I am preparing an app where i need to import calendar events of users in the app. App already has okta authentication and my domain is configured with Office365 to use Okta.
Please advise if I can directly pass Okta token generated by my app to microsoft graph api and fetch calendar events of that user instead of registering an app of MicroSoft azure and using the client id of that app to generate token and use it further fot making calls to
Microsoft Graph calendar API.
Thanks in advance.
Related
I am building an application where the user logs in via Microsoft sso using MSAL.But the token that I get from MSAL doesn't work when I try to create an Event in Microsoft calendar.
What i have done:
I have added Delegated Calendar.Read and Calendar.ReadWrite Permission for the App.
While trying to create an event from the Microsoft Graph explorer it is working.
The error i got when i used the access token from MSAL to create an event
{"error":{"code":"NoPermissionsInAccessToken","message":"The token contains no permissions, or permissions can not be
understood.","innerError":{"oAuthEventOperationId":"9fc5a400-c9d7-4880-89ff-0670cfe1b5e7","oAuthEventcV":"fVIhwRVmSAkpeAAnHn03vQ.1.1","errorUrl":"https://aka.ms/autherrors#error-InvalidGrant","requestId":"c3bbb134-c902-4f46-b525-f1d30011c5dc","date":"2022-01-13T10:03:01"}}}
Make Sure to use an organization account to login with microsoft.
I have a .Net core web Api calling google drive api. The google drive api should authenticate the api call with Okta and authorize. How can this be achieved?
Should i setup the auth application in Okta dashboard and generate client id and authentication token?
Which before calling google api will be used to get bearer token from Okta and shared with the google api?
Will be registered with google admin console and generate the tokens?
The domain of the api will be google.api.com ... so no where it is going to Okta for authentication
What you do with your Okta site will be after you have gained access to the google api on behalf of your users. a bearer token from Okta will not grant you access to a google api you need to go though googles authorization server to get that.
In order to access the Google Drive api and access private user data. The owner of that data will need to authorize your access.
To do this we use something called Oauth2. The issue you will have is begin that you say you are using a web api to call Google you will need to create a web application on the side where your users can authorize your application to access their data. You will need to register your application with google on Google Developer console. Create a web client credentials. Then when the user has authorized your application to access their data you will will need to store the refresh token in your system associated with the user.
Then your web api will be able to access the users data by loading the refresh token and requesting a new access token.
There is currently only one sample web-applications-asp.net-core-3 for .net core web applications it doesn't show how to store the refresh token you will need to work that out.
I do have a video on setting up asp .net core with the google people api it might give you a starting point How to get a Google users profile information, with C#. as well as one on how to create a How to create Google Oauth2 web application credentials in 2021.
I have been using Microsoft Graph APIs in my .NET application to read Calendar, mails and Contacts from Office 365. Now my application uses Access Token for its working, which expires after every one hour and prompts the User to re-login.
My requirement is to extend the token expiry, which can only be done using Refresh Token. I tried to include the scope "offline_access" in my app and it gave me the error "MSAL always sends the scopes 'openid profile offline_access'. They cannot be suppressed as they are required for the library to function. Do not include any of these scopes in the scope parameter."
I have modelled my application on the demo given by Microsoft for Graph APIs and MVC integration on the link:
https://learn.microsoft.com/en-us/outlook/rest/dotnet-tutorial
What wrong am I doing here or what am I missing?
Any help would be greatly appreciated.
The tutorial you are referring to is for the Outlook REST APIs. NOT Microsoft Graph. All Microsoft Graph samples are here https://developer.microsoft.com/en-us/graph/gallery/?filterBy=Samples,SDKs
There is a great getting started page that links to a tutorial to build your first app https://developer.microsoft.com/en-us/graph/get-started/asp.net
This uses MSAL v2.7 SDK that handles the refresh tokens for you and the Microsoft Graph SDK for dotnet.
I am developing a console app in .net which will send mail using the Azure AD application. I followed all the step from generating the certificates to registered an application in Azure AD. Then provided the application permission (Send mail as any user) using Microsoft graph API and provided it “grant permission” as an admin consent.
In my console app code I uses the below outlook api to send mail as
resourseurl — https://outlook.office.com/api/v1.0/users/{my email account}/sendmail. After providing grant permission to my app I am still facing the 401:unauthorized error.
You gave permissions to Microsoft Graph API, so you need to use it.
https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_sendmail
The URL that you need to use is thus:
POST https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/sendMail
Internally the graph API does call the API you mentioned. But your token is for the graph. Not the outlook API.
You also mentioned the resource URL. The graph API resource URL is https://graph.microsoft.com.
I am new to Microsoft Graph and SharePoint Framework. Recently developing spfx webpart with Graph API's integration.
I have registered the app in https://apps.dev.microsoft.com portal and AAD implementation through hello.js.
The first time browsing to the page, it redirects to Microsoft app login page and prompt for credentials.
Once authentication successful then it's working fine, from then on it does not prompt for credentials.
Is there any possiblities to access MS Graph API directly using Application Id, and Secret without prompting for login?
Yes, you will want to use the client credential flow to do this. You will only have access to organizational data (/me won't work for example, but /users will). There is an article on getting access here.
You will need to log in as an admin one time per application to authorize your app to use your tenant's data. You can do this at:
https://login.microsoftonline.com/{tenant}/adminconsent?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions