I'm a bit of a salesforce / web noob, but am testing out the customer 360 external identity licences, along with customer users. My main goal is to authenticate a customer user using OAUTH, get an access token, then use the Salesforce web APIs to access some relevant bits of info for the customer user. However I just can't seem to figure out how to get the customer user authenticated despite being able to do the same just fine for my personal admin user account.
I have the following setup:
a bunch of external identity licences
a profile with the external identity user licence assigned, with the API enabled setting checked.
a connected app setup with relaxed IP restrictions set, all users may self authorize set, OAUTH settings enabled, device flow enabled, and the full access OAUTH scope selected.
an end customer contact with an associated end-customer user, assigned to the external identity profile and thus external identity user licence.
And I'm POSTing to the test token endpoint (https://test.salesforce.com/services/oauth2/token).
I've tried two auth flows, password and device flow for IOT as I want to integrate this with a command line app (which the IOT flow is good for apparently), and while both succeed for my personal salesforce user credentials, they both fail for my test user account credentials.
The server response for the password flow is as follows:
{
"error": "invalid_grant",
"error_description": "authentication failure"
}
End-customer users don't appear to have a security token so I've just been using the password on its own. I can't seem to find a way to generate a security token for these types of users but suspect this could be the issue for this flow.
When trying the device flow the returned verification uri is always https://test.salesforce.com/setup/connect but attempting to login on this page as the customer-user fails with this error:
Please check your username and password. If you still can't log in, contact your Salesforce administrator".
I am definitely providing the correct customer user credentials here so have no idea why this fails.
Does anyone have any ideas on how to get this working?
#eyescream nudged me in the right direction so here's the solution for anyone in the same position as me.
Authentication of external identity customer users is not done using the normal OAUTH REST endpoints (https://test.salesforce.com/services/oauth2/token or https://login.salesforce.com/services/oauth2/token).
Instead you have to setup an experience cloud site, add your customer user profile to the sites list of member profiles, then authenticate using a site specific AUTH endpoint.
For example, if your experience cloud URL is https://sandboxname-companyname.instanceid.force.com, then your OAUTH token endpoint would be at:
https://sandboxname-companyname.instanceid.force.com/services/oauth2/token
Extra things to note:
customer user accounts cannot authenticate using the username-password flow.
the device flow for IOT (or command line apps) will return a verification URL that customer users cannot log in to (https://test.salesforce.com/setup/connect). You can instead use the experience site connect URL (https://sandboxname-companyname.instanceid.force.com/sitename/setup/connect)
I have asp.net core web api which is talking to MS Garaph Api.I have Implemented ROPC using service account to talk to onedrive. I have created the MS graph Api app in MS Portal 2 years back using the same service account. The the portal is obsolete now and the App is moved to Azure Portal. But i can get the Bearer token using ROPC and consuming Graph api and its working good.
Now i tried to mimic the same, i have created a new app in azure portal with same credentials and similar Metadata.The service account user type is member in azure Portal. I am getting the following error for the new App
"error": "invalid_grant",
"error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID
any ideas would be appreciated.
Thanks in advance
Subbiah K
First, you need to be the administrator of the tenant (if you are not a tenant administrator, you cannot give the administrator permission), you can set up user roles according to here process.
Then follow this process to grant administrator consent to the app:
1.Log in to https://portal.azure.com as a tenant administrator.
2.Open the registration of your application in the following location.
3.Go to settings and then the required permissions.
4.Press the grant permission button.
In the Azure portal, I registered the application for testing and used User.Read permission to demonstrate:
Then use the ROPC flow in postman to get the access token:
We are publishing an outlook add-in to office store, and this add-in is authenticated based on the O365 authentication, so once customer logins his o365 account, he could go to our service directly via our add-in. The question is whether we sign out the o365 account or not since we have failed for Add-in validation. There are two screenshots:
[Failed if not sign out o365 account]
[Failed if sign out o365 account]
We are a little confused about what we should do next step, could we just keep signing out of O365 account and add a note: we are authenticated by O365 authentication or could we just remove the Signout since our add-in is O365 authentication based?
Thanks very much in advance for your help.
Removing the sign out might not be a good idea, unless you actually don't want that feature available to your users. I guess your problem might be that a session or local identifier is stored on the client and it is automatically being logged in when the add-in opens again when sign-out was pressed ( from what i understand ).
If you are using OAuth 2.0 standard, what you should try: Find the stored session either locally or server side and remove it when the user logs out. Also you could log out the user out with the Microsoft sign-out url see: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code
If you are using the SSO of Office, what you'd want to do is just remove the local side storage that holds the tokens, and then show the user the log in page ( with a button to log them in again ) for info about SSO see:
https://learn.microsoft.com/en-us/office/dev/add-ins/develop/sso-in-office-add-ins
Goodluck!
I have an error while trying to use Microsoft Graph to write a script to upload an Excel file to OneDrive then read the Excel file.
I followed Microsoft documentation to obtain the access token without user. I successfully got an access token but I got an error while using the access token to call the OneDrive API.
