I am building an Azure App Service that has both Windows Desktop (not UWP) and iOS clients. I want to use Microsoft Account Authentication to authenticate users.
As a result of a previous question here I can now authenticate users using the OneDrive SDK but have fallen at the next hurdle. The One Drive SDK does not appear to provide access to user details such as their given name and email address.
Please can someone point me in the direction of an example or instructions for authenticating a user from an old school desktop application to allow them to access an Azure App Service using their Microsoft Account (NOT Azure AD) that will also provide the client with access to their email address and which does not use depreciated technology.
After authentication via Easy Auth, we can acquire the user information from the me endpoint(https://{yourSiteName}/.auth/me) by invoking the API like code below:
var result =await client.InvokeApiAsync("/.auth/me");
And to acquire the email, we need the wl.emails scope when we authenticate with the OneDrive SDK. And after that we can get the given-name and emails from me endpoint like:
string email=(string)result[0].SelectToken("$.user_claims[?(#.typ == 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress')]")["val"]
string givenName=(string)result[0].SelectToken("$.user_claims[?(#.typ == 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname')]")["val"]
Related
Can we get credentials for the Google Calendar API on different devices?
We are using the Google Calendar API on the Raspberry Pi with the following steps as a reference.
https://developers.google.com/calendar/quickstart/python
We have generated the credentials by operating in the following steps
We chose TVs and Limited Input devices as the application type and then downloaded the JSON file.
Credentials > Create credentials > OAuth Client ID
https://console.developers.google.com/apis/credentials
Our Raspberry Pi does not have a keyboard and display.
We note the URL displayed in "Please visit this URL to authorize this application" via ssh.
We access the URL from the PC browser and note the authentication code after tying it to the calendar.
To "Enter the authorization code" we enter it.
It works as we expect.
But this is difficult for our customers.
Can we do this authentication using a PC or smartphone?
In that case, how do we move the token.pickle from the PC or smartphone to the Raspberry Pi?
Maybe we are thinking too hard.
If there is an easier way, please tell us about it.
We just want to use the Google Calendar API.
If you don't have a G-Suite account use SSH in order to send the tokens
Once you get the token.pickle you won't need to "visit" the URL to authorize the application. Anyway, a refresh token has its restrictions. A refresh token might stop working for one of these reasons:
The user has revoked your app's access.
The refresh token has not been used for six months.
The user changed passwords and the refresh token contains Gmail scopes.
The user account has exceeded a maximum number of granted (live) refresh tokens.
Use a service account instead (G-Suite account only)
The token.pickle is generated the first time. The quickstart you mentioned makes use of the user credentials. However if you want to use just one token along the devices and see a different calendar in every device I strongly recommend you to use a service account and enable the domain-wide delegation in order to impersonate the user's calendar.
To do so:
Create a service account
Enable the domain-wide delegation
Impersonate the user in order to see the desired calendar (using Python)
Reference
Refresh token expiration
Creating a service account
I have an Azure client application that uses Microsoft graph APIs.
I am using the workflow described at https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow to have admin authorize my azure client application for his tenant.
This flow ends up giving my client application an access token which my client can use to access various resources in the tenant.
Now, my client application needs to find out is 'who' provided the concent. The access token I get does not have this information (unlike in case of other authorization flows).
A tenant may have multiple admins and my application needs to know who among those admins authorized my client application.
What is the best way to find this out?
Thanks,
~ Urjit
my client application needs to find out is 'who' provided the concent.
You want to find the admin that authorize your client app, as I know, there is no way to find out this information about the admin. Because when you consenting permission for your app, you need the admin to do this for your account. After admin consent, there will be no record for this, no matter in token or portal.
Can Google Sign-In be used on an iPhone app in conjunction with Touch ID? If so, how? I cannot find any examples of this being done or talked about online.
Apps can incorporate TouchID as a means to locally authenticate a user.
Basically, the TouchID system can be queried and will let you access items in a keychain or do a simple one-off authentication.
If you stored Google account credentials in a local keychain, you could use TouchID to unlock the local keychain item, and then pass that item to a Google service for Google's authentication.
The keychain item in question (a password) would have to be enter manually at least once by the user (and at that point, it is probably more straightforward to just request an reusable authentication token from Google).
TouchID is entirely a local system, no fingerprint data is ever exposed to third party developers or pushed to a network, so Google couldn't store a fingerprint in their servers and allow direct authentication against their services using TouchID.
Here's the framework reference for Local Authentication:
https://developer.apple.com/library/ios/documentation/LocalAuthentication/Reference/LocalAuthentication_Framework/index.html
The Local Authentication framework is best suited for either confirming a logged in user in an app where the user may be logged in between many sessions (such as for a purchase in a shopping app) or local authentication for local documents (such as for password protected note taking apps).
We are building a Front End Application which uses Azure AD APP to do single sign-on with Office 365.
To get Access Token using OAuth authentication process, we need to pass resource URI which can be
xyz.sharepoint.com -- to integrate with SharePoint site collections
xyz-my.sharepoint.com -- to integrate with OneDrive for business
outlook.office.com -- to integrate with outlook graph.windows.net --
graph.windows.net -- to use graph API for any search.
But to finish the single sign-on process, we need to fetch the user profile information at least email id is required. We were integrating with Onedrive for business in our Front End application.
So to get the user email, I can not get this information if I get the access token using resource xyz-my.sharepoint.com. I have to use xyz.sharepoint.com or graph.windows.net. So for our requirement, we have to fetch access token for 2 resources. It does not seem right, we had to maintain these access tokens along with refresh tokens to make these access tokens active.
Is there any other way to get an access token which can be used for all office 365 services OneDrive, Calendar, Mail, Outlook and Sharepoint?
Regards,
This is exactly the problem the Office 365 Unified API attempts to solve:
https://msdn.microsoft.com/en-us/office/office365/howto/office-365-unified-api-overview
Please take a look at the MSDN page above and let me know if you run into any issues integrating with the Unified API.
I hope this helps!
Shawn Tabrizi
If I add authentication in Azure Mobile Service with Google as the provider, I go and create an app, get the app_id and secret and plug it in. Great, now users can authenticate with google and get a user token. Now they are considered an "authenticated user" wrt the table permissions.
However, I don't want to authorize everyone with a google account access to my API. Is it possible to limit this to a list of known users? Must I check every request for specific user ids?
Perhaps social login is not the best choice here and I should use something else like Azure AD?
We added custom authentication provider to wams and synchronize the social account with "our" user-account that is stored in the database. For protected web api methods a user account needs to be activated first. You have to check manually whether an account is activated/ high privileged or not and return the result or unauthorized status code.
I decided to use Azure Active Directory to solve this problem. This way, I can create users in Azure AD but not have to manage users myself in the back end. With this choice I am still able to chose the only authenticated users permission level without having to check on every rest endpoint that the authentication users is one of the ones I want to grant access to.