Graph API /me/joinedTeams unexpected result - microsoft-graph-api

I'm having some issues with the List joinedTeams graph api endpoint.
I was expecting that me/joinedTeams would give the same result as users/my-user-id/joinedTeams, however the first one only returns one team and the second returns multiple (haven't checked if it's complete).
So the question is, did I find a bug in the Graph API or is there something else going on?
I'm using delegated permissions
I've checked the token at jwt.ms, the aud is 00000003-0000-0000-c000-000000000000 and it includes the following scopes:
Directory.Read.All
Group.Read.All
Member.Read.Hidden
Team.ReadBasic.All
User.Read
Update: It seems I can no longer reproduce the issue, so I'm concluding that there was some short issue with syncing between the Azure AD and the responding Graph API server.

My idea is the same as #Ergec, you need to make sure you are using the same user id.
I just tested these two APIs with graph-explorer and they did return the same result to me.
I suggest you first request the /me endpoint to get the id, then paste it to the /users endpoint, making sure they use the same id.
1.
2.

Related

I am getting these weird access tokens from microsoft

I have implemented authentication against microsoft in my application. I have the following code:
Note that for scopes I have tried adding openid and profile but the same thing happens
Once it runs the acquireTokenSilent(), the authResult contains an accessToken that doesn't look right, and it's causing problems when using it to contact the graph api. This is what authResult looks like:
If you look closely this is what access token looks like:
EwBgA8l6BAAUO9chh8cJscQLmU LSWpbnr0vmwwAAR1aq2Mea9vF5dtLZLzQ/aPmRbx24QJ5pg8OLpfcRYDTx6CNZR5zNdBHsJ2PTbz Ypu1635Ur9wMA zmHhICnMt00QfA3hWgrLQXOYXXjt0xdzRRoxbjs6/jBLFvMcMdDPAt6yENfDaw9PQkdFp NNTjDYm5djScvBoMGS1K2ghFwWjFwa eRm5Zb17aMwopVWHs/cvF8T3/7A l/qbPi/BEGvVa8IZbAbVUpVPkml9gfW1lJ5rE6c2mNEEJWgg9YGeETQV4LjfVK/byr7oCdsbwSLua5Uwvo5jN9VFuuSs5x5QonJJmgpB3EfNnobUBLxYKm6HbuiE6t9LnDJJ2ESMDZgAACI46be98pNPrMALOOeGW2vSOp7qfeDPiy6R72fXzeBxnDRpe/pLyEWPZHDmQtjs6AhhqnYBQ1bLEoXoxPDmAKbGrH9yINhgx/WNscrPnnc5tPcgq0DvJXae50BPVzGvrlPW8bauEjMPFJBZL/TF07wmFIi7ppaxxSaXBmFiNBkD3/gxrjvXzbQdg/vUkOwyPRHF6HkX4N88y1CfE546SYx834nqzWQS9a6D3zMCSbrlBfw8BKVkbluJ0kI979lKiKd21rUZFCN781Qy4rmGHO5R91iKvshglPN4KV1LXNT3H2iHLgePxiWs HhBN1diWeMMcIe3cO4BFRetJF9s00/v6ENP1rZC 7CXTK8EV3av1 3QGBgCfPmMUfBjoAn/RsGQ6WzKty2N78buK4jOaF0VOKnR/XXsxAdZMO0LAyfcpYqOciHE05vzu7eDW7G0VCucGodpwF35ugKXAwW8sg1IIm3qQ4961k4PWRUoA3ah 6gwuzB9nDACvpoGmWRHGxjkO YUecSDuLeH3J3m FNsOJhsn wwKLtG4BsWyBb/4Oo7n798 a7W5USbowesk3 TsMLUrSobnbZTnIcu3gee2nSg6A8PQCPRR/Xx0 ItJM4LZXqMQNGK gMe5eD9rcXuRYI2yZFBBNEC1C6e/pzv3sfTaf4LkP8O2JYAQ9s0f46yvsPv35fwyZDMciNHBUpoGDSw2Ux9kWuNBnMWSdAjBu8ZWhkLFX4to PmsC
When, according to microsoft it should look more or less like:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Imk2bEdrM0ZaenhSY1ViMkMzbkVRN3N5SEpsWSIsImtpZCI6Imk2bEdrM0ZaenhSY1ViMkMzbkVRN3N5SEpsWSJ9
This is happening when using personal outlook accounts. When I'm testing using my company account, it's working
You cannot decode an MSA token, they're not a JWT. Since Outlook comes under a personal account it is not similar to JWT.
Similar kind of issue please refer