Here is the response:
{
"error": {
"code": "BadRequest",
"message": "Tenant does not have a SPO license.",
"innerError": {
"request-id": "5ec31d17-3aea-469f-9078-de3608f11d0d",
"date": "2017-10-10T04:34:05"
}
}
}
I don't understand why I need to have SPO license while calling graph API and how to get it. Because of this error message so I'm trying to buy a SPO license.
According to this document, I think I should see many products in the license pages but while logging in with Azure Portal and go to the License page, I see only 2 products: Azure AD Premium and Enterprise Mobility Suite:
In case anyone else has a similar issue, I was getting the same error message when using an Office 365 Home license. It turns out SPO stands for SharePoint Online, and you need an Office 365 Business account to have it. So as far as I can tell, you can't use the Microsoft Graph API to access OneDrive without having SharePoint (which only comes with the business licenses). This isn't really made clear anywhere that I could find.
Answering a couple of things here.
Background: Microsoft Graph is the developer gateway or API to many Microsoft cloud services, like Office 365, Azure Active Directory, EMS (Enterprise Mobility Suite), personal Outlook, personal OneDrive and more. Use of the API is free, but to access the data behind it, you need to actually have those services - in some cases they may be free and in other cases you may need to pay for them.
As for adding Office 365 to your existing tenant. I believe you've signed up for Azure using a Microsoft Account. This means that you already have an Azure Active Directory tenant. You can still purchase/acquire Office 365 for that tenant. All you need to do is create a new Azure AD user (not a Microsoft Account) in your tenant, and make them a company admin. Then you should be able to sign-up for Office 365 - if it asks if you already have a tenant or account, sign in with the AAD account you just created. And voila, you should have an Azure AD tenant with a subscription to Azure AND now a subscription to Office 365.
Hope this helps,
In case anyone else has a similar issue, I was getting the same error message when using a personal Microsoft account, just like OP.
So, if you are using a personal account in a registered Azure Active Directory(AAD) app, that type isn't Personal Microsoft accounts only or Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) you will get this error. Also, you need to use the correct endpoint to avoid errors.
The main problem is our account type. As a personal account, there are some restrictions to access one drive files. These restrictions are:
You can only use Oauth2 Code Flow or Oauth2 Token Flow. Both are interactive approaches. [1][2]
Your application registered in AAD needs be Personal Microsoft accounts only or Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) and each one have a different endpoint to acquire the access token (That you can saw clicking on endpoint button, near the delete app button in app page). [3]
Enable these delegated permissions to your application registered in AAD: Files.Read, Files.Read.All, Files.ReadWrite, and Files.ReadWrite.All.
With these restrictions in mind, you can set up a workflow in Postman following these two steps(I'm using endpoints of Personal Microsoft accounts only app type and using Oauth2 Code Flow):
Important note: To use code flow, you need to enable Access tokens in Implicit grant and hybrid flows on Authentication ADD app sidebar menu.
Aquire access token:
https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=YOUR_CLIENT_ID&response_type=token&redirect_uri=ONE_OF_REGISTERED_REDIRECT_URI&scope=Files.Read Files.Read.All Files.ReadWrite Files.ReadWrite.All
After you fill in your information on Postman's request, I recommend using a browser and network inspection to login with a Microsoft account and permit the app. You are getting the access token via network inspection.
List one drive root files:
https://graph.microsoft.com/v1.0/me/drive/root/children
Add a new header:
Authorization
With value:
Bearer ACCESS_TOKE_OF_STEP_1
In my angular application, due to this interactive way restriction to access one drive files, I changed my authentication method to use Microsoft Authentication Library(MSAL) to avoid every time that need send an API request open a popup window to authenticate a valid Microsoft account.
Both OneDrive for Business and the Excel APIs require Office 365. Based on your screenshot, this looks like a standalone Azure Active Directory tenant (i.e. not linked to O365).
The reason for the SPO License message is that OneDrive for Business is a special SharePoint Online document library that is automatically provisioned for users.
Are you able to access the OneDrive contents (including the Excel file) manually through browser after logging in with your account in the same tenant?
If you are able to access the drive and file manually, please use Graph Explorer https://developer.microsoft.com/en-us/graph/graph-explorer to sign in using the same account and make the call to get the Drive contents. When you’re signing-in, you would be presented with a consent page listing the permissions needed to be granted. Please make a note of those permissions and check whether the permission match to those required for accessing the drive.
If you do not have appropriate SPO license yet, you can try setting up a free Office-365 trial account (https://products.office.com/en-in/business/office-365-enterprise-e3-business-software) and test the APIs.
To add to Kikutos' answer answer, you can use this Azure sample to acquire the token via MSAL.NET.
The only thing you need to change is the Instance property, which needs to be set to:
https://login.microsoftonline.com/consumers/
I can manage sharing access by user to his personal Office365 account via OAuth2. This article does not contain information how to revoke the access. I believe there is should be REST API to revoke shared access.
Can I have help or missed link to Office365 developers API where I could find correspond documentation please?
If you want to revoke access token issued by azure ad , currently , Azure AD doesn’t support revoking the token . However, we can clear the token cache if you doesn’t want users to user the token. You could also read document Configurable token lifetimes in Azure Active Directory to specify the lifetime of a token issued by Azure Active Directory (Azure AD) .