I have implemented authentication against microsoft in my application. I have the following code:
Note that for scopes I have tried adding openid and profile but the same thing happens
Once it runs the acquireTokenSilent(), the authResult contains an accessToken that doesn't look right, and it's causing problems when using it to contact the graph api. This is what authResult looks like:
If you look closely this is what access token looks like:
EwBgA8l6BAAUO9chh8cJscQLmU LSWpbnr0vmwwAAR1aq2Mea9vF5dtLZLzQ/aPmRbx24QJ5pg8OLpfcRYDTx6CNZR5zNdBHsJ2PTbz Ypu1635Ur9wMA zmHhICnMt00QfA3hWgrLQXOYXXjt0xdzRRoxbjs6/jBLFvMcMdDPAt6yENfDaw9PQkdFp NNTjDYm5djScvBoMGS1K2ghFwWjFwa eRm5Zb17aMwopVWHs/cvF8T3/7A l/qbPi/BEGvVa8IZbAbVUpVPkml9gfW1lJ5rE6c2mNEEJWgg9YGeETQV4LjfVK/byr7oCdsbwSLua5Uwvo5jN9VFuuSs5x5QonJJmgpB3EfNnobUBLxYKm6HbuiE6t9LnDJJ2ESMDZgAACI46be98pNPrMALOOeGW2vSOp7qfeDPiy6R72fXzeBxnDRpe/pLyEWPZHDmQtjs6AhhqnYBQ1bLEoXoxPDmAKbGrH9yINhgx/WNscrPnnc5tPcgq0DvJXae50BPVzGvrlPW8bauEjMPFJBZL/TF07wmFIi7ppaxxSaXBmFiNBkD3/gxrjvXzbQdg/vUkOwyPRHF6HkX4N88y1CfE546SYx834nqzWQS9a6D3zMCSbrlBfw8BKVkbluJ0kI979lKiKd21rUZFCN781Qy4rmGHO5R91iKvshglPN4KV1LXNT3H2iHLgePxiWs HhBN1diWeMMcIe3cO4BFRetJF9s00/v6ENP1rZC 7CXTK8EV3av1 3QGBgCfPmMUfBjoAn/RsGQ6WzKty2N78buK4jOaF0VOKnR/XXsxAdZMO0LAyfcpYqOciHE05vzu7eDW7G0VCucGodpwF35ugKXAwW8sg1IIm3qQ4961k4PWRUoA3ah 6gwuzB9nDACvpoGmWRHGxjkO YUecSDuLeH3J3m FNsOJhsn wwKLtG4BsWyBb/4Oo7n798 a7W5USbowesk3 TsMLUrSobnbZTnIcu3gee2nSg6A8PQCPRR/Xx0 ItJM4LZXqMQNGK gMe5eD9rcXuRYI2yZFBBNEC1C6e/pzv3sfTaf4LkP8O2JYAQ9s0f46yvsPv35fwyZDMciNHBUpoGDSw2Ux9kWuNBnMWSdAjBu8ZWhkLFX4to PmsC
When, according to microsoft it should look more or less like:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Imk2bEdrM0ZaenhSY1ViMkMzbkVRN3N5SEpsWSIsImtpZCI6Imk2bEdrM0ZaenhSY1ViMkMzbkVRN3N5SEpsWSJ9
This is happening when using personal outlook accounts. When I'm testing using my company account, it's working
You cannot decode an MSA token, they're not a JWT. Since Outlook comes under a personal account it is not similar to JWT.
Similar kind of issue please refer
Related
I'm having some issues with the List joinedTeams graph api endpoint.
I was expecting that me/joinedTeams would give the same result as users/my-user-id/joinedTeams, however the first one only returns one team and the second returns multiple (haven't checked if it's complete).
So the question is, did I find a bug in the Graph API or is there something else going on?
I'm using delegated permissions
I've checked the token at jwt.ms, the aud is 00000003-0000-0000-c000-000000000000 and it includes the following scopes:
Directory.Read.All
Group.Read.All
Member.Read.Hidden
Team.ReadBasic.All
User.Read
Update: It seems I can no longer reproduce the issue, so I'm concluding that there was some short issue with syncing between the Azure AD and the responding Graph API server.
My idea is the same as #Ergec, you need to make sure you are using the same user id.
I just tested these two APIs with graph-explorer and they did return the same result to me.
I suggest you first request the /me endpoint to get the id, then paste it to the /users endpoint, making sure they use the same id.
1.
2.
I'm fighting with the identity parts of ASP.NET Core 2.2 again. This time its Facebook login. Google and Microsoft work with some small tweaks but Facebook has me stumped.
Here's my config.
"Facebook": {
"ClientId": "See secrets.json",
"ClientSecret": "See secrets.json",
"AuthorizationEndpoint": "https://www.facebook.com/v5.0/dialog/oauth",
"TokenEndpoint": "https://graph.facebook.com/oauth/access_token",
"UserInformationEndpoint": "https://graph.facebook.com/me?fields=id,name,first_name,email",
"CallbackPath": "/oauth2/facebook",
"Scope": [ "public_profile", "email" ]
}
Using Fiddler I cannot see any attempt to call the /me resource to get the profile. I can see the backchannel call out to get the access token and I see the response looks like good JSON to me and the token works; I can call the Facebook Graph API manually and get my profile.
I had Fiddler trace a working Google login and I see a token come back with what appears to be the same JSON schema as Facebook uses, and then another clear request/response on the backchannel to get my Google profile.
Facebook returns { "access_token", "token_type", "expires_in" } while
Google return { "access_token", "expires_in", "scope", "token_type", "id_token" }.
