Access to user's mailbox using EWS, OAuth2 and user's credentials - oauth-2.0

In our application we use EWS and basic authentication.
An user can get access to own mailbox only or to all mailboxes in his organization if he has admin credentials. Now we are trying to replace basic authentication with OAuth2 authentication.
We registered the application on Azure portal, added the permission "EWS.AccessAsUser.All".
For an admin account everything works well. Our application can get access to any mailbox in admin's organization.
The problem is in that we cannot get an authorization code for a standard user account.
"TestApp needs permission to access resources in your organization that only an admin can grant" is shown.
So the question is: is there a way to get access to user's mailbox using EWS, OAuth2 and user's credentials?

With oAuth you need to grant consent for your application in a Tenant eg
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent once you have granted tenant wide consent any user should be able to use the application unless you apply restrictions. If your application is being used by other companies then you need to have a Multi Tenant application registration and the client will need to consent to its use in their tenant before they can use it.

Related

Is It Possible to control User Access On An OAuth Client Application?

Our OAuth client application is built with Spring (through JHipster). The OAuth provider only serves the authentication functionality, but not the authorization functionality. Ideally, we should only allow a small group of people to access our OAuth client application, but not all those users who can sign in to the OAuth provider.
A solution I can think of at this moment is to create a custom user role to control the access in the OAuth client application. That, however, only can be done after the user's first sign-in when the user account data is created in the application.
Any better solutions?
Ideally you would apply user access control before creating user account data is created in the application. You could do so by providing an application specific scope or claim in the token that is generated for your application (aka. Client). Upon receiving the token, the application would check for the required attribute in the token before allowing access.

Delegated access to exchange online without user constent?

Would it be possible for a background service to use identity of specific shared mail box user in conjunction with the delegated access permissions without actually requiring an end user to authenticate ?
How would this be achieved in office365 exchange services with OAUTH 2.0 ?
Regards
Would it be possible for a background service to use identity of specific shared mail box user in conjunction with the delegated access permissions without actually requiring an end user to authenticate ?
If you use the client credentials flow https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow so you service is then getting an Access token using a SSL certificate of client secret. It can then impersonate (so it not delegate access) any Mailbox in your tenant and send as that user.
If your on Office365 then you may want to look at the Graph API instead that allows you to have a much tighter set of permissions (eg you could for instance just grant your app/service SendAs rights) when compared to EWS which only allows full Mailbox access.

In the Microsoft Graph API, can an app with admin consent generate a token for a different user than the admin that approved it?

I have a multi tenant app registered in Microsoft Active Directory that uses admin consent to gain access to some application scope APIs in the Microsoft Graph API. It uses the /token endpoint to get a token, then calls those Graph APIs. It's working perfectly.
https://learn.microsoft.com/en-us/graph/auth-v2-service#token-request
Now I want to enhance my app to access some delegated (user) scope APIs, that do not allow access at application scope. My app is already configured to request these delegated permissions from the admin at admin consent time. But I'd like to call these APIs as each user in the directory, not the admin who installed my app.
Importantly, it is not feasible for me to have every user in the organization individually go through the OAuth flow for my app.
Is that possible?
Can I impersonate a user somehow by exchanging my application token for a user token?
Can the admin do something programmatically to generate tokens as individual users for my app as if they had been put through an OAuth flow?
No, you cannot convert an Application token to a Delegated token. The only way to act as a specific User is for that User to "delegate" those activities to your application.
Note that Admin Consent only provides consent to your App to operate within a tenant. It is destinct from, not a superset of, User Consent. In order to obtain a Delegated token, you need to receive both User and Admin consent.

office365/azure oauth using delegated user id

My goal is to write some code to enable an Office 365 user to access files in OneDrive for business via REST API. I have registered an application in Azure AD (Web App/single tenant) and have a redirect URI to receive the OAuth token. I want to use the "delegated user identity with OAuth" scenario. To see how it works, I use the "Office 365 OAuth Sandbox" here: https://oauthplay.azurewebsites.net/. When I "Authorize using own account" and enter any valid Office 365 user credentials, I get an access token back. When I replace the client ID and redirect URI in the authorization URL with the info of my registered app, I can only get the token when I enter a user registered in my app (otherwise I get an error 50012 during sign-in). What do I have to change in my configuration to allow any Office 365 user to get an authorization token (like the Sandbox does) ?
You need to mark your web application as multitenant, or Azure AD will constrain all callers to be from the tenant in which you provisioned the application.
Take a look at https://github.com/AzureADSamples/WebApp-WebAPI-MultiTenant-OpenIdConnect-DotNet for an example of a web app that is multitenant and invokes a Microsoft API. Note that you don't necessarily need to validate issues as shown in the sample, just do what makes sense for your scenario (which might mean even not validating).

Oauth resource owner password credentials grant type with WSO2 API manager when sso is setup with identity server

I am trying a POC with WSO2 API manager and Identity server. The application users are registered to the user store on the identity server. An API is exposed on the API manager that will be used by the application. The goal is to authenticate the users accessing the application using the oauth resource owner password credentials. The user credentials are in the user store on the identity server.I created a new tenant for this.
I configured SSO for the API manager by using this documentation. so that the users are authenticated against the identity server user store.
Tried to generate a token to access the API exposed on the API manager. I was able to retrieve the token client credentials grant type but not for the resource owner password grant type.
Appreciate any help here.
I do not think, you need SSO here. SSO is needed with APIM and WSO2IS, if users need to login to the API store/publisher/APIM management console. I hope you are talking about end users.. Then end users are may not need to login to the APIM. They just need to login your custom applications and application would call the APIs in the APIM.
But, say user need to login to custom applications using SSO, then you can configure SSO between WSO2IS and custom applications. Please refer here. Once user login to the application, application can exchange a end user's SAML2 Assertion with access token by using APIM. Then application can access the APIs in APIM using access token behalf of the user. You can refer this for more details
Also, if you are just trying to use OAuth just for authentication, You may need to use openid-connect. (just to login to custom application)

Resources