Is it not possible anymore to use chat:write:bot scope for Slack apps

I want my app to chat.postMessages to Slack, using the icon_emoji and username parameters so that I sometimes change the icon and name displayed.
From the doc of the method, it seems I have to set as_user to false. But when I do so, I'm getting a missing_scope error: I need scope chat:write:bot. (Same error whether I use my OAuth access token or my OAuth bot user access token)
But from this page I got that they are disappearing? So are the parameters I want to use (icon_emoji and username) going to disappear as well?
No, as of Dec 19 2019, you cannot use icon_emoji, etc
I ran into the same issue, and so I opened a support ticket with Slack. After a few messages back and forth, I got confirmation that this is likely a bug:
With your help I was able to replicate the issue. I suspect this is a bug but I've escalated it to the Granular Bot Token team for a second opinion. As soon as I have more details I will let you know.
Edit:
I've received another update, which I've trimmed down to the essentials:
When building the Granular Bot Token model our team really wanted to use this as an opportunity to slowly deprecate certain API behaviour. The as_user parameter is one of them. See the following comment from (https://api.slack.com/authentication/quickstart).
One effect worth noting: chat.postMessage and other chat.* methods no longer mess around with the as_user parameter. You're granted a single chat:write scope (no :user or :bot is appended). If you call the chat.postMessage method with your bot token, you post as the bot. If you've obtained a user token through the new install flow, and you call the method with your user token, you post as the user.
So in regards to the action you are wanting to take, I'm afraid it's not possible with Granular Bot Token. We also recognized that the error this is throwing is completely unhelpful and confusing for developers. For this, we've created a bug to fix the error that's returned when Granular Bot tokens try to make restricted API calls.
I've requested clarification on whether it is just the as_user part that is deprecated, or the icon_emoji part as well.
Edit 2 (Dec 19, 2019 13:38 EST):
One, probably final, update:
The option for app to change information such as username, avatar and icon via the API is up for debate as well. Currently with Granular Bot Tokens you can only update that information via your API management page.
Which is really unfortunate.
I had to add a Scope to "Bot Token Scopes" with the value of "chat:write.customize".
https://api.slack.com/scopes/chat:write.customize
then I had to re-install my app. And it worked like I expected.
Note: I tried this as it was a suggestion from a comment. but it worked so i am adding it as an answer.

Can I retrieve an Outlook room calendar view with the MS Graph API?

Using the Graph API we are already successfully retrieving calendar views for a user's calendar (on behalf of the user). Now users would also like to be able to retrieve room calendars. So I tried the following:
https://graph.microsoft.com/beta/users/room1#ourdomain.com/calendarView
https://graph.microsoft.com/v1.0/users/room1#ourdomain.com/calendarView
https://graph.microsoft.com/beta/users/room1#ourdomain.com/events
https://graph.microsoft.com/v1.0/users/room1#ourdomain.com/events
Unfortunately all of them return a ErrorServiceUnavailable error.
App permissions and OAuth2 scopes are set to: openid email profile offline_access https://graph.microsoft.com/Calendars.Read https://graph.microsoft.com/Calendars.Read.Shared https://graph.microsoft.com/User.Read https://graph.microsoft.com/User.ReadBasic.All https://graph.microsoft.com/User.Read.All, so that should not be an issue.
Am I doing something wrong or is this simply not supported?
https://graph.microsoft.com/v1.0/users/room1#ourdomain.com/calendarView is the approach I've used successfully. I had an issue with permissions and gave my app every permission in Azure, and it worked for me. I can't help with which specific permissions it is, but for testing this is how I resolved an issue I had.
Am I doing something wrong or is this simply not supported?
For your current question: Obviously you did wrong or the Service - side temporary exception. The api is supported.
You should provide the code you have used, and based on the code, we can check what is wrong on your side.

