OAuth Token permissions not listed in the access token scope - oauth-2.0

I am trying to call Microsoft graph API (ListUsers) with Auth Code grant flow where after authorization I am unable to get the granted permissions in the scope of returned access token thus leading to permission issues.
After some time when I fetch the new access token it has all the permission we granted during authorization and I am successfully able to execute the graph API call. The issue could be seen here in the video: https://drive.google.com/file/d/1jmdAb8vrvqkIiYBLccSIPbdUbhxM9JgC/view?usp=sharing
This issue is happening only when I try to add the following scopes in the request for auth flow.
https://graph.microsoft.com/.default
offline_access
When I don't use offline_access for refresh token, it works completely fine.
Please help me understand the issue and guide me to the resolution.

Related

Microsoft Graph API Logic App Authentication

I am having a difficult time getting a Microsoft Graph API call to work. Specifically, I am having a hard time with the authentication process working. I followed the directions in this article
http://martink.me/articles/using-microsoft-graph-in-logic-apps
However, when I make the api call of https://graph.microsoft.com/v1.0/me/messages/{id}, I get the error:
Current authenticated context is not valid for this request. This occurs when a request is made to an endpoint that requires user sign-in. For example, /me requires a signed-in user. Acquire a token on behalf of a user to make requests to these endpoints. Use the OAuth 2.0 authorization code flow for mobile and native apps and the OAuth 2.0 implicit flow for single-page web apps.
I then added an oAuth token call to get a token. Then I used that token in the Authorization header when making the Microsoft Graph Api call. I still get the same error.
Can anyone provide guidance on how best to make a Graph API call in Logic Apps? Do I only need the authentication discussed in the article? Or do I need to call the Graph API with an Authorization token? Do I need to make an OAuth authorization call before I make the OAuth token call?
This exception is caused by the token acquired using the client credentials flow. In this flow, there is no context for /Me.
This type of grant is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user (no user logged in).
For your problem, you are using client credential flow and you are granting application permissions, so you should request /users.
GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/messages/{id}

Microsoft Graph API outlook task folder : NoPermissionsInAccessToken

I am trying to list the Outlook Task Folders using Microsoft Graph with Postman.
Following is the URL I am using:
https://graph.microsoft.com/beta/me/outlook/taskFolders
After adding the Bearer Token in the request header, I am getting the following response from Graph:
"code": "NoPermissionsInAccessToken",
"message": "The token contains no permissions, or permissions can not be understood.",
I have already enabled the following permissions: Tasks.ReadWrite.
What am I missing here?
I can reproduce your issue while using client credentials flow to get access token. I decode the access token and do not see the permission I assigned. As the article said:
The permission is delegated from the user to the application, usually during the consent process. However, in the client credentials flow, permissions are granted directly to the application itself. When the app presents a token to a resource, the resource enforces that the app itself has authorization to perform an action and not the user.
So, I suggest that you could use OAuth 2.0 authorization code flow to get the access token. And add your Tasks.Read permission in scope.
https://login.microsoftonline.com/xxxxx/oauth2/v2.0/authorize?
client_id=xxxxx
&response_type=code
&redirect_uri=https://localhost:123
&response_mode=query
&scope=https://graph.microsoft.com/Tasks.Read
For more details to get access token with auth code flow you could refer to this article.

Error Access Denied on mailboxSettings for users

I'm trying to hit https://graph.microsoft.com/v1.0/users/{userId}/mailboxSettings endpoint with an auth token and in return receiving a 403 Error Access Denied response.
I have granted both application level and delegated permissions for MailboxSettings.Read, MailboxSettings.ReadWrite. I can verify that these permissions are enabled on the installed application via examination of my decoded auth token with jwt.ms. Here is the excerpt from the decoded token:
"scp": "Directory.AccessAsUser.All Files.ReadWrite.All Group.ReadWrite.All Mail.Read Mail.ReadWrite Mail.Send MailboxSettings.Read MailboxSettings.ReadWrite Sites.ReadWrite.All"
I have also verified that the user I am requesting mailboxSettings for has been granted access via Admin Consent.
I am able to return mailboxSettings if I hit the endpoint for either the admin userId or the https://graph.microsoft.com/v1.0/users/me/mailboxSettings endpoint. Any help would be much appreciated.
I quickly tested with Microsoft Graph Explorer and it works for me. So I would request you to test the above API call with Graph Explorer and see if you can repro the issue or not.
I believe the problem is that your token was generated using Delegated scopes. The Delegated flavor of MailboxSettings.Read and MailboxSettings.ReadWrite may only access the currently authenticated user’s mailbox.
In order to access other users, you need to use Application scopes. You can read more about how these scopes work (and how to select them) in this blog post: Application vs Delegated Scopes.
As others have stated, delegated token only works for reading the mailboxSettings of the currently authenticated user. I had enabled mailboxSettings as an Application scope, yet I was getting the same error. The culprit of the issue was that I was using the Auth code grant for the token.
After switching to Client Credentials grant, I am successfully retrieving an Auth token that contains the mailboxSettings Application level scope, and am able to get 200 responses on endpoints for all users.

AccessDenied Either scp or roles claim need to be present in the token

I am trying to get an access token to upload large files as described in the docs.
I am using client credentials grant flow to get access token per the documentation. I got an access token using that flow.
I tried to use that access token with this URI:
/v1.0/users/{userId}/drive/items/{itemId}/createUploadSession
but it gives me an error that "AccessDenied Either scp or roles claim need to be present in the token"
I have granted admin permission for the app. I have tried this flow in both postman and in coding but both give the same error.
Well, as Marc pointed out, Sites.ReadWrite.All was the only permission I needed; it was just that the permission had not been accepted by the admin, so the roles were not visible in my access token. Now I am able to call the Graph API using that access token.
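The threads above all come down to reading the `scp` (delegated) and `roles` (application) claims of the decoded access token. The following is an added example, not code from any of the posters: the function names, the diagnostic strings and the sample tokens are constructed for illustration, and the payload is decoded for inspection only, without signature verification.

```python
import base64
import json


def decode_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, path: str, permission: str) -> str:
    """Explain, from the claims alone, why Graph would likely refuse a call."""
    claims = decode_claims(token)
    scp = claims.get("scp", "").split()  # delegated permissions (signed-in user)
    roles = claims.get("roles", [])      # application permissions (app-only)
    if not scp and not roles:
        return "no scp or roles claim: permission not consented or not requested"
    if roles and not scp and path.startswith("/me"):
        return "app-only token has no signed-in user: use /users/{id}, not /me"
    if permission not in scp and permission not in roles:
        return f"{permission} missing from token"
    kind = "delegated" if permission in scp else "application"
    return f"ok: {permission} present as {kind} permission"


def make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token (hypothetical helper)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample tokens, not real credentials.
DELEGATED = make_token({"scp": "Mail.Read MailboxSettings.Read"})
APP_ONLY = make_token({"roles": ["Sites.ReadWrite.All"]})
EMPTY = make_token({"aud": "https://graph.microsoft.com"})

if __name__ == "__main__":
    print(diagnose(EMPTY, "/users/x/drive", "Sites.ReadWrite.All"))
    print(diagnose(APP_ONLY, "/me/outlook/taskFolders", "Tasks.ReadWrite"))
    print(diagnose(DELEGATED, "/me/mailboxSettings", "MailboxSettings.Read"))
```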

3-legs in OAuth 2.0

I'm making a program that uses the YouTube API for testing purposes.
Because my program is an installed application, I've found a picture pointing out how to implement authentication.
It's what I have:
Immediately, I'm confused. According to this figure, I don't know why Google Servers just returns Authorization code after User login and consent.
Why doesn't Google Servers return Token instantly?
You are confused because, I guess, you have missed the 3rd leg, the "User". The authorization code represents the user's consent.
The Google server returns the authorization code when the user grants your app permission to get his/her data from the Google server (resource server). If the user denies the permission, the Google server won't generate the authorization code and your app won't be able to get an access token.
Another use of Authorization_code is to keep resource owners credentials secret. Authorization code is shared with client and client exchanged that code for access_token.
Find more Information about Oauth 2.0 in this article.
