I am creating an MS Teams messaging bot through Developer Portal and just relying on the bot messaging bot endpoint of my bot to send/receive messages. I also need OAuth flow for users to login to my website and map that login to the MS Teams user
Documentation:
https://learn.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/auth-flow-bot
I have some questions:
It looks like the 'start OAuth page' and 'callback OAuth page' both utilize MS Teams libraries/packages to call initialize and microsoftTeams.authentication.notifySuccess("{{verificationCode}}"); Is there any rest API endpoint we can call to replicate this behavior or execute these flows? Or is there a java equivalent if we don't want to do all this in javascript?
Can we host the 'start OAuth page' and 'callback OAuth page' in our servers (i.e. not on Azure or Microsoft resources but on our website domain like mywebsite.com/start_oauth and mywebsite.com/callback_oauth)? And if so, is there any documentation for this?
If yes to #2, is there any additional work to be done for hosting these pages in our servers?
Quick update on answer. It looks like I can host these pages anywhere. The MS Teams OAuth flow opens a pop-up for sign-in in MS Teams and as long as that pop-up can redirect to these pages, then these libraries can be called/used regardless of where it's hosted
Related
I am new to Microsoft Graph and SharePoint Framework. Recently developing spfx webpart with Graph API's integration.
I have registered the app in https://apps.dev.microsoft.com portal and AAD implementation through hello.js.
The first time browsing to the page, it redirects to Microsoft app login page and prompt for credentials.
Once authentication successful then it's working fine, from then on it does not prompt for credentials.
Is there any possiblities to access MS Graph API directly using Application Id, and Secret without prompting for login?
Yes, you will want to use the client credential flow to do this. You will only have access to organizational data (/me won't work for example, but /users will). There is an article on getting access here.
You will need to log in as an admin one time per application to authorize your app to use your tenant's data. You can do this at:
https://login.microsoftonline.com/{tenant}/adminconsent?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions
It is possible to authorize some MS apps using OAuth and login form. If the user logins and allows the permissions the app wants then as a developer you can read (and write) some data via API.
Is it possible with https://botframework.com? I don't want my clients to have to write down the client_id and client_secret in my administration. I just want them to give me permission via logging in and let me download this data.
I've read MS docs about OAuth and have seen that the possible scopes doesn't include the bot platform.
To demonstrate what I mean here is a demo application from the docs.
I recommend you to check AuthBot.
AuthBot is a .Net library for Azure Active Directory authentication on
bots built via Microsoft Bot Framework.
In short, when using AuthBot, your users will receive a link that they will open and perform the OAuth flow. The users won't have to write the credentials in the bot (which could be a security concern) and instead will be done in the MS login page. Then a callback (already provided by the library) will be called and the conversation with the user will be resumed.
You can also check AzureBot as an example of a Bot that uses AuthBot and that retrieve information only available if you are logged.
The blog post: Announcing Exchange ActiveSync v16.1 states that:
While not a part of EAS 16.1, we also want to note that both Office 365 and Outlook.com customers can now utilize the OAuth 2.0 protocol for authorization through EAS.
My question is: which scope should I use in the oauth request?
Is there an example, perhaps of the full request?
Note: there was a similar question about using OAuth for Office365 with IMAP, but here I'm specifically asking about ActiveSync. I referenced this question in a comment to one of the answers on that thread.
Secondary problem:
Thanks to Jason's answer and some additional tweaks, we managed to generate oauth token using https://login.windows.net/common/oauth2 but only for office365 users (Organization Accounts) and not to Microsoft users account (live, hotmail, outlook.com...)
The token allows access to both ActiveSync protocol (via https://eas.outlook.com/Microsoft-Server-ActiveSync) and for EWS API (via https://outlook.office365.com/EWS/Exchange.asmx).
Unfortunately we cannot find a way to generate same token for Microsoft online accounts (hotmail, live, outlook.com). We tried using this endpoint: https://login.live.com/oauth20_authorize.srf which allow only activesync and not EWS.
Is there a way to use the same token for both organization and online accounts on both protocols (ActiveSync and EWS)?
Sorry this took so long, but I wasn't aware of this question until today :). You need to register your app as a native application in Azure Active Directory:
Then add the Access mailboxes as the signed-in user via Exchange Web Services (under Office 365 Exchange Online) delegated permission.
NOTE: You cannot register this in the Application Registration Portal (https://apps.dev.microsoft.com), it needs to be registered in the Azure Portal (https://portal.azure.com/), and you need to use the v1 Azure auth endpoints for authorization and token requests.
I am building a sample ASP.NET 5 (vNext) web application to act on behalf PowerBI users through Power BI API.
I followed all the steps here to register my application and I have the ClientId.
The app was added to my Azure Active Directory realavaloro.onmicrosoft.com
My web application is able to redirect the user to the authority https://login.windows.net/common/oauth2/authorize/passing as query parameters the response_type, clientId, resource and redirect_uri
"response_type": "code"
"resourceUri": "https://analysis.windows.net/powerbi/api",
"clientId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"redirectUri": "http://localhost:59136/"
The browser is properly redirected to the microsoft page and the user enters his Power BI credentials. If authenticated, it is redirected to the redirect_uri with the code + session_state
The problem is that I don't fully understand this mechanism.. :)
If I use my PowerBI test account credentials (diego#realavaloro.onmicrosoft.com) the authentication is successful and the browser is redirected properly with code + session_state
But if I try to authenticate with other PowerBI credentials, for example joe#companyb.com it fails to authenticate with the Bad Request message:
AADSTS70001: Application with identifier 408c866f-ad71-4354-b9fd-c954cae84dd7 was not found in the directory companyb.com
I thought any user with an account in PowerBI would be able to, through our web application, user his PowerBI account through the API provided our web application has permission.
But it seems that if we want that to happen with this approach every user would need their own Azure Active Directory to authenticate against.
Is there anything I am missing here?
Is there any option to allow our application act on behalf ANY Power BI user?
Thank you!
PS: I built my test web application following guidelines at https://github.com/PowerBI/getting-started-web-app-asp.net
I will answer myself. The reason I my web application couldn't authenticate external users with their Power BI credentials was (duh!) because I had not configured my web application in Azure AD as multi-tenant.
Thanks to this great presentation https://channel9.msdn.com/Events/Ignite/2015/BRK3551 I found some good answers including the meaning of multi-tenant :)
I still have to investigate the Azure libraries to manage all these Authentication headers for me and get my head around OAuth2 but at least I can say now that the authentication works for external users.
we're currently using the office 365 api but we're a little bit stuck in the oauth process. On the target platform we have no access to a browser, which cause the main problem using the oauth procedure.
Does Microsoft offer other kinds of authentication like Limited Input Device Authentication like google does? Or are there any alternatives, when no browser is available?
Thanks a lot!
Yes, there are ways to do it without a browser, depending on your scenario. If you're looking to prompt the user yourself for username/password, you can pass those directly via ADAL. For example, here's how to do it using the ADAL for Node.js: https://github.com/AzureAD/azure-activedirectory-library-for-nodejs/blob/master/sample/username-password-sample.js
The trick when you do this is that there must be user consent already recorded in Azure AD. Because this bypasses the user consent screen, it has to be "pre-consented". One way to do this is to have the organizational administrator register the application in their own Azure AD, which by default consents for all users in the org.
Another approach would be to use the client credential flow. In this scenario, the administrator consents once for their entire organization, and the app then has access to all mailboxes in that org.