Can't access Microsoft Graph users calendars 403

I have seen other posts that are very similar, but I don't find a real answer. Some say "it is coming", those are old.
I am authenticating with the Admin credentials to our O365 and trying to pull calendar information. The Scope has Calendars.ReadWrite (which falls under App-Only and Delegate as far as scopes), but it always returns a 403. ErrorAccessDenied, "Access is denied. Check credentials and try again"
The Graph doc for calendar views shows it can send in users/{id} in the request, and the id's came back when I listed all the users. Of course if I use mine, it works.
If there really is an App-Only scope vs a Delegate scope for this same scope name, how do you specify that?
Is there something I have to specify in O365 for my admin user so it has rights? I can delete or create any user with that account in O365, so it appears it should have what it needs.
Thanks
So, App-Only has a slightly different flow.
First, instead of authenticating the user at "https://login.microsoftonline.com/common/oauth2/v2.0/authorize", you authenticate them at "https://login.microsoftonline.com/common/adminconsent".
Second, you pass in the same parameters minus "scope". Scope is determined by your Application Permissions defined in you application that you registered at apps.dev.microsoft.com.
Third, when you receive your callback you will not have a "code" to use to go and retrieve your Access and Refresh tokens. Instead, you will receive a "tenant" property and an "admin_consent" property. "admin_consent" will tell you whether you have the rights or not.
Fourth, when requesting your access token, you will not supply the "scope" or "code" parameters, but you will provide a "resource" parameter, with the value "https://graph.microsoft.com".
Lastly, the URL you contact to get the token will change from "https://login.microsoftonline.com/common/oauth2/v2.0/token" to "https://login.microsoftonline.com/{tenant}/oauth2/token", where {tenant} will be the value returned.
Please note that in the URL that "v2.0" is missing. That isn't a typo. If you do not remove that from the path you will get errors about an invalid or missing "scope" parameter.
Once it successfully returns your Access and Refresh token, the flow seems to follow normal delegated access.
Here are a couple of links that Microsoft gave me, with their guidance to help figure this out.
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes#using-the-admin-consent-endpoint
https://developer.microsoft.com/en-us/graph/docs/authorization/app_only
(Big Thanks to Jeff at Microsoft)
Latest doc is here: https://learn.microsoft.com/en-us/graph/auth-v2-service
I followed it and I was able to read/write other's calendar with permission Calendars.ReadWrite.

YouTube API broken by Google. 'Authentication with Google failed. Reason: NoLinkedYouTubeAccount'

