How do I get just Group Claims in Forgerock openID Connect - oauth-2.0

I am trying to get only the group names, without any extra tags, from the id_token after authentication. I have tried multiple ways of editing the script as well, but I am still unable to get the expected result.
Currently I am getting CN=Global_Protect_VPN_Users if I put this in the script:
"groups": userProfileClaimResolver.curry("memberOf")
How do I remove the CN tag?
I tried this:
"groups": { claim, identity -> [ "groups" : identity.getMemberships(IdType.GROUP).collect { group -> group.name } ] }
openID Script in forgerock
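The group name the question wants is the value of the CN attribute in each memberOf distinguished name. The following is an added example, not ForgeRock's Groovy claim-script API: it shows the same transformation in plain JavaScript, parsing the DN per RFC 4514 so that escaped commas and hex escapes inside a value do not split or corrupt the name. The memberOf values below are constructed; the function names are this example's own.

```javascript
// Split a DN into its RDN strings, honouring RFC 4514 backslash escapes so that
// a comma inside a value (e.g. "CN=Smith\, John") does not start a new RDN.
function splitDn(dn) {
  const rdns = [];
  let cur = '';
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === '\\' && i + 1 < dn.length) {
      cur += ch + dn[i + 1]; // keep the escape pair intact for the value decoder
      i++;
    } else if (ch === ',') {
      rdns.push(cur);
      cur = '';
    } else {
      cur += ch;
    }
  }
  rdns.push(cur);
  return rdns;
}

// Decode RFC 4514 escapes in an attribute value: "\," -> "," and "\2C" -> ","
// (hex escapes are treated as single bytes here, which covers ASCII values).
function unescapeValue(v) {
  return v.replace(/\\([0-9A-Fa-f]{2})|\\(.)/g, (m, hex, ch) =>
    hex !== undefined ? String.fromCharCode(parseInt(hex, 16)) : ch);
}

// Return the value of the first RDN whose attribute type matches `attr`
// (case-insensitive), or null when the DN carries no such attribute.
function rdnValue(dn, attr = 'CN') {
  for (const rdn of splitDn(dn)) {
    // a multi-valued RDN ("CN=a+OU=b") is split on an unescaped '+'
    for (const part of rdn.split(/(?<!\\)\+/)) {
      const eq = part.indexOf('=');
      if (eq < 0) continue;
      const type = part.slice(0, eq).trim();
      if (type.toUpperCase() === attr.toUpperCase()) {
        return unescapeValue(part.slice(eq + 1));
      }
    }
  }
  return null;
}

// Map a memberOf attribute (one DN string or an array of them) to bare group
// names, dropping entries that have no CN instead of emitting "null".
function groupNamesFromMemberOf(memberOf) {
  const dns = Array.isArray(memberOf) ? memberOf : [memberOf];
  return dns.map(dn => rdnValue(dn, 'CN')).filter(name => name !== null);
}

// Constructed sample memberOf values (not from any real directory).
const SAMPLE_MEMBER_OF = [
  'CN=Global_Protect_VPN_Users,OU=Groups,DC=example,DC=com',
  'CN=Smith\\, John Team,OU=Groups,DC=example,DC=com',
  'OU=NoGroupName,DC=example,DC=com',
];

console.log(groupNamesFromMemberOf(SAMPLE_MEMBER_OF));
```

Keeping the DN parser separate from the claim mapping means the "groups" claim only ever carries the group's relative name, and a group whose DN lacks a CN is omitted rather than surfacing a null in the id_token.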

Related

Create a New User For Federated Account in B2C

I am failing to add an OpenId account to B2C using Microsoft Graph. What needs to be done to do an add operation?
B2C Setup as TestB2C
In Azure B2C, the OpenID Connect (to my company's Azure AD) is set up as an Identity Provider.
For this example, take the blurred-out B2C above to be TestB2C.onmicrosoft.com and the target OpenID provider to be "Corporate AD".
Graph Call To Insert User into B2C
{
  "accountEnabled": true,
  "displayName": "OmegaMan",
  "mailNickname": "OmegaM",
  "identities": [
    {
      "signInType": "userName",
      "issuer": "TestB2C.onmicrosoft.com",
      "issuerAssignedId": "OmegaMan#Corporate.com"
    },
    {
      "signInType": "emailAddress",
      "issuer": "TestB2C.onmicrosoft.com",
      "issuerAssignedId": "OmegaMan#Corporate.com"
    },
    {
      "signInType": "federated",
      "issuer": "Corporate.com",
      "issuerAssignedId": "6ab...34"
    }
  ],
  "passwordProfile" : {
    "forceChangePasswordNextSignIn": false
  }
}
The issuerAssignedId is from the settings placed in the Identity Providers section for the OpenId Connect. When I attempt to insert said user, I get this current error:
...
  "error": {
    "code": "Request_BadRequest",
    "message": "A password must be specified to create a new user.",
...
Which, for a federated user, does not make sense. Note that in a different add operation for an "email user" this process works, with different settings. What is missing to then add a federated user?
For a federated user, "accountEnabled" is false.
I was able to circumvent the user "Sign-Up" after user insertion. The issue turned out to be that, to have proper federation occur, the proper values need to be in place:
"identities": [
  {
    "signInType": "federated",
    "issuer": "https://login.microsoftonline.com/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/v2.0",
    "issuerAssignedId": "YYYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY"
  }
]
What was happening was that I was using "issuer": "myDomain.com", which was not resolving correctly for login, so the user then had to "Sign Up" via the federated IP and ended up with two logins.
By changing the issuer from a DNS-readable name to the Microsoft login URL with my AD directory's ID (the number provided when switching domain in Azure, XXXX-XXX ..., by the way), and also a proper issuerAssignedId found from the originating AD issuer, it worked and the user was added.
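The answer above comes down to the shape of the federated identity object: the issuer has to be the home tenant's login.microsoftonline.com v2.0 authority URL rather than a DNS name, and issuerAssignedId the user's id from that home tenant. The following is an added example, not Microsoft's code or the Graph SDK: it assembles the create-user body for a federated account and refuses the issuer form that did not resolve. The tenant and object ids are placeholders; the GUID and issuer patterns are this example's own validation rules.

```javascript
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// The issuer shape that worked in the answer: the home tenant's v2.0 authority URL.
const ISSUER_RE = /^https:\/\/login\.microsoftonline\.com\/[0-9a-f-]{36}\/v2\.0$/i;

// Build the issuer URL from the home tenant's directory id (a GUID).
function federatedIssuer(homeTenantId) {
  if (!GUID_RE.test(homeTenantId)) {
    throw new Error('home tenant id must be the directory GUID, not a domain name');
  }
  return `https://login.microsoftonline.com/${homeTenantId.toLowerCase()}/v2.0`;
}

// Return a list of problems with a federated identity entry (empty when it is well formed).
function validateFederatedIdentity(identity) {
  const problems = [];
  if (identity.signInType !== 'federated') {
    problems.push('signInType must be "federated"');
  }
  if (!ISSUER_RE.test(identity.issuer || '')) {
    problems.push('issuer must be https://login.microsoftonline.com/<tenant-id>/v2.0, not a DNS name');
  }
  if (!GUID_RE.test(identity.issuerAssignedId || '')) {
    problems.push('issuerAssignedId must be the object id (GUID) from the home tenant');
  }
  return problems;
}

// Assemble the Graph "create user" body for a federated-only B2C account.
// accountEnabled is taken from the caller: the question sends true, while the
// answer above reports false for federated users, so it is not defaulted here.
// No passwordProfile is included, since the identity is what carries the login.
function buildFederatedUser({ displayName, mailNickname, accountEnabled, homeTenantId, homeObjectId }) {
  if (typeof accountEnabled !== 'boolean') throw new Error('accountEnabled must be set explicitly');
  const identity = {
    signInType: 'federated',
    issuer: federatedIssuer(homeTenantId),
    issuerAssignedId: homeObjectId,
  };
  const problems = validateFederatedIdentity(identity);
  if (problems.length) throw new Error(problems.join('; '));
  return { accountEnabled, displayName, mailNickname, identities: [identity] };
}

// Placeholder ids (constructed, not a real tenant or user).
console.log(JSON.stringify(buildFederatedUser({
  displayName: 'OmegaMan',
  mailNickname: 'OmegaM',
  accountEnabled: true,
  homeTenantId: '11111111-1111-1111-1111-111111111111',
  homeObjectId: '22222222-2222-2222-2222-222222222222',
}), null, 2));
```

Validating the identity before the POST turns the misleading "A password must be specified" response into a local error that names the field that is actually wrong.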

Using RSC To Access Chat Messages with Microsoft Graph

I am building a Teams chat-bot that looks at the history of messages in the current chat/channel whilst in conversation with the user.
My bot has been granted all the RSC (Resource-Specific Content) Permissions it needs (see image below)
Here are the relevant parts of the manifest:
{
  "$schema": "https://developer.microsoft.com/en-us/json-schemas/teams/v1.11/MicrosoftTeams.schema.json",
  "version": "1.0.0",
  "manifestVersion": "1.11",
  "id": "bd33f8b1-b593-433c-926e-44a27c1bd94a",
  ...
  "permissions": [
    "identity",
    "messageTeamMembers"
  ],
  ...
  "bots": [
    {
      "botId": "e6d93739-a8ab-412d-a4f6-b6f514a3451a",
      "scopes": [
        "team",
        "personal",
        "groupchat"
      ],
      "isNotificationOnly": false,
      "supportsFiles": true
    }
  ],
  "validDomains": [],
  "webApplicationInfo": {
    "id": "e6d93739-a8ab-412d-a4f6-b6f514a3451a",
    "resource": "https://RscBasedStoreApp",
    "applicationPermissions": [
      "TeamSettings.Read.Group",
      "ChannelMessage.Read.Group",
      "TeamSettings.Edit.Group",
      "ChannelSettings.ReadWrite.Group",
      "Channel.Create.Group",
      "Channel.Delete.Group",
      "TeamsApp.Read.Group",
      "TeamsTab.Read.Group",
      "TeamsTab.Create.Group",
      "TeamsTab.ReadWrite.Group",
      "TeamsTab.Delete.Group",
      "Member.Read.Group",
      "Owner.Read.Group",
      "ChatSettings.Read.Chat",
      "ChatSettings.ReadWrite.Chat",
      "ChatMessage.Read.Chat",
      "ChatMember.Read.Chat",
      "Chat.Manage.Chat",
      "TeamsTab.Read.Chat",
      "TeamsTab.Create.Chat",
      "TeamsTab.Delete.Chat",
      "TeamsTab.ReadWrite.Chat",
      "TeamsAppInstallation.Read.Chat",
      "OnlineMeeting.ReadBasic.Chat",
      "Calls.AccessMedia.Chat",
      "Calls.JoinGroupCalls.Chat",
      "TeamsActivity.Send.Chat"
    ]
  }
}
Note: the bot has permission to read messages in chats and channels. Specifically, my problem affects chats and not channels (which I can get messages from fine).
In order to do this, I get a JWT token for the bot account, accessing the Graph API like so:
GraphServiceClient<?> gsc = GraphServiceClient.builder()
    .authenticationProvider(u -> mac.getToken())
    .buildClient();
Next, I am using the Graph API to pull back these messages. For messages in channels I can do:
gsc.teams("some group id")
    .channels("channel id")
    .messages()
    .buildRequest(Collections.emptyList())
    .get();
This works fine.
For chats, I am doing something like:
gsc.chats("29:13qY8hmfkJinH9-v7rYKjCNFHYFJXKbjqR-NyzyKzL694npelHJoq5HrVtqJLRYo79OYeHGQq-bhtJM5N-yKXyQ")
    .messages()
    .buildRequest()
    .get();
However, this time I get an error from the Graph API:
[Some information was truncated for brevity, enable debug logging for
more details] com.microsoft.graph.http.GraphServiceException: Error
code: Forbidden Error message: Invoked API requires Protected API
access in application-only context when not using Resource Specific
Consent. Visit
https://learn.microsoft.com/en-us/graph/teams-protected-apis for more
details.
GET
https://graph.microsoft.com/v1.0/chats/29:13qY8hmfkJinH9-v7rYKjCNFHYFJXKbjqR-NyzyKzL694npelHJoq5HrVtqJLRYo79OYeHGQq-bhtJM5N-yKXyQ/messages
SdkVersion : graph-java/v5.6.0
I am at a loss to explain why querying channels works fine but querying chats fails.
Any help gratefully appreciated!
This is a protected API, and in order to use it you will first need to make a formal request to Microsoft Graph, asking for permission to use the API without any user interaction.
Here is the list of protected APIs. You need to fill in this form to get the required permissions.
To request access to these protected APIs, complete the following request form. We review access requests every Wednesday and deploy approvals every Friday, except during major holiday weeks in the U.S. Submissions during those weeks will be processed the following non-holiday week.
The other option would be to use delegated flow.

Problems with Microsoft Graph - DriveItem Add Permission

I'm trying to Share Files on a SharePoint Document Library that I have as a part of an Office 365 Developer Program instance.
My AD has a variety of users, some "native" users created in the AD manually and the rest are "guests" from different domains that my team and I work for.
I'm executing the following API request on the Graph via code using NestJS (as per the snippet). I have all the required Delegated Permissions in the Application Registration to do everything, too.
REST View:
POST /drives/{drive-id}/items/{item-id}/invite
{
  "requireSignIn": true,
  "sendInvitation": false,
  "roles": [
    "sp.full control"
  ],
  "recipients": [
    {
      "email": "xxx.xxx#xxx.com"
    }
  ]
}
Code View:
//build list of all to add: PL, PLB, Main, Current User and whatever is added in DTO
const participantsToAdd = [project.projectLead]
.concat(project.projectLeadBackup)
.concat(project.participants.filter(p => newRoles.includes(p.participantRole.name)).map(p => p.user))
.map(u => ({
oid: u.microsoftId,
mail: u.mail,
}));
const permission = {
recipients: participantsToAdd.map(p => ({ email: p.mail })),
requireSignIn: true,
sendInvitation: false,
roles: ['sp.full control'],
};
// add the right permissions to the file
const result = await client.api(`/drives/${this.libraryId}/items/${fileId}/invite`).post(permission);
The above code is building up a list of "User" objects which contain an "oid" which I use later, and a "mail" object. I give these users the "sp.full control" role on a file. Some are granted direct access and others are given links (grantedToIdentities) with write permissions.
This only seems to be happening when Guests on the active directory make the request; though it's only occurring for some guests. Two guest users in particular that I grant access to are fine, they get "Direct Access". Others go into the "link sharing" category. I don't see any differences in the users in AD anywhere.
I've tried looking through all admin sites (SharePoint, M365) and tweaked External Sharing permissions but the problem still persists.
When I invoke the action from a "native" user on AD to the Graph using the same request, it all works fine. All users (native and guests) are added with "direct access".
Can anyone share any thoughts? Hope I've given enough info.
Snippet from Graph response:
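The asker is distinguishing direct grants from sharing links by reading the Graph response by eye. The following is an added example, not from the question's NestJS code or the Graph SDK: it classifies the permission objects Graph returns for a driveItem (the grantedTo/grantedToV2, grantedToIdentities/grantedToIdentitiesV2 and link fields of the permission resource) and reports which intended recipients ended up on a link instead of a direct grant, plus any link whose scope is wider than a named set of users. The response below is constructed, and the function names are this example's own.

```javascript
// Constructed sample of GET /drives/{drive-id}/items/{item-id}/permissions
// (shapes follow the Graph permission resource; values are made up).
const SAMPLE_PERMISSIONS = {
  value: [
    { id: 'p1', roles: ['write'],
      grantedToV2: { user: { email: 'lead@example.com', displayName: 'Lead' } } },
    { id: 'p2', roles: ['write'],
      link: { type: 'edit', scope: 'users', webUrl: 'https://contoso.sharepoint.com/:x:/s/site/abc' },
      grantedToIdentitiesV2: [{ user: { email: 'guest1@partner.example', displayName: 'Guest One' } }] },
    { id: 'p3', roles: ['read'],
      link: { type: 'view', scope: 'anonymous', webUrl: 'https://contoso.sharepoint.com/:x:/s/site/def' } },
  ],
};

// Collect the user e-mail addresses a permission object names, across both the
// legacy (grantedTo, grantedToIdentities) and the V2 property names.
function emailsOf(permission) {
  const ids = [];
  if (permission.grantedToV2) ids.push(permission.grantedToV2);
  if (permission.grantedTo) ids.push(permission.grantedTo);
  for (const g of permission.grantedToIdentitiesV2 || permission.grantedToIdentities || []) ids.push(g);
  return ids
    .map(i => (i.user && i.user.email) || null)
    .filter(Boolean)
    .map(e => e.toLowerCase());
}

// A permission with a `link` property is a sharing link; anything else is a direct grant.
function classifyPermissions(response) {
  const direct = [];
  const links = [];
  for (const p of response.value || []) {
    if (p.link) {
      links.push({ id: p.id, scope: p.link.scope, type: p.link.type, roles: p.roles, emails: emailsOf(p) });
    } else {
      for (const email of emailsOf(p)) direct.push({ id: p.id, email, roles: p.roles });
    }
  }
  return { direct, links };
}

// Compare the outcome with the recipients the invite was meant to grant direct access.
function auditInvite(response, intendedEmails) {
  const { direct, links } = classifyPermissions(response);
  const directSet = new Set(direct.map(d => d.email));
  const onLink = e => links.some(l => l.emails.includes(e));
  const intended = intendedEmails.map(e => e.toLowerCase());
  return {
    viaLink: intended.filter(e => !directSet.has(e) && onLink(e)),        // got a link, not direct access
    missing: intended.filter(e => !directSet.has(e) && !onLink(e)),       // got nothing at all
    broadLinks: links.filter(l => l.scope !== 'users').map(l => l.id),    // anonymous/organization links
  };
}

console.log(auditInvite(SAMPLE_PERMISSIONS, ['lead@example.com', 'guest1@partner.example', 'guest2@partner.example']));
```

Running this after the invite call gives a machine-checkable answer to "did everyone get direct access", and flags any anonymous or organization-wide link on the file, which is the grant that actually widens exposure.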

unable to get given_name and family_name from azure v2 token endpoint

In the manifest of my application registration I've configured to retrieve the given_name and family_name claims (through the UI, the resulting manifest looks like this):
"idToken": [
  {
    "name": "family_name",
    "source": "user",
    "essential": false,
    "additionalProperties": []
  },
  {
    "name": "given_name",
    "source": "user",
    "essential": false,
    "additionalProperties": []
  }
],
During the redirect I add the profile scope along with the given_name and family_name scopes, which results in the following error:
Message contains error: 'invalid_client', error_description: 'AADSTS650053: The application 'REDACTED' asked for scope 'given_name' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.
Any ideas? As I understand that is what is required to configure these optional claims on the v2.0 endpoint as described here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#v20-specific-optional-claims-set
You should only use the profile 'scope', which should result in you receiving the given_name and family_name 'claims'. That's standard behaviour for an Authorization Server, which will then either:
Return the name details directly in the id token
Or allow you to send an access token to the user info endpoint to get the name details
However, Azure v2 is very Microsoft specific, and user info lookup can be painful and involve sending a separate type of token to the Graph user info endpoint. Hopefully you won't have to deal with that and you will get the name details directly in the id token.
I had a scenario where my API (which only received an access token) needed to get user info, and I solved it via steps 14 - 18 of this write up, but it's a convoluted solution.
Once you configure optional claims for your application through the UI or the application manifest, you need to provide the profile delegated permission for the application.
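The error in the question comes from passing claim names where the authorize request expects scopes. The following is an added example, not from the question or from Microsoft's libraries: it builds the v2.0 authorize URL while rejecting claim names used as scopes, and then shows where the given_name and family_name claims sit in the id_token once the profile scope is requested. The tenant, client id and id_token are constructed placeholders; signature, issuer, audience and nonce validation are left to the OIDC library that receives the real token.

```javascript
// Scopes the v2.0 endpoint understands for OpenID Connect itself.
const OIDC_SCOPES = new Set(['openid', 'profile', 'email', 'offline_access']);
// Claim names that are commonly mistaken for scopes (the cause of AADSTS650053).
const CLAIM_NAMES = new Set(['given_name', 'family_name', 'name', 'preferred_username']);

function buildAuthorizeUrl({ tenant, clientId, redirectUri, scopes, state, nonce }) {
  const asClaims = scopes.filter(s => CLAIM_NAMES.has(s));
  if (asClaims.length) {
    throw new Error(`not scopes, request "profile" instead: ${asClaims.join(', ')}`);
  }
  if (!scopes.includes('openid')) throw new Error('openid scope is required to receive an id_token');
  const unknown = scopes.filter(s => !OIDC_SCOPES.has(s) && !s.includes('/') && !s.includes('.'));
  if (unknown.length) throw new Error(`unrecognised scope(s): ${unknown.join(', ')}`);
  const q = new URLSearchParams({
    client_id: clientId,
    response_type: 'code',
    redirect_uri: redirectUri,
    scope: scopes.join(' '),
    state,
    nonce,
    response_mode: 'query',
  });
  return `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/authorize?${q}`;
}

// base64url helpers (JWT segments are base64url without padding).
function toB64Url(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function fromB64Url(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64');
}

// Read the payload segment of an id_token. This does NOT verify the token;
// a real client must validate the signature and claims before trusting it.
function idTokenPayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact serialization');
  return JSON.parse(fromB64Url(parts[1]).toString('utf8'));
}

function nameClaims(idToken) {
  const p = idTokenPayload(idToken);
  return {
    given_name: p.given_name === undefined ? null : p.given_name,
    family_name: p.family_name === undefined ? null : p.family_name,
  };
}

// Constructed id_token with a dummy header and signature, not a real Azure token.
function sampleIdToken() {
  const seg = o => toB64Url(Buffer.from(JSON.stringify(o)));
  const header = { alg: 'RS256', typ: 'JWT' };
  const payload = {
    iss: 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0',
    aud: 'client-id-placeholder',
    given_name: 'Ada',
    family_name: 'Lovelace',
  };
  return `${seg(header)}.${seg(payload)}.placeholder-signature`;
}

console.log(buildAuthorizeUrl({
  tenant: 'common', clientId: 'client-id-placeholder', redirectUri: 'https://app.example/cb',
  scopes: ['openid', 'profile'], state: 'state-placeholder', nonce: 'nonce-placeholder',
}));
console.log(nameClaims(sampleIdToken()));
```

The scope check in buildAuthorizeUrl is what turns the server-side AADSTS650053 into a local, explanatory error; the optional claims configured in the manifest are delivered by the profile scope, not by scopes of their own.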

When using the Graph API to access a folder on a SharePoint site, we get the following “itemNotFound” error

Problem:
On only one of our three Office 365 tenants, a Graph call fails with an itemNotFound error. The other two tenants work as expected.
Case:
When using the Graph API to access a folder on a SharePoint site, we get the following "itemNotFound" error:
{
  "error": {
    "code": "itemNotFound",
    "message": "The resource could not be found.",
    "innerError": {
      "request-id": "4ea1730c-1b1d-4993-8335-4e10cc3b47c1",
      "date": "2020-04-27T09:15:37"
    }
  }
}
Query Information:
This is the final query that fails: https://graph.microsoft.com/v1.0/sites/54929188-6c44-4555-a85b-27a698b9b572/drive/root:/InvestmentTemplate
To find the information needed to "build" the failing query, we are using this query to find the site id: https://graph.microsoft.com/v1.0/sites/testnrep.sharepoint.com:/sites/DocumentTemplates
To recreate the test data:
Create a site with the URL "/sites/DocumentTemplates"
Add a folder named "InvestmentTemplate" to the Shared Documents library
The full folder URL: https://ZXY.sharepoint.com/sites/DocumentTemplates/Shared%20Documents/InvestmentTemplate
Re-stating my comment above as an answer, as this appears to address your scenario.
I reproduced a similar scenario in my lab environment. The query succeeds when running as a tenant administrator. The query fails as a normal user. I removed all permissions granted to Graph Explorer and added them back one by one. Once I granted Files.Read.All (not just Files.Read) for the non-admin user, I was then able to successfully query a similar endpoint.
As for the ":/" syntax, yes, it is common to use a ":" when specifying a relative location within the siteUrl or a path in a document library. See the examples for site-id using a relative URL or a relative path within a document library.
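The ":/" addressing the answer describes is easy to get subtly wrong when a folder name contains spaces or other reserved characters, which also produces an itemNotFound. The following is an added example, not from the question or Microsoft's documentation: it builds the two Graph URLs used in the question, encoding each path segment, and derives the drive-relative path from a full SharePoint folder URL. The hostnames and site id are the ones quoted in the question; the function names and the "Shared Documents" library-folder assumption are this example's own.

```javascript
const GRAPH = 'https://graph.microsoft.com/v1.0';

// Encode each path segment separately so "/" keeps its meaning while spaces
// and reserved characters inside a segment are escaped.
function encodePath(path) {
  return path.split('/').filter(Boolean).map(encodeURIComponent).join('/');
}

// Look up a site by hostname and server-relative path: /sites/{hostname}:/{path}
function siteByPathUrl(hostname, sitePath) {
  if (!/^[a-z0-9.-]+$/i.test(hostname)) throw new Error('pass the bare hostname, without scheme or path');
  return `${GRAPH}/sites/${hostname}:/${encodePath(sitePath)}`;
}

// Address an item in the site's default drive by path: /sites/{site-id}/drive/root:/{path}
function driveItemByPathUrl(siteId, itemPath) {
  if (!/^[0-9a-f-]{36}$/i.test(siteId)) throw new Error('siteId must be the GUID returned by the site lookup');
  return `${GRAPH}/sites/${siteId}/drive/root:/${encodePath(itemPath)}`;
}

// Turn a full SharePoint folder URL (as pasted from the browser) into the
// drive-relative path by stripping the site prefix and the library's own folder.
// "Shared Documents" is the default library folder name and is an assumption here.
function driveRelativePath(folderUrl, sitePath, libraryFolder = 'Shared Documents') {
  const decoded = decodeURIComponent(new URL(folderUrl).pathname);
  const prefix = `${sitePath.replace(/\/$/, '')}/${libraryFolder}/`;
  if (!decoded.startsWith(prefix)) throw new Error(`${decoded} is not under ${prefix}`);
  return decoded.slice(prefix.length);
}

// Walk the question's own lookup: site by path, then the folder under its drive root.
const SITE_PATH = '/sites/DocumentTemplates';
console.log(siteByPathUrl('testnrep.sharepoint.com', SITE_PATH));
const folder = driveRelativePath(
  'https://ZXY.sharepoint.com/sites/DocumentTemplates/Shared%20Documents/InvestmentTemplate',
  SITE_PATH,
);
console.log(driveItemByPathUrl('54929188-6c44-4555-a85b-27a698b9b572', folder));
```

If both URLs are built this way and the call still returns itemNotFound for a non-admin user only, the remaining difference is the one the answer identifies: the permission granted to the calling identity.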
