+offline_access+openid+profile
&state=<some state>
After the login is successful I'm getting a code back to my redirect URL and after another request, I'm getting an access token. Using this access token I'm trying to access any of the following APIs:
https://graph.microsoft.com/v1.0/users
https://graph.microsoft.com/v1.0/users/user-id-of-user-in-test-org/messages
But I'm getting ErrorAccessDenied with a message: Access is denied. Check credentials and try again.
Further information:
I'm using python and the MSAL package to build the app (using the class - ConfidentialClientApplication) and the URLs for the authentication flow (but not for the adminconsent endpoint, as I couldn't find out how to do it)
Do you know what I'm doing wrong? I'm losing my mind over this... :(
This page should describe everything you need:
https://learn.microsoft.com/graph/auth-v2-service
The admin consent URL should be specific to the customer's tenant. You can use the word common if you want to allow signing into any tenant.
https://login.microsoftonline.com/{tenant}/adminconsent
You also must URL encode the redirect_uri param (and all other params). For some reason the example in that document is not URL encoded, but the value here must be URL encoded. You should see no colons, slashes, ampersands, etc. for this parameter.
For a different example that requests specific scopes for admin consent (instead of the default which is all the scopes you listed during your AAD client app registration) see https://learn.microsoft.com/azure/active-directory/develop/v2-admin-consent.
You will receive a callback to the redirect URI to indicate everything worked. This includes the tenant ID that granted you admin consent.
After that you initiate a separate token request call for the tenant ID, your application client ID and a specific requested scope. This will then return an appropriately scoped access token which you can use directly in all API calls. You can do this like so: https://learn.microsoft.com/azure/active-directory/develop/scenario-daemon-acquire-token?tabs=python#acquiretokenforclient-api
# The pattern to acquire a token looks like this.
result = None
# First, the code looks up a token from the cache.
# Because we're looking for a token for the current app, not for a user,
# use None for the account parameter.
result = app.acquire_token_silent(config["scope"], account=None)
if not result:
logging.info("No suitable token exists in cache. Let's get a new one from AAD.")
result = app.acquire_token_for_client(scopes=config["scope"])
if "access_token" in result:
# Call a protected API with the access token below.
print(result["token_type"])
else:
print(result.get("error"))
print(result.get("error_description"))
print(result.get("correlation_id")) # You might need this when reporting a bug.
Hope that helps. The article above has all the details.
I am trying to get the impersonated userguid from the docusign api. Per the documentation I need to call /restapi/v2/accounts/account_id/users?email=email, which is not working for me. I assume the full url would be https://admin.docusign.com/restapi/v2/accounts/account_id/users?email="sampleemail#gmail.com" .
I am getting a 404 when entering my email in the above format.
Looks like you have the incorrect domain. API Calls generally don't get made against admin.docusign.com. You'll want to make that call against the Application Server your account is on.
In the Sandbox environment that will be demo.docusign.net. In prod you'd need to make a UserInfo call to determine which server your account is on. It could be something like www.docusign.net or na2.docusign.net, but there are several possible domains.
In order to get Impersonate GUID ,
Login to admin account
Under setting options Click API and keys
Value under the user id text box is Impersonate GUID
During configuration & setup:
1. You have an account admin enter information such as account, their userId ("API User Name" in web app). Save both items.
2. You follow the "consent flow", get their consent, generate a JWT and
exchange for a token.
3. Use the /user_info call against the account
server to get the list of their accounts. If more than one account
in the array, find the one that matches what they entered in the
configuration. Get and save the associated "base_uri". You will
use that for all subsequent API calls.
Your application now has stored the account ID, the admin's "userId", and the base URI to built API URLs.
During business application operations:
Admin is "Bob". Sender is "Jill"
You need to get an access token for Jill.
1. Create JWT for Bob, exchange for access token, make GET /users?email={Jill's email). This gives you Jill's "userId".
2. Create JWT for Jill, exchange for access token.
3. Make API call as Jill, using her access token.
I'm having some problems to configure a keycloak server. I created two roles, two groups (one per role) and two users (one in each group). Now I'm trying to give the authorization to access to a specific path (e.g http://localhost:8080/api/private/premium) only to one of my groups.
I created (under Authorization tab) a resource with the URI that I want to protect, a policy (type group) and a permission. I also use the Evaluate tab to test this configuration and I get the correct result: result DENY for the user in the group NOT associated with the policy, result PERMIT for the user in the other group. So I tried to test the configuration using POSTMAN:
1_ get the access tokens of my two users (http://localhost:7070/auth/realms/REST_realm/protocol/openid-connect/token).
2_ get the protected resource (http://localhost:8080/api/private/premium), first with the unauthorized user, then with the authorized.
The problem is that I get the resource correctly in both cases (I was expecting an error message for the call with the authentication token of the unauthorized user).
Any suggestion?
I try to retrieve the membership details of a GitHub user using the GitHub API and the endpoint /user/memberships/orgs.
I'm member of multiple organizations but all I get as a response is:
200 OK
[]
So there's no membership information shown for my user. I have an access token with scope user. Did I miss something? I also can't find any information regarding this in the official API documentation: https://developer.github.com/v3/orgs/members/#list-your-organization-memberships
If you want to get information about an organization membership the OAuth app has to be trusted by each company the user has a membership. If it's not a trusted OAuth app you don't get any information about a membership of the user for this organization.
See: https://help.github.com/articles/authorizing-oauth-apps/#oauth-apps-and-organizations
I have OAuth2 access tokens for both Users and Facebook Pages but I don't have the type distinction stored in my database. I'd like to be able to fetch basic information about the User/Page using the very same Graph API query - but for users, I'd like to get email field on top of that.
GET v2.5/me?fields=name,email // User token
Success.
GET v2.5/me?fields=name,email // Page token
Error. (#100) Tried accessing nonexisting field (email) on node type (Page)
Since I don't know if the token belongs to User or Page, I can't remove the ,email field from the query easily. Is there any way how to specify "optional" email field, so I don't get the above error?
P.S.: Currently, I do second request in case of ,email cause the error.
No, the API will fail if you request fields which don't exist on the type of object you're requesting - if it didn't [and it didn't until relatively recently], there's a whole class of bugs which introduced by people requesting non existent fields, including via typos
If you don't know what type of object an ID is when you go to access it, there's probably some other issue with how your app retrieves and stores its data - for this example, you should use the metadata (?metadata=true) or Facebook's Debug Tool to clean up which tokens are user tokens and which are page tokens and which page or user they're for - once you know, store that info, and use that in future -
If using the API directly and checking the metadata, check the type in the response when metadata is included, it will be 'user' or 'page' for user or page tokens
Your app really shouldn't have page tokens saved but not know which page they're for because you needed the user access token for a page admin in order to retrieve that token from the API; I'd recommend storing the user token and page token in a structured way when you first save the page token to avoid this confusion in future