** UPDATE **
It truly seems that Google has just screwed every single person on the planet by absolutely requiring user interaction to upload a video. Of course I know, they are free. Exactly what I warned the client years ago about, so I don't need to be reminded. Thank You.
So I would like to try to take this in a different direction and just find a loophole and a workaround to still keep doing what we are doing in spite of Google's complete lack of support or caring in any way about the developers and what they have to deal with.
It would be different if you can actually call a phone number and talk to a human being about YouTube Partner access, but you can more quickly get access to the Illuminati.
OAuth 2.0 is now the only supported authentication method period. It does require user interaction.
But what about that token? Does anybody know how long the token lasts?
If I can obtain a token just once using user interaction and place it in the database, I can automate possibly hundreds or thousands of interactions afterwards.
In other words, I'm trying to turn the user interaction into a speed bump instead of a concrete wall.
If anybody has any examples of obtaining that token, caching it, and using it afterwards, that would be a godsend to me right now.
Thanks for the comments and the help. I'm not surprised that the YouTube Developers Forum just folded and said to come here instead :)
It seems that Google has completely pulled the plug on the existing dashboard.
https://code.google.com/apis/youtube/dashboard/gwt/index.html
That link is now 404'd. Tried from several different browsers on different systems.
Registered under the new Google APIs Console already, but still get the problem.
// Set the authentication URL for this connection object
$authenticationURL= 'https://www.google.com/youtube/accounts/ClientLogin';
// Try to connect to YouTube with the channel credentials passed
try {
$httpClient =
Zend_Gdata_ClientLogin::getHttpClient(
$username = $channelfields['EMAIL_ADDRESS'],
$password = $channelfields['PASSCODE'],
$service = 'youtube',
$client = null,
$source = 'Redacted Data',
$loginToken = $channelfields['CACHED_TOKEN'],
$loginCaptcha = '',
$authenticationURL);
} catch (Zend_Gdata_App_HttpException $httpException) {
$update_error['response_body'] = $httpException->getRawResponseBody();
$update_error['error'] = 1;
} catch (Zend_Gdata_App_Exception $e) {
$update_error['message'] = $e->getMessage();
$update_error['error'] = 1;
}
This code has worked perfectly fine before, but does not work with the older API key, or the newer one generated inside the Google APIs console.
I'm attempting a simple upload and this concerns me greatly:
"The service account flow supports server-to-server interactions that do not access user information. However, the YouTube Data API does not support this flow. Since there is no way to link a Service Account to a YouTube account, attempts to authorize requests with this flow will generate a NoLinkedYouTubeAccount error."
From all reports it seems that Google has forced YouTube uploads to become interactive in all cases precluding all possibility of platforms that automatically upload generated content from working at all.
Any help or insights into the process is appreciated.
P.S - Ohhh, it's been awhile since I looked at that system and Google shut down the YouTube Developer Forums and said "YOU" were responsible for their support now :)
OAuth2 does support the ability to avoid user interaction through the offline access type parameter (ie, using access_type=offline). Check out Google documentation for details.
The solution is really rather simple. Your app needs to use oauth to request offline access. It will be given an access cide which you convert to a refresh token, which is the thing you store in your database. This doesn't expire. Well actually it sometimes does, but that's another story. Whenever you need to access the api, use the stored refresh token to request an access token which you include in each api call.
See https://developers.google.com/accounts/docs/OAuth2WebServer for details.
I don't know what you did but https://code.google.com/apis/youtube/dashboard/gwt/index.html works perfectly fine for me. Maybe it was a temporary issue. If you want no user interaction you HAVE to use YouTube API v2 OR you have to use v3 with methods that don't require authentification OR you have to provide your own youtube account credentials which is not recommended and probably not appropriate for you situation.
Several issues to respond here, I think.
1) The older API console has not been removed, but I've noticed intermittent outages to it and to the newer API console while Google is rolling out their new "cloud console."
2) ClientLogin was officially deprecated in April of 2012, not just 48 hours ago. Jeff Posnick has detailed all the changes over the months (and related ones, such as AuthSub, Youtube Direct, etc.) at his blog (apiblog.youtube.com).
3) You're right that, with v3 of the APIs, you cannot do automatic uploads across the board, as the oAuth2 flow requires user interaction. However, given the limited description of your use case, using refresh tokens is probably your best bet. If the content is user generated, somewhere they must be logging into your app, correct? (so that your app knows which credentials to leverage to do the uploads). At the point they're logging into your app, and you're starting the oAuth2 flow, you just have to hit the first oAuth endpoint and pass it the parameter access_type=offline (along with any other parameters). This will ensure that, when they grant that initial permission, you're returned a refresh token instead of an access token. With that refresh token, you can exchange it for multiple access tokens as needed (an access token lives for about an hour. I don't know how long a refresh token lives, but I've never had one expire before my own login cookies did, and then I just get a new one when my users re-login to my app).
Here's some more info on how to use the refresh token; note, too, that the various google api client libraries make it pretty smooth.
https://developers.google.com/accounts/docs/OAuth2WebServer#refresh
Also, this video tutorial from a Google Developers Live broadcast a couple of months ago might help illustrate the point: http://www.youtube.com/watch?v=hfWe1gPCnzc -- it's using the oAuth playground rather than a client library, but the concept is the same.
The answer is to use google-api-php-client, create an interactive auth page, and set up YouTube API v3 correctly with the new API console.
You can create a very simple page that will authenticate for the supplied channel and then store the correct token in your database. Is already working and uploading hundreds of videos on one channel. You do need to remember to fully activate yourself under the new API console and add the services required. Just keep authenticating and adding the services it says it needs. After that, the regular v3 upload process works just fine. On failure send a group an email and they can get a new token in 10 seconds.
Not the most elegant solution, but the documentation from Google is far from elegant anyways that Stack Overflow is now their front line support.
Just hang in there, a solution is always found. Don't give up!
I didn't get here by myself either, the other answers on this page helped me get all the way to this point. Thanks guys.
P.S - Don't forget the scopes
$client->setScopes("https://www.googleapis.com/auth/youtube https://www.googleapis.com/auth/youtube.upload");

Resources