I want to create a calendar event using Microsoft Graph with the app's admin username and password. Actually, my logged-in user does not have access rights to edit that calendar.
They only need to, by clicking the button in my app, perform flow that will send admin's username and password using for example Basic Auth without using token and get permission to create calendar event using:
https://graph.microsoft.com/v1.0/me/calendars/{calendar ID}/events
Is it possible to use Microsoft Graph without using tokens and Bearer Auth?
I want the user (with some action from my app) to produce a flow in which the app with the admin's credentials access the admin's calendar. Users only need to click the button. The user is just someone who starts the flow.
Related
I'm trying to implement IdentityServer4. We need to functionality to login as another user, when we're administrators.
I've already setup the login functionality for regular users, but I'd like a specific endpoint where an administrator can enter the username/id of a regular user.
How would one go about implementing this in IdentityServer4, as well as regular oauth2?
This is outside the scope of OIDC/OAuth2 interactions but there are some conventions for how to respresent such a scenario in the result token/claims. Have a read of https://www.rfc-editor.org/rfc/rfc8693 (in particular the act claim bits) for some inspiration.
We did this via the sign in UI flow but the model was that users could grant other users impersonation permissions explicitly. If when signing in you had valid impersonation grants then you'd be prompted as part of the sign in flow to choose a different account or continue as yourself. In your case you can identify admin users and give them the option to impersonate anyone you like.
If the user choses an impersonatee then it would change the current session to respresent that user but also store claims relating to the original user/session in the actor claim (act) and also add an amr claim of imp. We then made these claims available to clients so that they'd be aware of the fact impersonation was used and could then for example add that info to audit logs etc. We also notify the impersonated user via email and restrict access to account settings - i.e. impersonators can only sign into clients as other users, they cannot change their account settings.
I have to read Outlook emails from an inbox in a Windows Console Application. I am trying to use MS Graph Client for the same. Problem is I don't want to login to generate access token. How should I go about generating access token without a login form ? I will appreciate any help.
I have tried the solution given in this article, but couldn't get it working as I didn't know redirectUrl and couldn't resolve some references for the given code.
Single user -> Use device code flow
If you want to access the mailbox of a single user: you can use the Device code flow documentation.
This flow allows you to display a code to the user, they go to the device login page and authorize your application. You also get a refresh token so this access can be used for a log time.
Any user in organization -> Use client credentials
If you want to access any mailbox of the entire organisation you can check out this answer and replace the required permission by Read mail in all mailboxes.
I am trying to understand how to create MVC5 website with Active Directory authentication. Also I want to manage users. So for this I created a simple project in VS2013 and selected "Windows Authentication". When I run the application I get authentication popup to enter AD username and password. After that it does says on top right "Hello AD/UserName!".
But I am not seeing logic where it actually calls for authentication. Also I want to save few AD users to database and allow only them to login to website. How can I do this? Also how will my other web pages know whether user is already authenticated. Thank You.
One Approach-
Instead of selecting 'Windows Authentication', you choose 'Anonymous' (doesn't remember exact word here)
Implement logic to Authenticate user against Active Directory. Once user is Authenticate, store that user object into 'User' property of Current Context. So that you can access it and authorised user in subsequent request.
As you are aware, AD can only authenticate user against it. Providing access to few of them is authorisation part which we need to handle as part of our application. Since you want to enable access to website for few people of AD, what you can do is add those users in your application's database and allow authorisation to those only.
Short description:
If a user has already granted my application OAuth access to their google profile, I want to spare them of having to press "sign in using google" button every time they land on my home page and log them in automatically.
If user has not granted access yet, I want to present them with sign in options page with "sign in using google" button.
Long description:
I am implementing Google OAuth flow as described on this link:
Using OAuth 2.0 for Web Server Applications
Just for the clarity, the flow in question is as follows:
present (client side) user with "sign in using google" button
after user presses the button, redirect them to google's OAuth 2.0 server, where they allow/deny my application to access their google profile
if user allows access, google redirects them back to my application
my application (server side) uses acquired grant to get access token
my application (server side) access user's profile using acquired access token
I want to achieve the following:
If user has already allowed my application access to their google profile before (either on current computer or some other), I want them to have an impression of being signed in to my application (using google) immediately after they navigate to my application's URL. Without having to click anything.
This is at first glance not a problem. To achieve this, I would automate steps 1 and 2 of the flow described above. User would be redirected to google oauth server automatically - without having to press "sign in using google" button - right after they navigates to application's URL. Google in turn immediately redirects user back to my application with a valid grant (again without requiring any input from the user). The rest remains the same. User would have an impression of being logged in immediately .
This approach has a problem though. If user goes to my page for the first time (not having granted my application access before), they would also be redirected to google OAuth page. But since they haven't granted access yet, and didn't press any sing in button, they would and end up staring at google oauth server page confused having no clue, what is going on.
Is there some API, by which I can detect that user has not yet granted access to my app (and I should present him with sing in button first)?
Please, if your solution would involve some API calls, point me to a HTTP/REST API, as I don't use (and do not want use) any higher level OAuth library.
Thanks.
Add "prompt=none" parameter to your initial OAuth redirect. This way google will not block if user has not logged in or has not granted your app the permissions.
See Chapter 3.1.2.1 of http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
Short summary of other possible "prompt" values:
none - will not prompt anything, redirects back with error "login_required" or "interaction_required" if silent login is not possible.
login - force the login prompt, even when user is logged-in.
consent - force the consent prompt, even if user has provided consent in the past.
select_account - present account selection prompt.
I'm studying how to develop an iOS app and I need to figure out how should I structure it.
Architecture:
I've an external database, a REST api (as interface between the database and the app), and the iOS app.
The question:
I'd like users to authenticate by a simple form or by a Facebook login button but in each case a table 'user' in the database has to be filled with default fields like name, surname, email, profile picture, password(?).
For the standard authentication there are no problem, but for Facebook authentication I'm quite confused about theory:
Should I use access token? How?
When a user get authenticated with Facebook I haven't his password, so how can I get his informations from the database? In the standard way I would give to the database username and password and it would return for example the id field.
Sorry for my english.
You can use the access token of current logged in user
[FBSDKAccessToken currentAccessToken]
and send it to your REST api. From there you can retrieve every information you need and save it to your database (except user's password of course). If a user sign in for first time in your app insert a new user in your database and save user's Facebook User ID.
The whole idea of using authenticate and authorization is not to have access to user's password of another app, but the user authorize (confirm) your app to have access in his/her account with specific permissions.
Here is a step-by-step answer of what you need:
Design for Facebook authentication in an iOS app that also accesses a secured web service
You need to save the currentAccessToken that the login request returns to you.
Then, using Facebook's Graph API, the userID that was returned in the login request, and the user access token, you can request a user object, which has the email address, assuming you added the email permission in the login request.
Also use the Graphi API to retrieve the user's photo using the userID that was returned in the login request:
50x50 pixels
<img src="//graph.facebook.com/{{fid}}/picture">
200 pixels width
<img src="//graph.facebook.com/{{fid}}/picture?type=large">