Sadly, because I'm using the Microsoft framework and didn't roll my own OAuth code this time, I am unable to see what's happening internally and I think Microsoft chose not to log anything for fear of leaking secrets into logs.
I'm out of ideas.
Exact same issue after setting up LinkedIn. Token comes back looking fine but it doesn't even try to call to get the profile.
What a severely costly nightmare the Identity framework is.
I have the Facebook login working. I was looking at why the Microsoft and Google ones work and saw that they use their own extension methods, like AddGoogle and not the vanilla AddOAuth.
Looking at the code on GitHub reveals that each of the named ones uses a custom handler.
This tells me that each OAuth provider is incapable of following a standard and so custom code is needed for each one! Lovely job everyone. Top marks.
I'll try using the Google (etc) handlers for LinkedIn and see if any are "compatible".
Using the Graph API we are already successfully retrieving calendar views for a user's calendar (on behalf of the user). Now users would also like to be able to retrieve room calendars. So I tried the following:
https://graph.microsoft.com/beta/users/room1#ourdomain.com/calendarView
https://graph.microsoft.com/v1.0/users/room1#ourdomain.com/calendarView
https://graph.microsoft.com/beta/users/room1#ourdomain.com/events
https://graph.microsoft.com/v1.0/users/room1#ourdomain.com/events
Unfortunately all of them return a ErrorServiceUnavailable error.
App permissions and OAuth2 scopes are set to: openid email profile offline_access https://graph.microsoft.com/Calendars.Read https://graph.microsoft.com/Calendars.Read.Shared https://graph.microsoft.com/User.Read https://graph.microsoft.com/User.ReadBasic.All https://graph.microsoft.com/User.Read.All, so that should not be an issue.
Am I doing something wrong or is this simply not supported?
https://graph.microsoft.com/v1.0/users/room1#ourdomain.com/calendarView is the approach I've used successfully. I had an issue with permissions and gave my app every permission in Azure, and it worked for me. I can't help with which specific permissions it is, but for testing this is how I resolved an issue I had.
Am I doing something wrong or is this simply not supported?
For your current question: Obviously you did wrong or the Service - side temporary exception. The api is supported.
You should provide the code you have used, and based on the code, we can check what is wrong on your side.
I gave my application the following scopes:
SCOPES = [ "Calendars.Read", "User.Read.All" ]
I got an access token. With this token I am able to get the users and I get two users back which is correct.
When I then ask for the calendar of myself (admin):
https://graph.microsoft.com/v1.0/users/stijn#temponia.onmicrosoft.com/calendarview?startDateTime=#{start_date.to_s}&endDateTime=#{end_date.to_s}
This also works perfectly. However when I do this for the other user:
https://graph.microsoft.com/v1.0/users/frank#temponia.onmicrosoft.com/calendarview?startDateTime=#{start_date.to_s}&endDateTime=#{end_date.to_s}
I get this error message:
Access is denied. Check credentials and try again.
According to the documentation: https://graph.microsoft.io/en-us/docs/authorization/permission_scopes
Calendars.Read: Read calendars in all mailboxes: Allows the app to read events of all calendars without a signed-in user.
The scope I got back together with the access token was this: "calendars.read user.read.all" so it got accepted.
What am I missing here?
We are working to support the scenario you are requesting (Accessing other users' calendars) but the feature hasn't shipped yet. Stay tuned ...
UPDATE: Please take a look at using client credential flow. The blog post https://blogs.msdn.microsoft.com/exchangedev/2015/01/21/building-daemon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow/ explains how to do this for Outlook API endpoint. But you should be able to follow the instructions for Microsoft Graph as well.
The app will require an admin to consent, and then can access calendar of any user in the organization, as long as their mailbox is in Office 365.
I'm trying to develop a desktop application to access an API exposed by Groundspeak for geocaching.com. The API requires the use of OAuth.
After finally figuring out why my message signature was being rejected (I had to double-encode my callback URL, after reading somewhere that double-encoding causes problems), I now receive the following error from Groundspeak when attempting to get a request token:
oauth_error_message=Error%20while%20reading%20message%20%27DotNetOpenAuth.OAuth.Messages.UnauthorizedTokenRequest%27%20parameter%20%27oauth_callback%27%20with%20value%20%27http%253A%252F%252Fwww.mysite.com%252F%27.
Not a very descriptive error message. What's the problem here? Groundspeak uses DotNetOpenAuth on its server. Seems like my callback URL might be causing some issue, but I don't have any idea what.
I should probably also say that I'm developing a desktop application, so the callback URL isn't really valid. It does point to a website I own, but that website has no idea about OAuth at all. If I omit the callback URL, I receive the error "Callback URL not present or not valid" or somesuch.
I don't know anything about Groundspeak but I'd guess that they require that you register your app's callback URL before using OAuth. At least Google and Microsoft do this with their OAuth APIs. Look for some kind of developer settings on Groundspeak.
This is definitely something that needs to be further defined in the future: OAuth for non-web applications. But there does seem to be a few possible solutions (not the cleanest) that you can try to get OAuth working within a desktop application. You can look into the articles below that have some working solutions (I have not tested this myself). It's based off of Google's workable solution for handling OAuth from installed desktop apps:
https://developers.google.com/accounts/docs/OAuthForInstalledApps
Link to possible workaround solutions:
http://blog.appharbor.com/2012/06/21/oauth-for-net-desktop-applications
Here's also a related article on SO for desktop app OAuth: OAuth for Desktop apps?
Hope this helps!