Access Graph API from native iOS application to create a user - ios

I want to gain access to the Graph API in order to integrate a native iOS Sign Up page. I was able to achieve a native implementation of Sign In using ROPC, but there too, after logging in the user and redeeming the refresh token, I wasn't able to read the user profile using the Graph API. Can someone please explain how I can go about this?

AAD B2C tokens cannot access the Microsoft Graph API. Customise the token so that it contains all the information you require in the first place.

Related

Access Microsoft graph resources with an auth0 login

I'm having difficulties finding documentation for auth0 and microsoft graph integration. My end goal is to have a SPA that can login with a microsoft profile to auth0 (connected to azure ad). Then I want my app to get a token for microsoft graph and do some api calls.
As I've understood it so far, auth0 does not allow you to get the access token to different identity providers in a front end application, but rather that they should use a proxy to get this token. My flow therefore is:
I login with a SPA auth0 app (using a microsoft identity)
This is then used to authenticate to a backend server using a api registration in auth0
The backend has its separate machine-to-machine app in auth0
Backend API uses this separate app to get an access token to the auth0 management API
Current user is fetched (based on the logged-in user from the front end app login) from the management API,
Here I find an access token under the Azure identity (if I do the same in the front end, the access tokens are omitted)
Token does not work to call graph, I am unsure of where to send it next.
I am aware that the above is probably completely wrong, that's why I am here :)
My questions are:
1) Is it even possible to get an access token for microsoft graph starting from a login to auth0 in the way I want it to. If not, can it be done from a backend?
2) Does anyone have a link that discusses this, ideally with some code samples.
To answer your first question:
1) Is it even possible to get an access token for microsoft graph starting from a login to auth0 in the way I want it to. If not, can it be done from a backend?
I have had the chance to authenticate apps using the Microsoft identity library called MSAL, whose documentation is found here. It gives a pretty detailed way to authenticate directly from your SPA.
I have also used the Microsoft JavaScript SDK, as it comes with token caching and refreshing built in, so that I do not need to build that for myself.
In relation to this,
Does anyone have a link that discusses this, ideally with some code samples.
You can find the samples well described in the samples section of the SDK
I hope this helps.

Why does Postman require user login for Google oauth?

I'm trying to connect to the Content API for Shopping via API.
I've tried some different OAuth ways (e.g. the "three-step method" with access key and bearer token), but for a specific integration I need the "credentials OAuth".
Currently I tried as following:
https://accounts.google.com/o/oauth2/v2/auth?
client_id=[my client id]&
scope=https://www.googleapis.com/auth/content&
redirect_uri=[some random request bin -> added in Authorised redirect URIs ]&
response_type=code
If I call this via Postman, I'll be redirected to the login page of Google. But why?
How can I solve this problem?
BG
David
Shopping API data is private user data. In order for your application to access private user data it must have the permission of the user who owns that data.
We use OAuth2 to do that. The user must consent to your application accessing its data. In the below image the application Google analytics windows is asking the user for permission to access their Google analytics data.
If I call this via Postman, I'll be redirected to the login page of Google. But why?
You are seeing a login screen with Postman simply because the user needs to be logged in before they can grant access to their data.
How can I solve this problem?
You don't, as there is no problem: the user must log in to grant your client application consent to its data. This is working exactly as it should.
Service accounts
Update to answer comment: Service accounts are special Google accounts that can be used by applications to access Google APIs programmatically via OAuth 2.0. A service account uses an OAuth 2.0 flow that does not require human authorization. Instead, it uses a key file that only your application can access. This guide discusses how to access the Content API for Shopping with service accounts.
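The authorization request typed by hand in the question, as an added example that is not part of the answer above: it builds the same authorization URL with a `state` value added, checks the redirect Google sends back against that `state`, and prepares the server-side code exchange. Client id, redirect URI and the callback URL are constructed placeholders; the endpoints and parameter names are Google's documented ones.

```python
# Added example (not from the question or answer): Google authorization-code
# flow for the Content API for Shopping scope, with CSRF protection via `state`.
# All client identifiers and callback values below are constructed placeholders.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
CONTENT_SCOPE = "https://www.googleapis.com/auth/content"


def new_state() -> str:
    """Unguessable per-request value; store it server-side (session) before redirecting."""
    return secrets.token_urlsafe(32)


def build_auth_url(client_id: str, redirect_uri: str, state: str,
                   scope: str = CONTENT_SCOPE) -> str:
    """The authorization request from the question, plus `state`.
    access_type=offline asks for a refresh token, so the user is not sent
    through the login/consent page again on every run."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "access_type": "offline",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect. Rejects an error
    response, a missing code, and a `state` that does not match the stored one."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_request_body(client_id: str, client_secret: str,
                       redirect_uri: str, code: str) -> dict:
    """Form fields for the POST to TOKEN_ENDPOINT that redeems the code.
    Done on the server so the client secret never reaches a browser or Postman history."""
    return {
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    }


if __name__ == "__main__":
    state = new_state()
    print(build_auth_url("CLIENT_ID_PLACEHOLDER", "https://example.invalid/callback", state))
    # Constructed callback, shaped like the redirect Google issues after consent:
    cb = f"https://example.invalid/callback?state={state}&code=CONSTRUCTED_CODE&scope={CONTENT_SCOPE}"
    code = parse_callback(cb, state)
    print(token_request_body("CLIENT_ID_PLACEHOLDER", "SECRET_PLACEHOLDER",
                             "https://example.invalid/callback", code))
```

Opening the printed URL is exactly what produces the Google login page the question asks about: the user has to be signed in before the consent screen can bind the resulting code to their account. The `state` check is the part Postman does not do for you; without it a callback from a different session would be accepted.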

Getting Access Id for Azure AD Access

I'm using adal.js to enable azure ad login via OAUTH. I've started with this sample app, https://github.com/Azure-Samples/active-directory-javascript-singlepageapp-dotnet-webapi
I need to be able to use Microsoft Graph Api in conjunction with this so that I can grab a list of the groups that the currently logged in user belongs to. I don't know how to get the Access token to do this. Note that I already have a good id_token. Is there an additional redirection that I have to do after login? Is this something that adal.js can help with? Maybe msal.js? Can someone point me in the right direction?
Edit 1:
I'm using the Azure AD version 1 endpoints. I do not have the requirement that anyone outside of our AD needs to log in. It's an enterprise app and should be limited to only my AD. The users have more than 5 groups, thus the tokens have hasgroups:true instead of the actual groups list. I need to call the graph api, but the id token that I'm issued doesn't work, I need an access token, which I don't know how to get.
Seems like you just need to use the right sample code:
https://github.com/Azure-Samples/active-directory-javascript-graphapi-v2
A simple JavaScript single page application calling the Microsoft Graph using msal.js (Azure AD V2 endpoint)
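An added example, not code from the question, this answer or the linked Azure-Samples repositories, covering the situation in this question and in the B2C question at the top of the page: it reads a token's claims to tell an id_token (audience is your own app) from a Graph access token (audience is Graph), flags the `hasgroups` overage case, and builds the v2 endpoint request that asks for a Graph scope. The tenant, app id and redirect URI are placeholders, and the test tokens are constructed with a dummy signature; nothing here verifies a signature, Graph does that on the real token.

```python
# Added example (not from the question or the Azure-Samples repos): inspect JWT
# claims to see which token you hold, and request one that Graph will accept.
# Tokens built by make_unsigned_token() are constructed test data only.
import base64
import json
from urllib.parse import urlencode

GRAPH_RESOURCE = "https://graph.microsoft.com"
# Graph access tokens carry the resource URI or Graph's well-known app id as `aud`.
GRAPH_AUDIENCES = {GRAPH_RESOURCE, "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    """base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_claims(token: str) -> dict:
    """Decode the payload of a compact JWT without checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, client_id: str) -> str:
    """id_token: audience is your own app id. Graph access token: audience is Graph.
    Anything else was issued for some other resource and Graph rejects it."""
    aud = read_claims(token).get("aud")
    if aud in GRAPH_AUDIENCES:
        return "graph_access_token"
    if aud == client_id:
        return "id_token"
    return "access_token_for_other_resource"


def groups_overage(claims: dict) -> bool:
    """True when the token says to fetch groups from Graph instead of reading them
    from the token: hasgroups:true (v1) or a groups entry in _claim_names (v2)."""
    if claims.get("hasgroups") in (True, "true"):
        return True
    return "groups" in (claims.get("_claim_names") or {})


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        state: str, nonce: str,
                        graph_scope: str = "GroupMember.Read.All") -> str:
    """Authorization-code request to the v2 endpoint. Asking for Graph scopes is
    what yields an access token with a Graph audience; an id_token alone never works."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": f"openid profile {GRAPH_RESOURCE}/User.Read {GRAPH_RESOURCE}/{graph_scope}",
        "state": state,   # CSRF protection: compare on return
        "nonce": nonce,   # echoed inside the id_token: compare on return
    }
    return (f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?"
            f"{urlencode(params)}")


def make_unsigned_token(claims: dict) -> str:
    """Constructed token for local testing only: real encoding, dummy signature."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.dummysig"


if __name__ == "__main__":
    app_id = "APP_ID_PLACEHOLDER"
    id_tok = make_unsigned_token({"aud": app_id, "nonce": "n1", "hasgroups": "true"})
    graph_tok = make_unsigned_token({"aud": GRAPH_RESOURCE, "scp": "User.Read GroupMember.Read.All"})
    for t in (id_tok, graph_tok):
        print(classify_token(t, app_id), "| groups overage:", groups_overage(read_claims(t)))
    print(build_authorize_url("contoso.onmicrosoft.com", app_id, "https://localhost:44302/", "s1", "n1"))
```

With adal.js against the v1 endpoint, as in the question, the equivalent step is a separate `acquireToken` call for the Graph resource URI; the token it returns has Graph as its audience, which is what `classify_token` checks for. For the B2C case at the top of the page the check comes out the other way: a B2C-issued token never carries a Graph audience, which is why the answer there says to put the needed claims into the token instead.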

Is there a way how to connect botframework via Oauth?

It is possible to authorize some MS apps using OAuth and a login form. If the user logs in and allows the permissions the app wants, then as a developer you can read (and write) some data via API.
Is it possible with https://botframework.com? I don't want my clients to have to write down the client_id and client_secret in my administration. I just want them to give me permission via logging in and let me download this data.
I've read the MS docs about OAuth and have seen that the possible scopes don't include the bot platform.
To demonstrate what I mean here is a demo application from the docs.
I recommend you to check AuthBot.
AuthBot is a .Net library for Azure Active Directory authentication on bots built via Microsoft Bot Framework.
In short, when using AuthBot, your users will receive a link that they will open and perform the OAuth flow. The users won't have to write their credentials in the bot (which could be a security concern); instead this is done on the MS login page. Then a callback (already provided by the library) will be called and the conversation with the user will be resumed.
You can also check AzureBot as an example of a Bot that uses AuthBot and that retrieves information only available if you are logged in.

Does OAuth2 for Google's API need each user to be signed in Google?

I'm not understanding how OAuth2 works for Google API.
Supposing I've signed in API's console and chosen several API's I would like to use.
My website should offer these APIs to its users.
I am unsure whether my website users have to be logged in to Google to be able to use these APIs.
For example, couldn't some users that prefer to log in with Facebook use the APIs?
Depends on the API. Anything where you're accessing a user's data on their behalf (tasks, calendar, etc) then of course the user would need to have a Google account and would need to log in when authorizing your app.
But not all APIs act on user data. APIs like search & translate don't require a user to authorize access, and typically use a simple API key rather than OAuth.
The user must be signed in to Google to grant authorization to your application.
Your application is required to provide an access token when calling a Google API. The access token is granted by a Google user so that your application is able to access this user's resources on Google. So it's obvious that the user must be signed in to Google.
